● platform independent
● concurrent user licensed
● IdP-class SSO (Single Sign-On) solution
● browser independent
● the world's fastest SSO/SLO/RELOGIN - browser independent
● versatile and very easy to implement
The OES client for Windows is fully supported in 2 ways. First, once the user authenticates to the OES environment, KeyShield proves the user's eDirectory identity with a signed token and authenticates the user automatically. Any change (logout, login) is recognized and followed (if the user logs out from OES, KeyShield does the same). Second, the KeyShield SSO client is able to control the OES client: when the user authenticates to KeyShield manually or via 2FA with a HW token, the KeyShield client initiates complete OES client authentication, incl. login script processing. If the user logs out from KeyShield, the KeyShield client initiates OES client logout. This is very useful for shared computers, kiosks and special application Windows workstations. This is designed for hospitals, schools, government organizations etc.
A domain (AD) environment is fully supported in various ways. The KeyShield client can read the user's identity, use NTLM2 and use Kerberos. Kerberos is also supported on Mac OS X machines registered to the domain. Regardless of the method used, any change (logout, login) is recognized and followed. The next generation of the KeyShield client for Windows is able to authenticate the user and map the user's home directory.
This is designed for shared computers, kiosks and special application Windows workstations used often by hospitals, schools, government organizations.
eDirectory, Active Directory, ApacheDS and OpenLDAP are natively supported. eDirectory is controlled directly through the LDAP interface; a customized PowerShell script is generated for Active Directory. ApacheDS is part of the KeyShield server distribution, with simplified configuration and a user/group management tool. This can be used for external users, development, testing etc. without affecting the production directory or consuming licenses.
If the user authenticates to a VPN or WiFi, for example, KeyShield can accept RADIUS Accounting packets from such devices and authenticate users seamlessly. This works similarly to the Microsoft or MicroFocus environment integration: once the user authenticates to the VPN, KeyShield authentication is automatic and the user can directly access any integrated system.
RADIUS Accounting is today's widely adopted standard for network appliance SSO/SLO, supported by firewalls, web content managers, WiFi controllers, proxy servers etc. KeyShield can log your users in and out of a virtually unlimited number of appliances by sending them RADIUS Accounting packets. Authentication includes transfer of group membership: KeyShield can map directory group membership to a firewall group in order to control the user's access to the internet, for example.
"KeyShieldSSO has become our main SSO solution"
How KeyShield SSO Works
Once you’re authenticated to your favourite directory (eDirectory, Active Directory or LDAP), KeyShield keeps information about your IP address and full name.
KeyShield is faster than other SSO solutions and much faster than the classic authentication methods used by portals. The number of users that other systems can handle in minutes, we are able to handle in seconds. Save the valuable time of your employees – don’t let them wait while they log in.
It doesn’t matter whether you access your application through a web browser or whether it is running on your desktop, KeyShield can pass your user identity to the application regardless. Because we support many major desktop platforms (Windows, Linux and Mac) and have clients for most major mobile operating systems (Android, iOS and Blackberry), it doesn’t matter what kind of device you use.
You can set up KeyShield to authenticate you against your directory – we support eDirectory, Active Directory and OpenLDAP. You can even connect multiple directories and KeyShield will then perform load balancing to distribute queries among them. If you do not have any directory, you can use KeyShield’s embedded directory service.
You can download plugins for many popular applications and systems, for example, GWAVA, Filr, Vibe, Drupal, WordPress and many others. Here’s a complete list of available integrations.
Support for other systems can be programmed very easily and efficiently using our RESTful API. We also offer SAML conformity for systems supporting it (like Google Apps or Microsoft Office 365). In most cases, your programmer should be able to implement KeyShield for your system within one working day.
For an additional layer of security, you can require users to place a hardware card into a card reader while they log in. This two-factor authentication can be switched on for selected services.
KeyShield can act as a RADIUS Accounting client – we inform active network elements (FortiGate, Cyberoam, SonicWall, SmoothWall, LightSpeed, LiteSpeed, etc.) about the identity of the user. KeyShield can also act as a RADIUS Accounting server – in which case it obtains information about the identity of the user from a firewall or Wi-Fi access point after successful authentication into a VPN.
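Because an accepted Accounting packet binds a user name to an IP address, the receiving side has to check the packet's authenticator before trusting it. The following is an added example, not KeyShield code: a generic RFC 2866 Accounting-Request verifier that maintains an IP-to-user map. The function names, the `sessions` dictionary and the sample packet builder are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST, START, STOP = 4, 1, 2           # RFC 2866 code and status values
USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE = 1, 8, 40   # attribute types

def build_request(ident, attrs, secret):
    """Construct a sample Accounting-Request (only used to make test input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_verified(packet, secret):
    """Return {type: value} for an authentic Accounting-Request, else None."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return None
    packet = packet[:length]
    # Authenticator = MD5(header + 16 zero octets + attributes + shared secret)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:   # truncated or malformed attribute
            return None
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def apply_accounting(sessions, packet, secret):
    """Update the IP -> user map; True only if the packet was accepted."""
    attrs = parse_verified(packet, secret) or {}
    user, ip, status = (attrs.get(t, b"") for t in (USER_NAME, FRAMED_IP, ACCT_STATUS_TYPE))
    if not user or len(ip) != 4 or len(status) != 4:
        return False
    ip = str(ipaddress.IPv4Address(ip))
    kind = struct.unpack("!I", status)[0]
    if kind == START:
        sessions[ip] = user.decode("utf-8", "replace")
    elif kind == STOP:
        sessions.pop(ip, None)
    return True
```

The authenticator only proves knowledge of the shared secret and does not stop a captured packet from being replayed, so a receiver should also restrict which source addresses may send Accounting packets and keep the secret long and unique per device.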
So-called yellow message functionality can deliver prompts to the screens of logged-in users. Such a message is hard to miss and does not go away until the user accepts it. The addressee of the message can be a specific user or a whole subnet. This function is especially suitable for sending information about network maintenance, etc.