Previous Page: SecureLogin Architecture  Next Page: Installing SecureLogin

SecureLogin Components


Tools for eDirectory

SecureLogin leverages your existing eDirectory to provide user, organization, and application administration for your single sign-on solution. With the SecureLogin administration tools, you can centrally manage users and corporate single sign-on applications and configurations.


Administrator's Tools

You can set SecureLogin preferences for users at either the User object level or at the container level. To manage these eDirectory objects, you can use either NetWare Administrator or ConsoleOne. The following figure illustrates the SecureLogin Login Details, SecureLogin Configuration, and SecureLogin Corporate Configuration tabs.


SecureLogin Tabs in NetWare Administrator


The User Administration Tool

You can also administer SecureLogin through the user administration tool.


The User Administration Tool for SecureLogin

The workstation user administration tool is used to

Installed with SecureLogin, this tool enables users to view their single sign-on credentials. Also, you can permit users to administer their own credentials.

You can access this tool by clicking the SecureLogin icon on the workstation's task bar. The following figure illustrates this icon:


The SecureLogin Icon

Using eDirectory, you can enable or disable all of these functions for individual users and the entire organization.


Script Language

SecureLogin uses a script language to provide a very flexible single sign-on and monitoring environment. For example, the SecureLogin Windows Agent watches for application login boxes. When a login box is identified, the agent runs a script to enter the username, password, and background authentication information.

The script language uses individual application scripts to retrieve and enter the correct login details. These scripts are stored and secured within eDirectory to ensure maximum security, support for single point administration, and manageability.

The script language can be used to automate many login processes, such as multi-page logins and login panels requiring other information that can be stored in eDirectory (such as surname and telephone number). The script language also contains the commands required to


Corporate Login Scripts

SecureLogin is designed for large networks. It supports the ability to use eDirectory to centralize the setup of the single sign-on applications. This feature is referred to as Corporate Login Scripts.

A corporate login script can be stored in either a file system or in a Container object located in eDirectory. This feature gives you the ability to write and define single sign-on scripts once for the whole organization, while still allowing for customized subordinate containers and User objects. This customization significantly reduces the effort and complexity of enterprise deployment.

If a subordinate object has a different script for the same application defined locally, the local copy is used instead of the version on the higher object. If a script is defined on a User object with the same name as a script defined on a Container object, or if two scripts with the same name exist on Container objects at different levels, the script from the subordinate object is always used instead of the script on the higher-level object. This strategy allows corporate scripts to be specialized where needed.

For more detail on scripting, see Administering Scripts and Script Reference Guide.
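The precedence rule above (the script nearest the User object wins, walking up through its containers) is easy to get wrong when several levels define the same application. The following added example is not SecureLogin code; it models a small eDirectory tree as linked objects (names such as `o=acme`, `ou=sales`, `alice`, `bob`, and the script texts are constructed for illustration) and resolves the effective script for a user and application by that rule.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class DirObject:
    """A User or Container object: its DN, its parent, and any scripts stored on it."""
    dn: str
    parent: Optional["DirObject"]
    scripts: Dict[str, str] = field(default_factory=dict)  # application name -> script text


def resolve_script(obj: DirObject, application: str) -> Optional[Tuple[str, str]]:
    """Return (dn, script) for the effective script, or None if no level defines one.

    Walks from the object itself up to the root of the tree; the first object that
    carries a script for the application wins, so a User or subordinate Container
    copy always shadows a copy on a higher Container.
    """
    current = obj
    while current is not None:
        if application in current.scripts:
            return current.dn, current.scripts[application]
        current = current.parent
    return None


def build_sample_tree() -> Dict[str, DirObject]:
    """Constructed sample tree: an organization, one OU, and two users."""
    org = DirObject("o=acme", None, {
        "MailApp": "corporate MailApp script",
        "ERP": "corporate ERP script",
    })
    sales = DirObject("ou=sales,o=acme", org, {
        "ERP": "sales-specific ERP script",   # overrides the corporate ERP script
    })
    alice = DirObject("cn=alice,ou=sales,o=acme", sales, {
        "MailApp": "alice's personal MailApp script",  # overrides the corporate copy
    })
    bob = DirObject("cn=bob,ou=sales,o=acme", sales)   # defines nothing locally
    return {"org": org, "sales": sales, "alice": alice, "bob": bob}


if __name__ == "__main__":
    tree = build_sample_tree()
    for user in ("alice", "bob"):
        for app in ("MailApp", "ERP", "CRM"):
            print(user, app, "->", resolve_script(tree[user], app))
```

Running it shows that `alice` gets her own `MailApp` script but the sales OU's `ERP` script, `bob` inherits everything from the OU or the organization, and an application with no script at any level (`CRM`) resolves to nothing, which is the case an administrator should check for before assuming single sign-on is configured.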


Terminal Launcher

Terminal Launcher enables you to easily launch terminal emulation sessions and to run a script within those sessions.

The script is stored within eDirectory, which makes it more secure than emulator-specific scripts written in a particular language for a particular emulator. Terminal Launcher scripts are designed to be compatible with many different emulators.

Combined with corporate scripts, Terminal Launcher is very powerful. It can be used to provide shortcut icons to mainframe or UNIX applications, removing the need for user intervention.

You access Terminal Launcher from Start > Programs > Novell SecureLogin > Terminal Launcher.


OS/390: ACF2 and RACF

The OS/390 component allows clients to authenticate to a mainframe using a fixed password. It also provides background authentication if the user has logged onto the LAN and the LAN has been set up as a trusted partner.

The SecureLogin ACF2 and RACF interfaces (known as SAF exits) are called from ACF2 or RACF to validate a user's account and password. The exit reads the user's authentication information from InfoStorage (the mainframe database), validates the user-provided details, and returns an ACCEPT or DENY to ACF2 or RACF.

The InfoStorage database is a copy of the user's authentication data held inside eDirectory. The SecureLogin ACF2/RACF is composed of two components:


AS/400

SecureLogin supports the AS/400 with its Universal Single Sign-On client and can use the script engine to automate complex multi-stage logins as required.


SAP/R3

The SAP/R3 interface takes advantage of the SecureLogin Universal Single Sign-On client and can use the script engine to automate complex multi-stage logins as required.


Single Sign-on for Windows Applications

The component for Windows applications enables most Windows applications to use single sign-on. This component works with


Internet Browsers

The Microsoft* Internet Explorer and Netscape* components enable applications that are accessed through these browsers to use single sign-on.

This component also enables sites that use HTTP dialog authentication to use single sign-on.


Lotus Notes

The SecureLogin Lotus Notes* component enables you to use single sign-on with Lotus Notes. This component is a more specialized version of the Windows applications single sign-on component and is designed so that you do not even notice you have switched over to single sign-on (apart from the lack of login screens). A Lotus Notes SecureLogin DLL, which tightly integrates with the Lotus Notes authentication system, is installed on each workstation.

After installation, the next time you authenticate to Lotus Notes you actually type your password into a SecureLogin panel designed to look like the Lotus Notes password box. This is the last time you have to enter your password into Notes.

The next time you are required to authenticate, SecureLogin communicates with Lotus Notes in the background. The password box to log in never appears. At the end of the password expiration period, SecureLogin can prompt for a new password or automatically populate the password field.

SecureLogin supports password expiration in Notes and, as with all applications, can be set up to automatically generate a random password, based on a password policy. In addition to controlling single sign-on, this component supports


Mobile Single Sign-On

Taking advantage of eDirectory architecture, SecureLogin allows users to roam with their authentication details. Because there are no workstation dependencies, users can move freely from office to office. Their credentials follow them.

By using the local encrypted cache, SecureLogin also allows notebook users access to single sign-on.


Background Authentication (Passticket)

SecureLogin includes a method of signing on to back-end systems. This method does not involve the use of a password. Instead, it uses a cryptographic key process to securely authenticate the user to the remote system. This technology is referred to as Passticket single sign-on or background authentication.

Background authentication means that rather than simply typing in the username and password for a user, SecureLogin can effectively take over the authentication process of the application by using a shared cryptographic key between different platforms (such as the LAN and mainframe).

This method is possible only with applications that expose programming interfaces into their products, and only where those interfaces allow Passticket technology.

SecureLogin currently supports a number of platforms with background authentication, including UNIX, mainframe, and Internet servers such as Netscape Enterprise Server*.
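The two authentication paths described on this page, the SAF exit that validates user-provided details against the InfoStorage copy and returns ACCEPT or DENY, and background (Passticket) authentication that replaces the password with a shared cryptographic key, can be contrasted in a few lines of code. The following is an added example and not SecureLogin's or the mainframe's actual implementation: the ticket construction (an HMAC over user, application and a time window), the `InfoStorage` class, the `saf_exit` function, the window length, and the sample users and key are all assumptions made for illustration. What it demonstrates is the property the page describes: with a ticket, no password crosses the wire and the back end only needs its copy of the key.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

WINDOW_SECONDS = 600  # assumed ticket validity window for this illustration


def make_ticket(shared_key: bytes, user: str, application: str, now: int) -> str:
    """Client side (the SecureLogin agent): derive a one-time ticket from the shared key.

    The ticket binds the user, the target application and the current time window,
    so it cannot be replayed against another application or long after it was issued.
    """
    window = now // WINDOW_SECONDS
    message = f"{user}|{application}|{window}".encode()
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


class InfoStorage:
    """Constructed stand-in for the mainframe copy of the user's eDirectory auth data."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def add_user(self, user: str, shared_key: Optional[bytes] = None,
                 password: Optional[str] = None) -> None:
        record = {"key": shared_key, "salt": None, "pw_hash": None}
        if password is not None:
            # Fixed-password users are stored as a salted PBKDF2 hash, never in clear.
            record["salt"] = os.urandom(16)
            record["pw_hash"] = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), record["salt"], 100_000)
        self.records[user] = record


def saf_exit(store: InfoStorage, user: str, application: str,
             ticket: Optional[str] = None, password: Optional[str] = None,
             now: int = 0) -> str:
    """Server side (the SAF exit): validate what the client presented and answer ACCEPT/DENY."""
    record = store.records.get(user)
    if record is None:
        return "DENY"

    # Background authentication: recompute the ticket from the stored shared key.
    if ticket is not None and record["key"] is not None:
        # Accept the current window and the one just before it to tolerate clock skew
        # across the LAN / mainframe boundary.
        for skew in (0, WINDOW_SECONDS):
            expected = make_ticket(record["key"], user, application, now - skew)
            if hmac.compare_digest(expected, ticket):
                return "ACCEPT"
        return "DENY"

    # Fixed-password authentication: compare against the stored salted hash.
    if password is not None and record["pw_hash"] is not None:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), record["salt"], 100_000)
        return "ACCEPT" if hmac.compare_digest(candidate, record["pw_hash"]) else "DENY"

    return "DENY"


def build_sample_store() -> InfoStorage:
    """Constructed sample data: one Passticket user, one fixed-password user."""
    store = InfoStorage()
    store.add_user("alice", shared_key=b"constructed-shared-key-for-demo")
    store.add_user("bob", password="constructed-password")
    return store


if __name__ == "__main__":
    store = build_sample_store()
    now = 1_000_000
    t = make_ticket(b"constructed-shared-key-for-demo", "alice", "PAYROLL", now)
    print("alice/PAYROLL ticket:", saf_exit(store, "alice", "PAYROLL", ticket=t, now=now))
    print("alice/HR same ticket:", saf_exit(store, "alice", "HR", ticket=t, now=now))
    print("bob/PAYROLL password:", saf_exit(store, "bob", "PAYROLL", password="constructed-password"))
```

Both answers come from the same exit entry point, mirroring the page's description: the ticket path succeeds only if the mainframe holds the same key that the LAN side used, the same ticket is refused for a different application or once its window has passed, and an unknown user or a wrong password yields DENY without revealing which check failed.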


Windows NT / 2000 Login

The Windows NT Login panel is a Windows NT GINA application. It enables users to enter their login details and use fixed passwords to gain access to the network.

The process works as follows:

1. Users enter their login details or authentication credentials into the modified Windows NT GINA.
2. The GINA communicates with the Authentication server to validate the user credentials.
3. The GINA receives network login details.
4. The workstation begins a normal LAN login.


Windows 95/98/ME Login

SecureLogin for Windows 95/98/ME integrates with the existing WINLogin process and allows a user to authenticate to the network using biometric, token, smart card, or fixed password technology.


