OneSign Technology
User Enrollment
OneSign administrators can import and synchronize users from existing directories in a straightforward operation. Import can be selectively restricted to groups or even individuals; no changes to existing directories are required. Multiple security policies and settings can be defined by the administrator and assigned to individuals, groups or specific computers upon enrollment. Policy settings may include designation of a user’s local and remote authentication method, frequency of challenge, offline mode, etc.
Single Sign-On (SSO) Application Enablement
The OneSign Single Sign-On Application Profile Generator (APG) functions by learning the authentication behaviors of any application and expressing those attributes in an XML profile document. Application support includes all application types, including Win32, web applications, host-based mainframe applications (with or without HLLAPI TE), command-line console applications and Java JVM (AWT, Swing) applications.
OneSign uses these XML application profiles to define the login and password-change behaviors of all SSO-enabled applications. Adding or modifying new SSO-enabled applications is as easy as running the browser-based intelligent APG to create the updated profile in XML. There are no complicated scripts to write or connectors to build. The OneSign Intelligent Agent discovers and manages valid credentials for use in secure SSO sessions based on the established XML profile and SSO policy settings. This works regardless of how the application is accessed - locally, from a host, or via Citrix Metaframe server, for example. Credentials, SSO policy, and SSO application profiles follow the user securely across enterprise applications based on each user’s primary authentication to the OneSign appliance. Credentials and policy settings are now tied to the user, not the desktop PC.
Credential Transport and Session Management
OneSign automates SSO logon for an enrolled user to multiple applications within a single session. Instead of manual authentication to individual programs, a user’s credentials are transparently and securely delivered to multiple applications, creating a single, secure, unified identity that is easy to establish, maintain and use.
Our patent-pending technology, Imprivata Secure eXchange (ISX), is a secure transport mechanism that manages the storage and delivery of user credentials, policy and XML profiles. Communication between the OneSign Intelligent Agent and the OneSign appliance is always secure, private, and authenticated. User credentials are protected in a digital vault during the communication session and cannot be copied or stolen. An authenticated user gains secure SSO credentials for all enabled applications for the duration of the OneSign session. Session length and policy are set by the administrator and applied per user or per computer.
SSO Session and Credential Management
The OneSign Intelligent Agent actively monitors user activity for attempts to launch client/server, legacy, or web-based applications and compares this to the list of registered applications that is updated throughout each OneSign session.
The OneSign Intelligent Agent detects if a registered application is performing a function defined in the application profile and initiates the correct task, such as capturing or delivering credentials, or executing a password change on behalf of the OneSign user. If credentials are absent, the OneSign Intelligent Agent waits in discovery mode for the user to provide credentials for the application. If the credentials provided by the user are valid, the OneSign Intelligent Agent stores them in the credential vault. If the credentials are rejected, the credentials are not saved.
At all times, the OneSign Intelligent Agent is aware of any transitions that may have taken place since the last SSO session update, including modifications to credentials, policy or changes in application behavior. By keeping a synchronized view of the credentials that the target application requires to log in successfully, the OneSign Intelligent Agent can dynamically and transparently manage all changes on the user’s behalf, allowing seamless application access without the need for administrative intervention. Users launch an SSO-enabled application the same way they normally do, including clicking on a desktop icon, selecting it from the Windows Start menu, or running a command line. Any application that is accessed from a supported Windows PC can be enabled for SSO with Imprivata OneSign Single Sign-On.
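The discovery-mode and vault behaviour described in this section, modelled as an added example that is not Imprivata's code: the XML profile schema, element names and the validate callback are assumptions standing in for the real APG profile and the target application's own login check.

```python
import xml.etree.ElementTree as ET

# Constructed application profile in an assumed schema (not the real APG format).
PROFILE_XML = """<profiles>
  <application name="payroll.exe">
    <login window="Payroll Login" user="edtUser" password="edtPass"/>
    <passwordChange window="Change Password" old="edtOld" new="edtNew"/>
  </application>
</profiles>"""

def load_profiles(xml_text):
    """Map application name -> {behaviour tag: attributes} from the XML profile."""
    profiles = {}
    for app in ET.fromstring(xml_text).findall("application"):
        profiles[app.get("name")] = {child.tag: dict(child.attrib) for child in app}
    return profiles

class Agent:
    """Per-session model of the agent: deliver from the vault, otherwise discover."""
    def __init__(self, profiles, validate):
        self.profiles = profiles
        self.validate = validate   # assumed callback(app, user, pw) -> bool, stands in for the app
        self.vault = {}            # in-memory stand-in for the credential vault

    def on_login_window(self, app, user_input=None):
        """Returns (action, credentials) for a login window of `app`.
        'deliver' when the vault has credentials, 'discovery' while waiting for the user,
        'stored' or 'rejected' once the user has typed credentials, 'ignored' if unregistered."""
        if app not in self.profiles or "login" not in self.profiles[app]:
            return ("ignored", None)
        if app in self.vault:
            return ("deliver", self.vault[app])
        if user_input is None:
            return ("discovery", None)          # discovery mode: wait for the user
        user, pw = user_input
        if self.validate(app, user, pw):
            self.vault[app] = (user, pw)        # only accepted credentials are kept
            return ("stored", (user, pw))
        return ("rejected", None)               # rejected credentials are never saved

    def on_password_change(self, app, new_pw):
        """Keep the vault synchronized after a profile-defined password change."""
        if app in self.vault and "passwordChange" in self.profiles[app]:
            user, _ = self.vault[app]
            self.vault[app] = (user, new_pw)
            return True
        return False
```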
User Monitoring and Reporting
OneSign records all SSO events in log files that are accessible to the administrator. These logs include a history of all OneSign configuration changes together with a timestamp and the username of the administrator to provide an audit trail. Client-side events pertaining to SSO services are collected and consolidated by the OneSign appliance for centralized viewing and reporting. Events can be reported by user, by application, or by computer.
Easy-to-use tools enable report generation of: user and administrator activity, SSO sessions, application SSO, password changes, and exception reports for specific failure events. Administrators can export any report to a Comma Separated Values (CSV) file for use in third-party reporting applications.
Support for Authentication Modalities
Imprivata OneSign supports major forms of strong authentication out of the box, including strong passwords, ID tokens, digital certificates, proximity cards and finger biometric technology.
Sites that have deployed ID token technologies from VASCO Digipass, RSA SecurID or Secure Computing SafeWord for strong authentication can leverage existing investments immediately – without custom integration.
Finger biometric support is automatically offered without additional licensing costs. All biometric matching algorithms and the technology required to support self-enrollment and user authentication are bundled within the OneSign appliance. Interoperability across various biometric devices is fast, easy and secure. The biometric signature captured by OneSign from one biometric vendor’s scanner is fully compatible with an authentication request from a second vendor’s scanner. This uncommon flexibility is an important feature of OneSign for organizations that require a heterogeneous biometric scanner environment.
Digital certificates are supported by leveraging standard Microsoft Smart Card services. Any Windows-compatible smart card device with compatible middleware can be used for strong authentication. Support for both active and passive proximity cards is likewise included in OneSign.