
Identity Management at the Desktop

With corporations implementing identity management solutions within their enterprises, users are gaining access to resources in a more efficient and automated manner. This is bringing companies into compliance while at the same time reducing costs. At the desktop, however, productivity and compliance issues still plague the organization when users need to reset passwords on systems such as Active Directory (AD), or share common usernames and passwords to access server applications.

In this paper we discuss a complete end-to-end identity lifecycle management solution that enhances and extends the identity management solutions corporations have today, addressing the password management problem of users, namely with Active Directory. The same issue, and the same solution, also applies to password management across other thick-client applications, examples being Terminal Server, Lotus and terminal emulators.

The Challenge
How do you effectively manage users authenticating to Active Directory domains or other client applications without their having to contact the Help Desk to reset forgotten passwords or to unlock their accounts? In Active Directory this challenge may be circumvented by creating less restrictive password policies and password aging policies, but that brings compliance and security into question: it is clearly a workaround, implemented to keep Help Desks from being inundated with hundreds, if not thousands, of calls. For other thick-client applications the same is true, in that users forget the passwords they need to access client-server applications.

The Solution
Implementing an Enterprise Single Sign-On (ESSO) solution allows the corporation to manage centrally which applications each user has access to, together with the passwords and accounts connected to those servers, while also putting the responsibility for resetting Active Directory passwords or unlocking Active Directory accounts on the end users themselves. Not only does the solution allow password resets on Active Directory, it also lets users access thick-client applications that require a username and password, with the sign-on performed automatically on their behalf, thus achieving single sign-on.

This also enables users to move between desktops and still have access to their credential store, known as a ‘wallet’, so they can continue to access these applications without needing to know the passwords. It allows corporations to dictate policies per target system. Passwords can be hidden from users, which means that without an Enterprise Access Agent on the desktop they would not be able to authenticate to the target systems; nor would an intruder, since a password the user never knows cannot be stolen from them.

The solution provides a proxy that acts on behalf of the end user to sign on to configured applications, without the user having to enter their credentials for the target application. The ESSO product, TAM for ESSO, maintains an association between a user’s Active Directory credential and the credentials for every application the user has access to and for which TAM for ESSO is configured. TAM for ESSO recognizes the login screens and change-password screens of Windows, web, mainframe and Java-based applications, intercepts those screens and injects the user’s credentials into the application. In this way, a user who signs on to a corporate desktop is signed into all their applications without entering any application credentials. Moreover, the application credentials are stored securely in a central location, which is what enables single sign-on when users move between desktops.

The solution also provides password resets and unlocking of Active Directory accounts. If users have forgotten their password, need to unlock their Active Directory account, or have been locked out of their Windows domain, they can answer a set of challenge questions, which they previously answered during an enrollment process, to reset their AD password or unlock their account.
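As an added example, not part of the original paper or of the TAM for ESSO product, the following Python sketches the enrollment and verification logic that a challenge-question reset like the one described above depends on: answers are normalised and stored only as salted hashes, every enrolled question must be answered correctly in a single attempt, and repeated failures lock the reset path itself. The question texts, answers and the PBKDF2 work factor are constructed values chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

ITERATIONS = 100_000   # PBKDF2 work factor (assumed value; tune to your hardware)
MAX_ATTEMPTS = 5       # failed reset attempts before the reset path locks


def _normalise(answer: str) -> str:
    """Make matching tolerant of case, accents, punctuation and stray spaces."""
    ascii_text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    kept = "".join(ch for ch in ascii_text.lower() if ch.isalnum() or ch.isspace())
    return " ".join(kept.split())


def _hash(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(), salt, ITERATIONS)


@dataclass
class Enrollment:
    # question text -> (salt, hash); the plaintext answers are never stored
    records: dict = field(default_factory=dict)
    failed_attempts: int = 0


def enroll(questions_and_answers: dict) -> Enrollment:
    """Record the user's answers at enrollment time as per-question salted hashes."""
    enrollment = Enrollment()
    for question, answer in questions_and_answers.items():
        salt = os.urandom(16)
        enrollment.records[question] = (salt, _hash(answer, salt))
    return enrollment


def verify_for_reset(enrollment: Enrollment, supplied: dict) -> bool:
    """Return True only if every enrolled question is answered correctly."""
    if enrollment.failed_attempts >= MAX_ATTEMPTS:
        return False  # reset path locked; recovery must go through the help desk
    all_correct = True
    for question, (salt, expected) in enrollment.records.items():
        got = _hash(supplied.get(question, ""), salt)
        # Constant-time compare; evaluate every question so timing does not reveal which failed
        all_correct &= hmac.compare_digest(got, expected)
    enrollment.failed_attempts = 0 if all_correct else enrollment.failed_attempts + 1
    return all_correct
```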

The solution also integrates with the Identity Management (IDM) system in place at the company. Provisioning and deprovisioning of users can now be extended to the TAM for ESSO server, which also lets policies on the Identity Management system dictate which applications the user will be able to sign onto automatically, by having the IDM system manage the contents of the user’s wallet.
 
The Benefits
End users experience ease of use as a consequence of being seamlessly signed into applications without having to enter application credentials, resulting in productivity increases. Active Directory password resets and account unlocks are done by the end users themselves. This results in a significant reduction in help desk calls, which equates to reduced help desk costs. Finally, this brings the corporation into compliance from all ends of identity management.
