Articles

Flexible yet Secure Authentication

Single Sign-On

New technology, demanding stronger user authentication than obtainable through traditional 2200 "user id/password" protection, required Unisys to develop innovative yet flexible new software.  With HMP level 7.1, Unisys introduces "the Flexible User Authentication (FLEX), Authentication Modules (AM), and the Authentication and Session Initiation Subsystem (ASIS) software to provide authentication for demand and TIP." This software provides optional, single sign-on capability to Windows and OS2200.  Once you sign on to Windows, you will no longer be prompted for a "user-id/password" when signing on to the 2200. 

KMSYS Worldwide, Inc.  is pleased to announce Version 3.1 of UTS eXpress.  Version 3.1 encompasses the latest releases of KMSYS Worldwide, Inc.  2200 connectivity products providing complete compatibly with the Unisys release.  KMSYS Worldwide products with the single point sign-on feature include emulators (UTS eXpress Plus, UTS eXpress Net, and UTS eXpress IT), development packages (UTS eXpress Pro and eQuate), query software (InfoQuest Client with Q-LINK) and database reorganization tools (I-QU ReorgComposer with I-QU PLUS-1). 

How does it work?

When you configure a KMSYS Worldwide product, you specify that you want to use single point sign-on for a specific virtual destination (2200).  When a session is opened through that virtual destination, our product will pass your Windows logon credentials (NTLM token) to the host for authentication.  If you use Kerberos security, you configure the domain-name\account-name (Kerberos ticket) on the same virtual destination window and that is sent to the host instead.  Depending on what you configure, the KMSYS Worldwide product will interface with the appropriate AM through the EXEC. 

Once I commit to single point sign-on, do I have to use it for all systems?

No.  You could have some virtual destinations configured that use it and others that don't.  For example, your production system requires single sign-on capability while your development does not, or maybe you require it for TIP transactions but not demand. 

What if I need to use more than one 2200 account, like an administrator’s, can I override single point sign-on without reconfiguration?

Yes.  The UTS eXpress SECURE software will look for a "$$OPEN_SOLICIT open-id" string, and if encountered, will open a dialog that allows you to choose a form of authentication which might be as simple as using the user-id/password of that administrator.  It could even be another NTLM token or Kerberos ticket.