Computer Associates etrust Single Sign-On (SSO)

Transcription

1 Ant Allan Product Report 12 November 2002 Computer Associates etrust Single Sign-On (SSO) Summary CA s etrust SSO gives an organization s users a single password instead of multiple passwords to Web and enterprise systems. It uses Tcl scripting and supports strong authentication methods. Table of Contents Overview Analysis Pricing Competitors Strengths Limitations Insight List Of Tables Table 1: Comparison of Unicenter SSO and etrust SSO Table 2: Overview: Computer Associates etrust Single Sign-On (SSO) Table 3: Features and Functions: etrust SSO: Identity Management Table 4: Features and Functions: etrust SSO: Interfaces Table 5: Features and Functions: etrust SSO: Authentication Methods Table 6: Features and Functions: etrust SSO: Single Sign-On Table 7: Features and Functions: etrust SSO: Security Table 8: Features and Functions: etrust SSO: Administration Table 9: Features and Functions: etrust SSO: Auditing Table 10: Features and Functions: etrust SSO: System Requirements Table 11: Price List: etrust SSO Table 12: Competitors List Of Figures Figure 1: etrust SSO Network Diagram Gartner Entire contents 2002 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 Corporate Headquarters Computer Associates International Inc. One Computer Associates Plaza Islandia, NY 11749, U.S.A. Tel: , Fax: Internet: Overview Computer Associates offers two single sign-on (SSO) products, Unicenter SSO and etrust SSO. CA developed Unicenter SSO entirely in-house, whereas CA developed etrust SSO from the PLATINUM SSO product, formerly Memco s Proxima SSO. (CA acquired PLATINUM technology International, inc. in May 1999; PLATINUM had acquired Memco Software Ltd. in March 1999.) The following table summarizes the key differences between the two products. Table 1: Comparison of Unicenter SSO and etrust SSO Unicenter SSO Requires Unicenter framework Computer Associates Basic Language (CABL) scripting Limited authentication plug-ins Supports billing codes Supports client/server and mainframe-hosted applications etrust SSO Stand-alone product Tool Command Language (Tcl) scripting Flexible authentication options (public key infrastructure (PKI) and biometric.) PKI support Supports Web applications, client/server and mainframe-hosted applications While CA promotes etrust SSO as its flagship SSO product, its strategy is to migrate Unicenter SSO and etrust SSO into a superset which will retain the etrust SSO name. The superset etrust SSO will capitalize on the strengths of both products with general availability in late etrust SSO Components The components of etrust SSO include: The etrust SSO Server is the product s authorization engine, supporting a number of authentication methods to provide flexibility to all organizations using the product. The etrust SSO database stores all information about an organization s users, groups, resources, applications, login parameters and access control rules utilizing databases used by other etrust products. An organization can load this database with user and group information from existing databases, during or after product installation. User and group information can be imported by running an etrust SSO utility or by using the command line interface. 12 November

3 Login dialogues are filed on the same server host as the etrust SSO database, but in a separate directory (usually user/sso/scripts/ on a Unix server) rather than the database itself. These provide instructions that the etrust SSO Client executes to log an end user into an application. For client/server and mainframe SSO, a copy of the etrust SSO Client runs on every workstation using etrust SSO services. The etrust SSO Client software: Communicates with primary authentication agents to verify the user s identity for accessing etrust SSO. Displays applications that the end user is authorized to use. Communicates with the etrust SSO Server and retrieves login dialogues and login data from the server platform. Executes login dialogues and logs the user into authorized applications. Sends the results of the login attempt to the etrust SSO Server (if so instructed by the login dialogue). The etrust SSO Web Agent provides single sign-on, authentication, and authorization services to Web applications and resources for all of an organization s users. An organization must install the etrust SSO Web Agent on the Web server hosting the target application(s). No software needs to be installed at the user s desktop. No client software is required on the workstation for Web SSO where the etrust SSO Web Agent can be installed, but a Web Client is required for SSO to external Web applications. etrust SSO Primary Authentication Agents run on the enterprise s authentication hosts/platforms, such as Windows 2000 and third-party security servers, and facilitates primary authentication of the end user. The etrust SSO APIs are application-programming interfaces that allow an organization to customize existing applications for use with etrust SSO. The etrust SSO Application Agent resides on an application server and handles communications with the etrust SSO components to log an end user into an application. The etrust SSO Assistant is a Windows based graphical user interface (GUI) tool for managing etrust SSO and its database. It is installed on an administrator s Windows NT or Windows 95/98/2000 workstation with Transmission Control Protocol/Internet Protocol (TCP/IP) communication to the etrust SSO Server. An organization can use this GUI to communicate with both Unix and Windows NT etrust SSO servers. (The etrust SSO Web Assistant offers similar functionality as the etrust SSO Assistant through a Web browser.) The etrust SSO Broker is an optional component that provides load balancing and configuration control. Figure 1: etrust SSO Network Diagram 12 November

4 Table 2: Overview: Computer Associates etrust Single Sign-On (SSO) Version etrust SSO 6.5 SP2 Date Announced v6.5 released: 06/02/2000 SP2 released: 05/03/ November

5 Table 2: Overview: Computer Associates etrust Single Sign-On (SSO) Platforms Supported Installed Base Background authentication (PassTicket/AppTicket) support: IBM OS/390 & z/os with Resource Access Control Facility (RACF) or Computer Associates etrust CA-ACF2 or etrust CA-Top Secret Background authentication (One-Time Password) support: Unix OSs, via Pluggable Authentication Modules (PAMs) Password store-and-forward support: Pre-built scripts for many target systems, including: Microsoft Windows 32-bit applications Any Web-based application using forms-based or HTTP-header-based authentication IBM OS/390 & z/os via 3270 High-Level Language Application Programming Interface (HLLAPI) emulators IBM OS/400 via 5250 HLLAPI emulators Unix OSs via Telnet emulators Additional platforms can be supported through custom scripts, which can be created automatically or manually by the organization or CA. Over 2 million users in 408 organizations worldwide. By region: North America: 180 organizations Latin America: 20 Europe, Middle East, Africa (EMEA): 152 Asia/Pacific: 56 Table 3: Features and Functions: etrust SSO: Identity Management User Definition User Groups A record in the etrust SSO database defines each user. The user record contains information such as: The user s full name; The times the user is allowed to log in; The target systems that the user is allowed to access; The list of groups to which the user belongs. The user ID for a user in the etrust SSO database is the ID used for primary authentication and so must match the user ID in the primary authentication server for example, a MS Windows 2000 username. A user record also contains multiple instances of login info, one for each target system, comprising: User credentials for that target system: login name and password Statistical information: last login, first login, login count and last password change. etrust SSO administrators can also define user groups to simplify administration and maintenance. Access rights assigned to a group apply to all users in that group. Access rights assigned to specific users take precedence. 12 November

6 Table 3: Features and Functions: etrust SSO: Identity Management User Registration Target-System User Name Assignment An organization can populate the etrust SSO database from information already present in existing enterprise systems. etrust SSO provides a number of methods to extract this information and use it to load the etrust SSO database. User information is typically already present in: Operating systems, such as Windows NT/2000 and Novell NetWare; Groupware, such as Lotus Notes or SAP; Enterprise management tools; Computerized employee records. To use existing data for an initial load of the etrust SSO database, an organization can employ third-party management tools or build selang scripts (batch files) and load them into the etrust SSO database. Login info for a target system is created in one of two ways: An administrator enters the information in the user record before the user s first login to the system. An administrator must do this for ticket-based systems. The user creates the login info during the first login to the system via etrust SSO. Table 4: Features and Functions: etrust SSO: Interfaces Target System Interface Passwords Other User Credentials etrust SSO uses a ticket-based approach to effect SSO: After successfully verifying the user s identity, the Primary Authentication Agent creates an SSO ticket. This is a data object that includes user identification and a time stamp which is valid for a defined period. The Agent encrypts the ticket and sends it to the Client on the user s workstation. The Client caches the ticket and sends it to the Server. The Server retrieves from the database a list of target systems the user may use and sends this to the Client. (Depending on the workstation OS and configuration, the Client can display this list as application icons, a program group or as a part of the MS Windows Start menu.) When the user selects a target system, the Client sends the SSO ticket and the target system identifier to the Server. The Server validates the ticket and sends the Client the necessary login dialogue and login data. The Client then executes the login dialogue. The login dialogues, which are written in an extended set of the Tcl scripting language, provide the instructions for the Client to simulate the actions of a user logging into the target systems. The Client executes the login dialogue to enter the login data retrieved from the database into the proper fields in the target systems login window or screen. The Client communicates with an Application Agent on the target system. The Client receives the required ticket or one-time-password (OTP) from the Server and forwards it to the Agent. etrust SSO supports: OTPs on Unix operating systems; IBM PassTickets on RACF, etrust CA-ACF2 and etrust CA-Top Secret; Proprietary AppTickets on RACF or etrust CA-ACF2. 12 November

7 Table 4: Features and Functions: etrust SSO: Interfaces User Desktop etrust SSO provides different types of SSO Client installation: Batch Installs all the etrust SSO Client components needed for normal operation on the end user s workstation. Custom Allows you to determine a number of installation parameters. The SSO Client can also be installed using a third-party software distribution tool, if a response file is prepared and distributed together with the standard SSO Client software. Table 5: Features and Functions: etrust SSO: Authentication Methods Operating System Password etrust SSO Password OTP Tokens Certificates and Smart Cards Biometrics Open Authentication Toolkit etrust SSO can check the user s login to Microsoft Windows NT/2000 or Novell NetWare, via an etrust SSO Primary Authentication Agent. etrust SSO can prompt a user for an SSO-specific username and password, via the Server component. Optionally, etrust can simultaneously sign the user to a Microsoft Windows NT/2000 or Novell NetWare network and authorize the user to use etrust SSO. etrust SSO can use third-party OTP security servers from Rivest-Shamir-Adelman (RSA) Security (with RSA SecurID tokens) and Secure Computing (with SafeWord tokens). Supports all X.509-compliant PKI systems. etrust SSO supports Iridian s iris recognition technologies. Also, via SAFLINK s SAF Module for Computer Associates etrust SSO (SAF/etrust) plug-in, other technologies (fingerprint, face and voice). This provides APIs and code modules to enable administrators, as well as systems integrators and authentication vendors, to develop etrust SSO Authentication Engines (AEs) that communicate between the Client and the authentication device or software and Primary Authentication Agents for the authentication server/host. Table 6: Features and Functions: etrust SSO: Single Sign-On Target-System Password Discovery Target-System Password Change Primary Password Timeout Desktop Locking With the Learn mode enabled, when a user logs in to a target system with etrust SSO for the first time, the Client prompts the user for the username and password for that system. These credentials are automatically saved to the database in the login info for that system in the user s record. etrust SSO automatically handles target system password change. The auto-gen utility can be used to automatically generate random target-system passwords based on password formation rules set by the administrators. etrust SSO limits the lifetime of the SSO ticket. When the ticket expires, the Client prompts the user to re-authenticate that is, to repeat the primary authentication process. etrust SSO Client has a ScreenLock option. When enabled, this locks the user out of the workstation if idle for a specific period. It displays an input box for username and password (or equivalent, depending on what primary authentication method is used) for re-authentication. If re-authentication is successful, the Client unlocks the workstation. 12 November

8 Table 7: Features and Functions: etrust SSO: Security Communications Server/Repository Resilience Scalability The communication between the client and the server is fully encrypted via Triple Data Encryption Standard [3DES] algorithm and El-Gamal key management. Web SSO uses Secure Sockets Layer (SSL) to encrypt the information transmitted between browsers and servers. etrust SSO contains a special version of etrust Access Control that controls access to applications and authentication hosts, updates to the database, and protects the etrust SSO components on the server host. An organization can implement a farm of etrust SSO Servers, each of which backs up and is backed up by all the others. A replication mechanism can be used to ensure that each server will simultaneously update the local database and the databases of all the other servers. A single etrust SSO can support a total population of approximately 65,000 users with concurrent SSO requests. Higher scalability can be achieved using etrust SSO Broker and server farms. Table 8: Features and Functions: etrust SSO: Administration Interface Reporting Local Administration Utilities Tools for administering etrust SSO include: etrust SSO Assistant a MS Windows-based tool that manages the etrust SSO database; selang a command language that controls etrust SSO from a command line interface (CLI) and batch programs; etrust Admin CA s user provisioning tool, which shares the etrust SSO database. CA recommends etrust Audit for full auditing of security events and alerts. An organization can delegate administration at the etrust SSO group level. Group administrators can have either full administration rights or the ability to change users passwords (on etrust SSO and target systems). Group administrators have authority over all users within that group and any levels of subgroups. API toolkit for supporting additional authentication mechanisms. Password enhancing mechanisms including password auto-generation, password enforcement policies and password exits for adding self-defined quality checks according to the needs of the security policy. Table 9: Features and Functions: etrust SSO: Auditing Event Logging Log Archiving Reporting Alerting etrust SSO provides audit capabilities to allow all user login activity to be recorded and stored for later retrieval. SSO auditing includes user logins, access to the etrust SSO Server, requests for application lists, failed login attempts and more. Audit logs may be forwarded to etrust Audit which provides for full reporting and archiving of log data. Audit log reports can be generated via the seaudit tool (part of the embedded etrust Access Control product). An organization can also create reports via CA s etrust Audit tool. etrust SSO provides alerting based on configurable criteria. 12 November

9 Table 10: Features and Functions: etrust SSO: System Requirements Directory Server (etrust SSO Server) Unix: HP-UX 10.x or 11.x IBM AIX 4.1.x, 4.2, or 4.3 Sun Solaris 2.5.1, 2.6 (SPARC & X86), 2.7 (SPARC) Microsoft Windows NT4 SP3 or 2000 Server etrust SSO Primary Microsoft Windows NT Authentication Agent NT4.0 Novell NetWare NetWare 3.12 or 4.x Novell NetWare Client must be installed on the end-user workstation rather than standard NetWare client from Microsoft RSA Security RSA SecurID, Secure Computing SafeWord HP-UX 10.x IBM AIX 4.x Sun Solaris 2.x (SPARC or UltraSPARC) Entrust Sun Solaris 2.x (SPARC or UltraSPARC) etrust SSO Broker Unix: HP-UX 10.x IBM AIX 4.1.x or 4.2 Sun Solaris 2.5.1, 2.6 (SPARC & X86) Microsoft Windows NT4 SP3 or 2000 Server OTP Agents HP-UX 10.x IBM AIX 4.x SunSolaris2.x IBM PassTicket RACF Agents etrust CA-Top-Secret (TSS) 5+ CA etrust SSO RACF AppTicket Agents etrust CA-Top-Secret (TSS) 4.4+ Administrator Microsoft Windows 95, Windows 98, Windows NT 4.0 Workstation or Windows 2000 Workstation (etrust Professional SSO Assistant) Client Microsoft Windows 95, Windows 98, Windows NT 4.0 Workstation or Windows 2000 Professional Analysis While CA has sold more licenses for its Unicenter SSO product than for etrust SSO, etrust SSO is its flagship SSO product. CA plans to integrate the two products within the next year, so that the new etrust SSO product will benefit from the additional features (for example, support for billing codes) that Unicenter SSO offers. etrust SSO fits into CA s Identity Management portfolio that also includes the following products: etrust Admin CA s provisioning product, etrust Admin simplifies administration of users and resources across heterogeneous security systems and directories. etrust PKI Provides strong authentication of users and management of public-key certificates across the enterprise. 12 November

10 etrust Directory A multiprotocol solution for large-scale directory service applications. etrust SSO has a worldwide customer base, with many organizations supporting up to 20,000 users. Some of its largest implementations include a university (with 10,000 users), hospitals (5,000, with biometric primary authentication), a bank (14,500), a telco (13,500) and a government agency (about 10,000). Server-Based SSO etrust SSO s architecture is based on a dedicated etrust SSO Server and database. While this approach gives the organization another user repository to manage, where other leading SSO products can use an existing corporate directory, it can be shared by other etrust identity and access management (IAM) products. Once an organization loads information into the database, these products can all read and update the shared database for their separate and common purposes. An organization can use an etrust SSO utility or its CLI to load user and group information from existing databases and directories, but this is still an implementation step that is not required in v-go SSO or SecureLogin SSO. This approach requires a separate management regime, and etrust SSO includes several management tools, including a command line language, the etrust SSO Assistant (a graphical user interface), and the etrust SSO Web Assistant. An organization can also integrate etrust SSO with management tools such as CA s etrust Admin. etrust SSO also allows distributed management: certain users can be designated as group or password managers to reduce the administrative burden on central administrators. Nonproprietary Scripting Language etrust SSO login dialogues support login schemes ranging from target-systems native passwords to tickets. They are written in an established scripting language, Tcl, with some proprietary extensions, where SecureLogin SSO uses a proprietary language. CA s approach might reduce the organization s training requirement where Tcl is already in use. The login dialogues are designed to provide compatibility with almost all network environments and target systems. An organization can define SSO methods for almost any Windows, Terminal Server, mainframe, Unix, Internet or intranet target system. The dialogues are stored and secure filed on the same server host as the etrust SSO database, (but in a separate directory rather than the database itself) to ensure support for single-point administration and manageability. Range of Primary Authentication Options etrust SSO supports a range of primary authentication options, including strong authentication methods, out of the box. As with v-go SSO and SecureLogin SSO, an organization can use network operating system passwords for etrust SSO primary authentication; etrust SSO also offers its own, independent password mechanism. etrust SSO offers built-in support for strong authentication methods such as OTP tokens (from RSA Security and Security computing), public-key certificates and smart cards, and biometrics (Iridian s iris recognition). Further biometrics can be used via SAFLINK s SAF Module for Computer Associates etrust SSO (SAF/etrust) plug-in. etrust SSO also allows custom integration via its Open Authentication Toolkit. This provides APIs and code modules to enable organizations to use other authentication methods/devices. SSO Improves Security 12 November

11 As with other SSO products, etrust SSO allows the organization to implement strict password policies across all target systems. An organization can use etrust SSO s auto-gen utility to automatically generate random target-system passwords based on password formation rules set by the administrators. These generated passwords are more complex, and hence more secure, than users would normally use or remember. Random passwords can create a big problem if the etrust SSO server is unavailable if users don t know their target system passwords, they cannot login directly. etrust SSO cannot provide a persistent local credentials cache. once the user logs off, the target system passwords are unavailable. Alternatively, etrust SSO can keep passwords for target applications synchronized with the primary authentication password, addressing such requirements as remote access with a single password. Organizations also have the option to designate mission-critical applications as sensitive, which requires users to re-authenticate themselves with their primary authentication method before they can access these applications. This can stall an opportunist attack on a sensitive application when the user has left his or her workstation unattended but is still signed on. SSO Reduces Costs CA estimates that by giving each user only one password to remember can eliminate up to 85 percent of password problems, as it will not be forgotten as often. This reduces both lost user productivity and calls to the organization s help desk (which Gartner Research estimates can account for upwards of 30 percent of all help desk calls). CA states that customers generally see 100 percent return on investment (ROI) in 12 to 18 months. Secure Credential Storage All users credentials are stored centrally in the etrust SSO database. But etrust SSO offers a higher level of security for the credentials repository than other SSO products through the use of dedicated server and a bundled version of CA s etrust Access Control product. Support for User Mobility etrust SSO stores all login information on the etrust SSO Server to centrally support roaming users. This means that several users can use the same PC and work well with SSO. In addition, the SSO Familiar Desktop provides re-login capabilities for shared PCs. etrust SSO does not, however, maintain local caches of SSO credentials to allow users to access target systems when disconnected from the corporate network. Ease of Deployment etrust SSO is a complex product, and CA estimates that a typical implementation project for 1,000 users will take three to six months, while a project for 50,000 users will take between six months to one year. CA offers service packages to streamline implementation and ensure rapid ROI. Pricing CA offers per user licensing with discounts for tiered quantities. Table 11: Price List: etrust SSO Product 100 users (US$) 1,000 users (US$) 10,000 users (US$) 100,000 users (US$) etrust SSO 75 per user 50 per user 35 per user 20 per user 12 November

12 CA can offer additional discounts for 1 million or more users. Maintenance: 20 percent of the license cost is charged annually for a minimum of three years. Support includes unlimited telephone and incidents and software upgrades. GSA Pricing Yes. Competitors CA s etrust SSO competes directly with other SSO products, and, more broadly, with authentication management infrastructure (AMI) products that offer SSO alongside centralized management of multiple authentication methods and flexible authentication policies. Table 12: Competitors ActivCard Inc. Trinity Internet: BioNetrix Systems Corp. BioNetrix Authentication Suite (BAS) and BioNetrix SSO Internet: Passlogix, Inc. v- GO SSO Internet: Protocom Development Systems SecureLogin Internet: Ankari s Trinity AMI product supports multiple authentication schemes, including memorized passwords, RSA SecurID, smart cards and biometrics (fingerprint only). It also supports a wide range of platforms including Unix and IBM mainframe operating systems and groupware such as Lotus Notes. SSO functionality is integrated with the core product. BioNetrix s BAS supports multiple authentication schemes, including memorized passwords, smart cards and various biometrics, but no one-time password tokens. It also supports a wide range of platforms but not Unix or IBM mainframe operating systems. It allows user re-authentication to be built into workflow applications for transaction security. A separately licensed product, BioNetrix SSO, adds SSO functionality, but by itself the only supported primary authentication method is memorized passwords. Passlogix s v-go provides SSO via a client-oriented architecture that supports roaming and offline access. Its modular primary authentication allows an organization to use Windows network passwords, PKI (Entrust, RSA Keon) passwords, graphical user passwords, or strong authentication methods such as smart cards and biometrics. It supports a wide range of Windows, Web and terminal-emulated target systems via Wizards. Novell used to offer this product under license as Novell Single Sign-On (NSSO). Protocom s SecureLogin provides SSO via a directory-oriented architecture that supports roaming and offline access via local caching. It supports a range of primary authentication methods including Windows or NetWare network passwords and strong authentication methods such as smart cards and biometrics. It supports a wide range of Windows, Web and terminal-emulated target systems via pre-built and custom scripts. Novell offers this product under license as Novell SecureLogin. Strengths Server-Based Architecture Eases Manageability and Improves Security etrust SSO s architecture provides easy manageability. Administrators can manage everything centrally on etrust SSO Server via a range of administration tools. CA also supports levels of distributed administration. 12 November

13 etrust SSO also benefits from the additional security provided by the version of etrust Access Control bundled with it. Built-In Support for Strong Authentication Methods etrust SSO provides out of the box support for OTP password tokens and smart cards. It also supports Iridian s iris recognition technology, but other biometric technologies (fingerprint, face and voice) require an additional third-party product (SAF/etrust) or custom integration via etrust SSO s Open Authentication Toolkit. Non-Proprietary Scripting Language etrust SSO s use of login dialogues scripting language maximizes its versatility. Dialogues can be used to keep software implementation at the client level so backend servers don t have to be touched, and the target system code doesn t have to be changed. (Agents can be used for a more secure interface for example, OTPs, PassTickets.) etrust SSO dialogues are written in Tcl (with some extensions) which, especially if they already use Tcl, may make it easier for an organization s technical staff to use than a proprietary scripting language. Limitations Requires a Dedicated Server and Database etrust SSO requires its own dedicated server and database, rather than leveraging an existing corporate directory (or MS Windows NT domains). While this has some advantages in improved security and interoperability with other etrust IAM products, and CA offers a range of good management tools, it does impose a management overhead on an organization that is looking for a stand-alone SSO product. Scripting May Be a Barrier for Some Organizations Although etrust SSO s login dialogues provide a flexible target-system interface using an industrystandard scripting language, and CA offers many pre-built scripts, some organizations may be averse to a scripting approach. etrust SSO doesn t offer script-generating tools to address this limitation. Insight CA etrust SSO is a robust server-based SSO product, and CA claims over 400 production implementations, many of 5,000 to 20,000 users. Its requirement for a dedicated server and database, and the consequent management overhead will deter some organizations, but it does give benefits in both manageability especially when used in conjunction with CA s other IAM tools such as etrust Admin and security via an embedded version of etrust Access Control. etrust SSO supports password storeand-forward via Tcl scripts with no need for software on the target system as well as more robust (but technically more challenging) OTP and ticket-based mechanisms. It provides out of the box support for a variety of primary authentication methods including OTP tokens, smart cards and biometrics. CA etrust SSO will be a good choice for some medium-to-large enterprises, especially those looking to use strong authentication. 12 November