Tuesday, 12 March 2013

Single Sign On: regulating access cards


By now, many organisations are aware of the advantages of Single Sign On (SSO). Employees benefit from SSO because they only have to remember a single (complex) password rather than dozens of them, the IT department receives fewer password reset calls, and network security improves, which helps the organisation meet its auditing requirements.
However, many organisations want to strengthen security further by adding pass cards to the login process, giving two-factor (and therefore stronger) authentication. SSO makes this possible by replacing the initial AD username and password login with an access card and PIN code. Any type of card can be used for this, e.g. a debit card or even a library card. Users log in by placing their card against or on a card reader, after which SSO logs them in automatically when they launch their permitted applications. The card’s unique ID is linked to the holder’s username and password. Note that the card on its own only proves possession (the serial number of most contactless cards can be read by any compatible reader), so the PIN is what makes the login two-factor. In many cases, end users are able to assign the card to their account themselves through self-service enrolment.

Although this is very user-friendly for employees, organisations usually prefer to permit only cards which have been issued by the organisation itself rather than arbitrary card types. Tools4ever is the only supplier offering network administrators the ability to accept only cards within a certain number range. In other words, certain cards can be excluded from self-service enrolment, so that physical access cards are only allowed if they have been issued by management.

E-SSOM, the Single Sign On solution by Tools4ever, can also be configured to allow only active cards. For example, when a card is issued (i.e. when a new employee joins), it is activated. By setting up a link with the key card system, it is possible to accept only cards that are actively used within the organisation. When employees leave, their access cards are revoked and/or disabled, after which the card is also disabled in E-SSOM.
It is even possible to go a step further and only accept cards of employees who are physically present within the premises. Another option is to link access cards to the HRM system. When the HRM system indicates that an employee has left the company, that user card will be disabled so that it can no longer be presented to obtain physical or network access.
Single Sign On combined with pass cards offers a variety of options for integration with other systems. Tell us what you want and we can give you a tailored solution.
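The three acceptance rules described above (issued serial range, card still active in the key-card system, holder on the premises) can be written as a single policy check that runs at self-service enrolment and again at every card login. The following is an added example, not E-SSOM code. It assumes card UIDs are plain integers, that the organisation knows the serial ranges of the cards it has issued, and that the physical access-control system can be queried for each card's owner, status and last badge direction; all records below are constructed.

```python
"""Card acceptance policy for SSO self-service enrolment and card login.

Added example, not E-SSOM code. Card UIDs, issued ranges and the
access-control records are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CardRecord:
    uid: int
    owner: str         # account the card was issued to (assumption: known to the key-card system)
    active: bool       # False once the leaver process has revoked the card
    on_premises: bool  # derived from the last door event (in vs out)


# Serial ranges of cards issued by the organisation; anything else is a
# random debit, library or visitor card and is refused before any lookup.
ISSUED_RANGES = [(100_000, 199_999), (500_000, 509_999)]

# Constructed stand-in for a lookup against the key-card / access-control system.
ACCESS_CONTROL = {
    123_456: CardRecord(123_456, "alice", active=True, on_premises=True),
    123_457: CardRecord(123_457, "bob", active=False, on_premises=False),   # leaver, card revoked
    505_000: CardRecord(505_000, "carol", active=True, on_premises=False),  # badged out of the building
}


def in_issued_range(uid: int) -> bool:
    return any(lo <= uid <= hi for lo, hi in ISSUED_RANGES)


def evaluate_card(uid: int, username: str, require_presence: bool = False):
    """Decide whether this card may be enrolled for, or used to log in as, username.

    Returns (allowed, reason). Checks run cheapest first; the presence check is
    optional because not every site records badge direction.
    """
    if not in_issued_range(uid):
        return False, "card serial is outside the organisation-issued ranges"
    record = ACCESS_CONTROL.get(uid)
    if record is None:
        return False, "card is in an issued range but unknown to the key-card system"
    if not record.active:
        return False, "card has been revoked or not yet activated"
    if record.owner != username:
        return False, "card was issued to a different account"
    if require_presence and not record.on_premises:
        return False, "card holder is not on the premises"
    return True, "ok"


if __name__ == "__main__":
    for uid, user, presence in [(123_456, "alice", True), (987_654, "dave", False),
                                (123_457, "bob", False), (505_000, "carol", True),
                                (123_456, "mallory", False)]:
        print(uid, user, evaluate_card(uid, user, presence))
```

The owner check is an assumption beyond the text: it stops a user from self-enrolling a colleague's card, which the range and active checks alone would accept. Because the decision depends on the key-card system, the SSO side should fail closed if that lookup is unavailable.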

Tuesday, 3 July 2012

Who’s speaking please?

The majority of calls received by the IT helpdesk need to be verified. After all, to protect the network, the helpdesk needs to be certain that the caller is who they say they are before granting access rights to applications. So, how can they do this whilst protecting each end-user’s personal information?


A lot of organisations use physical forms of identification: for example, employees will be asked to provide a document signed by their manager or a copy of their passport before being assigned permissions. Although this process can be unnecessarily time-consuming, quicker approaches such as simply calling the helpdesk are often deemed unsafe by management because they involve too many risks.

To help solve these issues, Tools4ever has developed the Helpdesk Caller ID Verification solution, which allows service desk staff to securely determine a caller’s identity over the phone. When enrolling with the software, employees must answer a series of personal questions, for example “What is your mother’s maiden name?”

The answers to these questions can from then on be used to verify each employee’s identity. To make this process even more secure, IT Support are not able to see the actual answer to the question, only parts of it (for example the first and last letter of the answer). The helpdesk assistant asks the caller for the missing letters and can then verify the identity of the caller. Because answers such as a mother’s maiden name can sometimes be found in public records, questions should be chosen whose answers are not easily discoverable, and failed attempts should be limited and logged.
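One way to build the partial-answer check described above so that the helpdesk agent never holds the full answer is to store a keyed tag per character instead of the answer itself, show the agent only the first and last letter, and verify the letters the caller reads out for randomly chosen interior positions. This is an added example, not Tools4ever's Helpdesk Caller ID Verification code. It assumes the verification service holds a key that is kept out of the enrolment database (so the database alone does not reveal answers); the user, question and answer are constructed.

```python
"""Partial-answer verification for helpdesk callers.

Added example, not Tools4ever code. SERVICE_KEY, the user, the question and
the answer are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets

# Assumption: held only by the verification service (secret store or HSM),
# never stored alongside the enrolment records.
SERVICE_KEY = b"constructed-demo-key-do-not-reuse"


def normalise(answer: str) -> str:
    """Case- and punctuation-insensitive, so 'Van der Berg' and 'vanderberg' match."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def _tag(user: str, question_id: str, position: int, char: str) -> bytes:
    """Keyed commitment to one character, bound to user, question and position."""
    msg = f"{user}\x00{question_id}\x00{position}\x00{char}".encode()
    return hmac.new(SERVICE_KEY, msg, hashlib.sha256).digest()


def enrol(user: str, question_id: str, answer: str) -> dict:
    """Store one tag per character; the plaintext answer is discarded."""
    a = normalise(answer)
    if len(a) < 4:
        raise ValueError("answer too short to challenge meaningfully")
    return {
        "length": len(a),
        "first": a[0],
        "last": a[-1],
        "tags": [_tag(user, question_id, i, c) for i, c in enumerate(a)],
    }


def agent_view(record: dict) -> str:
    """What the helpdesk agent sees: first and last letter only."""
    return record["first"] + "_" * (record["length"] - 2) + record["last"]


def choose_positions(record: dict, count: int = 2) -> list[int]:
    """Random interior positions, so an agent cannot reassemble the answer over repeated calls."""
    interior = list(range(1, record["length"] - 1))
    return sorted(secrets.SystemRandom().sample(interior, min(count, len(interior))))


def verify(user: str, question_id: str, record: dict, given: dict[int, str]) -> bool:
    """Check the letters the caller read out for the challenged positions.

    Every position is checked with a constant-time compare and only the
    overall result is returned, so the agent cannot probe letter by letter.
    Positions the agent can already see (first/last) are never accepted.
    """
    if not given:
        return False
    ok = True
    for position, char in given.items():
        c = normalise(char)
        if position <= 0 or position >= record["length"] - 1 or len(c) != 1:
            ok = False
            continue
        ok &= hmac.compare_digest(record["tags"][position],
                                  _tag(user, question_id, position, c))
    return ok
```

Usage: at enrolment keep `enrol(...)`'s record; on a call, show `agent_view(record)`, pick `choose_positions(record)`, and pass the caller's letters for those positions to `verify`. The per-character tags cover a 36-symbol alphabet, so anyone holding SERVICE_KEY could brute-force them; that is why the key stays inside the verification service and why the service, not the agent, should enforce attempt limits.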

Helpdesk Caller ID Verification can be a very cost-effective solution as it doesn’t require any additional hardware and allows organisations to securely determine the identity of their callers, without any long-drawn-out procedures. An ideal way to secure your network, without any muss or fuss!

Thursday, 24 May 2012

ACCESS MANAGEMENT AND SOX COMPLIANCY/AUDITS

We frequently deal with companies that have to be compliant with SOX regulations. This often has a big impact on the IT department, particularly with regard to managing access rights. In these scenarios we find three very common issues which tend to arise:

Workflow and validations on access rights:

Whether it concerns regular Active Directory user accounts, NTFS rights, Active Directory groups, e-mail or application authorisations, all requests and validations have to comply with SOX regulations. This can often mean that, in order to create each user account, the IT department needs sign-off from the person making the request, as well as from the validating manager and IT management.

Traditionally this had to be done by a manual, paper-driven process, and many companies still use this outdated method. This means that every time a SOX audit takes place, the IT department has to spend weeks sorting through the papers with the auditor. However, an automated workflow management system (as provided with software like UMRA, User Management Resource Administrator) can automate these steps and make SOX audits a piece of cake for the IT department.

With UMRA there’s no risk of papers getting lost in the audit process or people having to wait for their access rights, as the solution will automatically alert the appropriate staff, who can validate a request before it is sent to IT.

Traceability:

In order to comply with regulations, all requests for access and all grants of access must be traceable. This is a standard feature of Tools4ever’s Identity and Access Management suite.

Segregation of Duty:

In order to comply with some SOX requirements, certain tasks must be done by separate members of staff. For example an order placed by person X must be validated by person Y. This has consequences for access management as permission to use certain data, or the access rights within an application must be tightly controlled.

The access management system must block or alert staff whenever two permissions that must not be combined are about to be granted to the same user. This is easy to achieve with the reporting and provisioning mechanisms in Tools4ever’s identity and access management solutions. The solution only needs to know which permissions cannot be combined and it will then automatically enforce and audit these requirements.
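The segregation-of-duty rule above has one practical wrinkle: permissions are usually granted through roles or groups, sometimes nested, so a request for a single role can silently complete a toxic combination. The following is an added example, not Tools4ever provisioning code, showing a check that evaluates the user's effective permissions, returns block/alert/allow for a request, and produces the periodic audit report for accounts that already hold a conflict. Roles, rules and users are constructed.

```python
"""Segregation-of-duty check for access requests, evaluated on effective permissions.

Added example, not Tools4ever code. Roles, rules and users are constructed.
"""

# Constructed role -> grants table; a grant starting with "role:" nests another role.
ROLES = {
    "buyer": {"erp:create_po"},
    "po_approver": {"erp:approve_po"},
    "ap_clerk": {"ap:create_vendor"},
    "ap_payments": {"ap:pay_vendor"},
    "finance_lead": {"role:po_approver", "role:ap_payments", "gl:post_journal"},
}

# Constructed toxic combinations: (permissions that must not coexist, action).
SOD_RULES = [
    ({"erp:create_po", "erp:approve_po"}, "block"),   # person X orders, person Y validates
    ({"ap:create_vendor", "ap:pay_vendor"}, "block"),
    ({"gl:post_journal", "erp:approve_po"}, "alert"),
]


def expand(grants: set[str]) -> set[str]:
    """Resolve role:* grants (recursively, cycle-safe) to the flat set of effective permissions."""
    effective, todo, seen = set(), list(grants), set()
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        if g.startswith("role:"):
            todo.extend(ROLES.get(g[len("role:"):], set()))
        else:
            effective.add(g)
    return effective


def violations(grants: set[str]) -> list[tuple[frozenset, str]]:
    """Every SoD rule fully satisfied by the user's effective permissions."""
    eff = expand(grants)
    return [(frozenset(pair), action) for pair, action in SOD_RULES if pair <= eff]


def evaluate_request(current: set[str], requested: str) -> tuple[str, list]:
    """Return ('allow'|'alert'|'block', conflicts the request would newly introduce)."""
    before = set(violations(current))
    after = set(violations(current | {requested}))
    new = sorted(after - before, key=lambda v: sorted(v[0]))
    if any(action == "block" for _, action in new):
        return "block", new
    if new:
        return "alert", new
    return "allow", new


def audit(users: dict[str, set[str]]) -> dict[str, list]:
    """Periodic report: accounts that already hold a toxic combination."""
    return {u: v for u, g in users.items() if (v := violations(g))}
```

`evaluate_request` only reports conflicts the request adds, so a user who already holds a conflict is not re-blocked on unrelated requests; that existing conflict is what `audit` is for. Note the third test below: requesting `finance_lead` is blocked even though the conflicting permission is two levels down in the role hierarchy.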

Feel free to contact your Tools4ever office if you have any questions about SOX compliancy, and Access Management workflows.

Tuesday, 24 January 2012

Password Synchronisation vs. Single Sign On

Clients often ask me to advise them on reducing the number of passwords end-users need to use in order to access their account and applications. Their first approach, in order to avoid multiple passwords, is usually to ensure that passwords are synchronised over different systems.

This is certainly a valid approach, but is it always the best solution? This post focuses on the advantages and disadvantages of using a password synchronisation tool to reduce the number of login credentials. It also looks at the strength of Enterprise Single Sign On software as an alternative (such as Tools4ever’s E-SSOM).

Although password synchronisation solutions will reduce the number of passwords the end user needs to key in, a number of technical conditions must be met in order for the software to function effectively:

1. Password synchronisation applications (for example PSM (Password Synchronisation Manager) by Tools4ever) need to know which account in each application corresponds to which user in the enterprise directory (such as Active Directory). This is not always straightforward, as many applications use different (manual) naming conventions or limit the number and/or type of characters in the user name.

2. Each application must allow an automated password change whenever a password is amended in Active Directory. This often requires a specific connector or API. The password complexity rules of the application must also be compatible with those of the central directory. However, many applications have limited password complexity rules, so weaker passwords would need to be used at Active Directory level in order for the password synchronisation to work. This kind of scenario is not ideal as it weakens the directory password itself. A related consequence is that every application receiving the synchronised password now holds the directory password, so an application that stores or transmits it weakly exposes the central account too.

In many cases the conditions above mean that a new project must be undertaken to make password synchronisation possible. This involves time, resources and may involve changing usernames and passwords for the end user which is just the situation that we are trying to avoid.
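Both conditions can be checked before a synchronisation project starts rather than discovered during it. The following is an added example, not PSM code: it models each system's password rules as a policy, computes the strongest password every system will accept (the tightest bound of each rule), reports which systems would reject a candidate password, and applies an application's naming convention to directory account names to find collisions. Systems, rules and names are constructed.

```python
"""Preconditions for password synchronisation, made checkable.

Added example, not PSM code. The policies and account names are constructed.
"""
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    system: str
    min_len: int
    max_len: int
    allowed: frozenset  # characters the system accepts


PRINTABLE = frozenset(string.ascii_letters + string.digits + string.punctuation)
ALNUM = frozenset(string.ascii_letters + string.digits)


def effective_policy(policies: list[PasswordPolicy]) -> PasswordPolicy:
    """The only policy a single synchronised password can satisfy: the tightest bound of each rule."""
    min_len = max(p.min_len for p in policies)
    max_len = min(p.max_len for p in policies)
    allowed = frozenset.intersection(*(p.allowed for p in policies))
    if min_len > max_len or not allowed:
        raise ValueError(f"no password satisfies every system (min {min_len} > max {max_len})")
    return PasswordPolicy("effective", min_len, max_len, allowed)


def max_entropy_bits(p: PasswordPolicy) -> float:
    """Upper bound on the strength a policy permits (length times log2 of alphabet size)."""
    return p.max_len * math.log2(len(p.allowed))


def rejecting_systems(password: str, policies: list[PasswordPolicy]) -> list[str]:
    """Which systems would refuse this password if it were pushed to them."""
    return [p.system for p in policies
            if not (p.min_len <= len(password) <= p.max_len and set(password) <= p.allowed)]


def map_usernames(directory_names: list[str], convention) -> tuple[dict, dict]:
    """Apply an application's naming rule; return clean mappings and the names that collide."""
    buckets: dict[str, list[str]] = {}
    for name in directory_names:
        buckets.setdefault(convention(name), []).append(name)
    clean = {app: src[0] for app, src in buckets.items() if len(src) == 1}
    collisions = {app: src for app, src in buckets.items() if len(src) > 1}
    return clean, collisions


# Constructed systems: a modern directory policy and an old application that
# accepts at most 8 letters and digits.
AD = PasswordPolicy("active_directory", 12, 127, PRINTABLE)
LEGACY = PasswordPolicy("legacy_erp", 6, 8, ALNUM)

if __name__ == "__main__":
    try:
        effective_policy([AD, LEGACY])
    except ValueError as e:
        print("sync impossible as configured:", e)
    relaxed = PasswordPolicy("active_directory", 8, 127, PRINTABLE)
    eff = effective_policy([relaxed, LEGACY])
    print("effective policy:", eff.min_len, eff.max_len, f"{max_entropy_bits(eff):.1f} bits")
    print(map_usernames(["john.smithson", "john.smithers", "amy.lee"],
                        lambda n: n.replace(".", "")[:8]))
```

With these constructed policies the directory minimum (12) exceeds the legacy maximum (8), so no shared password exists until the directory rule is relaxed; once it is, every synchronised password is capped at 8 alphanumeric characters, roughly 47.6 bits at best, for every system, including the directory. The naming check shows the other condition from the list: an 8-character truncation rule maps two different directory accounts to the same application username.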

Enterprise Single Sign On solutions can offer a number of advantages over PSM software. Firstly, it is often easier to implement an Enterprise Single Sign On solution. Enterprise SSO solutions (specifically E-SSOM by Tools4ever) can recognise the login screens/events of applications and can automatically fill them out. The result for the end user can be even better than a successful password synchronisation as not only do they no longer have to remember different sets of login credentials, but they also do not need to key in logon credentials for each application.

In the case of Enterprise SSO Manager:

1. The conditions (as specified above) for password synchronisation do not have to be met.

2. Nothing has to be changed in the existing login/password structures.

3. No APIs or connectors are necessary to access application passwords.

4. The solution will work with any type of application or mode of authentication.

As such, Enterprise Single Sign On solutions are often the preferred choice over Password Synchronisation tools. Personally, I find that if you only have one or two applications to synchronise and all the conditions have been met anyway, Password Synchronisation can be an excellent tool to use. However, if the conditions for password synchronisation are not met natively or if you are interested in ‘synchronising’ more applications, an Enterprise SSO solution like Tools4ever’s E-SSOM, would be the better solution in terms of light implementation, scalability and resulting ease of use for the end-user.

To learn more about E-SSOM and PSM please visit:

Enterprise SSO Manager http://www.tools4ever.com/gb/products/enterprise-single-sign-on-manager/

Password Synchronisation Manager http://www.tools4ever.com/gb/products/password-synchronization-manager/

Monday, 12 December 2011

SSO: the new software that could be the answer to NHS data protection woes

Healthcare organisations such as hospitals and surgeries operate complex networks comprising various applications running on multiple systems. Users need access to multiple applications for e-mail, the helpdesk, patient data, etc. In order to comply with increasingly strict security requirements, staff must enter separate username and password combinations for each application. This can easily mean entering credentials for 12 different applications or more [Source: SINGLE SIGN ON SURVEY REPORT, July 2011]. With so many combinations to remember it is likely that employees will store this data in an insecure way, i.e. write their passwords on sticky notes or share login credentials with colleagues. System administrators take extra precautions to keep the network safe, such as requiring complex passwords and setting a maximum validity period for passwords. Often, all of this only serves to exacerbate the issue further.


Issues such as these gave rise to the development of Enterprise Single Sign On (SSO) solutions. With an SSO solution employees have to enter just one set of login credentials, after which they are logged in automatically to all their required applications. This greatly helps to limit security issues and speed up the login process. However, even the initial login can prove too time-consuming in a busy A&E, and this is where the further features of E-SSOM, Tools4ever’s SSO solution, could have industry-changing consequences.

To ensure proper patient care, doctors need quick access to patient information. The “Fast User Switching” feature lets staff log in and out of shared computers quickly. When users log in using Fast User Switching, the applications they need are launched and logged in immediately and automatically. When users log out, the SSO solution can log out of the applications and/or close them. The login process can be made even easier when Fast User Switching is combined with a key card. In this scenario presenting the key card grants the user access to the desired applications, and removing it logs them out, making the computer available to other members of staff.

Another feature which can prove very useful in this environment, as an alternative to Fast User Switching, is “Follow Me”. Staff begin by logging into the network and launching the required applications (the SSO solution takes care of automatic login). If the user decides to change computer, they can take the logged-in session ‘with them’ to the other one, and immediately have access to the desktop and applications launched earlier. As with Fast User Switching, it is possible to link the switching of users to a key card. In this scenario a user only needs to identify themselves with a key card and an optional PIN code.

This kind of innovative technology could greatly reduce the instances of data protection breaches within the healthcare sector, whilst also improving the overall productivity of the workforce in general. In the current economic climate this could help to improve the quality of care given despite tight budget cuts.

Monday, 31 October 2011

Can time-consuming login processes become a thing of the past?

Password synchronisation solutions can prove extremely useful for increasing efficiency and reducing costs. As with Tools4ever’s Password Synchronisation Manager (PSM), they allow end-users to use a single password for logging into their network and all other applications they require access to. After end-users have changed their password, PSM ensures that they can log in directly to all the required systems and applications with a single set of log-on credentials. This can improve end-user productivity and minimise the number of password-related helpdesk calls. But is it possible to enhance efficiency and workforce productivity further still?


Password Synchronisation solutions alone still require the end-user to manually log-in to each application and system they use, which can be extremely time-consuming. A recent survey has shown that an alarming 28.1% of us have to remember over 12 different username and password combinations in order to do our work on a daily basis, with the majority of us having to key-in up to seven. And 85.3% of us think that we would be able to work more efficiently if the time it took to log-in to systems was reduced.

SSO solutions, such as Tools4ever’s E-SSOM, offer effective answers to these issues. Once a user has logged into the network and logged on to their required applications, E-SSOM will remember the login credentials required for each application/system and automatically log the user in thereafter, whenever the application/system is launched.

However, in combination with PSM, this initial manual login is no longer needed, because PSM communicates directly with E-SSOM. When a password is changed in Active Directory, PSM immediately ensures that all applications/systems receive and apply the new password, and passes the current credentials to E-SSOM, which can then log the user in to all applications and systems automatically.

The combination of these two solutions makes login procedures even more efficient: user convenience is optimised, and the process is simplified for system administrators when access to new applications has to be added to user accounts, or when applications/systems require users to change their login credentials frequently.

With the combination of the two solutions, time-consuming log-in procedures can become a thing of the past. End-user convenience can be at an optimum level, with increased workforce productivity.

Monday, 22 August 2011

UMRA & Migration

Many companies are apprehensive about implementing UMRA when they are in the middle of a migration to an Active Directory (AD) environment. A common misconception is that the migration must first be completed before UMRA will work properly; another is that starting a different project during the migration might overcomplicate matters and delay the project deadline. In fact, UMRA assists migration both before and after the project and streamlines the process. Tools4ever provides project management expertise which speeds up the migration process.

There are two common migration scenarios. The first is domain consolidation: multiple AD domains being collapsed into a single domain. In this scenario UMRA is able to recreate the user account and, more often than not, retain the username in the new domain. Where the migration results in duplicate names, organisations can choose to implement a new naming convention. UMRA will create a new user name and alert end users, via e-mail, what their new username will be along with the date from which that name will be valid.

Not only is the user migration process streamlined, but so are those users’ resources, including group memberships and home directory data. As users are migrated UMRA retains their group memberships; if one of the groups does not exist in the new domain, UMRA creates it automatically. Home directory data can either be copied to a new server in the new domain or re-permissioned on the existing server with the SID of the newly migrated account.

UMRA also assists and eases the migration process by:

Eliminating pollution: Most migration tools copy 1:1, which carries over erroneous and/or stale accounts. UMRA instead migrates users by reconciling them against an HR/SIS system, so that pollution is not included. Activity reports on unused groups are generated so that these objects are not migrated.

Filling attributes: When migration takes place there may be missing information such as “title” or “department”. UMRA populates this information automatically as needed.
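The consolidation steps in this post (reconcile against HR, keep usernames where possible, apply a new convention on collisions, notify renamed users, create missing groups, fill blank attributes) can be dry-run as a plan before anything is written to the target domain. The following is an added example, not UMRA code. It assumes an HR extract listing active employee IDs and that each source account carries its employee ID in an attribute; domains, accounts, groups and titles are constructed.

```python
"""Domain consolidation dry run: HR reconciliation, name collisions, missing groups, blank attributes.

Added example, not UMRA code. Domains, accounts, HR data and groups are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SourceAccount:
    domain: str
    sam: str                    # sAMAccountName in the source domain
    employee_id: Optional[str]  # assumption: stored in an attribute of the source account
    groups: frozenset
    title: Optional[str] = None


def consolidate(accounts, hr_active: set[str], convention: Callable[[SourceAccount], str]):
    """Plan the merge of several domains into one.

    Returns (migrations, skipped, renames): accounts to create with their target
    name, accounts not migrated (with the reason), and the old -> new name map
    used for the notification e-mails. Processing order is deterministic so a
    re-run produces the same plan.
    """
    migrations, skipped, renames = [], [], {}
    taken: set[str] = set()
    for acct in sorted(accounts, key=lambda a: (a.domain, a.sam)):
        if acct.employee_id is None or acct.employee_id not in hr_active:
            skipped.append((f"{acct.domain}\\{acct.sam}", "no active HR record"))
            continue
        name = acct.sam
        if name.lower() in taken:           # duplicate across domains: apply the new convention
            name = convention(acct)
        base, n = name, 2
        while name.lower() in taken:        # convention collided as well: numeric suffix
            name, n = f"{base}{n}", n + 1
        if name != acct.sam:
            renames[f"{acct.domain}\\{acct.sam}"] = name
        taken.add(name.lower())
        migrations.append((name, acct))
    return migrations, skipped, renames


def groups_to_create(migrations, existing_target_groups: set[str]) -> list[str]:
    """Groups referenced by migrated accounts that do not yet exist in the target domain."""
    needed = set()
    for _, acct in migrations:
        needed |= acct.groups
    return sorted(needed - existing_target_groups)


def fill_missing(acct: SourceAccount, hr_titles: dict[str, str]) -> Optional[str]:
    """Populate an empty attribute (here: title) from HR rather than migrate a blank."""
    return acct.title or hr_titles.get(acct.employee_id or "")


if __name__ == "__main__":
    accounts = [
        SourceAccount("EMEA", "jsmith", "E100", frozenset({"Finance"})),
        SourceAccount("APAC", "jsmith", "E101", frozenset({"Sales", "Finance"}), title="Rep"),
        SourceAccount("EMEA", "oldsvc", None, frozenset({"Legacy"})),      # no HR record: pollution
        SourceAccount("EMEA", "jsmith2", "E999", frozenset()),             # left the company
    ]
    plan = consolidate(accounts, {"E100", "E101"}, lambda a: f"{a.sam}.{a.domain.lower()}")
    migrations, skipped, renames = plan
    print("create:", [n for n, _ in migrations])
    print("skip:", skipped)
    print("notify:", renames)
    print("groups to create:", groups_to_create(migrations, {"Finance"}))
```

Because stale accounts are skipped before names are allocated, they neither occupy a username in the new domain nor drag their groups (here `Legacy`) across with them; only groups of migrated users are created.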