Web Single Sign-On and Access Management

A Complete Single Sign-On Solution for Federated, Non-Federated, and Mobile Applications




Requiring users to prove who they are to receive access to a resource or an application they are trying to accessing defines the work of secure authentication. Single Sign-On (SSO) technologies make it possible for users to securely authenticate into all of their applications after providing their username and password just once, reducing the cost and effort of managing multiple usernames and passwords. For organizations looking to cut costs, or to encourage adoption and improve traffic to their platforms, SSO is an essential technology.



The typical organization uses a very diverse range of applications – from modern Cloud applications like Office 365 that can support current federation protocols, to older legacy applications that cannot be made to leverage these standards. Many SSO products are limited to applications that support federation protocols, but this is not a practical approach for the most organizations where these represent the majority of their applications.


EmpowerID solves the many challenges to successful single sign-on by offering the broadest range of SSO enabling technologies, including:


  • Federation with open standards like SAML, WS-Federation, WS-Trust, OpenID, and OAuth
  • Web Access Management for legacy SSO using web agents and a reverse proxy server
  • Centralized authentication with a built-in LDAP Virtual Directory and RADIUS server
  • A flexible multi-factor authentication server supporting OATH tokens and SMS of one-time passwords

Key Components of the EmpowerID SSO Platform Include:

SSO Application Dashboard

With a single company login, employees gain simple one-click access to all their cloud applications from their smartphones, tablets and computers. EmpowerID embraces Responsive Web Design to deliver a better user experience than every other competing application and platform. Built on HTML5 to handle the era of “Bring Your Own Device”, EmpowerID screens don’t just resize, they are reflowed to be attractive and to offer high usability on any platform on which they appear, whether a PDA, tablet, laptop or full-sized display. Users can claim accounts, register for accounts and have a simple click-to-authenticate to all on-premise and Cloud applications. Users don’t need to know whether you are federating, using Web Access Management or password vaulting; all they are required to know is just one username and password at one screen for access to all their federated applications.

Standards-Based Federation Server

The EmpowerID Federation server functions as an authentication hub allowing users to sign-in once with a user account in any trusted source (e.g. Active Directory, Azure Active Directory, SalesForce.com, Google, Facebook, Amazon, etc.) and then access participating applications without having to remember additional usernames and passwords. EmpowerID is a Cloud Single Sign-On and Identity Federation platform that supports all of the standard identity protocols – SAML, OpenID, WS-Trust, WS-Federation, and OAuth. The EmpowerID Federation server also includes a Security Token Service (STS) and an OAuth Server. The STS issues security tokens as defined in the WS-Security specification enabling the propagation of identity and security context between web services. The OAuth Server supports issuing OAuth 2.0 tokens for mobile application and API security.

Active Directory Integration

EmpowerID leverages Microsoft’s Integrated Windows Authentication to seamlessly authenticate users that are already authenticated with their Windows domain. EmpowerID provides a lightweight authentication utility that integrates Active Directory without the need for an installation of EmpowerID on remote networks. EmpowerID also provides full-feature Active Directory management and user provisioning services for organizations wanting to fully automate management of their corporate Active Directory.

SharePoint SSO and Access Management

EmpowerID federated single sign-on and role-based access control for Microsoft SharePoint. EmpowerID plugs into the claims-based authentication support in SharePoint to act as the Claims Provider in the SharePoint security model controlling authentication and authorization. EmpowerID also inventories all SharePoint sites and groups allowing centralized role and workflow-based access control with built-in access recertification and separation of duties enforcement.

Web Access Management

Web Access Management (WAM) provides single sign-on and policy-based access control to web resources for applications that do not support Federation. EmpowerID’s WAM solution gives you a powerful tool to achieve SSO for non-federated web applications. EmpowerID WAM supports SSO via the use of agents that run on the Java and .NET application servers and intercept each request for a web resource or by the use of the EmpowerID Reverse Proxy which stands in front of the web application and services end user requests. In each case, requests are intercepted and access is authorized by the powerful EmpowerID Role-Based and Attribute-Based authorization policies.

Policy-Based Access Control

EmpowerID centralizes the management of user authorization for customers, partners and employees across all web applications through a shared service. EmpowerID’s advanced policy engine allows organizations to define a user’s access to a diverse set of corporate and cloud-hosted resources via flexible role and attribute-based access control rules. This centralized authorization service greatly reduces development costs by allowing developers to focus on the application’s business logic instead of programming security policies into application code.

Password Vaulting

Password vaulting provides a secure way to access those applications that don’t support a password-free single sign-on protocol like SAML. EmpowerID stores the passwords securely server-side and injects them into an application’s login page during sign-on. A common usage for password vaulting is Shared Credentials. EmpowerID enables users to securely share logins for applications that don’t natively support multiple users without having to disclose the password.

Identity Warehouse and Sync Services

EmpowerID is a complete platform that offers comprehensive facilities including Identity Warehouse, virtual directory, Role-Based Access Control and workflow automation services, all built from the same codebase. EmpowerID’s Identity Warehouse is multi-tenanted directory service that stores the relationship of a Person to the accounts they own for both traditional identity management as well single sign-on. The Identity Warehouse is a key component in any SSO solution architecture enabling organizations to house external identities without compromising internal AD security. External users can securely authenticate against the EmpowerID Identity Warehouse using single or multi-factor authentication and gain access to only the applications you want to grant to them. The Identity Warehouse provides full self-service and delegated administration capabilities that allow end users to manage their passwords and identity associations. With additional modules and connectors, EmpowerID can provision users into almost any type of system or directory and it can manage them from a single console.

LDAP Virtual Directory

The EmpowerID Virtual Directory unifies all of the different directories in your organization into a single access point exposed as an LDAP directory. Many applications and operating systems support using an LDAP directory for centralized authentication and authorization, but only support the use of a single directory. Since most enterprise architectures maintain separate directories for internal and external users, a virtual directory solves this integration challenge. A virtual directory also addresses the challenge of delegated authentication by allowing internal users to authenticate directly against Active Directory, while separately authenticating external users against the EmpowerID Identity Warehouse or another specific store for this purpose, eliminating the need to synchronize passwords.

RADIUS Server

The integrated EmpowerID RADIUS Server provides RADIUS strong authentication to firewalls, network devices and VPN servers within your network infrastructure. EmpowerID verifies the credentials against the Identity Warehouse or connected directories like Active Directory and enforces strong authentication policies requiring multi-factor authentication.

Multi-Factor Authentication Server

Multi-factor authentication can be enabled as a requirement by policy or users may opt in to increase their personal security. Multi-factor authentication options include device authentication, one time passwords sent to mobile phones, knowledge-based authentication (Q&A), and a standards compliant OATH server for issuing hardware or software one time password tokens. Multi-factor authentication services are leveraged for all types of authentication including web SSO, LDAP, and RADIUS and can be enabled for adaptive authentication when users are accessing specific applications or other conditions are met.

Key Features and Benefits:

  • A complete solution for Single Sign-On and application access control
  • A simplified user experience by offering Single Sign-On to ALL of your applications
  • Strengthened security by providing adaptive authentication based on user role and application security level
  • Increased productivity by giving users easy dashboard to access applications
  • Decreased help desk cost by reducing password calls
  • Reduced complexity by offering authentication to both Cloud and on-premise applications

Call Toll Free:
1.877-996-4276