v-GO SSO

Frequently Asked Questions


Administration

1. How do I manage v-GO SSO, enable applications and configure settings?

2. Is v-GO SSO deployable using software distribution tools?

3. Do I need to be an administrator to install v-GO SSO under 2000/NT?

4. Can I centrally control v-GO SSO administrative settings?

Authentication

5. Can I have different authentication methods with v-GO SSO?

6. Which smart cards does v-GO SSO support for strong authentication? What if I lose my card?

7. How can I authenticate myself to v-GO SSO?

Directory

8. I have more than one PC or move among numerous PCs at different sites. How can I use v-GO SSO on all of my computers and get my credentials?

9. How does v-GO SSO store data on my directory server(s)? Do you modify the base schema?

10. Will v-GO SSO slow down or impact the performance of my directory?

11. How much space will the v-GO SSO data take up on my directory?

Security

12. How does v-GO SSO encrypt and protect my logon credentials?

13. Is v-GO SSO FIPS 140-2 compliant?

14. How does v-GO SSO prevent an Administrator from resetting the Windows password and impersonating a user to access the user's stored credentials?

Application Sign-on

15. What applications does v-GO SSO work with?

16. How does v-GO SSO provide SSO to Windows Applications?

17. How does v-GO SSO provide SSO to Mainframe/Host Applications?

18. How does v-GO SSO provide SSO to Web Applications?

19. How does v-GO SSO provide SSO to applications on Citrix MetaFrame or MS Terminal Server?

20. How does v-GO SSO handle application password policies?

21. How does v-GO SSO handle application password changes?

General

22. How mature is v-GO SSO?

23. Is v-GO SSO a complete single sign-on solution?

24. Will v-GO SSO work with my Web browser?

25. What are the minimum system requirements for v-GO SSO client?

26. Where is the v-GO SSO documentation?

27. If I decide to stop using v-GO SSO, how do I access my password-protected applications?

Support

28. The application I want to use with v-GO SSO isn't listed in the New Logon Wizard. Can I still use v-GO SSO?

29. Auto-Recognize is not working on some of my Web sites. What should I do?


Administration

1. How do I manage v-GO SSO, enable applications and configure settings?
Passlogix provides you with the v-GO SSO Administrative Console, which is a GUI-based, wizard-driven configuration console for v-GO SSO.

v-GO SSO is designed so that your technical team does not need to engage in the time-consuming and costly process of creating, implementing and administering proprietary connectors, scripts or agents. This ensures that the enterprise deployment of SSO can be managed in-house with current administrative resources.

It allows your technical staff to:

Example of an administrator adding a new application:

First run the v-GO SSO Administrative Console Logon Form Wizard against the application that you wish to have v-GO SSO clients recognize. The Administrative Console creates a configuration/signature for the targeted application. Then, using the Console, you simply publish that new application configuration to your repository. All of your v-GO SSO clients are then updated with the new application configuration.

2. Is v-GO SSO deployable using software distribution tools?
Yes, v-GO SSO is deployable using any software distribution tool that is compatible with standard Windows applications. The v-GO SSO Administrative Console provides you with an easy way to customize the standard v-GO SSO MSI and a deployment package that is ready to be distributed with Microsoft's SMS or nearly any other distribution tool.

3. Do I need to be an administrator to install v-GO SSO under 2000/NT?
As long as you have administrator rights to the 2000/NT workstation, you will be able to properly install v-GO SSO. You need only normal user rights to use v-GO on a day-to-day basis.

4. Can I centrally control v-GO SSO administrative settings?
Yes, v-GO SSO administrative settings are controlled using the Administrative Console's easy-to-use GUI. The settings can be centrally managed when using v-GO SSO with a Directory (MS Active Directory, Sun ONE Directory, Novell eDirectory or a network file share). You simply store the application definitions, password policies and v-GO configuration settings in the v-GO configuration objects on the directory and each v-GO SSO client will pull down the newest configuration data each time it starts up.

v-GO SSO does not need a dedicated server but instead leverages your existing infrastructure.

Authentication

5. Can I have different authentication methods with v-GO SSO?
Yes, v-GO SSO currently supports RSA SecurID, smartcards (i.e. GemPlus and Schlumberger), Signature Authentication, Proximity Cards, Iris Recognition, Tokens (i.e. SAFLINK, Entrust Entelligence, RSA Keon and NEC Touch Pass), Digital Client and Server Certificates, Magnetic Access Cards, Fingerprint Biometric, Facial Biometrics, Handprint Biometrics, Voice Print Biometric, LDAP as primary authentication method, Novell/NDS, Active Directory & Kerberos or Windows.

Using the v-GO Authentication API, Passlogix can add support for virtually any means of authentication by writing a specific v-GO authenticator for that product.

6. Which smart cards does v-GO SSO support for strong authentication? What if I lose my card?
The only hardware or software requirements for smart card support in v-GO SSO are that you have a smart card that supports MS CAPI, a reader that supports access via the MS Smartcard APIs, and any drivers or tools required to make the smartcard or reader functional on the OS.

The v-GO SSO smart card solution is delivered as a plug-in authenticator module that integrates seamlessly with our SSO product, including its usage as the primary authentication to v-GO and its inclusion in the v-GO setup process.

The smart card authenticator supports a passphrase for cases where the user has lost a card and has been supplied a new card. The passphrase coupled with a standard domain credential logon can optionally be supported for those instances where the user has lost or forgotten a card.

7. How can I authenticate myself to v-GO SSO?
v-GO SSO allows for a variety of Primary/Front End Authentication methods. The product ships with authenticators for Windows Logon, Windows Domain Logon, Windows Active Directory Logon, LDAP, PKI System, smartcard/Token and Biometrics. In addition, Passlogix can enable support for virtually any specific authentication device that you require using our Authenticator API.

Directory

8. I have more than one PC or move among numerous PCs at different sites. How can I use v-GO SSO on all of my computers and get my credentials?
v-GO SSO fully supports roaming users, defined as users who move from workstation to workstation within a corporate environment. Our Synchronization Support uses an existing Directory Server or Network File Server to provide each user with access to their unique credential repository from virtually any workstation with connectivity to the Directory Server. v-GO SSO will store an encrypted copy of each user's credentials in the configured directory.

v-GO SSO supports the following directories for synchronization: Sun ONE Directory, Novell NDS eDirectory, Microsoft Active Directory, Microsoft AD/AM, virtually any other LDAP v2 or v3 directory or any available Network File Server.

9. How does v-GO SSO store data on my directory server(s)? Do you modify the base schema?
Passlogix has collaborated with leading suppliers of enterprise directories in designing our approach to supporting Directory Servers. Passlogix uses an effective class schema extension, which leaves your base schema intact as delivered by your directory vendor and creates a self-contained configuration object using our own object classes. By comparison, some companies make a base schema extension that modifies your base schema, specifically the user object, and appends SSO data to it. This causes problems during directory upgrades and directory replication, as the user object is always replicated.

10. Will v-GO SSO slow down or impact the performance of my directory?
A directory server is designed to store numerous objects and to have many users read data from those objects.

Passlogix stores each user's logon data in individual objects or records, which minimizes the impact of reading and writing data from/to the directory. This technique is designed around directory best practices for scalability and performance, since a directory is optimized for having many users read data and for writing only the minimum amount of data necessary.

Some companies append their SSO data directly to the user object as a continuous record, requiring the entire SSO data record to be read from or written to the directory when any one logon is changed or updated. This causes unnecessary network traffic in reading data from the directory and, even more troublesome, unnecessary writing of large amounts of data to the directory when only one logon credential is updated.

11. How much space will the v-GO SSO data take up on my directory?
v-GO SSO is designed to require minimal resources on a directory server infrastructure. The chart below illustrates the space that v-GO SSO would require on a directory in order to support a given size and number of credentials and the number of users. For example, an organization with 1,000 users that each had 10 credentials to applications would only need to allocate 2 MB for the SSO-related information on its directory server.

Credential size: 200 bytes
Number of apps: 10

Number of users    Space needed
1                  2 KB
10                 20 KB
100                200 KB
1,000              2 MB
10,000             20 MB
100,000            200 MB

Another noteworthy design consideration is that v-GO SSO interacts with a directory server on a record-by-record level, so that the user is not required to synchronize their entire credential repository when only one 200-byte credential is updated due to a password change. Many competing SSO solutions are known to store their credential repository as an entire data entry, thus requiring unnecessary traffic between the directory server and the end user workstation.

Security

12. How does v-GO SSO encrypt and protect my logon credentials?
v-GO SSO creates a unique primary symmetric key for each user to be used in encrypting the user's credentials. End-to-end encryption is provided between the v-GO SSO agent and the Directory using the selected encryption algorithm. v-GO's default encryption algorithm is the MS CAPI-provided Triple DES. The SSO Administrator can also select MS CAPI-based 256-bit AES, RC4 and non-MS CAPI Blowfish, Cobra, Triple DES and AES. Credentials are stored encrypted on the PC, in transit and in the Directory. Credentials are not stored unencrypted in memory. The only time that sensitive data is not encrypted is the moment a specific piece of data (e.g., a credential) is requested for viewing (if permitted), or when it is submitted to an application for sign-on.

13. Is v-GO SSO FIPS 140-2 compliant?
Yes, v-GO SSO uses the MS CAPI-based Triple DES, 256-bit AES and RC4, which are certified to meet FIPS 140-2 requirements for United States Government customers.

14. How does v-GO SSO prevent an Administrator from resetting the Windows password and impersonating a user to access the user's stored credentials?
To prevent the Administrator from impersonating a user in a Windows Authentication environment, there are two different deployment choices and configurations involving the authenticator type. v-GO SSO Windows Authenticator V2 is not subject to this type of vulnerability at all.



Application Sign-on

15. What applications does v-GO SSO work with?
v-GO SSO works with virtually any application: Windows applications; commercial or homegrown Mainframe/Telnet applications; internal or external Web sites. Please reference the v-GO SSO Fact Sheet for more information.

16. How does v-GO SSO provide SSO to Windows Applications?
v-GO SSO responds to any and all requests for user credentials from Windows applications for both logons and password changes. It works out-of-the-box with all of the most widely used applications and can be configured in minutes to work with any other application.

All credential requests in Windows have specific attributes: application name, window name, the control ID of the input field, and so on. v-GO SSO looks for the specific attributes of each application's logon and password-change dialogs and responds accordingly. The attributes for any application are easily identified and captured using the v-GO SSO Administrative Console and stored in the administrative configuration object on the directory or locally to a PC.

v-GO SSO captures standard, OS-level Windows messages and analyzes them. When a specified application creates a dialog, v-GO SSO looks at the window title. If v-GO SSO recognizes the window title, it searches for the appropriate control ID(s). v-GO SSO submits credentials to most Windows applications via secure, standard, OS-level Windows messages. Thus, keyboard-sniffing utilities cannot intercept the credentials. Furthermore, since v-GO SSO does not use scripts or keystrokes, users cannot confuse the response by selecting and working in another application.

17. How does v-GO SSO provide SSO to Mainframe/Host Applications?
v-GO SSO responds to any and all requests for user credentials from Mainframe/Host applications. It works out-of-the-box with all of the most popular Mainframe/Host emulators and can be configured to work with others.

All requests for credentials in Mainframe/Host applications have specific attributes: window title and various blocks of text (at specific coordinates for Mainframe applications), username/password field text, and so on. v-GO SSO looks for the specific attributes of each application's logon and password-change screens and responds accordingly. The attributes are easily identified and captured using the v-GO SSO Administrative Console and stored in the administrative configuration object on the directory or locally to a PC.

v-GO SSO monitors emulators, looking for the defined matches. When a new screen is presented, v-GO SSO reviews the text for matching fields. If all strings match, v-GO SSO submits the user credentials.

v-GO SSO submits credentials to most emulators via HLLAPI. Thus, keyboard-sniffing utilities cannot intercept these credentials. Furthermore, since v-GO SSO does not use scripts or keystrokes for these emulators, users cannot confuse the response by selecting and working in another application. v-GO SSO also supports some emulators that have a scripting language capable of presenting a (hidden) pop-up dialog box for v-GO SSO to respond to.

18. How does v-GO SSO provide SSO to Web Applications?
v-GO SSO responds to any and all requests for user credentials from Web applications, whether in a form or via a pop-up dialog. Unlike most SSO products, v-GO SSO supports access to all Web applications, not just intranet applications. Most Web applications are supported out-of-the-box and new applications can be quickly added using the Administrative Console.

All credential requests in Web applications are either in forms or in pop-up dialogs. v-GO SSO Browser responds to the specific events of a web dialog popping up or of a web page rendering. The associated attributes are easily identified and captured using the v-GO SSO Administrative Console and stored in the administrative configuration object on the directory or locally to a PC.

19. How does v-GO SSO provide SSO to applications on Citrix MetaFrame or MS Terminal Server?
v-GO SSO natively supports both MS Terminal Server and Citrix MetaFrame 1.8 and above. By installing v-GO SSO on the TS or Citrix server, any application that is launched on that server can be provided the same SSO functionality as an application launched on your desktop. Each user still receives their individual credential repository since v-GO SSO reads the user's SSO data from a directory server (AD or LDAP).

20. How does v-GO SSO handle application password policies?
v-GO SSO fully supports different password policies for each of your SSO enabled applications. Password policies can be easily configured to meet your requirements for each application. When you enable an application for single sign-on using the v-GO SSO Administrative Console, you also configure the password policies for the application.

The Administrative Console lets the Administrator create a password policy with the following controls:

You can then assign the policy as a default global password policy, to a specific application, or to several applications.

21. How does v-GO SSO handle application password changes?
v-GO SSO fully supports different password change behaviors for each of your SSO-enabled applications. Password changes can be easily configured to meet your requirements for each application. When you enable an application for single sign-on using the v-GO SSO Administrative Console, you also configure the password change for the application.

v-GO SSO detects a password change request just as it detects the initial application logon request. Password changes can be set to occur as frequently as desired because v-GO SSO detects the password change and handles it seamlessly for the user.

When the application requires a new password, v-GO SSO can either generate a random password that conforms to the password policy that was created for the application, or allow the user to enter a new password. By using random password generation, users never need to know their passwords.

You can allow your users to choose their own new password for some or all applications. v-GO SSO supplies their old password to the application when requested and prompts the user to enter a new password for the application. v-GO SSO saves the new password in the local data store as well as to the directory data store and then logs on to the application using the new password.
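
Random generation against a per-application password policy, as described in this answer, sketched as an added example (not Passlogix code). The policy fields are assumptions, since the page does not list the console's controls; the generator uses the OS CSPRNG with rejection sampling so that every conforming password of a given length is equally likely.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    # Hypothetical controls: assumed for illustration, not the product's list.
    min_length: int = 12
    max_length: int = 16
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    specials: str = "!#$%*+-=?@_"
    excluded: str = "O0Il1"   # look-alike characters some applications reject
    max_repeat: int = 2       # longest allowed run of one character

    def classes(self):
        """Return (alphabet, minimum count) per class, exclusions applied."""
        strip = lambda chars: "".join(c for c in chars if c not in self.excluded)
        return [
            (strip(string.ascii_uppercase), self.min_upper),
            (strip(string.ascii_lowercase), self.min_lower),
            (strip(string.digits), self.min_digits),
            (strip(self.specials), self.min_special),
        ]

def longest_run(text):
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best

def conforms(password, policy):
    """Check length, per-class minimums, allowed characters and repeats."""
    if not policy.min_length <= len(password) <= policy.max_length:
        return False
    allowed = set()
    for alphabet, minimum in policy.classes():
        allowed.update(alphabet)
        if sum(ch in alphabet for ch in password) < minimum:
            return False
    if any(ch not in allowed for ch in password):
        return False
    return longest_run(password) <= policy.max_repeat

def generate(policy, max_attempts=10_000):
    """Draw uniformly from the allowed pool and reject non-conforming results.

    Rejection sampling avoids the bias of "place one character of each class,
    then fill and shuffle", which over-represents some passwords.
    """
    classes = policy.classes()
    required = sum(minimum for _, minimum in classes)
    if required > policy.max_length or policy.min_length > policy.max_length:
        raise ValueError("policy cannot be satisfied")
    if any(minimum > 0 and not alphabet for alphabet, minimum in classes):
        raise ValueError("a required character class is empty after exclusions")
    pool = "".join(alphabet for alphabet, _ in classes)
    if not pool:
        raise ValueError("no characters are allowed by this policy")
    span = policy.max_length - policy.min_length + 1
    for _ in range(max_attempts):
        length = policy.min_length + secrets.randbelow(span)
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if conforms(candidate, policy):
            return candidate
    raise RuntimeError("no conforming password found; policy too restrictive")
```

Running `conforms` on the generated value before it is submitted to the application and saved keeps a misconfigured policy from producing a password the application will reject.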

General

22. How mature is v-GO SSO?
v-GO SSO is a stable, mature product that has been steadily improved upon since its commercial introduction in 1998. v-GO SSO is deployed in numerous Fortune 500 corporations and government offices. It has a large, steadily increasing deployed user base, with the largest single implementation exceeding 130,000 users.

23. Is v-GO SSO a complete single sign-on solution?
v-GO SSO is the Universal Single Sign-On Solution targeted to enterprise customers' needs.

v-GO SSO signs you on to any type of application:

v-GO SSO accommodates any type of user authentication:
  • Windows authentication
  • PKI
  • Smart Cards
  • Biometrics
v-GO SSO can work with any identity management infrastructure:
  • Directory
  • Web SSO
  • Provisioning solution
  • Management consoles
v-GO SSO works in any mode:
  • from a dedicated or shared machine, even a kiosk
  • connected to or disconnected from the network
When using Windows Authentication, your v-GO SSO password and your existing Windows password are one and the same. Once you have authenticated to Windows, v-GO SSO logs you into all of your applications by providing each application with the username and password that they require. All management and configuration aspects of v-GO SSO can be easily accomplished using our wizard-based Administrative Console.

24. Will v-GO SSO work with my Web browser?
v-GO SSO works with versions 5.5 SP2 and higher of Internet Explorer®.

To update your current version of Microsoft® Internet Explorer®, please visit the Microsoft Internet Explorer Web site.

25. What are the minimum system requirements for v-GO SSO client?

SSO Client Agent

SSO Administrative Console & Server
  • Microsoft® Windows® 2000, XP, 2003 Server
  • 100 MHz Pentium-compatible processor and 64 MB RAM
  • .NET Framework 1.0
  • Windows Installer 2.0 or higher
  • Disk Space: ~4 MB for MSI installer; ~31 MB for EXE installer, overall ~15 MB for the installed program and data
  • Directory requirements: Active Directory, Sun Java System Directory 5.1 or higher, Novell eDirectory 8.5 or higher, or other LDAP v2/v3 compliant directory


26. Where is the v-GO SSO documentation?
Product documentation is now available in electronic form and is also provided as part of the Administrative Console's online help system. To access the detailed administrative guide simply select Help from the Administrative Console menu or press F1 for context-sensitive help. If you wish to read the Administrative Guide prior to installing v-GO SSO, simply open the documentation folder on the v-GO SSO CD and double-click the file named v-GO SSO Administrative Guide.chm. Of course, you can contact your support engineer if you need additional assistance.

27. If I decide to stop using v-GO SSO, how do I access my password-protected applications?
For Web sites, applications, and terminal emulators, simply enter your traditional username/ID and passwords when prompted.

Support

28. The application I want to use with v-GO SSO isn't listed in the New Logon Wizard. Can I still use v-GO SSO?
Yes, you will need to show v-GO where the logon boxes for username/ID and password are on the application logon screen.

  1. Click the v-GO SSO Tray Icon, point to Configuration then click Logon Manager. In Logon Manager, click the Add button. In the New Logon Wizard select Application not in List. Under Name/Description, type the name of the application and click [Next>].
  2. Click on the v-GO logo with your mouse and drag it to the username/ID text box of your application. A green check mark appears on the v-GO logo.
  3. Click the v-GO logo with your mouse and drag it to the password text box of your application. A green check mark appears on the v-GO logo.
  4. Click [Next>], enter your credentials and proceed to the final steps of the Application Wizard.


29. Auto-Recognize is not working on some of my Web sites. What should I do?
Check to see if the Web site's URL has changed. If it has, edit the site's logon information to reflect the new URL. To do this, click the v-GO SSO Tray Icon, point to Configuration then click Logon Manager. Select the logon, and click Properties. Enter the new URL and click OK.
