1.1 Understanding Basic Single Sign-On

The purpose of Basic Single Sign-On (SSO) is to let users securely store the credentials for their existing accounts on online applications while giving them a single sign-on experience. For example, a user, Maria, has an Evernote account that she uses to take notes for her job in marketing. Instead of logging in to Evernote with separate credentials each time she wants to use it, she logs in to Evernote once; Basic SSO saves her credentials and replays them every time she accesses Evernote afterwards.

Basic SSO and Form Fill policies both automatically populate HTML login forms, but they work differently. Form Fill policies scan each login page that is accelerated through the Access Gateway to see whether the policy can populate the credential information. For more information, see Form Fill Policies in the NetIQ Access Manager 4.3 Administration Guide. Basic SSO does not go through the Access Gateway at all. Instead, Basic SSO provides connectors for the different applications, and you configure the connector for the specific site. Basic SSO captures the users’ credentials through a browser plugin or extension and securely stores them on the Identity Server, never using the Access Gateway.

Access Manager protects the users’ credentials in transit with an SSL connection and at rest with AES-256 encryption on Access Manager. The following graphic depicts how Access Manager securely stores the credentials.

Figure 1-1 How Access Manager Securely Stores Credentials

For users to get Basic SSO to an application, they must install the appropriate Basic SSO extension or plugin for their browser, or install the MobileAccess app. The following occurs the first time a user logs in to access a Basic SSO application:

  1. The user logs in to the User Portal page using their Access Manager credentials.

  2. The user sees the appmarks for the available applications and clicks the appropriate appmark.

  3. If the Basic SSO extension or plugin for the browser is not installed on the computer, Access Manager prompts the user to install it.

  4. After installing the extension or plugin, the user must go back to the User Portal and click on the application a second time.

  5. The extension or plugin opens a new tab where the user enters their user name and password for the application.

    The user has to enter the application user name and password only this once.

  6. The extension or plugin captures the user’s credentials for the application and sends them to Access Manager over an SSL connection.

  7. Access Manager encrypts the user’s credentials with AES-256 encryption, and then stores the user name and password in the credential store that is part of Identity Server.

    Identity Server encrypts the user’s credentials with an encryption key that is unique per user account in Access Manager.

  8. Access Manager then redirects the user to the application over an SSL connection.

In subsequent Access Manager sessions, the user logs in with the Access Manager credentials and accesses the destination application without providing the application credentials again. The browser extension securely retrieves the user’s stored credentials from Identity Server and submits them to the application for an automatic login on behalf of the user. This gives the user a single sign-on experience.

The user must install the Basic SSO browser extension on each device from which the user wants to access the application. Access Manager automatically prompts the user to install the extension the first time the user accesses the application’s appmark from a different device, even if the user’s credentials for the application are already available in the credential store. The extension then retrieves the user’s credentials for the selected application from Access Manager and submits them for an automatic login.

Typically, users have a different login user name and password for their individual accounts with each application, and a user can have only one stored account per application. Access Manager stores the user’s current credentials, but users remain responsible for maintaining them. The menu under the user’s name on the User Portal page provides a Clear Single Sign-on Credentials option that lets users remove their stored credentials so that new ones are captured at the next login, for example when the credentials have expired or been stolen. Clearing the stored copy does not change the password at the application itself; a stolen password must also be changed there.

If the user changes the user name or password for the application account, or cancels the account, the stored credentials are no longer valid. The automatic login fails, and the browser extension takes the user to the application’s login page, where the user can log in with the new credentials. Access Manager removes the old credentials and stores the new ones for subsequent logins to the application.