How Agent-Less SSO Works

Step 1: Register an application for A-SSO usage
  • An administrator registers an application for SSO, providing the application name and specifying whether users are allowed to know and set their credentials for that application. Registration follows a wizard that learns the application's pages (login, password change, etc.) and their controls. Once an application is fully registered, its metadata is stored in a secure, encrypted metadata database.
Step 2: Enable the client devices to utilize the A-SSO infrastructure
  • This is a two-step process: changing the DNS server IP address and installing a digital certificate. First, the client machines' DNS server IP address must be changed to point at the BiTKOO DNS filter IP address. This DNS filter is queried by the client's browser whenever the user navigates to a URL. If the application being navigated to is registered, the DNS filter returns to the browser the IP address of the A-SSO Proxy server and not that of the desired URL. How the DNS change is rolled out depends on the client environment; in most organizations it can be handled by an Active Directory policy push. Changing a client's primary and secondary DNS server IP addresses does not involve installing software and in most cases can be handled with ease. The second step is to register a digital certificate provided by the A-SSO server. In Active Directory shops this can be handled via a policy push as well. In other environments, the user may be asked to download a certificate, double-click it and follow a simple set of instructions.
Step 3: Use the A-SSO system to access applications without the need to provide credentials
  • Upon receiving the A-SSO Proxy server IP address from the DNS filter, the browser sends the request to the A-SSO Proxy, which checks whether the user has already authenticated. If so, the SSO proxy extracts the user's credentials for the target application from an encrypted database. The database holds a separate set of credentials for the user for each registered application. The SSO proxy then injects the user's credentials into a request to the application. Upon successful login, the cookies returned from the application, as well as all pages, are routed through the SSO proxy to the client's browser.
Step 4: Continuous password management by the password change service
  • The password change service is responsible for logging on to registered applications at a configurable interval and changing the users' passwords according to the password strength policy applied to each individual application. The service operates based on the metadata collected when the application was registered. It validates that the password change was successful and records the newly created password in the A-SSO encrypted database.
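
The routing decisions described in Steps 2 and 3, modelled as an added example that is not BiTKOO's code: the DNS filter answers with the proxy address only for registered applications, and the proxy injects stored credentials only for a user who has already authenticated. All class names, hostnames, addresses and credentials are constructed, and the two branches the page does not describe (user not yet authenticated, no stored credentials) are assumptions.

```python
# Added illustration of Steps 2-3; every name, host and address is constructed.
from dataclasses import dataclass, field

PROXY_IP = "192.0.2.10"  # hypothetical A-SSO Proxy address (documentation range)


def normalize(hostname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return hostname.rstrip(".").lower()


@dataclass
class DnsFilter:
    registered: set   # hostnames of applications registered in Step 1
    upstream: dict    # stand-in for ordinary DNS resolution

    def resolve(self, hostname):
        name = normalize(hostname)
        if name in self.registered:
            return PROXY_IP              # registered app: answer with the proxy
        return self.upstream.get(name)   # anything else: real address (None = no record)


@dataclass
class SsoProxy:
    vault: dict                                  # (user, host) -> credentials; encrypted in the product
    sessions: set = field(default_factory=set)   # users already authenticated to the proxy

    def handle(self, user, hostname):
        host = normalize(hostname)
        if user not in self.sessions:
            # Assumption: the page does not describe this branch.
            return ("authenticate_first", None)
        creds = self.vault.get((user, host))
        if creds is None:
            # Assumption: no stored credentials for this user and application.
            return ("no_credentials", None)
        return ("inject_and_forward", creds)     # proxy logs in, relays pages and cookies


def route(dns, proxy, user, hostname):
    """Return the decision a client request ends up with."""
    ip = dns.resolve(hostname)
    if ip != PROXY_IP:
        return ("direct", ip)                    # unregistered traffic never reaches the proxy
    return proxy.handle(user, hostname)


# Constructed sample data.
dns = DnsFilter({"crm.example.com"}, {"crm.example.com": "198.51.100.7", "news.example.org": "203.0.113.5"})
proxy = SsoProxy({("alice", "crm.example.com"): {"username": "alice.crm", "password": "constructed-secret"}}, {"alice"})
```

The model matches registered hostnames exactly after normalization, so a differently cased name or one with a trailing dot still reaches the proxy, while an unregistered name is resolved normally and bypasses it.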