Legacy Single Sign-On: Novell, Evidian, IBM, PassGo, or Computer Associates?


Executive Summary

As the complexity of enterprise systems increases, users are often forced to remember more and more passwords. As the demand on users increases, many users choose to write down their passwords, and by doing so, jeopardize security. Even if the users never do anything to compromise the organization's security, they are more likely to forget passwords when multiple passwords are required. The resulting constant password resets can amount to an unprecedented cost. The solution to this problem is for organizations to implement single sign-on software across the enterprise. In this article, I'll be comparing five leading non-Web-based single sign-on products to see which is the best.

What is Legacy Single Sign-On?

Like Web single sign-on, legacy single sign-on is a technology that allows a user to use a single password to access all resources that are available to them. However, while Web single sign-on only controls Web-based applications, legacy single sign-on extends the single sign-on functionality to other types of applications and network resources, typically within an organization's own intranet, such as applications running in terminal emulators or Windows GUI-based applications.

The Issues

Comparing software products is rarely as simple as just picking the product that seems to work the best. Usually, as is the case in this comparison, there are a plethora of issues that must be compared. In the sections that follow, I've explained the most important issues that anyone who's considering buying a single sign-on product should consider.

Supported Platforms

The first issue that must be taken into account is the issue of compatibility with the existing infrastructure. Not all single sign-on products will work with all server platforms or with all client platforms. Additionally, not all legacy single sign-on products are able to perform authentication for every application.

Scalability and high availability

The next issue that you must consider is scalability. Traditionally, many single sign-on products simply don't scale well for larger organizations. Although each single sign-on vendor publishes some sort of scalability information, I've found that it's just as important, if not more so, to examine real world deployments as it is to look at the manufacturer's scalability information. Although the information isn't available for each product, I've included some information on the largest real world deployment for some of the products later in this document. High availability is also essential. SSO is a business-critical application: when an SSO service without high availability goes down, employees are not able to respond to enquiries. Therefore, SSO high availability is a critical feature!

Smart Card Support

If used improperly, single sign-on products can actually weaken an organization's security. After all, if an intruder happens to figure out a user's single sign-on password, they will gain access to everything that the user has access to, regardless of other password check points that may be in place.

One way of helping to counter potential vulnerabilities is to combine single sign-on technology with smart card technology. Therefore, when making a purchasing decision, it's wise to check to see if the product that you're considering supports smart cards, and if so, then which smart card vendors are supported. Likewise, some single sign-on products offer PKI and biometric support.

Personalization Features

Although not an essential feature from a functionality standpoint, personalization features deserve some level of consideration. Personalization features vary from product to product, but are typically aimed at making a user's experience easier. Some personalization features provide the user with a custom desktop or application list composed only of resources that they have access to. Other personalization features might include support for roaming profiles in a single sign-on environment.

Cost

Any time that you're making a purchasing decision for an organization, price should be a consideration. Most single sign-on products require the purchase of a server license and of client licenses for each user who will be using the single sign-on product.

Although this review focuses solely on the cost of the software itself, you must remember that you'll need at least one server (and often two servers, for highly available configurations) on which to run and administer the single sign-on backend installation. Therefore, when building a single sign-on product into your budget, be sure to plan on purchasing the necessary hardware.

Ease of Deployment and Management

Another major issue when purchasing single sign-on products is ease of deployment. Some single sign-on products require you to install an agent or a client component onto each workstation. It's important to determine ahead of time if this is an automated or a manual process, as manually deploying the product can really cut into your implementation budget. Many products also require you to write complicated scripts that link the single sign-on database to the legacy applications. Another important feature is the ability of the SSO solution, once deployed, to securely, easily and automatically transfer the existing user passwords into its SSO repository. Last but not least, once deployed, it's important that the solution is able to monitor and report on user accesses and administrative activity, for example to identify security attacks, dormant accounts, etc., and to issue alarms in case of suspicious activity.

Does It Use True Password Synchronization?

Perhaps the most important issue to consider when comparing single sign-on products is whether the product performs password synchronization. The reason why this issue is so important is that password synchronization dramatically weakens security. For example, suppose that a user within an organization had ten different applications that required individual passwords. If this organization were to implement a form of single sign-on that relied on password synchronization, then each of these ten applications would have the same password as the user's primary network authentication password. This means that if someone were to figure out the password, e.g. through a sniffer or protocol analyzer from the Internet, they could manually log into the network or into any one of the applications!

Some single sign-on products allow each application to maintain a separate password. These passwords are stored in a protected database. When a user logs into a single sign-on client, the database is made available to them. When the user attempts to access an application that requires a password, the password is pulled from the database.

Multiple password single sign-on is much more secure than synchronized passwords, because in this scenario, the possibility of exposing all applications with one password theft or breach is eliminated. If someone happens to crack the password for one application, they won't have a password that works on every other application as well. Sure, if a rogue user were to figure out a user's single sign-on password, they would gain access to all password-protected applications, but that's why I recommend using smart cards in conjunction with single sign-on products.

Why Use Legacy Single Sign-On?

As you read through the various issues involved in acquiring and implementing a single sign-on solution, you've probably noticed that implementing a single sign-on solution is a big undertaking. First, single sign-on products are expensive, costing anywhere from about $200,000 to $400,000 in a 5000 user organization. These applications can also be difficult to deploy and can create some tricky security issues. With all of these factors working against single sign-on products, you may be wondering if implementing a single sign-on product is really worth the cost and effort.

What might not be obvious at first glance is that implementing a single sign-on solution isn't just a way of making users' lives easier. Single sign-on products can actually save enterprise-class organizations significant operational costs over the long term.

Few people will deny that most helpdesks receive more phone calls for password resets than for any other issue. In fact, a report from Gartner Group indicates that in the year 2000, a full 30% of helpdesk calls were password related. The report went on to suggest that each password reset cost the average company about $32.

At first, $32 for a password reset seems like an excessively high figure. However, when you consider the amount of money that the company is paying the helpdesk staff and the person who needs their password, you can see how much money can be wasted on non-productive time. The time that the user spends trying to guess their password, phoning the helpdesk, and waiting for the reset can easily be translated into wasted money. Likewise, the time that the helpdesk staff spends dealing with the password reset could better be spent assisting others who currently are unable to be productive due to more serious issues. Other factors that lead to the $32 per password reset figure are business opportunities that may be lost while the users are waiting for help.

If you believe that $32 per password reset is an accurate figure, then you can see just how much money a company could lose over the course of a year. Most users will require a couple of password resets per year, and others chronically forget passwords every couple of weeks. If you figure that on average a user will need four password resets per year then an organization of 5000 users will waste $640,000 per year on password resets.

As you can see, purchasing a single sign-on product for a 5000 user organization costs less than continuing to reset passwords. However, if you do decide to purchase a single sign-on solution, don't expect the product to save your organization any money the first year, as roll out costs can be considerable. Some single sign-on products require an entire team of developers to link the product to the various applications. You can also expect to spend a considerable number of hours deploying the product to users, and further educating the users on how to use the product. Over time however, the return on the investment will surpass the operational loss of continuous password resets.

Product Leaders

At the time that this paper was written, there were five major players in the legacy single sign-on market. This list includes IBM, Novell, Evidian, Computer Associates, and PassGo Technologies. In the sections below, I'll discuss each company's respective product. The comparisons are made in a random order and don't reflect my preferences.

IBM

IBM brings a product called Tivoli Global Sign-on to the single sign-on game. A module of the large Tivoli security software family, Tivoli Global Sign-on is designed to work with other Tivoli products and supports AIX, Solaris, and Windows NT server platforms. On the client side, AIX, Solaris, Windows NT, Windows 2000 and Windows 9x are supported.

Given Tivoli Global Sign-on's $2000 per server and $75 per client license price tag, I had high hopes for this product. However, I found it extremely difficult to get information about Tivoli Global Sign-on. The Tivoli Web site is very vague, and most of my phone calls to IBM went unreturned. When I finally reached someone at IBM, they refused to give me any information and specifically requested that Tivoli not be included in my review.

Needless to say, after all of this I suspected that IBM had something to hide, but then I found the smoking gun right on IBM's Web site. The IBM Web site contained links to several third party reports that included incriminating evidence against Tivoli Global Sign-on. One such report at http://www.gartner.com/reprints/ibm/101623.html said "Customers began complaining about a lack of code reliability, sales force arrogance, poor customer support and implementation complexity/time-to-value. In fact, a substantial percentage of Tivoli's product sales were never deployed successfully." While this report speaks of the Tivoli product line in general rather than specifically discussing Tivoli Global Sign-on, it does raise some serious concerns about Tivoli.

More specifically, other contacts at large security integrators described Tivoli Global Sign-On as a very complex and unstable product that often failed to be deployed successfully. As a result, my contacts said they continued to integrate many Tivoli security products, but had stopped proposing Global Sign-On to their customers. This is further evidence that this product may not be a fully bullet-proof legacy SSO solution today.

Novell

Although I've never been a big Novell fan, I found Novell's SecureLogin to be one of the better products in my comparison. SecureLogin supports NetWare 5 or higher, Windows NT, Windows 2000, Solaris, and Linux server platforms. Windows 9x, Windows NT, Windows 2000, Windows XP, Linux, and Citrix are supported clients, as are thin terminal server clients.

What's so impressive about Novell's single sign-on product is that the core product runs at the client end. Only the actual database runs on the server. According to Novell, this configuration means that there is no limit to the number of supported clients or to the number of passwords that can be stored. Additionally, SecureLogin is designed to be easy to deploy and many common applications are automatically recognized and integrated into the single sign-on software.

The product is also part of a large security offering, "Secure Access", recently launched by Novell. This product line includes user provisioning, access control, Web SSO, firewall, etc. Novell is obviously fighting to raise its profile as a prominent security solution vendor.

The only real downfall to Novell's single sign-on solution is that it does not support the leading Unix flavors (AIX, Solaris) on the client side, and that, because the product runs on workstations rather than on a server, it must be individually installed on every single workstation. Additionally, the $79 per user price tag seems to be a little steep. This product is also primarily dedicated to users of Novell environments, including eDirectory. Many users have made the choice to rely on other directories such as Microsoft Active Directory or Sun ONE Directory. As a result, the Novell solution is a very good fit for existing Novell customers, but others will have to consider migrating to eDirectory in the mid term if they choose this SSO product.

Evidian

Evidian's legacy single sign-on product is called Access Master SSO (not to be confused with Access Master PortalXpert, the Web SSO product, with which it is interoperable). Access Master supports Windows NT, Windows 2000, UNIX, AIX and Solaris servers. The product also runs on Windows 9x, Windows NT, Windows 2000, Windows XP, Linux, AIX, Solaris and Citrix clients, in addition to supporting thin terminal clients. Smart cards are supported on all types of client workstations, making it a very secure solution.

Access Master SSO's biggest claim to fame is that it provides seamless SSO for the entire application chain, from web to legacy, and offers native integration with user provisioning and PKI management (with modules called AccessMaster Security Policy and PKI Manager). It also benefits from drag-and-drop automated configuration tools that let the security administrator define SSO procedures without the scripting or specific developments that most other SSO products require.

AccessMaster has been deployed to dozens of large customers and, for at least one of them, to over 70,000 users in a real world, production environment. According to my research, no other single sign-on product has been deployed to anywhere near this many users in a real world, PC environment. Evidian is able to achieve these large-scale deployments because of the unique way that Access Master SSO is designed. The product runs primarily on the server, and a self-learning mode helps Access Master SSO quickly detect applications and integrate the detected applications into its database. Although Access Master SSO does require a client component to run on the workstations, the client component can be simultaneously deployed to thousands of PCs with only a few mouse clicks. Once deployed, AccessMaster also performs security audit and tracking, and offers high availability and load balancing.

The downfall to Evidian's single sign-on solution is its low presence in the US market, compared to Novell, Tivoli or Computer Associates. Until now, the company has developed mostly in Europe and Asia. However, some US security integrators now offer Evidian products.

Computer Associates

Computer Associates' single sign-on product, eTrust Single Sign-on, is a member of the eTrust family. eTrust is an impressive security offering that includes products such as anti-virus, intrusion detection, user provisioning, PKI, firewall and VPN. The eTrust Single Sign-On product functions on UNIX (AIX, HP-UX, and Solaris), Windows NT, and Windows 2000 servers. The product supports Windows 9x and Windows NT clients.

One of the best features of eTrust is that it supports load balancing to help achieve scalability and high availability. Apart from Evidian's, none of the other products that I reviewed in this paper offer load balancing. Unfortunately, no data was available on eTrust's largest real world deployment.

Another thing that Computer Associates had going for it was one of the lowest price tags. eTrust Single Sign-on costs $50 per user for blocks of 1000 user licenses. Computer Associates drops the price to a mere $35 per user if the licenses are purchased in blocks of 10,000.

eTrust Single Sign-on's biggest downfall is its lack of support for UNIX applications. The product only supports single sign-on for text-based UNIX applications, and these must not be running under X Windows.

I was somewhat disappointed in Computer Associates' customer service department. Computer Associates refused to answer any of my questions about eTrust Single Sign-on. They told me that I would only be able to get my questions answered by going through an independent sales representative. Once I explained that I was simply doing a product review rather than attempting to purchase the product, the representative from Computer Associates refused to give me the name or number of a sales person. Fortunately, I was able to locate a dealer through the Internet who was very helpful in supplying me with the information for this paper.

Still another problem with the Computer Associates product is that it's difficult to deploy and requires lots of complex scripting. The Computer Associates Web site recommends hiring an entire team of developers to assist with product deployment.

PassGo Technologies

PassGo, from PassGo Technologies, was previously a Symantec product. PassGo supports Windows NT, Windows 2000, and Solaris servers, along with the OS 390 mainframe. PassGo clients can run on Windows 9x, Windows XP, and Windows 2000. While PassGo's customer service department was first rate, the product left a lot to be desired.

The biggest problem with PassGo is that it doesn't do true single sign-on, but rather relies on password synchronization. Additionally, the product lacks any personalization features and doesn't have any support for UNIX clients. My personal feeling is that in a couple of years, PassGo might evolve into a more competitive security application, but presently lacks the maturity of some of the other existing products.

Figure 1. Features of Legacy Single Sign-On Products

Products compared: Novell SecureLogin; Evidian Access Master SSO; IBM Tivoli Global Sign-on; Computer Associates eTrust Single Sign-on; PassGo Technologies PassGo.

Supported Server Platforms
- Novell SecureLogin: NetWare 5 or higher, Windows NT, Windows 2000, Solaris, Linux
- Evidian Access Master: Windows NT, Windows 2000, UNIX, AIX, Solaris
- IBM Tivoli Global Sign-on: AIX, Solaris, Windows NT
- Computer Associates eTrust Single Sign-on: UNIX (AIX, HP-UX, Solaris), Windows NT, Windows 2000
- PassGo: Windows NT, Windows 2000, Solaris, OS 390 mainframe

Supported Client Platforms
- Novell SecureLogin: Windows 98, Windows NT, Windows 2000, Windows XP
- Evidian Access Master: Windows 9x, Windows NT, Windows 2000, Windows XP, Terminal Server clients, Linux, AIX, Solaris, Citrix
- IBM Tivoli Global Sign-on: AIX, Solaris, Windows NT, Windows 2000, Windows 9x
- Computer Associates eTrust Single Sign-on: Windows 9x and Windows NT are the primary clients. Only text-based UNIX applications are supported, and only in a non X-Windows environment.
- PassGo: Windows 9x, Windows XP, and Windows 2000

Scalability
- Novell SecureLogin: SecureLogin's core software runs on the client. Only the actual data is stored on the server. Novell claims that there is no limit to the number of passwords that can be used. No data is available about the largest real world deployment.
- Evidian Access Master: We were able to verify that Access Master has been deployed to over 70,000 users in its largest real world deployment.
- IBM Tivoli Global Sign-on: Allegedly scales to millions of users. No data is available on the largest real world deployment.
- Computer Associates eTrust Single Sign-on: eTrust supports load balancing as a means of providing scalability and high availability. No information was available as to the size of the largest real world deployment.
- PassGo: PassGo's largest real world deployment consists of 30,000 users in a mainframe environment, and a few thousand users in a Windows environment.

Smart Card Support
- (no entries for this row survive in the source)

Personalization
- Novell SecureLogin: SecureLogin supports roaming desktops.
- Evidian Access Master: After logging on, the user is presented with either a custom desktop or a custom Web page containing only items that they have access to.
- IBM Tivoli Global Sign-on: Provides self-care and full customization of the subscriber's personalized service environment.
- Computer Associates eTrust Single Sign-on: Creates a Web page based menu that's personalized for each user. The menu contains links to the applications that the user has access to.
- PassGo: No personalization features

Price
- Novell SecureLogin: SecureLogin is priced at $79 per user.
- Evidian Access Master: $60 per user for up to 5000 users. Per-user discounts are available for larger organizations.
- IBM Tivoli Global Sign-on: $2000 per server and $75 per client
- Computer Associates eTrust Single Sign-on: $50 per seat for blocks of 1000 user licenses. Blocks of 10,000 user licenses are sold for $35 per seat.
- PassGo: $20,000 per SSO server (usually only a single server is required), plus $16,000 per 500 users

Is SSO Based on Password Synchronization?
- Only one entry for this row survives in the source, and the product it belongs to is not identified: "No, but password synchronization is an option"

Ease of Deployment
- Novell SecureLogin: Very easy to deploy. Many applications are recognized automatically.
- Evidian Access Master: AccessMaster SSO client software can be instantly distributed to thousands of clients with just a few mouse clicks. Also includes a Self Learning mode to help it to quickly link to applications.
- IBM Tivoli Global Sign-on: Quote from Gartner: "In fact, a substantial percentage of Tivoli's product sales were never deployed successfully."
- Computer Associates eTrust Single Sign-on: Deployment can be tricky and involves lots of scripting. However, the Computer Associates Web site indicates that the scripting can be taught at on-site training sessions.
- PassGo: Application is completely server based for minimal deployment difficulties.

Summary of Findings

As you can see from my findings, each single sign-on product has its good and bad points. To help you to compare the various products and features more easily, I've created a table to guide you through the product feature sets.

Weighted Comparison

Although the table below outlines the good and bad points of each product, determining the best product isn't as simple as counting to see which product has the most points. The reason for this is that some features are more important than others and therefore deserve stronger consideration. The chart below is a weighted comparison of the products based on which features are the most important. In this analysis, each product has been given between one and five points for each area of comparison, with five representing the highest possible score. The product's score in each area is multiplied by its weight to determine the total number of points for the feature. At the end, all of the points are tallied together to determine a summary chart.

Figure 2. Weighted Scoring of Criteria

Each product is scored from 1 to 5 on each criterion (5 is best), and Feature Value = Weight x Score.

Criterion (name not recoverable from the source), weight 50 (50x5=250 possible points)
- Novell: 4 (200 points)
- Evidian: 5 (250 points)
- IBM: 3 (150 points)
- Computer Associates: 4 (200 points)
- PassGo: 1 (50 points)

Ease of Deployment, weight 20 (20x5=100 possible points)
- Novell: 5 (100 points)
- Evidian: 5 (100 points)
- IBM: 1 (20 points)
- Computer Associates: 2 (40 points)
- PassGo: 4 (80 points)

Criterion (name not recoverable from the source), weight 20 (20x5=100 possible points)
- Novell: 5 (100 points)
- Evidian: 5 (100 points)
- IBM: 3 (60 points)
- Computer Associates: 5 (100 points)
- PassGo: 3 (60 points)

Cost for a 5,000 User Organization, weight 10 (10x5=50 possible points)
- Novell: 3 (30 points)
- Evidian: 4 (40 points) (single server)
- IBM: 3 (30 points)
- Computer Associates: 5 (50 points) (single server)
- PassGo: 5 (50 points)

Total Value (500 possible points)
- Novell: 430 points
- Evidian: 490 points
- IBM: 260 points
- Computer Associates: 390 points
- PassGo: 240 points

As you can see from the weighted comparison, Evidian has come out on top, with Novell in a strong second place. IBM and PassGo were at the bottom of the list.

In summary, the final scoring gave the following results:

Figure 3. Summary Scores of All Products Considered

Vendor and Product Name: Summary Scoring
- Novell: 420
- Evidian Access Master: 490
- IBM: 260
- Computer Associates: 390
- PassGo: 240


The graph below helps to illustrate how much higher Evidian scored than its competitors.

Figure 4. Bar Chart of Legacy Single Sign-On Product Capabilities

Whichever legacy single sign-on product you end up selecting for your organization, don't forget to tally in the cost of implementation and support, which together reflect the total cost of ownership.

© Copyright 2002 Relevant Technologies, Inc. All rights reserved. This may not be published in a magazine, journal, newspaper, or on a Web site without prior permission. Making photocopies and electronic copies of this document are acceptable for educational purposes.
