The business case
Our client was a household-name multinational bank (not included in our
customer list). It had several thousand users on a multitude of systems
and programs spanning multiple countries, languages and time zones. Different
passwords for different applications created the following issues:
1. Forgotten passwords resulted in downtime for the user and a drain on
   helpdesk resources;
2. Applications were manipulated so that sessions never timed out, sparing
   users from logging on again, a security risk; and
3. Passwords were frequently written down and stuck to screens, keyboards
   etc., again a security risk.
The technical case
The objective was to provide cross-platform authentication so that users
could access all available web applications securely and seamlessly. The
environments to be covered were: Windows 2000/NT4, IIS, Netscape Enterprise Server,
Apache, Lotus Domino, JavaScript, JScript and Java.
Our input
We implemented Single Sign-On (SSO) software at each application server
to check the authentication tokens presented by the browser, and to hand the
user over to a logon server when no token was present. The tokens were
hashed with MD5 and then encrypted with 128-bit IDEA. (This is a
hash-then-encrypt construction; a design built today would use a keyed MAC
or a digital signature for token integrity, since MD5 is no longer considered
collision resistant.)
The user supplies a username and credentials, which are transmitted to the
authentication server over an encrypted (SSL) connection and validated there;
the current system validates them using Windows NTLM authentication. Once the
user has signed on, the browser receives the encrypted authentication tokens
wrapped in a cookie, and these tokens are validated transparently as the user
moves between web applications.
SSO provides a simple API that the web application calls: a single line at
the top of each protected page invokes SSO authentication. On IIS on Windows
NT and on Lotus Domino, seamless integration is achieved instead with an
ISAPI filter (on IIS) or a DSAPI filter (on Lotus Domino), which intercepts
requests for pages and authenticates the user before the web application is
ever called. In such cases the application does not need to be modified to
use SSO.
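The flow described above, as an added example that is not the vendor's product code: the logon server validates credentials and returns the token in a cookie, and the check each application server runs (the "single line" at the top of a protected page, or the ISAPI/DSAPI filter in front of it) accepts that cookie or redirects to the logon server when the token is missing, tampered with or expired. The page describes tokens hashed with MD5 and then encrypted with 128-bit IDEA; neither is in Python's standard library, so a keyed HMAC-SHA256 stands in for that construction here. The hostnames, cookie name, shared key and user store are all constructed for the illustration.

```python
# SSO token flow: logon server issues a cookie-wrapped token, application
# servers validate it. Added illustration; the page's MD5-then-IDEA token is
# replaced by HMAC-SHA256 (an assumption, not the original construction).
import base64
import hashlib
import hmac
import json
import time
import urllib.parse

SSO_KEY = b"shared-secret-known-to-logon-and-app-servers"  # assumption: distributed out of band
LOGON_SERVER = "https://logon.example.test/sso/login"      # hypothetical logon server URL
COOKIE_NAME = "SSOTOKEN"                                   # hypothetical cookie name
TOKEN_TTL = 900  # seconds; the time-out lives in the token, not in each application
MAC_LEN = 32     # SHA-256 digest size

# Constructed credential store standing in for the NT domain check.
_USERS = {"alice": "correct horse battery staple"}


def authenticate_credentials(username: str, password: str) -> bool:
    """Logon-server side: validate the submitted credentials."""
    expected = _USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def issue_token(username: str, now: int) -> str:
    """Build the token: claims (subject, issued-at, expiry) plus a keyed MAC."""
    claims = {"sub": username, "iat": now, "exp": now + TOKEN_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def validate_token(token: str, now: int):
    """Application-server side: return the username if the token is
    authentic and unexpired, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SSO_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None               # tampered with or forged
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None               # expired: forces a fresh logon
    return claims.get("sub")


def logon_server(username: str, password: str, now: int):
    """Handle a logon form post. Returns a Set-Cookie header value on
    success, or None when the credentials are rejected."""
    if not authenticate_credentials(username, password):
        return None
    return f"{COOKIE_NAME}={issue_token(username, now)}; Secure; HttpOnly"


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser (name=value pairs separated by ';')."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def sso_check(request: dict, now: int):
    """The single call a protected page makes (or the ISAPI/DSAPI filter makes
    before the page runs). `request` carries the Cookie header and the URL.
    Returns (status, headers, username)."""
    cookies = parse_cookies(request.get("cookie", ""))
    user = validate_token(cookies.get(COOKIE_NAME, ""), now)
    if user is None:
        back = urllib.parse.quote(request["url"], safe="")
        return 302, {"Location": f"{LOGON_SERVER}?return={back}"}, None
    return 200, {}, user


if __name__ == "__main__":
    t0 = int(time.time())
    token = logon_server("alice", "correct horse battery staple", t0).split(";")[0].split("=", 1)[1]
    # The same cookie is accepted by two different application servers.
    for url in ("https://app1.example.test/accounts", "https://app2.example.test/reports"):
        print(sso_check({"cookie": f"{COOKIE_NAME}={token}", "url": url}, t0 + 60))
    # No cookie, or an expired token, redirects to the logon server.
    print(sso_check({"url": "https://app1.example.test/accounts"}, t0))
    print(sso_check({"cookie": f"{COOKIE_NAME}={token}", "url": "https://app1.example.test/accounts"}, t0 + TOKEN_TTL))
```

Putting the expiry inside the token is what addresses the "spoofed to not time-out" problem from the business case: an application cannot be coaxed into keeping a session alive, because every server re-checks the expiry on every request and sends the user back to the logon server once it has passed.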
Results/benefits
The resulting system is now highly secure and handles 10,000 login
requests daily, integrating seamlessly with the NT authentication
mechanism and with many different web application platforms. The client has
advised that, unlike many of its IT projects, SSO was clearly cost-effective,
paying for itself within six weeks of deployment.