P-Synch/SSO -- Automating Application Login
What is P-Synch/SSO?
P-Synch/SSO is an enterprise single sign-on solution, designed to reduce the number of times that users must type their login ID and password to sign into applications. By leveraging password synchronization instead of password storage, P-Synch/SSO is more robust and has a lower total cost of ownership than previous approaches to single sign-on, which depended on password storage.
How does P-Synch/SSO work?
P-Synch/SSO automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process for users.
P-Synch/SSO works as follows:
- The P-Synch/SSO software is installed on each user workstation.
- When users sign into their workstations, P-Synch/SSO acquires their
network login ID and password from the Windows login process.
- P-Synch/SSO extracts additional login IDs, associated with
the same user, from the user's Active Directory or eDirectory
profile. These optional login IDs are the only persistent data
stored by P-Synch/SSO: passwords are never stored.
- P-Synch/SSO monitors the Windows desktop for newly launched
applications:
- It detects when a user types one of his known login IDs or his
Windows password into an application dialog box, HTML form
or mainframe terminal session. When this happens, the location
of the matching input fields is stored in a local configuration file.
- Whenever P-Synch/SSO detects an application displaying a previously configured input prompt, it automatically fills in the appropriate login ID and the current Windows password.
The net impact of P-Synch/SSO on users is that they continue to sign into Windows with their network login ID and password. When applications prompt for a login ID which is known to belong to the same user, or for a password which is consolidated or synchronized with Windows, P-Synch/SSO fills in the user's information automatically, eliminating the need for the user to retype his ID or password.
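A simplified model of the learn-then-fill flow described above, added here as an illustration; it is not P-Synch/SSO code, and the class, method names, field-location strings and sample credentials are all hypothetical. It shows that the persisted configuration needs only field locations and login IDs, so a synchronized password change requires no reconfiguration.

```python
import hmac
import json

class LearnAndFillModel:
    """Toy model of the learn-then-fill flow; all names here are hypothetical."""

    def __init__(self, windows_password, known_ids, config=None):
        self._password = windows_password   # session memory only, never persisted
        self._known_ids = set(known_ids)    # e.g. read from the directory profile
        # field location -> what belongs there; the only state written to disk
        self.config = dict(config or {})

    def observe_typed(self, location, typed):
        """Learning: remember a field only if a known ID or the password was typed."""
        if typed in self._known_ids:
            self.config[location] = {"kind": "login_id", "value": typed}
        elif hmac.compare_digest(typed.encode(), self._password.encode()):
            self.config[location] = {"kind": "password"}  # marker only, no secret
        else:
            return False
        return True

    def fill(self, location):
        """Filling: return the value for a previously learned field, else None."""
        entry = self.config.get(location)
        if entry is None:
            return None
        return entry["value"] if entry["kind"] == "login_id" else self._password

    def persisted_config(self):
        """Serialise what would be written to the local configuration file."""
        return json.dumps(self.config, sort_keys=True)

def demo():
    # Constructed sample data: IDs, passwords and field locations are invented.
    ids = {"jsmith", "JS0042"}
    s1 = LearnAndFillModel("Spring-2024!", ids)
    s1.observe_typed("payroll.exe|Login|user", "JS0042")
    s1.observe_typed("payroll.exe|Login|pass", "Spring-2024!")
    s1.observe_typed("payroll.exe|Search|query", "invoices")  # unrelated, ignored
    saved = s1.persisted_config()
    # Next session, after a synchronized password change: same config, new password.
    s2 = LearnAndFillModel("Summer-2024!", ids, json.loads(saved))
    return saved, s2.fill("payroll.exe|Login|user"), s2.fill("payroll.exe|Login|pass")

if __name__ == "__main__":
    print(demo())
```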
Unlike other E-SSO products, P-Synch/SSO does not create administrative or accessibility problems:
- It does not require any configuration -- it automatically learns from what it sees the user doing.
- It does not require a schema change in AD or elsewhere.
- Users still know their own (synchronized) application passwords, which means that they can still log into their applications from devices that do not have P-Synch/SSO installed, such as PDAs or their home computers.
How is P-Synch/SSO different than existing E-SSO applications?
The patent-pending process for reduced sign-on embodied in P-Synch/SSO has several advantages over traditional E-SSO techniques, which derive from the fact that P-Synch/SSO has no credential database:
- There is no single point of failure. No global directory or database with user credentials exists, so none can be attacked to compromise security and none can fail and cause a widespread application outage.
- There are no scripts, so configuration and administration are simplified.
- There is no manual enrollment process, so widespread user adoption can be reached quickly and inexpensively.
- Users still know their (synchronized) IDs and passwords, and so can continue to access their applications even where the E-SSO client software is unavailable -- on the corporate Extranet, through telephony interfaces, from Internet kiosks, etc.
These advantages significantly reduce the cost of deploying and managing P-Synch/SSO, as compared to traditional enterprise SSO systems, which maintain a credential database for each user. P-Synch/SSO also poses less risk than a traditional E-SSO system, as it eliminates the possibility of catastrophic failures due to compromise or outage of the credential database.
Are there cases where P-Synch/SSO is not appropriate?
In order to achieve its benefits of low cost and high availability, P-Synch/SSO makes three important assumptions:
- The set of login IDs associated with a given user is known.
It may either be a single ID (i.e., the user's network login), or a short list.
Where users have different login IDs on different systems, P-Synch can generate login ID aliases using a combination of automation and self-service enrollment and can write this data to the user's profile in Active Directory or eDirectory, where P-Synch/SSO can access it.
- Passwords are synchronized.
Since P-Synch/SSO does not store a user's passwords anywhere, it relies on the assumption that the user signs into every system and application using the same password, which is extracted from the Windows login process.
- Users sign into their workstations with a password.
Since P-Synch/SSO acquires a user's password from the Windows login process, that process must use a password, or P-Synch/SSO will have no password at all.
P-Synch/SSO is therefore not usable in conjunction with smart cards, authentication tokens or biometric technology, which may replace the initial Windows login password.
P-Synch/SSO is designed to work only in environments where these assumptions are met.
Can I Evaluate P-Synch/SSO?
Yes. Use this link to request an evaluation.
Also, please download, print, sign and fax back this license agreement.
You will then receive the software at no charge, with a limited time license key. Hitachi ID will assist with software installation, and customers are asked to provide product feedback.







