Imprivata OneSign 4.1

Single sign-on (SSO) is the holy grail of network administration as it can save so much time and improve security. With a single username and password, users can gain authenticated access to all applications and services without calls for lost or forgotten passwords.

Imprivata's OneSign provides complete SSO implemented as an appliance, supporting authentication client/server, web and legacy applications. An SSO agent installed locally on each client captures their authentication credentials, stores them on the appliance and proxies them when required.

Imprivata offers a choice of agents, with the standard version used on systems of a single user. The Workstation Agent is deployed to systems that have multiple users, while a third is used for Microsoft Terminal Services and Citrix MetaFrame environments and is installed on the server.

OneSign handles a range of authentication methods, including passwords, tokens and fingerprints. A new feature is Imprivata's Physical/Logical, which links network access to the physical presence of the user. You map a user's profile to their access card so they can only use a workstation and network resources if the building has registered their entry.

After the wizard-based setup routine you can add users and security policies. The latter can be used to apply lockouts, the number of allowed login attempts and password strength. Policies can also issue challenges when an account has been inactive for a time, and an offline mode when a link to the OneSign server isn't available.

We used email to deploy the agent where users are advised of the download location on the appliance. The agent modifies the Windows login prompt and offers options for authentication methods. Next, you define applications and the APG (application profile generator) is used to learn this process where you load an application and drag a target from the APG onto its login screen. It presents a form with the relevant fields filled in and you can check that each field is correctly identified by clicking on it.

We used access to web mail clients to test this. After policy deployment, users were required to log in as normal, and the agent captured their details from the browser and stored them on the appliance. The next time they loaded the login screen their details were proxied and entered for them by the agent.

OneSign provides plenty of report tools to keep a close eye on enrolments, failed logins, lockouts and so on. You can also select users to be monitored, where notifications will be sent to you when they trigger specific events.

We found the enrolment process to be lengthy, but once completed it makes light work of the login process. For small user bases, the OneSign solution is expensive but it can pay back these costs with reduced administration and support for password management.

Author: Dave Mitchell