Single Sign-on, Reduced Sign-on, and Centralized Authentication

For efficiency, security, and complaince in heterogeneous environments

The Importance of Standards

Many of the challenges presented in single sign-on lie in the fact that disparate systems in heterogeneous enterprises typically do not participate in a common authentication methodology. In other words, a lack of standards often prevents organizations from achieving the benefits of single sign-on. Quest Software offers solutions that give many of these disparate systems a common, standards-based platform upon which to build single sign-on. This strategy relies on a technical foundation of commonly installed infrastructure (Active Directory) and key standards that can be leveraged across the enterprise environment:

• Kerberos – in Active Directory and a number of “Kerberized” applications
• Lightweight Directory Access Protocol (LDAP) – in Active Directory, non-Windows systems, and a number of “LDAP-aware” applications
• Pluggable Authentication Module (PAM) – in Unix and Linux systems
• Name Service Switch (NSS) – in Unix and Linux systems
• GSS-API – in a number of standards-based applications
• SSPI – Security Support Provider Interface

The Quest Solution Set

Quest’s approach to identity integration (and consequently the centralized authentication, single sign-on, and reduced sign-on benefits) has proven successful at more than 500 companies worldwide representing more than 3 million users.

• One of North America’s leading financial institutions was able to leverage Quest technology to reduce logins and password for its entire retail teller population from 18 logins to only two. This success extended to more than 7,000 Unix servers and more than 110,000 users.
• The SAP single sign-on capabilities of Vintela Authentication Services are being used by tens-of-thousands of users at one of the world’s leading nutrition and food companies and at one of North America’s top aerospace corporations.

But large companies aren’t the only ones achieving benefit from Quest’s approach to simplifying identity and access management. Hundreds of organizations of all sizes are also realizing operational, security, and compliance benefits as they extend their Active Directory infrastructures to non-Windows systems and applications.

Quest builds upon the integration of Kerberos with Active Directory—which delivers single sign-on through Windows Integrated Authentication for Windows systems—to help organizations bring a high number of platforms, systems, and applications into the Active Directory “trusted realm.” Quest provides an expanding set of capabilities with its Vintela Authentication Services and Vintela Single Sign-on for Java solutions that allow a diverse set of applications and platforms to achieve single or reduced sign-on through Active Directory while leveraging the advanced features of Kerberos wherever possible.

1. Centralized Authentication for Unix and Linux Operating Systems - Vintela Authentication Services integrates Active Directory with more than 80 Unix/Linux operating systems functionally allowing them to be “full citizens” in Active Directory.  A single login to Active Directory and the resulting Kerberos credential provides “reduced sign-on” to all enabled Unix/Linux operating systems.
2.  Single Sign-on for OS-oriented Services and Applications - Vintela Authentication Services provides single sign-on to Unix from Active Directory through popular Unix/Linux services and applications such as PuTTY, Samba and OpenSSH.
3. Windows Integrated Authentication for Apache/Unix-hosted Applications - Through the mod_auth_vas Apache authentication module, Vintela Authentication Services provides single sign-on for Apache/Unix-hosted applications with client software running on Internet Explorer or Firefox. The apache mod enables not only browser-based single sign-on, but also enforces access control based on Active Directory groups for example.
4. Single Sign-on for Oracle Databases - Vintela Authentication Services allows Oracle databases that use the Oracle Advanced Security option to achieve “Kerberized” single sign-on login from Active Directory. 
5. Single Sign-on for SAP Applications Running SAPgui - Vintela Authentication Services’ Single sign-on for SAP integrates the GSS-API component of the SAPgui with Active Directory for single sign-on to the SAP application from the Windows login. This is the only SAP certified solution of this type on the market and is in use at extremely large installations worldwide.
6. Windows Integrated Authentication for Java Applications - Vintela Single Sign-on for Java extends Active Directory’s Kerberos single sign-on functionality to Java application servers. Client software can run on Internet Explorer or Firefox. This solution allows for single and/or reduced sign-on in complex web services architectures; fat client, multi-tier, and portals. 
7. Reduced Sign-on for LDAP-aware Applications - Vintela Authentication Services’ LDAP proxy functionality extends the reduced sign-on capabilities to include LDAP-aware applications (such as Siebel) Using the LDAP proxy to access the  Windows/Active Directory username and password for authentication further leverages the benefits of a single, centralized directory.
8. Support for “Passwordless” Environments - Both Vintela Authentication Services and Vintela Single Sign-on for Java provide the ability to extend Active Directory authentication to non-Windows systems when that authentication is initiated through a smart card rather than username and password. Current support includes Gemalto Cyberflex smart cards and the Coolkey Common Access Card (CAC).
9. Custom Integration with Other Applications - Through the Vintela Authentication Services API, organizations can build Active Directory-based single or reduced sign-on for a large number of applications across every Unix/Linux platform supported by Vintela Authentication Services (more than 80 fully supported platforms).  This approach leverages the PAM and GSS-API interfaces available within Vintela Authentication Services and Vintela Single Sign-on for Java to extend the Active Directory credential to additional applications hosted on non-Windows systems.
10. Extended Password Management - In addition to the single sign-on and reduced sign-on opportunities available through Quest, organizations can extend an AD-based password management strategy to non-Windows systems. Quest Password Manager provides advanced password management beyond the native capabilities of Active Directory while providing and end-user self-service password reset capability. This solution provides equal functionality for any non-Windows identity that has become a “full citizen” in Active Directory through Vintela Authentication Services or Vintela Single Sign-on for Java.