New Technology/enterprise Ltd
Project example #3:
Single sign-on security implementation


The business case
Our client was a household name multinational bank (NOT included in our customer list). They had several thousand users on a multitude of systems and programs spanning multiple countries, languages and timezones. Different passwords for different applications created the following issues:

Forgotten passwords resulted in downtime for the user and a drain on helpdesk resources;
Applications were tampered with so that they never timed out, avoiding the need to log in again, which was a security risk; and
Passwords were frequently written on notes stuck to screens, keyboards, etc., again a security risk.

The technical case
The objective was to provide cross-platform authentication so that users could access all available web applications securely and seamlessly. The environments to be covered were: W2K/NT4, IIS, Netscape Enterprise Server, Apache, Lotus Domino, JavaScript, JScript and Java.

Our input
We implemented Single Sign-on (SSO) software at each application server to check highly secure tokens, and to hand authentication over to a logon server whenever no token was present. The tokens were hashed using MD5, then encrypted with 128-bit IDEA.

The user supplies a username and credentials, which are transmitted to the authentication server over an encrypted (SSL) connection and validated by the server. The current system uses Windows NTLM authentication. Once a user has signed on, the browser receives encrypted authentication tokens wrapped in a cookie. These tokens are validated invisibly as the user moves between web applications.

SSO provides a simple API that the web application calls: a single line at the top of each protected page invokes SSO authentication. On IIS on Windows NT, and on Lotus Domino, seamless integration into SSO is instead achieved with an ISAPI filter (on IIS) or a DSAPI filter (on Lotus Domino), which intercepts requests for pages and authenticates the user BEFORE the web application is ever called. In such cases the application does not need to be modified to use SSO.

The resulting system is now highly secure and accommodates 10,000 login requests daily, providing seamless integration with an NT authentication mechanism, and many different web application platforms. The client has advised that, unlike many of its IT projects, SSO was clearly cost-effective, paying for itself within six weeks of deployment.