IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2

Features

Learn about the different IBM® Security Access Manager for Enterprise Single Sign-On features that are available.

Single Sign-On with workflow automation

IBM Security Access Manager for Enterprise Single Sign-On provides single sign-on and workflow automation on shared and personal workstations.

You can automate user access to all corporate applications such as Web, desktop, generic computer terminals, and legacy applications by using policies and AccessProfiles. AccessStudio helps users to automate their logon and logoff workflow, through login and logoff scripts and AccessAgent plug-ins.

Users need to remember only one password. Users authenticate once, and IBM Security Access Manager for Enterprise Single Sign-On does the rest.

Strong authentication

Weak passwords and poor password management can compromise security. IBM Security Access Manager for Enterprise Single Sign-On provides strong authentication services to prevent unauthorized access to confidential corporate information and IT networks.

You can set user, machine, and system policies. You can configure IBM Security Access Manager for Enterprise Single Sign-On to enforce screen locks, graceful log offs, application logout, application shutdown, automatic termination of inactive sessions, and so on.

IBM Security Access Manager for Enterprise Single Sign-On integrates with existing authentication factors. It combines the use of primary authentication factors and second authentication factors. Primary authentication factors are user passwords and secrets. Strong authentication factors are smart cards, hybrid smart cards, and RFID fingerprint.

IBM Security Access Manager for Enterprise Single Sign-On:
  • Provides an open authentication device interface to support a wide range of smart cards.
  • Supports easy integration with serial ID card devices such as RFID badges.
  • Provides BIO-key support to leverage a broader range of biometric devices.
  • Supports the use of hybrid smart cards.

Secure session management

IBM Security Access Manager for Enterprise Single Sign-On provides session management on both the Windows workstation and on the Citrix or Terminal Server. AccessAgent provides personal, shared (kiosk), and private (kiosk with multiple sessions) desktop modes. Users can share workstations, and roam easily and securely from one workstation to another.

You can enforce inactivity timeout policies, or use session lock, unlock, logon, and logout scripts to secure the user session.

Auditing and reporting

IBM Security Access Manager for Enterprise Single Sign-On records audit events including user log on and log out of applications. All audit logs are stored in a central relational database. The logs provide the meta-information that can guide compliance and IT Administrators to a more detailed analysis. You can also create different types of reports from the audit logs. See IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide for more information.

Password reset

IBM Security Access Manager for Enterprise Single Sign-On provides a password reset functionality.

Users can reset their ISAM ESSO password from any workstation through a challenge-response process. During AccessAgent sign-up, users provide a number of secrets (answers to challenge questions), which can be used later to perform a self-service password reset. See Change password and reset password.

Policy management

IBM Security Access Manager for Enterprise Single Sign-On uses policies to control the behavior of its components. There are user policies, system policies, and machine policies. You can configure these policies through AccessAdmin.

Integration with user provisioning technologies

IBM Security Access Manager for Enterprise Single Sign-On can be integrated with user provisioning technologies to provide end-to-end identity lifecycle management.

When provisioned, users can use single sign-on to access applications on shared and personal workstations with only one password. There is no need to register each application user name and password because all user credentials are automatically provisioned.

IBM Security Access Manager for Enterprise Single Sign-On provides end-to-end identity and access management by integrating with the centralized identity management functions of IBM Security Identity Manager.

Utilities

IBM Security Access Manager for Enterprise Single Sign-On provides the following utilities:
  • An Export Import configuration tool
    Use this tool to automate the replication of the IMS Server configuration. You can easily export the IMS Server configuration details such as the IMS Server root certificate, data source, and enterprise directories. The Export Import configuration tool is useful if you want to:
    • Set up a high availability environment
    • Set up a disaster recovery environment
    • Reuse the IMS Server configuration from a Test environment to a Production environment or vice versa
    • Reuse the IMS Server configuration from a Proof-of-Concept to a Production environment or vice versa
    • Back up the IMS Server configuration for your current WebSphere® Application Server Stand-alone or Network Deployment setup
  • A diagnostic test page

    Use the test page to check the enterprise directory connector.

  • A code translation utility

    You can use this tool to query event codes and result codes and to view their corresponding descriptions.

Lightweight mode AccessAgent for Citrix/Terminal Server

AccessAgent installed on a Citrix or Terminal Server can run in lightweight mode. Running in lightweight mode can reduce the memory footprint of AccessAgent on a Citrix or Terminal Server and can improve the single sign-on startup time.


