Understanding SecureLogin


SecureLogin Architecture

SecureLogin is a suite of applications for authentication and single sign-on. As the following figure illustrates, it includes components for both client and server:


SecureLogin architecture

SecureLogin works by keeping a record of user authentication credentials and instructions on how to use those credentials. SecureLogin stores these credentials in the directory, either directly or through the patented Novell SecretStore® technology. At runtime, SecureLogin detects login opportunities, retrieves the appropriate authentication credentials, then automatically supplies those credentials.


Script Language

The SecureLogin script language is a key feature of SecureLogin single sign-on. This language enables the product to be compatible with almost all network environments and applications.

SecureLogin uses the scripting language to provide a flexible single sign-on and monitoring environment. For example, the SecureLogin Windows Agent watches for application login boxes. When a login box is identified, the agent runs a script to enter the username, password, and background authentication information.

The script language is used in individual application scripts to retrieve and enter the correct login details. These scripts are stored and secured within the directory to ensure maximum security, support for single-point administration, and manageability.

The script language can be used to automate many login processes, such as multi-page logins and login panels requiring other information that can be stored in the directory (such as surname and telephone number). The script language also contains the commands required to automate password changes on behalf of users and request user input when it is required.

The scripting language has the following advantages:


SecureLogin Components

SecureLogin provides the SecureLogin workstation client and snap-ins to ConsoleOne®, Active Directory, and LDAP.

SecureLogin leverages your existing directory so that you can administer single sign-on solutions for applications, users, and the entire organization. With the SecureLogin administration tools, you can centrally manage users and corporate single sign-on applications and configurations.

SecureLogin includes the following utilities:

SecureLogin provides support for


The SecureLogin Application

Novell SecureLogin runs on the desktop. Users and administrators can use this tool to manage their single-sign-on logins. The following figure illustrates SecureLogin's main window:


Main window for Novell SecureLogin

This tool enables users to do the following at their workstations:

  • Add new applications for single sign-on
  • Manage logins by viewing the existing applications and Web sites for which single sign-on is enabled
  • Modify passwords for existing single sign-on enabled sites
  • Change settings and preferences

To access this tool:

  • Click Start > Programs > Novell SecureLogin > Novell SecureLogin.
  • Double-click the SecureLogin hand icon on the workstation's task bar (system tray).


Terminal Launcher

Terminal Launcher enables you to log in to any type of host that requires a user to log in using an emulator (for example, an ACF2 or RACF mainframe, a UNIX host, or a Cisco* router). Either you or the user configures Terminal Launcher to connect to the mainframe or host, wait for the login sequence, and then enter usernames and passwords.

Terminal Launcher enables you to easily launch terminal emulation sessions and to run a script within those sessions.

The script is stored within your configured host directory (for example, eDirectory, Active Directory, or LDAP), which makes it more secure than generic scripts that are written in a particular language for a particular emulator. These scripts are designed to be compatible with many different emulators.

Terminal Launcher can be used to provide shortcut icons to mainframe or UNIX applications, removing the need for user intervention.

The following figure illustrates Terminal Launcher:


Terminal Launcher window

To access Terminal Launcher, click Start > Programs > Novell SecureLogin > Terminal Launcher.


Corporate Login Scripts

SecureLogin is designed for large networks. It supports the ability to use the directory to centralize the setup of the single sign-on applications. This feature is referred to as corporate login scripts.

A corporate login script can be stored in either a file system or in a Container object located in the directory. This feature gives you the ability to write and define single sign-on scripts once for the whole organization, while still allowing for customized subordinate Container objects and User objects. This customization significantly reduces the effort and complexity of enterprise deployment.

If a subordinate object defines its own script for the same application, that local copy is used instead of the version on the higher object. If a script on a User object has the same name as a script on a Container object, or if two Container objects at different levels hold scripts with the same name, the script from the subordinate object is always used instead of the script from the higher-level object. This strategy allows corporate scripts to be specialized where needed.
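As an added illustration (not code from the SecureLogin documentation or product), the following Python models the precedence rule above: for each application name, the script on the object nearest the user wins, and a second helper lists which higher-level scripts are shadowed by subordinate overrides, which is the check an administrator wants before relying on a centrally defined script. The directory names and script texts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class DirObject:
    """A directory object (Container or User) holding application scripts.
    Constructed model for this example; not the real directory schema."""
    name: str                                            # e.g. "ou=Sales,o=Acme"
    scripts: Dict[str, str] = field(default_factory=dict)  # app name -> script text
    parent: Optional["DirObject"] = None

def chain(obj: DirObject) -> List[DirObject]:
    """Objects from the given object up to the root, subordinate first."""
    out = []
    while obj is not None:
        out.append(obj)
        obj = obj.parent
    return out

def effective_scripts(user: DirObject) -> Dict[str, Tuple[str, str]]:
    """Scripts that apply to the user: app name -> (script text, defining object).
    Walking subordinate-first and keeping the first hit implements
    'the subordinate object's script always wins'."""
    result: Dict[str, Tuple[str, str]] = {}
    for obj in chain(user):
        for app, text in obj.scripts.items():
            result.setdefault(app, (text, obj.name))
    return result

def shadowed_scripts(user: DirObject) -> List[Tuple[str, str, str]]:
    """(app, winning object, shadowed object) for every higher-level script
    that a subordinate object overrides for this user."""
    winner: Dict[str, str] = {}
    report: List[Tuple[str, str, str]] = []
    for obj in chain(user):
        for app in obj.scripts:
            if app in winner:
                report.append((app, winner[app], obj.name))
            else:
                winner[app] = obj.name
    return report

# Constructed sample tree: organization -> department container -> user
ORG = DirObject("o=Acme", {"SAP": "<corporate SAP script>",
                           "Notes": "<corporate Notes script>",
                           "Outlook": "<corporate Outlook script>"})
SALES = DirObject("ou=Sales,o=Acme", {"SAP": "<Sales SAP script>"}, parent=ORG)
USER = DirObject("cn=jdoe,ou=Sales,o=Acme", {"Notes": "<jdoe Notes script>"}, parent=SALES)
```

For jdoe the SAP script comes from ou=Sales and the Notes script from the User object; only Outlook is still the corporate version.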


Prebuilt Scripts

SecureLogin includes prebuilt scripts for many applications. These allow for quicker and easier integration of single sign-on for a broad range of industry standard applications.


Internet Browsers

The Microsoft* Internet Explorer and Netscape* components enable applications that are accessed through these browsers to use single sign-on. Depending on a workstation's configuration, the browsers might behave differently.

These components also enable sites that use HTTP dialog authentication to use single sign-on.


Lotus Notes

The SecureLogin Lotus Notes component enables you to use single sign-on easily with Lotus Notes. At the end of the Notes password expiration period, SecureLogin can prompt for a new password or automatically populate the password field with a new random value.

In addition to controlling single sign-on, this component supports

  • Multiple ID files for each user
  • The ability to exclude certain administrative IDs from being enabled for single sign-on


Mobile Single Sign-On

Taking advantage of the directory architecture, SecureLogin allows users to roam with their authentication details. Because there are no workstation dependencies, users can move freely from office to office. Their credentials follow them.

By using the local encrypted cache, SecureLogin also allows notebook users access to single sign-on while those users are disconnected from their network environment.


Window Finder

Window Finder can be used to gather information about a window containing a login box. The information shown by Window Finder can be helpful in creating new SecureLogin scripts for complex environments or to troubleshoot existing ones.

The following figure illustrates Window Finder:


SecureLogin Window Finder

To access Window Finder, click Start > Programs > Novell SecureLogin > Window Finder.


Login Watcher

Login Watcher helps gather information about an application that a user might want to enable for single sign-on. When run alongside an application, Login Watcher captures information such as the key and button actions used in the application and saves that information to a log file.


SecretStore

When SecureLogin is used with eDirectory, you can use SecretStore, a patented Novell technology, to store your application passwords and other authentication credentials. SecretStore is a repository located within your eDirectory User object.

SecretStore provides an added level of protection and security to SecureLogin. Only the SecretStore server can access secrets, and each secret is stored separately, so that access to data is very compartmentalized and controlled. SecretStore also provides additional capabilities to deter would-be intruders, whether internal or external to your organization.

You can share secrets among services. See "Interoperability Issues" as well as "Sharing Secrets with Novell Portal Services" in the Novell SecretStore 3.3.3 Administration Guide.

SecretStore runs on all eDirectory platforms: NetWare® 5.1, NetWare 6 or later, Windows NT/XP/2000/2003, Linux*, and Solaris*.


Snap-Ins to Manage SecureLogin

The following tools enable you to manage SecureLogin, so that users have a secure and productive single-sign-on environment:

  • SecureLogin snap-in to ConsoleOne
  • SecureLogin snap-in to MMC
  • SecureLogin Manager (slmanager.exe)


One-Time Passwords

SecureLogin 3.51.2 supports one-time passwords. This method provides background authentication and sign-on to back-end systems. Instead of using a password, this method uses a cryptographic key process to securely authenticate the user to the remote system.

Rather than simply typing in the username and password for a user, SecureLogin can take over the authentication process of the application, using a cryptographic key shared between the different platforms (such as the LAN and the mainframe). This is possible only for applications that expose programming interfaces through which one-time password functionality can be implemented.

To leverage one-time passwords with SecureLogin, you must purchase a third-party product for the application/server environment supporting the OTP authentication. This third-party product must be installed on the system that SecureLogin authenticates to. For example products, see One Time Password Authentication.