Single Sign On Managed Services
Eliminate the unnecessary cost and lost productivity involved in managing user passwords.
Single Sign On Requires No Software or In-House Experience
Most organizations steadily bleed profit from the bottom line due to outdated password management techniques, unable to achieve single sign-on due to its complexity and perceived cost.
Single Sign On Managed Services eliminates up to 80 percent of most organizations’ password management costs within one day—using technology you already own—with positive ROI typically achieved in 4–12 months!
We can help you quickly diagnose the severity of your password management condition and determine whether your organization is a good candidate for Single Sign On Managed Services.
A Guide to Practical Single Sign On
The cost of managing user access to data and software applications with user IDs and passwords is surprisingly high. Find out how a business approach to solving this problem can eliminate much of this recurring cost.
Single Sign On Includes:
One-day implementation of SSO between Windows-based workstations and AIX, IBM i, Unix and Linux systems
Hands-on implementation training with an experienced SSO expert
Ongoing tech support to proactively address issues introduced by OS or application updates
What You Can Achieve with Single Sign On Managed Services
Eliminate up to 80 percent of password problems
For most organizations, the vast majority of password problems occur when users access servers from their PCs. Managed Single Sign On Service quickly and efficiently eliminates multiple passwords between Windows and your IBM i, AIX/UNIX, and Linux systems. Depending on your IT environment, this cost-effective service can eliminate up to 80 percent or more of your password management costs.
Basic SSO in one day
Avoid the long and complex SSO learning curve. Our experts teach your Security Officer the SSO concepts necessary for your environment, guide them through each of the configuration steps to implement all of your current users, and train them to implement new users—all in a single day!
Immediate, tangible results
Unlike most IT projects, the positive impact of Managed Single Sign On Service is immediately evident across the enterprise. End users love that they no longer have to log in to applications they use every day, the number of help desk calls drops, and everyone experiences fewer password-related distractions. The best part is that most organizations achieve ROI within the first 12 months, and the savings continue year after year.
No software required
If your IT network includes a Windows domain, you are already using and managing all of the software you need to implement SSO for many of your systems and applications. Most IT professionals just need experienced guidance on how to configure the complex software on non-Windows systems within their specific environment.
With no software to buy and the efficiency of one-on-one training by an independent expert, most organizations can implement basic SSO—with a full year of technical support—for under $10,000.
Managed Single Sign On Service is non-disruptive, and your administrator remains in control of your systems at all times. Once we configure your non-Windows systems, you can immediately enable all of your users, a few users, or a single user to test results. You can also disable users from using SSO at any time. You maintain full control.
Proven ROI-based approach
SSO is not a technology problem—it’s a business problem. How do you minimize the cost of password management with the best possible ROI? Drawing on experience as chief security architect for IBM’s Power Systems, plus years of implementing SSO in all kinds of IT environments, Patrick Botz has developed a reliable process for quickly 1) measuring the costs of password management and 2) evaluating the best solution for your company based on ROI.
Meet Your Security Experts
SSO Managed Service is led by security expert Patrick Botz, a former Lead Security Architect at IBM, where he founded the IBM Lab Services security consulting team. Patrick has attained intimate knowledge of system security capabilities and pitfalls on a broad range of platforms, with special emphasis on IBM i (formerly AS/400), AIX, Unix, and Linux operating systems. He also architected the single sign on solution for OS/400 and i5/OS.
Patrick has more than 20 years of experience in cybersecurity and is a co-author of "Expert's Guide to OS/400 and I5/OS Security."
Single Sign On FAQs
Q: Does Single Sign On Managed Service only work between Microsoft Windows and IBM i?
A: Absolutely not. You can implement SSO for applications across nearly any combination of platforms.
Q: How does Kerberos work?
A: The Kerberos protocol is often a key component in single sign-on. It is used to simplify password management by authenticating a user to an interface running on a remote system.
Q: How does single sign on save my organization money?
A: SSO can significantly reduce the high cost of managing passwords across your organization. The overwhelming majority of the cost of managing employee access to computing resources is tied up in the cost of managing passwords. Most people are shocked by the magnitude of these costs. When you add up the time spent managing passwords by all end users, administrators, and help desk personnel in an organization, plus the time waiting on the phone for a solution, and the time it takes every employee to change all of their passwords four or more times a year, these costs are surprisingly high. When you understand the actual cost of managing passwords, evaluating SSO solutions becomes so much easier. To calculate the cost of managing passwords in your organization, use our SSO ROI Calculator.
Q: Do the user IDs need to be the same on all systems for SSO to work?
A: No, that’s the beauty of this approach. EIM (enterprise information management) ensures that sessions get created under the appropriate user ID on non-Windows platforms even if the user IDs for a person are different in the Windows domain and on the non-Windows platform.
Q: Will single sign on work with web server applications?
A: If the Web server you are using supports Kerberos and the application is written (or can be changed) to use Web server authentication, then the answer is yes.
Q: How does SSO work with IFS objects?
A: You have to access IFS through some sort of interface. FTP, NetServer, Telnet, ODBC, etc. all support SSO. Once the application/interface is connected and the job associated with it is running under the proper user ID, SSO has nothing to do with accessing any resources, such as IFS, QSYS.LIB, DB2, and others.
Q: Does Single Sign On Managed Service require purchasing software licenses?
A: No, this service relies entirely on function you already own. You need one Key Distribution Center (KDC, also known as a Kerberos server) and you need client-side Kerberos support for each client to which you want to authenticate. Windows domain controllers are KDCs. If you log into a Windows domain from your PC then, by definition, you have a KDC. Nearly all commercial operating systems provide Kerberos client support. Of course, you don't have to have a Windows domain to use SSO—it's just more work to create a KDC and the Kerberos users.
Q: Does implementing SSO really take less than a day?
A: Yes, it typically takes less than a day to implement SSO assuming all components are in place. However, some clients prefer to do the work over the course of several days. For example, small configuration changes are often required either on the KDC or on the client. Some customers prefer to investigate these changes before making them in the interest of due diligence. In that instance, and a few others, those couple of hours may be spread over different days.
Q: Does SSO work with old PC5250 clients?
A: It works with IBM PC5250 clients starting with V5R1.
Q: Can SSO be achieved between Java Web applications?
A: Yes. The Java applications need to be implemented to use Kerberos. Use the JGSS class methods to do this.
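As an added illustration (not code from this service or from IBM), here is one way a Java web application can accept a Kerberos token with the JGSS classes in `org.ietf.jgss`. The class and method names `NegotiateAcceptor`, `tokenFromHeader` and `authenticate` are hypothetical, and the sketch assumes the JVM has already been pointed at the service's keytab through its Kerberos/JAAS configuration.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

/** Hypothetical helper: server-side acceptance of a SPNEGO/Kerberos token. */
public class NegotiateAcceptor {
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Extracts the token from an "Authorization: Negotiate <base64>" value, or null. */
    static byte[] tokenFromHeader(String authorization) {
        if (authorization == null
                || !authorization.regionMatches(true, 0, "Negotiate ", 0, 10)) {
            return null;
        }
        try {
            return Base64.getDecoder().decode(authorization.substring(10).trim());
        } catch (IllegalArgumentException e) {
            return null; // malformed base64 is treated as "no credentials"
        }
    }

    /** Returns the authenticated principal (user@REALM), or null if not authenticated. */
    static String authenticate(String authorization) throws GSSException {
        byte[] token = tokenFromHeader(authorization);
        if (token == null || token.length == 0) return null;
        GSSManager manager = GSSManager.getInstance();
        // Acceptor credential: the service key is read from the configured keytab.
        GSSCredential serviceCred = manager.createCredential(
            null, GSSCredential.INDEFINITE_LIFETIME, new Oid(SPNEGO_OID),
            GSSCredential.ACCEPT_ONLY);
        GSSContext context = manager.createContext(serviceCred);
        try {
            context.acceptSecContext(token, 0, token.length);
            // Trust the client name only once the context is fully established;
            // a context that still needs another round trip is rejected here.
            return context.isEstablished() ? context.getSrcName().toString() : null;
        } finally {
            context.dispose();
            serviceCred.dispose();
        }
    }

    public static void main(String[] args) throws GSSException {
        // Constructed inputs: missing header, wrong scheme, malformed base64.
        System.out.println(authenticate(null));
        System.out.println(authenticate("Basic dXNlcjpwdw=="));
        System.out.println(authenticate("Negotiate %%%"));
    }
}
```

The returned principal is the Windows-domain identity; mapping it to the local user ID on the target platform is a separate step.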
Q: What happens to logons if EIM is offline?
A: Logons won’t work (for most systems) if EIM goes down. There are a couple of strategies for dealing with this. Each environment and set of requirements is different, so it’s hard to describe which solution works best without having the details. Sometimes companies can rely on their HA plan. They typically will host the EIM repository on the production system. If the production system ever goes down they know that the HA system becomes the production system. In this scenario, they can either use LDAP replication to keep the production and HA EIM repositories in sync or they can use their HA products to do so. You also must make sure that the Kerberos configuration and keytab file are enabled for HA. How this is done is highly dependent on whether the HA swap includes IP address and hostname takeover, only hostname takeover, or none.
Q: Does SSO work with Lotus Domino web server?
Q: Do I need any additional software?
A: No additional software is needed to get SSO working, though you can use a tool to automate loading and/or management of EIM.