Documentum Single Sign On
Introduction
Solfit provides a Kerberos-based single-sign-on (SSO) solution for Documentum (DCTM). We do this by using your existing Microsoft Active Directory (AD) environment. We use your Windows credentials and the secure AD Kerberos environment to authenticate to Documentum. Our solution is being used today by thousands of satisfied users spread around the globe (customers in life sciences, finance, travel & transport, chemicals, oil & gas, etc.).
In 2006 we had our solution successfully accredited by Documentum/EMC and we support all of the current DCTM client applications.
Why Kerberos and Active Directory?
- Traditional authentication methods send passwords across the network in clear text format.
- The Kerberos authentication system supports strong authentication on such networks.
- Active Directory uses Kerberos as its de facto authentication mechanism.
- You already have Active Directory so NO new infrastructure is required.
- Using AD credentials for DCTM authentication means identity administration is done centrally, in AD.
- You automatically have all the advantages that AD offers, i.e. centrally control/block users’ usage of DCTM, password aging etc.
Business Benefits
- Users are more productive. Multiple passwords and forgotten passwords decrease user productivity.
- Helpdesk costs are lowered due to fewer password resets.
Technical Benefits
- No additional infrastructure costs. Get more from your investment in Active Directory and simplify identity management based on an existing and stable infrastructure.
- No new expertise in AD, Kerberos, Windows/UNIX or DCTM required.
- No additional synchronization required, other than the normal DCTM LDAP_Sync job.
Security and Compliance Benefits
- No more passwords in clear text. This is a major cause of failed audits. True end-to-end Kerberos authentication satisfies security auditors.
- No Cookies
- No proprietary protocols
- No superuser account and password are required. They are a security risk.
Key Features
- Ability to mix different authentication methods, by repository, by user or by application:
  - Silent SSO (i.e. automatic with no user interaction) OR
  - Single Identity OR
  - In-line (etc/passwd for DCTM) OR
  - A mixture of all of the above, i.e. WebTop uses Silent SSO while DA forces the user to log in.
  - This is important because with Netegrity, ClearTrust or super-user trust, all users must have the same authentication method.
- End-to-end Kerberos (no super-user)
  - This is important because a super-user trust relationship is a security liability.
- No need for deep knowledge of:
  - Kerberos
  - DCTM
  - AD
  - This is important because an in-house build and in-house maintenance of a Kerberos authentication mechanism is expensive.
- No need to maintain multiple operating system versions
- No need to maintain at every application and content server upgrade
- Support of Windows Multi Domain/Forest
Solution Overview
Solfit’s Single Sign On solution for Documentum allows users from the applications listed below to automatically log on to repositories:
- Web (Webtop, DCM, App Connectors, DAM, DCO, Web Publisher, TaskSpace, etc.)
- WebDAV, CenterStage, DFS (thick and web clients)
- SharePoint (through Documentum Content Services for SharePoint)
Our solution is based on Kerberos (Microsoft's default authentication scheme since Windows 2000), which is a proven and secure method to provide the necessary tight security for authentication.
SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) and JAAS/WSE are used by web and DFS users, respectively, to exchange Kerberos tokens between the client and the web server.
GSSAPI/SSPI is used to authenticate the user in the content server through the Solfit external authentication plug-in.
Authentication Process