Imprivata OneSign review
Unlike Enatel’s SSOWatch, Imprivata’s OneSign is an appliance-based solution aimed squarely at the enterprise. And whereas SSOWatch is designed to work with LDAP directory stores, OneSign supports a range of directories, including Microsoft Active Directory and Novell Directory Services environments.
It comprises two components: an appliance-based server and a software agent, which is installed on every workstation to be included in the process. Three agents are available: the main one, which also lets users disable the single sign-on (SSO) process; another aimed at simple workstation sharing; and a third that runs on Citrix MetaFrame servers. Fault tolerance is another key feature, as Imprivata only supplies the OneSign Server as a pair of appliances. Both are connected to the network and to each other, with one functioning as the primary server and the other as a failover mirror.
Installation in our AD domain didn’t take long and the appliance’s web interface is well designed. You need to enrol the main administrator first, after which you can import users from the chosen directory. Security policies determine the authentication methods for different user groups. OneSign supports passwords, ID tokens and fingerprint scanners, the latter two being optional features in SSOWatch. Lockouts can be applied after failed authentication attempts, while an offline mode uses cached, encrypted credentials when the server can’t be reached. That keeps users working through a server or network outage, although it also means the workstation holding the cache has to be protected in its own right.
Although SSOWatch was easy enough to use, we found application enrolment with OneSign much slicker. The APG (application profile generator) makes light work of defining applications and their login process. You pick the screens you want remembered, including the success and failure screens for login and password changes. When the application’s login screen appears, you simply drop a single target on it. OneSign recognises every field in the screen and builds a form from them. Clicking a field in the form makes the corresponding field in the login screen flash, so you can confirm that OneSign has correctly learnt the screen and all the relevant fields.
All you need do next is deploy the new profile to selected user groups, and the agents will pick this up the next time they contact the OneSign server. We tested this process with Microsoft Outlook, a webmail login screen and a Telnet session with a managed switch, and all worked perfectly. We also found OneSign handled command-line login screens far more efficiently than SSOWatch.
Reporting and event logging are two areas where Imprivata wins out, as both are far more sophisticated than SSOWatch’s. Predefined reports are provided for a wide range of user activities, including failed and successful logins and enrolments over a specified period.
There’s also a useful report that picks out users trying to get away with sharing their credentials. Notification options let you choose from 20 event types, such as a failed login, logins by specific users, repeated fingerprint ID failures and application credential changes. You decide which users are to be monitored, and an email is sent to a single address whenever the event is triggered.
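The review doesn’t say how OneSign’s shared-credential report or its repeated-fingerprint-failure notification actually decide what to flag. The following is an added example, not Imprivata’s code, showing the two heuristics a practitioner would typically reach for: a user is flagged for credential sharing when they log in at a second workstation while still logged in at a different one (sequential roaming between machines is deliberately not flagged), and a notification fires when a configurable number of fingerprint failures occur within a short window. The log format, field names and sample events are constructed for the example and are not OneSign’s.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    workstation: str
    kind: str  # "login", "logout" or "fingerprint_fail"


# Constructed sample events in a hypothetical "ts|user|workstation|kind"
# layout. This is NOT OneSign's log format; it exists only to drive the
# two detection rules below.
SAMPLE_LOG = """\
2024-03-01T08:00:00|jsmith|WS-RECEPTION|login
2024-03-01T08:05:00|jsmith|WS-WARD3|login
2024-03-01T08:20:00|jsmith|WS-RECEPTION|logout
2024-03-01T08:30:00|jsmith|WS-WARD3|logout
2024-03-01T09:00:00|adoe|WS-LAB1|login
2024-03-01T09:40:00|adoe|WS-LAB1|logout
2024-03-01T09:45:00|adoe|WS-LAB2|login
2024-03-01T10:00:00|bkhan|WS-ICU|fingerprint_fail
2024-03-01T10:00:20|bkhan|WS-ICU|fingerprint_fail
2024-03-01T10:00:45|bkhan|WS-ICU|fingerprint_fail
2024-03-01T10:01:10|bkhan|WS-ICU|login
"""


def parse_log(text):
    """Parse the constructed log into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, kind = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), user, workstation, kind))
    return sorted(events, key=lambda e: e.ts)


def find_shared_credentials(events):
    """Return (user, existing_ws, new_ws, when) for every login at a
    workstation while the same user still has an open session elsewhere.

    Caveat: a workstation that crashes without sending a logout leaves a
    session open forever here; a real product pairs this with session
    timeouts or workstation lockouts.
    """
    open_sessions = defaultdict(dict)  # user -> {workstation: login_ts}
    findings = []
    for e in events:
        if e.kind == "login":
            for ws in open_sessions[e.user]:
                if ws != e.workstation:
                    findings.append((e.user, ws, e.workstation, e.ts))
            open_sessions[e.user][e.workstation] = e.ts
        elif e.kind == "logout":
            open_sessions[e.user].pop(e.workstation, None)
    return findings


def repeated_biometric_failures(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window rule: emit (user, workstation, when) once each time
    `threshold` fingerprint failures land within `window` for the same
    user at the same workstation. The window is cleared after an alert so
    one burst of failures produces one notification, not one per extra
    failure."""
    recent = defaultdict(list)  # (user, workstation) -> failure timestamps
    alerts = []
    for e in events:
        if e.kind != "fingerprint_fail":
            continue
        key = (e.user, e.workstation)
        recent[key] = [t for t in recent[key] if e.ts - t <= window] + [e.ts]
        if len(recent[key]) >= threshold:
            alerts.append((e.user, e.workstation, e.ts))
            recent[key] = []
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ws_a, ws_b, when in find_shared_credentials(evs):
        print(f"{when}: {user} logged in at {ws_b} while still active on {ws_a}")
    for user, ws, when in repeated_biometric_failures(evs):
        print(f"{when}: repeated fingerprint failures for {user} at {ws}")
```

On the sample data only jsmith is reported for credential sharing (two overlapping sessions on different workstations), while adoe, who logged out of WS-LAB1 before logging in at WS-LAB2, is not; bkhan’s three failed fingerprint reads inside a minute trigger a single notification even though a successful login follows.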
OneSign is clearly a sophisticated product and works extremely smoothly. We had no problems enrolling our test applications and the level of features on offer makes this appliance-based product a good choice for enterprises.