Hi, I'm Todd Peterson, product marketing manager at Quest Software. Today, we're going to talk about single sign-on, one of the most important aspects of identity and access management. When we talk to customers in identity and access management, we find that they are often looking for single sign-on, but we find that it means different things to different people. Generally, there are four types of single sign-on that we run across and that can really benefit our customers.
The first is what we would call holy grail single sign-on. It's where you have one identity. That one identity gives you a single log-on. That single log-on to a single directory gives you one credential, which gives you access to everything you need, regardless of what it is. That's what you get with Windows and with Active Directory. Your one log-on, you never log on again to get access to any Windows resources. It's the most efficient, it's the most secure, it's the most compliant way to do single sign-on.
The second type is what we call enterprise single sign-on. It's often also called login automation. Enterprise single sign-on is where the end user has a single login. They log in once. But under the covers and behind the scenes, the login automation tool logs them into everything else they need. So the user has more convenience, but the IT staff still has to manage the identities on all of the systems. All the directories still exist, and actual logins still happen on all those systems.
The third is probably the most common form. It's called synchronization, or sometimes it's also called same sign-on. What it means is that you have a tool that synchronizes all of the directories and all of the passwords across the entire system. So the user logs in once to, for instance, Active Directory, and once to the mainframe, but the mainframe login is the same as the Active Directory login. That's what synchronization is.
And then the fourth type is a specialized case called web single sign-on. It's what you do to allow your users that are coming in remotely over the Internet to get to what they need to do in a single login instead of multiple logins in multiple web sessions. So how does Quest help with single sign-on? We have a set of solutions called the Quest One identity solutions that address all four of these types of single sign-on.
Let's start with the holy grail. You can assume that every user has an account in Active Directory. But what if that account could be expanded to cover a number of other things? We have a solution called Quest authentication services, and another called Quest single sign-on Java, that actually do that. It allows Unix, Linux, Mac, Java, SAP-- both the SAP GUI and the NetWeaver editions-- DB2, Oracle databases, and any application that speaks a number of standards, to become what we would call a full citizen in Active Directory. That means when the user logs into Active Directory, they are automatically given access to all of these other things as well. It's the true "get to one" we were talking about earlier. It's the holy grail. One credential, one login, one password.
But you may ask yourself, well, I'm sure not everything can become a full citizen in Active Directory. For cases like that, things like Oracle databases, Oracle applications, mainframes, some other applications, we have an enterprise single sign-on solution called Quest enterprise single sign-on. It's the classic login automation. The user logs into Active Directory, and that login initiates an enterprise single sign-on session that gives them seamless access to what they need. The login still happens on the Oracle application, it still happens on the mainframe, but it happens behind the scenes. The user doesn't have to do anything, doesn't have to manage that password.
We also have a web single sign-on solution. It's called Webthority. What it does is it allows the user to log in once, over the internet, to get access to whatever you have authorized that user to get to. This access is more secure because it's based on existing identities in Active Directory or whatever other directory you choose, and you can control access, you can control authorization, all based on that role and those policies. So web single sign-on is also a very real solution.
Another option is if you need to do synchronization. Generally, people like to do that for things like self-service password resets across the environment. We have a solution called Quest One in sync. It provides classic synchronization of passwords, especially integrated with our Quest password manager solution. So as you can see, Quest offers the full spectrum of single sign-on offerings. Perhaps no other vendor in the industry does that.
And why do we do that? Because there's three things that most companies need to do when it comes to identity and access management. Number one, they need to enhance security. Single sign-on allows you to enforce strong password policy, strong authentication, across your entire environment.
They need to improve efficiency. Single sign-on makes it more efficient for your end users. They're only logging in once. Your IT staff is more efficient because they have fewer passwords to reset. They can focus their time on what they need to do, rather than helping stupid people like me who forgot their password to log on.
And finally, it helps you achieve compliance. Single sign-on allows you to take an existing and compliant directory, such as Active Directory, and extend it to a number of other systems.
So you can see that the Quest One approach addresses all those challenges you may have with identity and access management. Security, compliance, and efficiency. To learn more about our single sign-on offerings, I encourage you to visit quest.com/identity-management. Thanks.