
HP IceWall SSO

STEP 2: What is HP IceWall SSO?
HP IceWall SSO is a joint development product of HP Japan and SCC, Ltd.
(Last Update : 2007.02.21)
This page offers an easy-to-understand explanation of HP IceWall SSO basic architecture and functions.

» What is HP IceWall SSO?
» One-minute guide to HP IceWall SSO functions
» The role of the HP IceWall SSO modules
» Reverse proxy
» The authorization function (access control)
» Single Sign-On
» User data distribution function (information inheritance function)
» Works with mobile phones and with agent-type authentication.

What is HP IceWall SSO?

  • HP IceWall SSO is a Web Single Sign-On solution first developed by HP Japan in 1997.
  • Web Single Sign-On provides greater convenience for the user, and through integration with HP infrastructure technology, a more secure system environment.
  • Through ver. 7.0 SP2, over 30 million user licenses have been sold, and the product holds the number one share in the access control market.*
*Based on shipped product revenue: 31.1% (MIC Research Institute, August 2004)

One-minute guide to HP IceWall SSO functions

Web Single Sign-On enables users to log in to multiple Web applications with a single authentication, while also providing integration of security and the “4As of Access Control” (see Diagram 1 below).

[Diagram 1: 4As of Access Control; features of HP IceWall SSO]

Basic architecture of HP IceWall SSO

The two primary components of IceWall
  • IceWall Server (forwarder)
    Located on the network (DMZ) along with the public server, it acts as a reverse proxy to relay messages between the Web client and backend applications.
  • Certification Server (certification module)
    Certification service manages user sessions. Connects to the database to manage IceWall user information.

HP IceWall SSO does not require any modules to be distributed to the client or the backend Web applications. Backend Web applications can be based on any OS or Web product.

The role of the HP IceWall SSO modules

The roles of the IceWall server and the certification module are outlined in the diagram below.

Reverse proxy

‘Proxy’ means a surrogate for the client, and ‘reverse proxy’ means a surrogate for the server. In a common system structure, access from the inside to an external resource goes through a proxy, while access from the outside to an internal resource goes through a reverse proxy.
The reverse proxy method has the following characteristics:
  • From the client side, only the IceWall server is visible (concealing function)
  • The firewall should also allow communication only with the IceWall server
  • Only the IceWall server needs server certificates (the reverse proxy function is available as a stand-alone product)

The authorization function (access control)

The authorization function (access control) is used to control which users (or groups) are allowed to access which URLs (applications).

Single Sign-On

‘Single Sign-On’ refers to enabling users to log in to multiple applications with a single authentication. Once the user logs in to the IceWall server, the IceWall server performs ‘browser emulation’ and thereafter logs in to each Web application automatically on behalf of the user. IceWall can handle 11 different methods and 48 different patterns of form authentication.
Following are the Single Sign-On functions that IceWall provides.
  • Login function
    To initiate access to content on a backend Web server, the user first logs in to IceWall. The user cannot access any backend server content without first logging in. The login function verifies the account authentication data against a directory service or database.

  • Logout function
    To close their access to content on a backend Web server, the user logs out from IceWall. Once they’ve logged out, they can no longer access any of the backend Web services or servers without logging in again.

  • Password change function
    This function enables users to request a password change with the IceWall server, with the change then reflected in the directory service or database. IceWall also enables users to configure a variety of password policies.

  • Logging function
    This function maintains a record of any access to backend Web services made through IceWall, making it possible to analyze user access frequency and activity.

  • External authentication function
    In addition to supporting certification via user name and password, by incorporating proprietary customer programs, IceWall can support a wide variety of certification types, including one-time passwords and even biometrics such as fingerprint authentication.

User data distribution function (Information inheritance function)

The user data distribution function (the ‘information inheritance function’) takes user attribute information (such as the user’s full name) from the certification database and passes it to the Web application using the header of your choice.
You can configure which information is sent to each Web application, and the Web application can easily obtain the user data from an environment variable.
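
The following is an added example, not code from HP or from the IceWall product: it sketches header-based user data inheritance from both sides, with the proxy setting the header and a WSGI backend reading it from the environment only when the request came from the proxy. The header name X-SSO-User-Name, the address 10.0.0.5 and all function names are hypothetical.

```python
# Added example. Header name and proxy address are hypothetical, not IceWall settings.
USER_HEADER = "X-SSO-User-Name"           # hypothetical header chosen by the operator
USER_HEADER_ENV = "HTTP_X_SSO_USER_NAME"  # how a CGI/WSGI backend sees that header
TRUSTED_PROXIES = {"10.0.0.5"}            # constructed address of the reverse proxy


def forward_headers(client_headers, session_user):
    """Proxy side: discard any client-supplied copy of the header, then set
    it from the authenticated session so the value cannot be spoofed."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() != USER_HEADER.lower()}
    out[USER_HEADER] = session_user
    return out


def inherited_user(environ):
    """Backend side: honour the header only when the peer is the proxy."""
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        return None
    return environ.get(USER_HEADER_ENV, "").strip() or None


def app(environ, start_response):
    """Minimal WSGI backend that greets the inherited user."""
    user = inherited_user(environ)
    text = [("Content-Type", "text/plain; charset=utf-8")]
    if user is None:
        start_response("403 Forbidden", text)
        return [b"not received through the SSO reverse proxy\n"]
    start_response("200 OK", text)
    return [f"Hello, {user}\n".encode("utf-8")]


def call(environ):
    """Run the app once with a constructed environ and return (status, body)."""
    seen = {}
    body = b"".join(app(environ, lambda status, headers: seen.update(status=status)))
    return seen["status"], body
```

The peer-address check in the backend complements the firewall rule described under "Reverse proxy": if a client could reach the backend directly, the header alone would not prove who the user is.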

Works with mobile phones and with agent-type authentication.

Because IceWall includes the following components, even mobile devices that do not use cookies can be supported.
  • Ability to embed the session ID in the URL
  • Templates for mobile devices (HTML)
IceWall also supports agent-type authentication.
When selecting agent-type authentication, you install the HP IceWall SSO agent module on your existing Web server, making it possible to access Web applications without going through the reverse proxy.
The latest version of the HP IceWall SSO agent module includes agent versions that support HP-UX (including Itanium), Red Hat Linux, Windows, Solaris, and JavaServlet, enabling you to create a much more flexible certification architecture.
© 2009 Hewlett-Packard Development Company, L.P.