Macintosh SSO via PasswordBank
I recently had the opportunity to participate with PasswordBank (PB) in a Proof of Concept (POC) demonstration for a company in Chicago. The company was interested in seeing how the PB SSO product would integrate with its Macintosh users. Most of the senior company officers were Mac users, so the ability of the PB SSO product to work on the Mac was the focus of the POC.
The PasswordBank server was pre-configured by PB in the Amazon cloud prior to the POC. This is the same installation/configuration that would be done on a bare-metal server on site. Installation is straightforward and takes only a couple of hours. The entire server/database combination can be set up on a single server from a single DVD. The server is CentOS-based, and the DVD includes the PB software as well as a MySQL database.
Access to PasswordBank WebSSO requires a browser plug-in. For the POC the new Safari plug-in was used, Safari being the browser of choice for this customer.
Two cloud-based server configurations were discussed. The first is a single server in the cloud with no local presence; all SSO traffic must be allowed out to the cloud server for SSO to work. The second, known as the hybrid, uses a password router to intercept traffic inside the firewall and route only the SSO traffic to the cloud server. This router, also known as an Identity Server, can reside on any IIS server alongside whatever web services are already running in IIS. For this POC the single cloud server was used.
The Safari plug-in is managed through the extensions settings for Safari.
The settings are a check box to enable the server connection and the URL of the PB Server. A second URL setting is used in hybrid mode, where it points at the Identity Server/Password Router.
Application configuration is very simple. Once the application URL has been entered (LinkedIn in this case), the PB extension attempts to capture the login information as it is entered.
Note the PasswordBank banner that is shown; it indicates that the password capture process is happening. Once you enter your user ID and password they are captured and the banner is not shown again. Your credentials are now stored for future use. Should your password expire, the PB extension detects this and offers a means to update the stored credentials. The next time you go to LinkedIn the PB extension supplies the credentials.
Should you not wish to have credentials entered automatically, the PB extension can be paused for a particular application.
- Credentials can always be modified for each application individually without having to access the application.
- Credentials can also be deleted by a user for an application. This would cause the PB extension to ask for credentials again the next time the user accessed the application.
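As an added illustration (not PasswordBank's own code, which the post does not show), here is the core logic a capture-and-replay browser extension of this kind needs: a credential store keyed by page origin, a login-form field classifier, and the pause, update and delete operations listed above. The `CredentialStore` class, the field heuristic and the LinkedIn-style form are assumptions constructed for the example; the real DOM and extension storage APIs are left out. The point to take from it is the origin check: a credential saved for `https://www.linkedin.com` is filled on any page of that origin but never on a lookalike host or on the plaintext `http://` version of the site, and capture is refused on non-TLS pages.

```javascript
// Added example: browser-side credential capture and replay, as an extension
// like the one described would do it. Not PasswordBank's code; the store, the
// field heuristic and the sample form below are constructed for illustration.

// Saved credentials are keyed by origin (scheme + host + port), never by page
// title or full URL: a <title> of "Login" is not unique, and a lookalike host
// must never be handed a saved password.
function originOf(url) {
  return new URL(url).origin;
}

// Identify the username/password fields of a login form. Input is a list of
// {name, type, autocomplete} descriptors (a real extension reads them from the
// DOM). Returns null when the form holds no password field.
function findLoginFields(fields) {
  const pwIndex = fields.findIndex(f => f.type === "password");
  if (pwIndex < 0) return null;
  const before = fields.slice(0, pwIndex);
  const user =
    before.find(f => f.autocomplete === "username") ||
    before.reverse().find(f => f.type === "text" || f.type === "email");
  return user ? { username: user.name, password: fields[pwIndex].name } : null;
}

class CredentialStore {
  constructor() {
    this.entries = new Map(); // origin -> {username, password}
    this.paused = new Set();  // origins where automatic fill is switched off
  }

  // On form submit: store the typed credentials the first time a login form is
  // seen for this origin. Returns true when capture happened (the moment the
  // banner is shown). Only https pages are captured, so a password typed into a
  // plaintext page is never persisted.
  capture(url, fields, values) {
    const origin = originOf(url);
    const login = findLoginFields(fields);
    if (!login || !origin.startsWith("https:") || this.entries.has(origin)) return false;
    this.entries.set(origin, { username: values[login.username], password: values[login.password] });
    return true;
  }

  // On page load: the values to fill, or null when nothing is stored for this
  // exact origin, the form is not a login form, or the application is paused.
  fill(url, fields) {
    const origin = originOf(url);
    const login = findLoginFields(fields);
    const cred = this.entries.get(origin);
    if (!login || !cred || this.paused.has(origin)) return null;
    return { [login.username]: cred.username, [login.password]: cred.password };
  }

  // Maintenance operations a user performs from the extension UI.
  pause(url)  { this.paused.add(originOf(url)); }
  resume(url) { this.paused.delete(originOf(url)); }
  forget(url) { this.entries.delete(originOf(url)); } // next visit re-captures
  update(url, password) {
    const cred = this.entries.get(originOf(url));
    if (cred) cred.password = password;
    return Boolean(cred);
  }
}

// Walk the lifecycle on a constructed LinkedIn-style login form.
function demo() {
  const store = new CredentialStore();
  const form = [
    { name: "session_key", type: "text", autocomplete: "username" },
    { name: "session_password", type: "password", autocomplete: "current-password" },
  ];
  const typed = { session_key: "alice@example.com", session_password: "hunter2" };
  const out = {};
  out.plaintextCaptured = store.capture("http://www.linkedin.com/login", form, typed);  // false
  out.captured = store.capture("https://www.linkedin.com/login", form, typed);          // true
  out.again = store.capture("https://www.linkedin.com/login", form, typed);             // false, already stored
  out.sameOrigin = store.fill("https://www.linkedin.com/uas/login?trk=x", form);        // filled
  out.lookalike = store.fill("https://www.linkedin.com.evil.example/login", form);      // null
  out.httpOnly = store.fill("http://www.linkedin.com/login", form);                      // null
  store.pause("https://www.linkedin.com/");
  out.paused = store.fill("https://www.linkedin.com/login", form);                      // null
  store.resume("https://www.linkedin.com/");
  store.update("https://www.linkedin.com/", "correct-horse");
  out.updated = store.fill("https://www.linkedin.com/login", form).session_password;     // "correct-horse"
  store.forget("https://www.linkedin.com/");
  out.recaptured = store.capture("https://www.linkedin.com/login", form, typed);        // true
  return out;
}
```

Running `demo()` shows each behaviour in turn: the first capture on the `https` page succeeds, a second visit fills without prompting, the `.evil.example` lookalike and the `http://` page get nothing, a paused application is skipped, an updated password is what gets filled next, and forgetting the entry makes the next login capture again.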
Applications are created by users who have administrative rights to create applications. They do this by accessing the application once. Once created, any user may access the application and have SSO for it. Applications are named after the Title value of the web page, but this is readily changed should the title not accurately reflect the application (we had a few in the POC where the title was simply “Login”). The administrative UI provides the ability to customize the applications in many ways. Applications accessed via PB can be granted to a user or group, and user stores can be internal or external (e.g. Active Directory).
User access to the PasswordBank server is via user certificate. Administrative users generate certs for users, and users can retrieve them via the web or have them e-mailed to themselves. A certificate delivered by e-mail carries the private key that goes with it, so it should be protected in transit and removed from the mailbox once imported. Once a cert is installed in the OS X Keychain, Safari requests the cert when the extension is accessed via the dedicated PB icon (the rightmost icon shown below).
Hint: if you click Always Allow you will not be asked this for any future access. This adds Safari to the keychain item's access list, so the cert is then used without a prompt by any Safari session on that account; on a shared Mac, Allow (per use) is the safer choice.
This is a very simple, yet flexible, means to provide SSO functions within Safari on a Macintosh. Should your Mac users be Firefox-based, a similar plug-in is available. PasswordBank has an OS X client in the works that would extend single sign-on to the OS level, similar to what it already provides for Windows XP, Windows 7 and Linux desktop operating systems. These clients integrate at the OS login to provide single sign-on for the entire user experience.
As usual let us at IDMWorks know if you have questions or comments.