Single Sign On Business Case



Similar documents
Single Sign On Requirements

Lenovo Partner Access - Overview

Using YSU Password Self-Service

Employers Guide to Online Recruiting

Active Directory Validation - User Guide

OneLogin Integration User Guide

Guide to Complete EIA SSO (Single Sign-On) Registration. 1. Open your Internet Browser, enter this address, and press Enter

Virtual Code Authentication User s Guide. June 25, 2015

NU SSO Account Activation Job Aid NU Employees

Welcome (slide 1) Welcome to the Florida Department of Education Single Sign-On tutorial for federated user login and navigation.

Account Activation. Guide

User Manual 03/12/2014. A collaborative effort by

MULTI-FACTOR AUTHENTICATION SET-UP

Deploying RSA ClearTrust with the FirePass controller

Provider OnLine. Log-In Guide

Marcum LLP MFT Guide

Single Sign On. SSO & ID Management for Web and Mobile Applications

MULTI-FACTOR AUTHENTICATION SET-UP

How Parents Use Single Sign On and New PowerSchool Features

1. How to Register Forgot Password Login to MailTrack Webmail Accessing MailTrack message Centre... 6

Bahamas Tax Information Exchange Portal Documentation

Technical Support KPMG. Last Updated: January 2014 KPMG. July 2015

Optum ID Migration for Provider Express Users

Cash Management 5.0 User Guide

Single Sign-on Frequently Asked Questions

eservice Portal Overview

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)

Instructions for the Integrated Travel Manager (ITM) Self Service Password Reset (May 2011)

Health Insurance Oversight System (HIOS) Portal User Manual

Add Title. Single Sign-On Registration

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

DPH TOKEN SELF SERVICE SITE INSTRUCTIONS:

7. In the boxed unlabeled field, enter the last 4 digits of your Social Security number.

The Initial Registration Process. During the initial registration process, this guide assumes the user has been provided a login ID.

Building Secure Applications. James Tedrick

IMS Health Secure Outlook Web Access Portal. Quick Setup

McAfee Endpoint Encryption (SafeBoot) User Documentation

Accessing your 1098T online through General Dynamics Information Technology (Vangent).

Stewart Secure User Guide. March 13, 2015

How to Create a Broker Account

Cloud Authentication. Getting Started Guide. Version

4. Enter a Password, and then Confirm the new Password by typing it again. NOTE: Passwords must contain at least 6 characters (numbers or letters).

CONNECTING TO THE DTS WIRELESS NETWORK USING WINDOWS VISTA

Perceptive Experience Single Sign-On Solutions

Internet Access Gateway Logon Instructions IAG Platform, XP

BlackShield ID Agent for Remote Web Workplace

Embedded Web Server Security

Citrix Single Sign-On Self-Service Password Reset

Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation

Dealer Licensing Online Services

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

account multiple solutions

The Top 5 Federated Single Sign-On Scenarios

How to use SURA in three simple steps:

Welcome to Remote Access Services (RAS)

Mississippi Educator Licensure Management System. Single Sign On User Guide

WHITE PAPER Usher Mobile Identity Platform

Web Applications Access Control Single Sign On

Go to and click on the Click Here to Access BreEZe Online Services link.

Prescription Review (PMP) - SAW Integration

Getting Started with AD/LDAP SSO

Embedded Web Server Security

Set My University of Melbourne Identity Management Password for the First Time

Steps for: POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) setup on MAC Platforms

The Benefits of an Industry Standard Platform for Enterprise Sign-On

Mobile Banking Frequently Asked Questions

The increasing popularity of mobile devices is rapidly changing how and where we

Introduction to SAML

RealMe. Technology Solution Overview. Version 1.0 Final September Authors: Mick Clarke & Steffen Sorensen

State of Michigan Single Sign-On Registration Instructions for First Time Users

Lexington Chinese School Online Class Registration Step-by-step Instructions

Vyom SSO-Edge: Single Sign-On for BMC Remedy

SECUREAUTH IDP AND OFFICE 365

Employer Online Registration at jobs.mt.gov

BUILDING SECURITY IN. Analyzing Mobile Single Sign-On Implementations

Training Guide for Delaware Practitioners and Pharmacists Delaware Division of Professional Regulation Prescription Monitoring Program

OHIO BUSINESS GATEWAY USER ACCOUNT UPDATE GUIDE FOR PASSWORD RESET AND ACCOUNT SECURITY FUNCTIONALITY

State of Nevada Unemployment Insurance Tax. Guide to Online Employer Self Service

Electronic Questionnaires for Investigations Processing (e-qip)

How to set up your NMC Online account. How to set up your NMC Online account

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

IIS, FTP Server and Windows

FLX VoIP Registering with Avaya IP Office 500

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

NetBeat NAC Version 9.2 Build 4 Release Notes

Single Sign-On Instructions (SSO) Registration for the SSO

Center for Educational Performance and Information (CEPI) Single Sign-On (SSO) User Guide

How to set up your NMC Online account. How to set up your NMC Online account

For Mac User Directions, see page 5

SDI Online Tutorial: Claimant Registration, Online Access, and Claim Filing

Multi-Factor Authentication Job Aide

Single sign-on for ASP.Net and SharePoint

Law School Computing Services User Memo

ACCOUNT SERVICES HELP

Business Banking Customer Login Experience for Enhanced Login Security

Transcription:

Single Sign On Business Case Project Name: Project Requestor: Project Director: Single Sign-On Steve Cuthbert Dave Ostrom 1.0 Introduction Single sign-on (SSO) is a property of access control of multiple, related, but independent software systems. A user logs in once and gains access to authorized systems without being prompted to log in again at each of them. Consider the following example: Jane is a dislocated worker receiving training funds, unemployment insurance, and food Stamps while looking for work and providing child care to another DWS customer. For Jane to access all of the systems managing these services, she would need at least five different log on accounts. Using Single Sign On, Jane would be authenticated once when she accesses a DWS system that is providing her service. When she requests access to other authorized DWS systems, an exchange of information would take place behind the scenes to establish her credentials. Once established and authorized, she would be allowed to enter any authorized system. From her perspective, entry across systems would be seamless. Authenticated customers would be directed to a landing page providing an Overview/Summary of the customer s information, authorized services, required tasks, DWS communications specific to authorized services, or if not registered with any service, a list of possible services. NOTE: The design of a landing page will be determined by a specific committee. 1.1 Problem / Opportunity Statement Many DWS customers access multiple DWS systems. These systems require the user to be authenticated and authorized for each system accessed. In order to be granted access, users must prove their identities. For the most part this is done by providing different authentication credentials; e.g., userid, password, PINS, etc, to each and every web application. This is an obvious inconvenience to the user. Each of these web applications requires the redundant development and management of authentication. Currently, authentication varies from system to system i.e., username and password, email address and password, social security number and user defined pin, case number and DWS defined pin, etc. resulting in the end user having to manage multiple usernames and passwords in various formats. This hinders the objective of DWS to integrate services under a single umbrella. Various Gartner studies have estimated that 25% to 35% of calls made to help desks are related to password resets. Analysts estimate costs at approximately $25 to $40 per call with four password reset calls per user per year. Various DWS web application user password activities are managed by Single Sign On Project Business Case Page 1 of 5

front line DWS workers. If a customer has a determined number of unsuccessful login attempts, the account is locked and the password must be reset by a DWS worker. DWS web applications that create PINS require a user to return an email for verification of their account. Often these emails initiated by DWS fall into Spam or Junk Mail folders. People using the auto-delete Spam/Junk Mail never receive the DWS email to verify their account. These people must call a DWS worker to have their password reset. Users who must manage large numbers of passwords either ignore recommended strong password rules by adopting easy-to-remember formulas or keep a written record of their complex passwords as a memory aid. The simple passwords are easy to hack, and the password lists are easy to steal. Either way, security is compromised. 1.2 Business Value Simplified login reduces the many confusing username/password options users must navigate today to a few secure methods standardized across all DWS systems; effectively reducing the number of calls associated with password support and creating a seamless, secure, integrated environment for DWS customers. 2.0 Current Environment DWS has 14 customer-facing systems that require user s to register and create accounts for access. Each of these systems has varying credential requirements for authentication. Some do not actually authenticate at all. System Not only are these web applications not developed on the same platform, but the authentication protocols are also not the same. Unemployment Suite of Applications - CUBS Employment Exchange (Job Seeker) - UWORKS Employment Exchange (Employer) - UWORKS Job Training Provider - UWORKS Supportive Services - equery Authentication SSN / PIN Email address / password Email address / password Username / password Case # / PIN Data Elements to Create Acct SSN, DOB, gender, mother s maiden name, PIN First and last name, SSN, DOB, Gender, email address UI ID and FEIN DWS issued Provider # and name Case #, PI DOB, email address Platform ASP.NET/with mixture of C# and vb.net Unemployment Suite of Contact Info ASP.NET/with mixture of C# and Applications - CATS email address / password vb.net Child Care Provider email address / password License # and contact info Appeals SSN / PIN Employer ID / PIN.NET Almost all of these systems can be accessed by the same individual but in a different role. Users of these systems include: Unemployment Insurance Claimants Job Seekers Employers Single Sign On Project Business Case Page 2 of 5

Providers Supportive Services customers Scenario In today's economy, a UI claimant that is on furlough could be receiving Dislocated Worker funds, Food Stamps and be looking for another job. To register for these services with DWS, the user would be required to login to the Unemployment Suite of Applications to file their weekly UI Claim; the Employment Exchange to register for work and search for a job; and the Public Assistance application to access their food stamps case information Each requiring separate usernames and passwords. For everyone who files an initial UI claim, they will almost always file continued claims (which is how payment is made). Also those who file continued claims will eventually have an eligibility review and could likely have an appeal. Everyone who files a UI claim and is not deferred is required to complete a work registration within five business days, using UWORKS to search for jobs. 3.0 Business Requirements 1. Users must use a single username and password to access all DWS systems for which they are registered, authorized, authenticated and verified. 2. Users manage their own password activities, including creating passwords, resetting passwords, changing passwords, etc. DWS applications/customer directory will not store passwords. 3. Users only have access to services for which registration and authorization are granted. 4. Users must not have to log into a DWS website to access information that they can currently access without a login. 5. SSO shall not affect the availability of services provided in the DWS offices. 6. SSO must be a seamless transition for users of current DWS web applications requiring username/email address/case number/ssn/employer ID and passwords/pins for access. 7. The jobs.utah.gov home page and all subsequent pages must identify the logged in user and provide a log out button. 4.0 Technical Requirements 4.1 Authentication/Verification User validation will be the responsibility of individual applications. For example: to file for unemployment, users must provide a verified ssn and Utah driver s license (or Identification Card). Once a user identity has been established, individual applications will prompt users to provide their OpenID credentials. Users who do not have an OpenID, will be guided through the registration process. DWS must adhere to OpenID Exchange guidelines as to which OpenID providers the agency will accept based on their level of trust. After a user s OpenID has been authenticated, the single sign on service will store the user id s token along with any application specific identifier (not SSN). Users with verified OpenID credentials that visit jobs.utah.gov may or may not be prompted to re-authenticate, depending upon the security Single Sign On Project Business Case Page 3 of 5

requirements of the individual applications. We envision that most applications will require users to re-authenticate. 4.2 User Session Management To facilitate single sign on between DWS applications, user information must be shared. This will be accomplished via shared user session management. Each DWS application must include user session management and user session timeout, configurable at the application level. Users logging out of the browser session automatically logs the user out of all DWS web applications. 4.3 Existing Application Integration Implementation of Single Sign On service will have minimal impact on existing applications. Where possible, Single Sign On service will be modified to meet the need of the existing application code. This includes but not limited to using existing user primary keys and adding fields to the Single Sign On database as needed. 4.4 New Development of Applications Development of new applications that require authentication must use the SSO protocol. 5.0 Future Environment Web Single Sign On will be implemented for DWS internet applications that require external users to provide some form of authentication and require authorization for access. DWS customers will be self-sufficient in navigating DWS websites and authorized services. 5.1 Single Sign-On Process Flow Below are the steps of a typical Single Sign On registration scenario. 1. User visits one of the jobs.utah.gov online services. 2. User registers with the online service 3. Online service validates user information 4. User is prompted to provide OpenID credentials. a. If OpenID credentials do not exist, the user will be guided through the OpenID registration process. In the case of existing registered users, the user will be prompted to enter their OpenID credentials and the application will prompt for any additional user verification data. 6.0 Potential Risk If a user s OpenID is compromised, our applications would be subject to unauthorized access. To mitigate this risk, DWS applications will require the user to provide additional data that identifies the user. 7.0 Solutions Analysis and Estimation 7.1 Solutions Analysis Single Sign On with OpenID Single Sign On Project Business Case Page 4 of 5

Use OpenID issued by third party OpenID providers who are members of the Trust Network to authenticate users. Develop DWS web applications using Single Sign On protocol accepting authentication by Trust Network OpenID providers. 7.2 Cost Estimates and Assumptions Assumptions: 1. Legacy systems will be modified to use Single Sign On protocol. 2. Web applications will be implemented in phases Costs: The costs include: - Development of OpenID integration - Integration of existing applications with Single Sign On service - Separate cost incurred for integration of each application 7.0 Recommendations Begin implementation of a Single Sign On protocol to include Phase I applications implemented by September 30, 2010. Phase I - Unemployment Suite of Applications - CUBS - Employment Exchange UWORKS - Supportive Services (equery) Phase II Unemployment Suite of Applications - CATS Child Care Provider Appeals Applications identified as out of scope include: eshare Refugee Data Collection Single Sign On Project Business Case Page 5 of 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information