Single Sign On Managed Services

Eliminate the unnecessary cost and lost productivity involved in managing user passwords.

Single Sign On Requires No Software or In-House Experience

Most organizations steadily bleed profit from the bottom line due to outdated password management techniques, unable to achieve single sign-on due to its complexity and perceived cost.

Single Sign On Managed Services eliminates up to 80 percent of most organizations’ password management costs within one day—using technology you already own—with positive ROI typically achieved in 4–12 months!

We can help you quickly diagnose the severity of your password management condition and determine whether your organization is a good candidate for Single Sign On Managed Services.

Calculate Your Return on Investing in SSO

Download the ROI calculator to find out exactly how much your organization can save by implementing single sign on.

Single Sign On Includes:

One-day implementation of SSO between Windows-based workstations and AIX, IBM i, Unix and Linux systems

Hands-on implementation training with an experienced SSO expert

Ongoing tech support to proactively address issues introduced by OS or application updates

Meet Your Security Experts

SSO Managed Service is led by security expert Patrick Botz, a former Lead Security Architect at IBM, where he founded the IBM Lab Services security consulting team. Patrick has attained intimate knowledge of system security capabilities and pitfalls on a broad range of platforms, with special emphasis on IBM i (formerly AS/400), AIX, Unix, and Linux operating systems. He also architected the single sign on solution for OS/400 and i5/OS.

Patrick has more than 20 years of experience in cybersecurity and is a co-author of "Expert's Guide to OS/400 and I5/OS Security."

Single Sign On FAQs

Q: Does Single Sign On Managed Service only work between Microsoft Windows and IBM i?

A: Absolutely not. You can implement SSO for applications across nearly any combination of platforms.

Q: How does Kerberos work?

A: The Kerberos protocol is often a key component in single sign-on. It is used to simplify password management by authenticating a user to an interface running on a remote system. 

Q: How does single sign on save my organization money?

A: SSO can significantly reduce the high cost of managing passwords across your organization. The overwhelming majority of the cost of managing employee access to computing resources is tied up in the cost of managing passwords. Most people are shocked by the magnitude of these costs. When you add up the time spent managing passwords by all end users, administrators, and help desk personnel in an organization, plus the time waiting on the phone for a solution, and the time it takes every employee to change all of their passwords four or more times a year, these costs are surprisingly high. When you understand the actual cost of managing passwords, evaluating SSO solutions becomes so much easier. To calculate the cost of managing passwords in your organization, use our SSO ROI Calculator.

Q: Do the user IDs need to be the same on all systems for SSO to work?

A: No, that’s the beauty of this approach. EIM (enterprise information management) ensures that sessions get created under the appropriate user ID on non-Windows platforms even if the user IDs for a person are different in the Windows domain and on the non-Windows platform.

Q: Will single sign on work with web server applications?

A: If the Web server you are using supports Kerberos and the application is written (or can be changed) to use Web server authentication, then the answer is yes.

Q: How does SSO work with IFS objects?

A: You have to access IFS through some sort of interface. FTP, NetServer, Telnet, ODBC, etc. all support SSO. Once the application/interface is connected and the job associated with it is running under the proper user ID, SSO has nothing to do with accessing any resources, such as IFS, QSYS.LIB, DB2, and others.

Q: Does Single Sign On Managed Service require purchasing software licenses?

A: No, this service relies entirely on functionality you already own. You need one Key Distribution Center (KDC, also known as a Kerberos server) and you need client-side Kerberos support for each client to which you want to authenticate. Windows domain controllers are KDCs. If you log into a Windows domain from your PC then, by definition, you have a KDC. Nearly all commercial operating systems provide Kerberos client support. Of course, you don't have to have a Windows domain to use SSO; it's just more work to create a KDC and the Kerberos users.

Q: Does implementing SSO really take less than a day?

A: Yes, it typically takes less than a day to implement SSO, assuming all components are in place. However, some clients prefer to do the work over the course of several days. For example, small configuration changes are often required either on the KDC or on the client. Some customers prefer to investigate these changes before making them in the interest of due diligence. In that instance, and a few others, the couple of hours of work may be spread over different days.

Q: Does SSO work with old PC5250 clients?

A: It works with IBM PC5250 clients starting with V5R1. 

Q: Can SSO be achieved between Java Web applications?

A: Yes. The Java applications need to be implemented to use Kerberos. Use the JGSS class methods to do this.
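As an added illustration (not code from this page or from the service it describes), the server side of a Java web application can validate a browser's Kerberos ticket with the standard `org.ietf.jgss` classes. The class and method names here are hypothetical, and the sketch assumes the JVM is already configured with a keytab for the web server's service principal and that the client sends an `Authorization: Negotiate` header.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.Oid;

public class NegotiateAuth {                       // hypothetical class name
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2"; // SPNEGO mechanism (RFC 4178)
    private static final String SCHEME = "Negotiate ";

    /** Returns the GSS token carried in the header, or null if it is absent or malformed. */
    static byte[] tokenFromHeader(String header) {
        if (header == null || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return null;
        }
        try {
            return Base64.getDecoder().decode(header.substring(SCHEME.length()).trim());
        } catch (IllegalArgumentException e) {
            return null;                           // not valid base64: treat as unauthenticated
        }
    }

    /** Returns the authenticated Kerberos principal name, or null if the token is rejected. */
    static String authenticate(String header) {
        byte[] token = tokenFromHeader(header);
        if (token == null || token.length == 0) return null;
        GSSContext ctx = null;
        try {
            GSSManager mgr = GSSManager.getInstance();
            // Acceptor credential for the service principal (assumed to come from the JVM's keytab).
            GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid(SPNEGO_OID), GSSCredential.ACCEPT_ONLY);
            ctx = mgr.createContext(cred);
            // A non-null return value is a reply token the server would send back to the client.
            ctx.acceptSecContext(token, 0, token.length);
            return ctx.isEstablished() ? ctx.getSrcName().toString() : null;
        } catch (GSSException e) {
            return null;                           // bad ticket, expired ticket, wrong service key
        } finally {
            if (ctx != null) try { ctx.dispose(); } catch (GSSException ignored) { }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: none of these is a usable ticket, so each call fails closed with null.
        System.out.println(authenticate(null));
        System.out.println(authenticate("Basic dXNlcjpwdw=="));
        System.out.println(authenticate("Negotiate !!!"));
    }
}
```

The principal name returned by `authenticate` is the Kerberos identity; mapping it to the local user ID on the target platform is a separate step.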

Q: What happens to logons if EIM is offline?

A: Logons won’t work (for most systems) if EIM goes down. There are a couple of strategies for dealing with this. Each environment and set of requirements is different, so it’s hard to describe which solution works best without having the details. Sometimes companies can rely on their HA plan. They typically will host the EIM repository on the production system. If the production system ever goes down, they know that the HA system becomes the production system. In this scenario, they can either use LDAP replication to keep the production and HA EIM repositories in sync or they can use their HA products to do so. You also must make sure that the Kerberos configuration and keytab file are enabled for HA. How this is done is highly dependent on whether the HA swap includes IP address and hostname takeover, only hostname takeover, or neither.

Q: Does SSO work with Lotus Domino web server?

A: Yes.

Q: Do I need any additional software?

A: No additional software is needed to get SSO working, though you can use a tool to automate loading and/or management of EIM. 

Learn more about the professional security services HelpSystems offers:

Eliminate the unnecessary cost and lost productivity involved in managing user passwords with Single Sign On Managed Service.