Single Sign-on Without a Password Wallet - Hitachi ID Password Manager
Hitachi ID Login Manager automatically fills in application login IDs and passwords
on behalf of users, streamlining the application sign-on process for
Login Manager works as follows:
- When users sign into their workstations, Login Manager acquires their
network login ID and password from the Windows login process.
- Login Manager may (optionally) acquire additional login IDs (but not
passwords) from the user's Active Directory profile.
- Login Manager monitors the Windows desktop for newly launched
- It detects when the user types one of their known login IDs or their
Windows password into an application dialog box, HTML form
or mainframe terminal session. When this happens, the location
of the matching input fields is stored in a local configuration file.
- Whenever Login Manager detects an application displaying a
previously configured login screen, it automatically fills in
the appropriate login ID and/or the current Windows password.
The net impact of Login Manager is that login prompts for applications
with well-known IDs and passwords that authenticate to AD or
are synchronized with AD are automatically filled in. This is done
- Interfering with user access to applications from devices not
equipped with the SSO software, such as their smart phones.
- Having to deploy a secure location in which to store application
- Writing scripts.
Login Manager is installed as a simple, self-contained MSI package.
It does not require a schema extension to Active Directory.
The reduced sign-on process used by Login Manager
has several advantages over traditional E-SSO techniques:
- There is no global directory or database with user credentials:
  - There is no target for a would-be attacker.
  - There is no single point of failure which could cause a
  widespread disruption to users who wish to sign into
  - There is no need to enroll users by having them provide
- There are no manually written scripts:
  - No manual configuration is required.
  - No infrastructure is required to distribute script files to PCs.
- Continued access to applications:
  - Users sometimes need to sign into applications from devices
  other than their work PC.
  - Since passwords are synchronized and users know their own
  password, they can still sign in, even without the SSO
  - In contrast, with other E-SSO products, users may not know
  their own application passwords. This disrupts application
  access using a smart phone, home PC, Internet kiosk, etc.
These advantages significantly reduce the cost and risk associated
with deploying and managing Login Manager.