Sign On Express (SXP)



Transcript of Sign On Express (SXP)

Page 1: Sign On Express (SXP)

Technical Note

Sign-On Express is a next-generation web single sign-on solution that provides users with seamless and secured access to any web-based on-premise or cloud application from any device, anytime and anywhere. With Sign-On Express, users sign in once and do not have to type their user ID and password again and again.

Sign On Express benefits

Increase user convenience and productivity

SSO to any web-based on-premise or cloud application

Secure cloud applications with standard SSO protocols

Reduce password-related help-desk calls

Achieve compliance with extensive auditing and reporting

Over 1500 SSO connectors out-of-the-box, and Do-It-Yourself wizards to onboard other web-based applications for SSO without any technical skill-set

SIMPLE SECURE SWIFT

Sign-On Express Security – A technical note

Security in Sign-On Express

With ILANTUS's deep domain experience in IAM and security since the year 2000, Sign-On Express has been architected from the ground up with security best practices in mind, to meet industry-standard compliance norms. Sign-On Express handles a lot of sensitive data, which makes it imperative to secure that data both at rest and in motion.

Sign-On Express Development

Right from the development of the tool, the engineering team follows a strict security development lifecycle program based on Agile Scrum methodologies. Before any version is released, there are dedicated sprints for peer code review, vulnerability assessment and penetration testing.

Security while data is in motion

Communication between all Sign-On Express components is over a secured channel, as depicted in the diagram. The interactions between the components, as numbered in the diagram, are:

Page 2: Sign On Express (SXP)

1. User's browser to Sign-On Express Server – This communication is over an HTTPS (TLS) channel and is encrypted. Depending on the Sign-On Express deployment architecture, a firewall, intrusion detection system, proxy or reverse proxy may be involved as well.

2. Sign-On Express Server to LDAP – This communication is over an LDAPS (LDAP over TLS) channel and is encrypted.

3. Sign-On Express Server to Database – This communication is over a secured channel and is encrypted. The note does not name the protocol for this hop, so confirm in your own deployment that the database driver is configured for TLS with certificate verification.

Security while data is at rest

Static data resides in the database. All tables that hold sensitive information are encrypted using the industry-standard AES block cipher with 256-bit keys (AES-256), with a unique key per customer.

The table below highlights the various additional security parameters of Sign-On Express.

Security Parameter: Remarks

Multi-Factor Authentication
In addition to regular user ID/password authentication, Sign-On Express also supports multi-factor authentication built on the HMAC-SHA1 algorithm. This second factor adds an additional layer of security to user authentication.

Password Vault Security
For SSO to non-federated web applications, Sign-On Express replays the user ID/password to give users the SSO experience. Sign-On Express uses a secured password vault within the database to store the user's user ID/password. Passwords are encrypted with the industry-standard AES block cipher using 256-bit keys (AES-256), with a unique key per customer. Passwords are not cached on the user's workstation or browser at any point in time: only at run time is the user ID/password retrieved from the database and injected into the application in the browser, so the credential is present in the browser only transiently, during injection.
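Both the encrypted tables (data at rest, above) and the password vault rely on AES-256 with a unique key per customer. The Go program below is an added example, not Sign-On Express code, showing one sound way to build such a vault: a 256-bit data key per customer derived from a master key (the note does not describe how the product derives or stores per-customer keys, so the HMAC-SHA256 derivation, the master key and the row layout are assumptions), AES-256-GCM so every row is integrity-protected, a fresh random nonce per row, and the customer, user and application names bound in as associated data so an encrypted password cannot be copied into another user's row and replayed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Credential is one password-vault row: everything except the password is
// stored in the clear, the password only as AES-256-GCM ciphertext plus tag.
type Credential struct {
	Customer   string
	UserID     string
	App        string
	Nonce      []byte // 12-byte GCM nonce, unique per row
	Ciphertext []byte // password || 16-byte GCM tag
}

// Vault derives a distinct 256-bit key for every customer from one master key
// (assumed here; keep the master key in an HSM or KMS in a real deployment).
type Vault struct{ master []byte }

func NewVault(master []byte) (*Vault, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be exactly 32 bytes")
	}
	return &Vault{master: master}, nil
}

// customerKey = HMAC-SHA256(master, label || customer): 32 bytes, so a
// compromise of one customer's key reveals nothing about another's.
func (v *Vault) customerKey(customer string) []byte {
	mac := hmac.New(sha256.New, v.master)
	mac.Write([]byte("sxp-vault-data-key:" + customer))
	return mac.Sum(nil)
}

func (v *Vault) aead(customer string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.customerKey(customer)) // 32-byte key => AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// rowAAD binds the ciphertext to its row; GCM refuses to open it under any
// other customer/user/app triple.
func rowAAD(customer, user, app string) []byte {
	return []byte(customer + "\x00" + user + "\x00" + app)
}

// Store encrypts a password for later replay into the named application.
func (v *Vault) Store(customer, user, app, password string) (Credential, error) {
	g, err := v.aead(customer)
	if err != nil {
		return Credential{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Credential{}, err
	}
	ct := g.Seal(nil, nonce, []byte(password), rowAAD(customer, user, app))
	return Credential{Customer: customer, UserID: user, App: app, Nonce: nonce, Ciphertext: ct}, nil
}

// Retrieve decrypts a row at run time; it fails closed on any tampering.
func (v *Vault) Retrieve(c Credential) (string, error) {
	g, err := v.aead(c.Customer)
	if err != nil {
		return "", err
	}
	pt, err := g.Open(nil, c.Nonce, c.Ciphertext, rowAAD(c.Customer, c.UserID, c.App))
	if err != nil {
		return "", fmt.Errorf("vault: row for %s/%s failed authentication: %w", c.UserID, c.App, err)
	}
	return string(pt), nil
}

func main() {
	master := make([]byte, 32) // constructed demo master key; never use zeros in practice
	v, _ := NewVault(master)
	row, _ := v.Store("acme", "alice", "payroll", "correct horse battery staple")
	pw, err := v.Retrieve(row)
	fmt.Println(pw, err)
	row.UserID = "mallory" // try to reuse alice's ciphertext for another user's row
	_, err = v.Retrieve(row)
	fmt.Println("transplanted row:", err)
}
```

The associated data is what turns "encrypted" into "encrypted and bound to this row": without it, a database administrator could swap ciphertexts between users and have the SSO engine inject one user's password into another's session.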

Integrated Windows Authentication (IWA) advanced security policies
Sign-On Express supports IWA authentication. With the advanced security policy, IWA can be restricted to multiple IP ranges. This feature adds an additional check on the systems that access Sign-On Express.
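The IP-range restriction is only as good as the address it is evaluated on. When Sign-On Express sits behind the reverse proxy mentioned in the data-in-motion section, the TCP peer is the proxy, and the real client address arrives in a header that any untrusted client can also forge. The Go code below is an added example, not Sign-On Express code (the policy type, the CIDR lists and the header handling are assumptions): it permits IWA only for clients inside the configured ranges, and it honours X-Forwarded-For only when the peer is itself a listed trusted proxy.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"strings"
)

// IWAPolicy is the "advanced security policy" modelled for this example:
// IWA is offered only to clients whose address falls in Allowed; everyone
// else gets the ordinary login form.
type IWAPolicy struct {
	Allowed        []netip.Prefix // CIDR ranges where IWA is permitted
	TrustedProxies []netip.Prefix // peers whose X-Forwarded-For may be believed
}

func NewIWAPolicy(allowed, trustedProxies []string) (*IWAPolicy, error) {
	parse := func(cidrs []string) ([]netip.Prefix, error) {
		out := make([]netip.Prefix, 0, len(cidrs))
		for _, c := range cidrs {
			p, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, err
			}
			out = append(out, p.Masked())
		}
		return out, nil
	}
	a, err := parse(allowed)
	if err != nil {
		return nil, err
	}
	tp, err := parse(trustedProxies)
	if err != nil {
		return nil, err
	}
	return &IWAPolicy{Allowed: a, TrustedProxies: tp}, nil
}

func inAny(prefixes []netip.Prefix, addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	for _, p := range prefixes {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// ClientAddr returns the address the policy is evaluated against. The TCP
// peer is authoritative unless it is a trusted proxy, in which case the last
// X-Forwarded-For entry (the one that proxy appended) is used. A forged header
// from an untrusted peer is therefore ignored.
func (p *IWAPolicy) ClientAddr(r *http.Request) (netip.Addr, error) {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return netip.Addr{}, err
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return netip.Addr{}, err
	}
	if !inAny(p.TrustedProxies, peer) {
		return peer, nil
	}
	xff := r.Header.Get("X-Forwarded-For")
	if xff == "" {
		return netip.Addr{}, errors.New("trusted proxy sent no X-Forwarded-For")
	}
	hops := strings.Split(xff, ",")
	return netip.ParseAddr(strings.TrimSpace(hops[len(hops)-1]))
}

// AllowIWA reports whether the request may use IWA; any parsing problem
// fails closed to the password login rather than open to IWA.
func (p *IWAPolicy) AllowIWA(r *http.Request) bool {
	addr, err := p.ClientAddr(r)
	if err != nil {
		return false
	}
	return inAny(p.Allowed, addr)
}

func main() {
	pol, _ := NewIWAPolicy([]string{"10.0.0.0/8", "192.168.0.0/16"}, []string{"192.0.2.10/32"})
	r := &http.Request{RemoteAddr: "203.0.113.5:40000", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "10.1.1.1") // forged by an external client
	fmt.Println("IWA for spoofed header from untrusted peer:", pol.AllowIWA(r))
}
```

Taking the last X-Forwarded-For entry is correct for one layer of trusted proxies; with chained proxies, strip entries from the right for every trusted hop and use the first untrusted one.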

Vulnerability and Penetration Testing
Every Sign-On Express release undergoes thorough vulnerability and penetration testing to ensure strict security standards are followed.

Extensive Auditing & Logging
All events in Sign-On Express are audited, and log levels can be configured.

SIEM integration for correlation and analytics
SIEM solutions can be integrated with the Sign-On Express audit tables for correlation, to detect anomalies at the enterprise level.
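What a SIEM adds over the audit tables is correlation of rows that are individually unremarkable. The Go program below is an added example, not Sign-On Express code or its audit schema (the column names, event names and the sample rows are all constructed for the example): it runs two correlation rules over a small audit extract, one for a successful login preceded by a burst of failures, and one for a vault credential replay from a source address that has never authenticated successfully for that user.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEvent is a row as a SIEM might pull it from the audit tables
// (assumed column set; the note does not publish the schema).
type AuditEvent struct {
	Time  time.Time
	User  string
	Event string // AUTH_FAILURE, AUTH_SUCCESS or SSO_REPLAY (vault credential injected)
	SrcIP string
	App   string // target application for SSO_REPLAY, empty otherwise
}

type Alert struct{ Rule, User, Detail string }

func sortedCopy(events []AuditEvent) []AuditEvent {
	out := append([]AuditEvent(nil), events...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out
}

// BruteForceThenSuccess flags a successful login preceded, within window, by
// at least threshold failures for the same user: guessing that eventually worked.
func BruteForceThenSuccess(events []AuditEvent, window time.Duration, threshold int) []Alert {
	var alerts []Alert
	byUser := map[string][]AuditEvent{}
	for _, e := range sortedCopy(events) {
		byUser[e.User] = append(byUser[e.User], e)
	}
	users := make([]string, 0, len(byUser))
	for u := range byUser {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic alert order
	for _, u := range users {
		evs := byUser[u]
		for i, e := range evs {
			if e.Event != "AUTH_SUCCESS" {
				continue
			}
			fails := 0 // walk backwards while still inside the window
			for j := i - 1; j >= 0 && e.Time.Sub(evs[j].Time) <= window; j-- {
				if evs[j].Event == "AUTH_FAILURE" {
					fails++
				}
			}
			if fails >= threshold {
				alerts = append(alerts, Alert{"brute-force-then-success", u,
					fmt.Sprintf("%d failures within %s before success from %s", fails, window, e.SrcIP)})
			}
		}
	}
	return alerts
}

// NewSourceReplay flags an SSO_REPLAY from a source IP with no earlier
// AUTH_SUCCESS for that user: a vault credential used from somewhere the
// user never logged in from.
func NewSourceReplay(events []AuditEvent) []Alert {
	var alerts []Alert
	seen := map[string]map[string]bool{} // user -> IPs with a prior successful login
	for _, e := range sortedCopy(events) {
		switch e.Event {
		case "AUTH_SUCCESS":
			if seen[e.User] == nil {
				seen[e.User] = map[string]bool{}
			}
			seen[e.User][e.SrcIP] = true
		case "SSO_REPLAY":
			if !seen[e.User][e.SrcIP] {
				alerts = append(alerts, Alert{"replay-from-new-source", e.User,
					fmt.Sprintf("credential replayed to %s from %s with no prior login there", e.App, e.SrcIP)})
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed audit extract: alice is guessed five times
// then logged in, bob's vault credential is replayed from an address he never
// used, carol simply mistyped once.
func SampleEvents() []AuditEvent {
	t0 := time.Date(2024, 1, 15, 9, 0, 0, 0, time.UTC)
	at := func(min int) time.Time { return t0.Add(time.Duration(min) * time.Minute) }
	evs := []AuditEvent{
		{at(0), "bob", "AUTH_SUCCESS", "10.0.0.5", ""},
		{at(0), "carol", "AUTH_FAILURE", "10.0.0.7", ""},
		{at(1), "carol", "AUTH_SUCCESS", "10.0.0.7", ""},
		{at(5), "alice", "AUTH_SUCCESS", "203.0.113.7", ""},
		{at(6), "alice", "SSO_REPLAY", "203.0.113.7", "payroll"},
		{at(10), "bob", "SSO_REPLAY", "198.51.100.9", "crm"},
	}
	for m := 0; m < 5; m++ {
		evs = append(evs, AuditEvent{at(m), "alice", "AUTH_FAILURE", "203.0.113.7", ""})
	}
	return evs
}

func main() {
	evs := SampleEvents()
	for _, a := range append(BruteForceThenSuccess(evs, 10*time.Minute, 3), NewSourceReplay(evs)...) {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.User, a.Detail)
	}
}
```

Both rules are cheap to express as SIEM searches once the audit tables are shipped, and both depend on the timestamp, user and source address being logged consistently across event types; check that first when onboarding the audit feed.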


HOSTING

ILANTUS has been a pioneer in identity and access management for more than a decade, delivering a comprehensive identity solution through its Hosting Express (HXP). HXP is built on a framework that enables components from multiple vendors of your choice to be integrated into a unified solution, delivered in the cloud or on-premise, and managed by you or by ILANTUS. All major Identity & Access Management components – Identity & Access Governance, User Administration & Provisioning, and Identity & Access Intelligence – are incorporated in the HXP framework.