3.1 Understanding SSO Assistant

SSO Assistant lets users securely store the credentials for their existing accounts on online applications and then provides a single sign-on (SSO) experience for those applications.

For example, a user Maria has an account on ChatWork, which she uses to communicate with her team members. Instead of entering her ChatWork credentials each time, she enters them once. SSO Assistant saves them and replays them every time she accesses ChatWork.

SSO Assistant and Form Fill policies both automatically populate HTML login forms, but they work differently. Form Fill policies scan each login page that is accelerated through Access Gateway and populate the credential fields. For more information, see Form Fill Policies in the NetIQ Access Manager 5.0 Administration Guide.

SSO Assistant does not go through Access Gateway. Instead, it provides connectors for different applications, and you can configure a connector for a specific site. SSO Assistant captures users’ credentials through a browser plug-in or extension and securely stores them on Identity Server.

Access Manager protects users’ credentials in transit with an SSL/TLS connection and at rest with AES-256 encryption in the credential store on Identity Server.

The following graphic depicts how Access Manager securely stores the credentials:

Figure 3-1 How Access Manager Securely Stores Credentials

Users must install the appropriate SSO Assistant extension or plug-in for their browser, or install the MobileAccess app, to get the SSO Assistant experience for an application. The following is the flow of actions when a user logs in for the first time to access an SSO Assistant application:

  1. A user logs in to User Portal by using Access Manager credentials.

  2. The user sees the appmarks for the available applications and clicks the appropriate appmark.

  3. If the SSO Assistant extension or plug-in for the browser is not installed on the computer, Access Manager prompts the user to install it.

  4. After installing the extension or plug-in, the user returns to User Portal and clicks the appmark again.

  5. The extension or plug-in opens a new tab where the user enters the user name and password for the application.

    The user needs to enter the user name and password for the application only once.

  6. The extension or plug-in captures the user’s credentials for the application and sends them to Access Manager over an SSL connection.

  7. Access Manager encrypts the user’s credentials with AES-256 encryption, and then stores the user name and password in the credential store that is part of Identity Server.

    Identity Server encrypts the user’s credentials with an encryption key that is unique per user account in Access Manager.

  8. Access Manager then redirects the user to the application over an SSL connection.

In subsequent Access Manager sessions, the user logs in with Access Manager credentials and accesses the destination application without providing the application’s credentials again. Identity Server securely retrieves the stored credentials, and the extension or plug-in submits them to the application for an automatic login on behalf of the user. This provides the user with an SSO experience.

The SSO Assistant browser extension must be installed on each device from which the user wants to access the application. Access Manager automatically prompts the user to install the extension the first time the user accesses the application’s appmark from a different device, even if the user’s credentials for the application are already stored in Access Manager. The extension then retrieves the user’s credentials for the selected application from Access Manager and submits them for an automatic login.

Typically, users have a different user name and password for each application. A user can have only one stored account per application. Access Manager stores the user’s current credentials, but users remain responsible for maintaining them. In User Portal, the menu under the user’s name provides the Clear Single Sign-on Credentials option, which lets users remove their stored credentials if the credentials have expired or been stolen.

If the user changes the user name or password for the application, or cancels the account, the stored credentials become invalid. The automatic login fails, and the browser extension takes the user to the application’s login page, where the user can log in with the new credentials. The old credentials must be removed from the store by using Clear Single Sign-on Credentials in User Portal; the new credentials are saved at the next login only after the previous ones have been removed.
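The following is an added example, not Access Manager code, that models the storage path in steps 6 through 8 together with the one-account-per-application rule and the Clear Single Sign-on Credentials behavior described above: a per-user AES-256 key, credentials sealed with AES-256-GCM and bound to the user and application they belong to, a second save refused until the stored record has been cleared, and decryption that fails closed when a record is moved or altered. The 32-byte master secret, the HMAC-SHA256 key derivation, the record layout, and the user and application identifiers are assumptions made for the example; this page does not describe Access Manager’s actual key management or storage format. The SSL connection in step 6 is assumed and not modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// AppCredential is the application user name and password the extension captures (step 6).
type AppCredential struct {
	Username string
	Password string
}

type record struct{ nonce, ciphertext []byte } // at rest: random nonce plus AES-256-GCM ciphertext

var ErrAlreadyStored = errors.New("credentials already stored for this application; clear them first")
var ErrNotFound = errors.New("no stored credentials for this application")

// CredentialStore is a constructed model of the Identity Server credential store.
type CredentialStore struct {
	masterKey [32]byte                     // assumption: server secret loaded from a protected keystore
	records   map[string]map[string]record // user ID -> application ID -> encrypted record
}

func NewCredentialStore(masterKey [32]byte) *CredentialStore {
	return &CredentialStore{masterKey: masterKey, records: map[string]map[string]record{}}
}

// userAEAD builds the per-user AES-256-GCM cipher. Assumption: per-user key = HMAC-SHA256(masterKey, label||userID).
func (s *CredentialStore) userAEAD(userID string) cipher.AEAD {
	mac := hmac.New(sha256.New, s.masterKey[:])
	mac.Write([]byte("sso-assistant/user-key/" + userID))
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key selects AES-256; cannot fail for that length
	gcm, _ := cipher.NewGCM(block)          // cannot fail for an AES block
	return gcm
}

// aad binds a ciphertext to one user and one application, so a record copied elsewhere fails to decrypt.
func aad(userID, appID string) []byte { return []byte(userID + "\x00" + appID) }

// Save encrypts and stores credentials (step 7). One account per application: a second Save is refused until Clear.
func (s *CredentialStore) Save(userID, appID string, cred AppCredential) error {
	if _, exists := s.records[userID][appID]; exists {
		return ErrAlreadyStored
	}
	gcm := s.userAEAD(userID)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	plain, _ := json.Marshal(cred) // a struct of two strings always marshals
	if s.records[userID] == nil {
		s.records[userID] = map[string]record{}
	}
	s.records[userID][appID] = record{nonce, gcm.Seal(nil, nonce, plain, aad(userID, appID))}
	return nil
}

// Retrieve decrypts the record so the extension can replay it in a later session.
func (s *CredentialStore) Retrieve(userID, appID string) (AppCredential, error) {
	var cred AppCredential
	rec, ok := s.records[userID][appID]
	if !ok {
		return cred, ErrNotFound
	}
	plain, err := s.userAEAD(userID).Open(nil, rec.nonce, rec.ciphertext, aad(userID, appID))
	if err != nil {
		return cred, err // wrong user, wrong application or tampered record: never replay
	}
	err = json.Unmarshal(plain, &cred)
	return cred, err
}

// Clear is the Clear Single Sign-on Credentials action: drop the record so the next login saves fresh credentials.
func (s *CredentialStore) Clear(userID, appID string) bool {
	if _, exists := s.records[userID][appID]; !exists {
		return false
	}
	delete(s.records[userID], appID)
	return true
}

func main() {
	var master [32]byte // constructed for the demo; a deployment loads this from its keystore
	io.ReadFull(rand.Reader, master[:])
	s := NewCredentialStore(master)
	fmt.Println(s.Save("maria", "chatwork", AppCredential{"maria.k", "old-pass"}))
	fmt.Println(s.Save("maria", "chatwork", AppCredential{"maria.k", "new-pass"})) // refused: one account per application
	s.Clear("maria", "chatwork")                                                   // user clears the stale credentials
	fmt.Println(s.Save("maria", "chatwork", AppCredential{"maria.k", "new-pass"}))
	fmt.Println(s.Retrieve("maria", "chatwork"))
}
```

Two properties matter here beyond the AES-256 figure in the text. The per-user key means a single leaked record does not expose every user’s applications, and the associated data ties each ciphertext to exactly one user and application, so a record copied to another row fails authentication instead of being replayed. The refusal to overwrite an existing record is what forces the Clear Single Sign-on Credentials step after a password change.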