Technical Note

Sign-On Express Security – A technical note
Sign-On Express is a next-generation Web Single Sign-On solution that provides users with seamless and secured access to any web-based on-premise or cloud application from any device, anytime and anywhere. With Sign-On Express, users sign in once and do not have to type their userid/password again and again.

Sign-On Express benefits
Increase user convenience and productivity
SSO to any web-based on-premise or cloud application
Secured cloud applications with standard SSO protocols
Reduce password-related help-desk calls
Achieve compliance with extensive auditing and reporting
Over 1500 SSO connectors out-of-the-box, plus Do-It-Yourself wizards to onboard other web-based applications for SSO without any technical skill set

Security in Sign-On Express
Drawing on ILANTUS’s deep domain experience in IAM and security since the year 2000, Sign-On Express has been architected from the ground up around security best practices to meet industry-standard compliance norms. Sign-On Express deals with a lot of sensitive data, which makes it imperative to secure that data whether at rest or in motion.

Sign-On Express Development
From the start of development, the engineering team follows a strict security development lifecycle program based on Agile Scrum methodologies. Before any version is released, dedicated sprints cover peer code review and vulnerability and penetration testing.

Security while data is in motion
Communication between all Sign-On Express components is over a secured
channel as depicted in the diagram.

The following are the interactions between the various components, as indicated in the diagram:

1. User’s browser to Sign-On Express Server – This communication is over a secured HTTP(S) channel and is encrypted. Depending on the Sign-On Express deployment architecture, a firewall, intrusion detection system, proxy or reverse proxy may also be involved.

2. Sign-On Express Server to LDAP – This communication is over a secured LDAP(S) channel and is encrypted.

3. Sign-On Express Server to Database – This communication is over a secured channel and is encrypted.

Security while data is at rest
Static data resides in the database. All tables that hold sensitive information are encrypted using industry-standard AES 256-bit block cipher encryption with a unique key per customer.

The table below highlights additional security parameters of Sign-On Express.

Security Parameter – Remarks

Multi-Factor Authentication – In addition to regular userid/password-based authentication, Sign-On Express also supports multi-factor authentication built on the HMAC-SHA1 algorithm. The second level of authentication adds an additional layer of security for user authentication.

Password Vault Security – For SSO to non-federated web applications, Sign-On Express replays the userid/password to give users an SSO experience. Sign-On Express leverages a secured Password Vault designed within the database to securely store the user’s userid/password. Passwords are encrypted with industry-standard AES 256-bit block cipher encryption with a unique key per customer. Passwords are not cached on the user’s workstation or browser at any point in time. The userid/password is retrieved from the database only at run time and is injected into an application in the browser.

Integrated Windows Authentication (IWA) advanced security policies – Sign-On Express supports IWA authentication. With an advanced security policy, IWA can be restricted to multiple IP ranges. This feature adds an additional check on systems accessing Sign-On Express.

Vulnerability and Penetration Testing – Every Sign-On Express release undergoes thorough vulnerability and penetration testing to ensure that a strict security standard is followed.

Extensive Auditing & Logging – All events on Sign-On Express are audited, and log levels can be configured.

SIEM integration for correlation and analytics – SIEM solutions can be integrated with Sign-On Express audit tables for correlation to detect anomalies at the enterprise level.

ILANTUS has been a pioneer in identity and access management for more than a decade, delivering the most comprehensive identity solution through its unique Hosting Express (HXP). The HXP is built on a unique framework that enables components from multiple vendors of your choice to be integrated into a unified solution, delivered in the cloud or on-premise, and managed by you or ILANTUS. All major Identity & Access Management components (Identity & Access Governance, User Administration & Provisioning, and Identity & Access Intelligence) are incorporated in the HXP framework.
