Learn how DSSS Authentication Server can be integrated with Sun Identity Manager
(Waveset Lighthouse) to support the Identity Management and User Provisioning within
a large corporation.
The corporation had over 5,000 employees and was incurring substantial resource
overhead in managing user access across its enterprise IT systems.
It operates several large applications, including HR, OfficeNet and database
applications, and the IT Security department was overwhelmed by the volume
of requests for creating and deleting users, unlocking suspended accounts and
resetting forgotten passwords.
It decided to adopt Sun Identity Manager (Waveset Lighthouse) as the
enterprise provisioning system to solve these problems. In this system, the Sun Identity
Manager (IM) site was protected by SSL encryption between the browser and the web server,
while access was controlled by a UserID/password authentication database
stored on the IM server.

There were three potential issues in this system:
- UserID/passwords were not protected end-to-end, leaving room for a sniffer
placed at the web server to steal login credentials.
- Authentication was one-factor. For more sensitive accounts, e.g. administrators,
2-factor authentication should be used.
- High demand for password-reset requests: users still found it difficult to remember
the infrequently used, yet very important, IM password.
On top of that, the corporation also had a number of web-based and outsourced
applications that were not managed by Sun IM. This could create confusion among users
during the login process. Some means of easing these problems was urgently needed.
DSSS Authentication Server can be integrated with Sun Identity Manager (Waveset Lighthouse)
to obtain a complete solution. After integration, the following enhancements were achieved.
The DSSS Authentication Server addresses the three potential issues above:
- Replay attacks and sniffing are prevented by the DSSS Applets, which encrypt the password before
it leaves the browser, achieving end-to-end security.
- Various methods of 2-factor authentication such as VASCO, SMS, Java phone, etc. are supported, giving
better login security for administrators and even ordinary users.
- With flexible token-management support, users can opt to receive a one-time user login via SMS for
authentication with the IM server. In this way, they no longer need to remember the IM password.
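The first bullet rests on a point worth making concrete: encrypting the password in the browser only stops replay if the server contributes a fresh, single-use challenge to every login, so that a captured response is worthless a second time. The following is an added illustration, not DSSS's applet or its protocol: a minimal challenge-response login in which the client derives a key from the password and proves possession of it with an HMAC over a server-issued nonce, and the server consumes each nonce on first use. All names (`AuthServer`, `client_response`, the iteration count, the sample user and passphrase) are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameter for the demo; tune to your CPU budget in a real deployment.
PBKDF2_ITERATIONS = 200_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Password -> fixed-length key. Run identically on both sides."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Browser side (the applet's job): the password itself never leaves the client,
    only an HMAC of the server's nonce under the password-derived key."""
    key = derive_key(password, salt)
    return hmac.new(key, nonce, hashlib.sha256).digest()


class AuthServer:
    """Server side: per-user verifiers plus a table of outstanding challenges."""

    def __init__(self, challenge_ttl: int = 60):
        self._users = {}        # user_id -> (salt, verifier)
        self._challenges = {}   # nonce -> (user_id, expires_at)
        self._ttl = challenge_ttl

    def enrol(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        # The stored verifier equals the client's derived key, so this table must be
        # protected as a secret (e.g. inside an HSM-backed store), unlike a password hash.
        self._users[user_id] = (salt, derive_key(password, salt))

    def challenge(self, user_id: str):
        """Issue a fresh random nonce; purge stale ones so the table cannot grow unbounded."""
        now = time.time()
        self._challenges = {n: v for n, v in self._challenges.items() if v[1] > now}
        salt, _ = self._users[user_id]
        nonce = secrets.token_bytes(16)
        self._challenges[nonce] = (user_id, now + self._ttl)
        return salt, nonce

    def verify(self, user_id: str, nonce: bytes, response: bytes) -> bool:
        entry = self._challenges.pop(nonce, None)   # single use: a replayed nonce finds nothing
        if entry is None:
            return False
        owner, expires_at = entry
        if owner != user_id or time.time() > expires_at:
            return False
        _, verifier = self._users[user_id]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def demo():
    """Returns (first_login_ok, replay_ok, wrong_password_ok)."""
    server = AuthServer()
    server.enrol("alice", "correct horse battery staple")        # constructed sample user

    salt, nonce = server.challenge("alice")
    resp = client_response("correct horse battery staple", salt, nonce)
    first = server.verify("alice", nonce, resp)      # genuine login succeeds

    replay = server.verify("alice", nonce, resp)     # sniffed response replayed: nonce consumed

    salt2, nonce2 = server.challenge("alice")
    wrong = server.verify("alice", nonce2, client_response("wrong password", salt2, nonce2))
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

What a network sniffer sees in this exchange is the salt, the nonce and a 32-byte HMAC, none of which is the password. The remaining exposure is an offline guess at the password from the captured HMAC, which is exactly why the page still keeps TLS on the link and adds a second factor for sensitive accounts.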
This preferred mechanism is one of the features of DSSS Authentication Server that
is not found in the Sun IM product. PIN Mailer printing can be done securely at multiple points of delivery,
because the content is encrypted before being transmitted to the final point of printing, and printing can
only be carried out by operators in possession of a smartcard.
Its template engine allows different formats to be printed from the same printer.
The DSSS Authentication Server functions as the central and common point of
authentication for all applications, including non-IM-managed applications.
The DSSS Authentication Server comes with a cryptographic engine (and optionally
a FIPS-certified HSM module) to carry out general-purpose cryptography. User-specific
information is encrypted and stored securely within the DSSS Authentication
Server.
The final integrated architecture is shown below:

- End-to-end security for better password protection.
- With unified login management and one-time passwords,
the number of password-reset requests dropped drastically.
- Secure PIN Mailer results in higher reliability and security of
password delivery.
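The one-time SMS login that drove the drop in reset requests only removes the password problem safely if each code is short-lived, usable once, and protected against guessing. Here is an added example of those three controls, written for this page and not taken from DSSS or Sun IM: an issuing service that stores only a keyed hash of the code, expires it after a fixed window, consumes it on first successful use and discards it after a bounded number of wrong attempts. The SMS gateway is replaced by a constructed stub (`fake_sms`), and `OneTimeLoginService`, the phone numbers, the TTL and the attempt limit are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # constructed parameters for the demo
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


class OneTimeLoginService:
    """Issues and redeems single-use SMS login codes.

    Only an HMAC of the code is stored, so a leaked table does not hand out live codes;
    `clock` is injectable so expiry can be tested deterministically."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._key = secrets.token_bytes(32)   # per-process secret for hashing codes
        self._pending = {}                    # user_id -> (code_hmac, expires_at, attempts_left)

    def _hash(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, phone_number: str) -> None:
        """Generate a fresh code, remember its hash, and hand the plaintext to the SMS channel."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = (self._hash(user_id, code), expires_at, MAX_ATTEMPTS)
        self._send_sms(phone_number, f"Your one-time login code is {code}")

    def redeem(self, user_id: str, code: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                         # nothing outstanding (never issued, used, or locked)
        code_hmac, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user_id]           # expired codes are dropped, not kept for retry
            return False
        if hmac.compare_digest(code_hmac, self._hash(user_id, code)):
            del self._pending[user_id]           # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user_id]           # too many wrong guesses: user must request a new code
        else:
            self._pending[user_id] = (code_hmac, expires_at, attempts_left)
        return False


def demo():
    """Returns (first_use_ok, reuse_ok, wrong_guesses, after_lockout_ok, expired_ok)."""
    outbox = []

    def fake_sms(number, text):                  # constructed stub standing in for the SMS gateway
        outbox.append((number, text))

    svc = OneTimeLoginService(fake_sms)
    svc.issue("alice", "+00-0000-0000")          # placeholder phone number
    code = outbox[-1][1].split()[-1]
    first_use = svc.redeem("alice", code)
    reuse = svc.redeem("alice", code)            # same code again: already consumed

    svc.issue("alice", "+00-0000-0000")
    code2 = outbox[-1][1].split()[-1]
    wrong = str((int(code2) + 1) % 10**CODE_LENGTH).zfill(CODE_LENGTH)   # guaranteed wrong
    wrong_guesses = [svc.redeem("alice", wrong) for _ in range(MAX_ATTEMPTS)]
    after_lockout = svc.redeem("alice", code2)   # correct code, but the entry was discarded

    now = [1_000_000.0]
    svc2 = OneTimeLoginService(fake_sms, clock=lambda: now[0])
    svc2.issue("bob", "+00-1111-1111")
    code3 = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    expired = svc2.redeem("bob", code3)
    return first_use, reuse, wrong_guesses, after_lockout, expired


if __name__ == "__main__":
    print(demo())
```

The attempt limit is what makes a 6-digit code acceptable: with three guesses per issued code the success chance of blind guessing is 3 in a million, whereas an unlimited endpoint would let the whole space be walked.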