04.25.2018

About Agentless Single Sign-On

Single sign-on (SSO), as the desired end state for users who connect to a diverse set of applications, brings many advantages. There are multiple methods and architectures for achieving SSO, but one that should interest just about every customer is agentless SSO.

How Does Agentless SSO Work?

SSO is easily achieved when you are on a domain-joined Windows client and access only Kerberos-based resources that belong to the same Active Directory (AD) forest. However, even domain-joined resources such as SQL Server can act as their own directory silo, requiring an additional login. Inside the firewall there may be hundreds of applications, many requiring their own user account and password.

In the past, administrators and developers compromised security by trying to create 'SSO' scenarios that let users reuse the same password across disparate applications through a number of insecure workarounds. To enable a more secure SSO experience inside the firewall, some software vendors required their proprietary software agent to sit on one of the application servers (sometimes a domain controller) and intercept and channel requests to their proprietary server or application. The advent of internet web-based applications, extranet applications and mobile apps challenges the proprietary agent model, because those applications exist outside your firewall.

Each of your end users authenticates to scores of web applications. Administering thousands of end users and their numerous accounts would be a prohibitive administrative burden. Decentralizing that burden is one of the things that federation services offer.

How Federation Services Decentralize Administrative Burdens

Federation-aware applications use a standards-based approach to enable SSO securely. Federation sets up an authentication handshake between a trusted authority, the Identity Provider (IdP, sometimes called a 'broker'), and a Service Provider (SP). This lets the user apply a single identity to numerous federation-aware applications (SPs). Most modern federation-aware applications, such as web apps and SaaS apps, require no software agents.
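To make the IdP/SP handshake concrete, here is an added illustration (not Optimal IdM's code and not any standard's wire format): the IdP issues a short-lived assertion bound to one SP, and the SP verifies the signature, issuer, audience, expiry and replay status before creating a session. The names, URLs and shared key are constructed assumptions for the example.

```python
import base64, hashlib, hmac, json

# Constructed illustration of a federation handshake: one IdP trusted by one SP.
# The names, URL and key below are assumptions for the example, not real configuration.
IDP_NAME = "https://idp.example.test"
SP_NAME = "https://legacy-app.example.test"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"  # stands in for the IdP's signing key

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def idp_issue_assertion(user: str, audience: str, now: float, key: bytes = SHARED_KEY) -> str:
    """IdP side: after authenticating the user once, issue a signed assertion bound to a
    single SP (the audience). The SP never sees the user's password."""
    claims = {"iss": IDP_NAME, "sub": user, "aud": audience, "iat": int(now),
              "exp": int(now) + 300,  # five-minute validity window
              "jti": hashlib.sha256(f"{user}:{now}".encode()).hexdigest()[:16]}
    body = b64(json.dumps(claims, sort_keys=True).encode())
    sig = b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

class ServiceProvider:
    """SP side: trusts exactly one issuer and checks every assertion before starting a session."""
    def __init__(self, name: str, trusted_issuer: str, key: bytes):
        self.name, self.trusted_issuer, self.key = name, trusted_issuer, key
        self.seen_ids = set()  # assertion ids already consumed, for replay protection

    def validate(self, assertion: str, now: float) -> tuple:
        try:
            body, sig = assertion.split(".")
        except ValueError:
            return False, "malformed assertion"
        expected = b64(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):  # reject forged or tampered assertions
            return False, "bad signature"
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims.get("iss") != self.trusted_issuer:  # only the configured IdP is trusted
            return False, "untrusted issuer"
        if claims.get("aud") != self.name:  # an assertion for another SP must not log in here
            return False, "assertion not meant for this SP"
        if now >= claims.get("exp", 0):
            return False, "assertion expired"
        if claims["jti"] in self.seen_ids:
            return False, "replayed assertion"
        self.seen_ids.add(claims["jti"])
        return True, claims["sub"]
```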

Non-federation-aware 'legacy' apps require some level of intervention to support SSO. Most legacy applications inside your firewall can be made federation aware and offer SSO convenience to your end users. There are a couple of ways to enable this scenario, but only a few vendors support a clean, non-invasive agentless SSO solution.

Software agents in your network present several challenges. Agent-based solutions bring additional deployment considerations, supportability ramifications for both the application and the vendor of the proprietary agent, versioning issues, the elevated privilege model the agents usually need to run in, the fact that they access highly sensitive information, and the fact that they are closed solutions you cannot see into.

Optimal IdM Offers Solutions To Support Multiple Architectures

Optimal IdM offers a heterogeneous, vendor-agnostic solution that supports multiple architectures: as an IdP, as an SP, or even as a reverse proxy. We have enabled thousands of legacy applications to support an SSO model without installing a single software agent. Done properly, SSO, especially combined with access policies and multifactor authentication (MFA), can give you a highly secure solution with nearly no administrative overhead or burden, as well as the most productive end-user experience, one that both global enterprises and small businesses can leverage.

Instead of installing a software agent in the provider environment, customers of an agentless single sign-on system rely on the communication protocols already established between the application and the federation broker. Therefore there are no software agents to deploy or maintain and no changes to application servers. Now that's a big deal!

Optimal IdM provides agentless solutions that save a tremendous amount of time and ease the workflow of onboarding and supporting SSO for new applications. Contact us today to learn how we can help you.
