End users often need to log on to numerous systems, applications, or databases to carry out their jobs. However, they tend to forget passwords or, worse, write them on scraps of paper they leave around their desks. The former results in increased calls to the help desk, while the latter compromises your overall security.
IBM's Global Sign-On 1.1 greatly simplifies end-user access to multiple systems and services by providing a single end-user log-on, and centralising the end-user security information on a server. Although this release supports limited platforms, IBM plans to bolster Global Sign-On's platform support in future versions. That, in combination with potential cost savings, increased manageability, and a variety of supported applications, makes Global Sign-On a solution worth investigating.
Supporting a large number of end users logging on to multiple services can take a toll on IS budgets. By using Global Sign-On to centrally manage end-user security, you can save a lot of money. Using this simple calculation, you can figure out how much you would save: take the number of users on your network and multiply that by the average number of applications they log on to each day. Then, multiply that figure by the average of users' hourly wages and finally by the average number of hours spent logging on (estimated to be 44.4 hours per year).
The resulting figure could be substantial for a large network. More information on calculating cost savings is at the Network Applications Consortium Web site (www.netapps.org).
Other products support single sign-on solutions. In addition, vendors such as Novell have plans to add this capability to their directory services offerings. However, IBM currently holds the lead by supporting centralised security for relational databases, user-defined applications, and 3270 emulation sessions.
Global Sign-On is composed of four components - authentication service, configuration information manager (CIM), personal key manager (PKM), and log-on coordinator (LC). Each component performs a different function during end-user log-on.
The authentication service component is stored in part on the end user's computer and in part on the centralised security server. This component provides the initial user log-on screen and authenticates that user against the centralised server that contains security information.
In addition, with some operating systems such as Windows NT, Global Sign-On integrates the client portion of the authentication service with the OS.
The other three components reside on the centralised security server. The CIM module contains information about how to log on to a particular application or system independent of the user. The PKM component holds all of the user-specific information, including user ID, password, and system name. And the LC module matches information about how to log on with the user-specific data, then performs the required log-on action.
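The division of labour between CIM, PKM and LC can be modelled in a few lines. This is an added illustration, not IBM code or Global Sign-On's API: the class names, the sample entries and the `fake_target` stand-in are all assumptions made for the sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LogonTemplate:          # CIM record: how to log on, independent of the user
    method: str               # hypothetical method label
    fields: tuple             # which user-specific fields the method needs

@dataclass(frozen=True)
class KeyEntry:               # PKM record: one user's data for one target
    user_id: str
    password: str
    system_name: str

# Constructed sample data (not real accounts or systems).
CIM = {
    "netware": LogonTemplate("netware", ("user_id", "password", "system_name")),
    "oracle": LogonTemplate("database", ("user_id", "password")),
    "mainframe": LogonTemplate("3270", ("user_id", "password", "system_name")),
}
PKM = {
    "testuser": {
        "netware": KeyEntry("tuser", "constructed-pw", "NW1"),
        "oracle": KeyEntry("tuser_db", "wrong-pw", "ORA1"),
    },
}

def coordinate_logon(user, target, perform):
    """LC role: match the CIM template with the PKM entry, then act."""
    template = CIM.get(target)
    if template is None:
        return {"target": target, "status": "failed", "reason": "no template"}
    entry = PKM.get(user, {}).get(target)
    if entry is None:
        return {"target": target, "status": "failed", "reason": "no credentials"}
    # Hand the target only the fields its template asks for.
    creds = {name: getattr(entry, name) for name in template.fields}
    ok = perform(template.method, creds)
    # The status record carries no secret, so it is safe to display or log.
    return {"target": target, "status": "ok" if ok else "failed",
            "reason": None if ok else "rejected by target"}

def fake_target(method, creds):
    # Stand-in for a real log-on action; accepts one constructed password.
    return creds.get("password") == "constructed-pw"

if __name__ == "__main__":
    for name in ("netware", "oracle", "mainframe", "payroll"):
        print(coordinate_logon("testuser", name, fake_target))
```

Keeping the per-target recipe apart from the per-user secrets means a template can be changed once for every user, and a status record can be shown to the user without ever containing a password.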
Acting as the administrator, I set up a test user with access to a NetWare server, a 3270 emulation session, an Oracle database, and a custom server-based application. The Global Sign-On administration utility allowed me to quickly define the characteristics of each log-on target.
Global Sign-On includes some predefined templates, such as NetWare access, and also some sample templates for quickly defining other types of access, such as custom applications. Setting up a single user was rather simple and took minutes.
Administrators who need to set up hundreds of users will want to use Global Sign-On's scripting capabilities to automate the configuration process. Creating a script that defined 50 test users was rather easy and proved a better mechanism for automating my user setup process.
After completing the configuration, I logged on under my test user ID and password. The Global Sign-On server located and authenticated me, then presented me with the applications, systems, and databases available to me.
While setting up my test user, I specified whether I wanted my user to log on to different systems and applications manually or automatically following the initial user log-on. I chose to always have my test user automatically log on to NetWare, the Oracle database, and my custom application.
After my initial log-on as the test user, I used Global Sign-On's Launcher feature to verify that I had been automatically logged on to NetWare, Oracle, and my custom application. I then chose to start logging on to the mainframe to gather research data. The Launcher let me see the progress and success or failure of my log-on.
The client portion of Global Sign-On does not require any real configuration effort on the part of the administrator.
This first release of Global Sign-On requires installation of Distributed Computing Environment - an open standard for managing distributed computing architectures - as well as IBM's Directory and Security Server as part of the authentication process.
Furthermore, Global Sign-On's server and client support is rather limited.
This makes the current version of Global Sign-On a viable solution for only a small number of IS shops. However, Global Sign-On's architecture and potential benefits will extend to a larger number of environments as IBM adds more platform support.
Global Sign-On holds a lot of promise for sites looking to ease end-user access to multiple services as well as reduce support and administration costs. Although currently held back by limited platform support, future versions of Global Sign-On should provide an effective solution to a larger number of enterprise environments.
Global Sign-On 1.1
With this tool, network administrators can give end users access to all authorised systems and databases via a single log-on. By storing user security and access information on a centralised server, IT departments can save both money and time.
Pros: Reduced support-call volume; eased security administration; templates extend log-on to custom applications; supports centralised log-on to 3270 mainframe applications.
Cons: Limited platform support.
Price: Program package: $US1999; one server: $US1969; pricing per user starts at $US99 for one client
Platforms: Server: AIX 4.1.4 or later. Client: Windows NT Workstation, OS/2 Warp.
Tel (02) 9354 7355 or Tel 1800 817 918