Single Sign On with Frontier Software chris21

Single Sign On is a big topic for enterprises. For most end users of an enterprise, password bloat is a real challenge - the more systems a user has to use, the more passwords they have to remember. This is especially challenging when most of the systems are not used regularly as it becomes hard to remember passwords you don't use often.

Single Sign On solutions are available in many forms these days - typically you look for the following outcomes:

  • Minimising the number of accounts a user needs for their regular business activity, meaning fewer passwords to remember (sometimes by way of Post-It notes stuck to a monitor!).
  • Reduction in the number of times a user needs to authenticate - often using just a desktop session to prove who the user is.
  • Reduction in the complexity of system integration: decoupled trust frameworks allow just-in-time provisioning, and deprovisioning users in a central directory reduces the risk of those users gaining access to a system when they no longer work for you.

Frontier Software chris21 is an ideal source of authoritative identity information about employees in your enterprise, and as such is often used as a source for identity management solutions.

Did you also know that chris21 can act as a consumer of identity information? Typically, you have these kinds of users of chris21:

  1. IT Administrators: They keep the infrastructure that supports your chris21 installation running. Typically, when acting as IT Administrators, they aren't actually using chris21 itself. They fall out of scope of the rest of this article.
  2. HR/Payroll Administrators: They operate the HRIS in order to keep the HR and payroll systems operational.
  3. Employees: They access the system to perform self-service functions; for example, checking leave balances, applying for leave, updating personal information.

HR and Payroll Administrators typically use the chris21 desktop application to access the HRIS. Although keeping accounts up to date is less of an administrative overhead for this class of user, it is good practice to use at the very least the LDAP integration options that chris21 provides. This allows HR users to log in using the same credentials they use to log in to their computer. This is called "Simple" or "Same" Sign On.

If using the Internet Option, you can use the Single Sign On option (available as an additional module) to allow the currently signed in Windows desktop user to sign in automatically.

Both of these provide better security - if the user can no longer sign in to the corporate directory, they can't sign in to chris21.

The Internet Option web server can be configured to:

  • Use Integrated Windows Authentication in IIS - with this model, if users are on the same domain as the IIS server, Kerberos can be used to identify the user. Each request then carries the identified user, which is available for chris21 to authorise.
  • Use another method of integration that can insert the identified user - for example, using a reverse proxy solution such as PingAccess to provide OAuth or federation against an authentication source.

This also works for employees using HR21. The HR21 web server is configured in a similar way to the Internet Option.

For both types of users covered in this scenario, a matching record must exist in the USR table. This can of course be done manually, if you know the domain and account name of each user and are inclined to do so. Otherwise, an automated identity solution (such as Identity Broker PLUS for Frontier chris21) can ensure all appropriate users have USR records with the right permission sets.
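One way to check the matching-record requirement before switching users to Single Sign On, as an added example that is not part of the original article or of chris21: reconcile a directory export against an export of USR logins. The CSV layouts, column names and sample accounts are constructed assumptions; the real USR table format is not shown here.

```python
import csv
import io

# Constructed sample exports. Column names are assumptions for this example,
# not the real chris21 USR schema or a real directory export format.
DIRECTORY_CSV = """domain,sam_account,upn,enabled
CORP,jsmith,jsmith@corp.example,true
CORP,akhan,akhan@corp.example,true
CORP,bwong,bwong@corp.example,false
"""
USR_CSV = """usr_login
CORP\\jsmith
bwong@corp.example
CORP\\olduser
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def index_directory(rows):
    """Map both login forms of each account (DOMAIN\\user and UPN) to its row."""
    index = {}
    for row in rows:
        index[(row["domain"] + "\\" + row["sam_account"]).lower()] = row
        index[row["upn"].lower()] = row
    return index

def reconcile(directory_rows, usr_rows):
    index = index_directory(directory_rows)
    matched = set()
    report = {"missing_usr": [], "disabled_in_directory": [], "unknown_in_directory": []}
    for usr in usr_rows:
        login = usr["usr_login"].strip()
        entry = index.get(login.lower())
        if entry is None:
            report["unknown_in_directory"].append(login)   # no such directory account
            continue
        matched.add(entry["upn"].lower())
        if entry["enabled"].lower() != "true":
            report["disabled_in_directory"].append(login)  # stale record to review
    for row in directory_rows:
        if row["enabled"].lower() == "true" and row["upn"].lower() not in matched:
            report["missing_usr"].append(row["upn"])        # no matching USR record
    return report

if __name__ == "__main__":
    for finding, logins in reconcile(load(DIRECTORY_CSV), load(USR_CSV)).items():
        print(finding, logins)
```

Accounts listed under `missing_usr` have no matching record to sign in against, while the other two lists are USR records that no longer correspond to an active directory account.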

If you have a sign in or user management problem with your chris21 installation, please feel free to contact me or the team at UNIFY Solutions for advice.


UNIFY Solutions is a global Identity, Access and Security firm. UNIFY works with its customers to help them solve their most complex digital transformation and mobility challenges.


Christopher Rouse

Executive General Manager - Technology @ Steadfast Group Limited | CISSP

7y

Interesting read mate, and a shame we are being forced to ADP this month otherwise I would have been in touch.
