Introducing SecureLogin
Effortless Single-Sign-On to Drew applications from your desktop

Computing and Network Services is pleased to offer Novell SecureLogin to the Drew community. SecureLogin eliminates the need to repeatedly enter usernames and passwords to access Drew University services from your desktop. For several years, we have used iChain to provide single-sign-on to web-based applications such as Blackboard, CampusWeb, and GroupWise WebAccess. SecureLogin extends single-sign-on to desktop applications, such as GroupWise, Novell Messenger, and administrative applications like Ad-Astra. In addition, SecureLogin connects desktop single-sign-on with the web by providing automatic sign-on to Drew's web-based services whenever you start your web browser.

Obtaining and Installing SecureLogin

SecureLogin is provided as a standard component on Drew-issued computers starting in February 2008. If your machine does not have the SecureLogin client, you may install it via the Application Explorer:

• From your desktop, browse to Application Explorer > DREW > Install Software > Networking > Novell SecureLogin 6 SP1. Click Yes when prompted. You will need to restart your computer after installing SecureLogin.

Because SecureLogin is tightly integrated with the Drew computing environment it will only be made available on Drew-standard PCs. SecureLogin should not be installed on personally-owned PCs.

How SecureLogin Works

Once installed, SecureLogin will operate seamlessly in the background, automatically logging you into Drew applications as they are accessed. Your indication that SecureLogin is operating is an icon that will appear in the lower-right corner of your Windows task bar:

	SecureLogin task bar icon

You may right-click on the SecureLogin icon to access additional options. Un checking Active will temporarily disable SecureLogin. Selecting Close will shut down SecureLogin for this session. You may restart SecureLogin by browsing to Start > All Programs > Novell SecureLogin > Novell SecureLogin.

SecureLogin manages your uLogin ID and password in the background and releases it to applications as needed. Computing and Network Services staff develop scripts that govern how SecureLogin interacts with applications running on your desktop. While SecureLogin runs on your desktop, it is managed centrally by CNS. New application definitions and policies are distributed automatically whenever your computer is attached and logged into the network.

Logging into Drew web sites automatically with SecureLogin and iChain

SecureLogin complements our existing iChain single-sign-on solution. iChain provides seamless single-sign-on to all Drew University web sites and web applications. When accessing Drew web-based services, you need only log in once and iChain will automatically log into sites such as CampusWeb, Blackboard, Community Forums, and GroupWise WebAccess as you access them. With SecureLogin installed on your desktop, you are automatically logged into iChain whenever you start your web-browser and load the Drew start page or any other iChain protected page.

Allowing someone else to temporarily access Drew web sites from your computer:

SecureLogin only logs into iChain automatically once per browser session. If you need to allow someone to quickly use your web-browser to check email via WebAccess or use some other service, simply click Logout on the Drew start page. SecureLogin will not interfere when that user manually logs into iChain. To log back in again as yourself, simply restart the browser. SecureLogin will automatically log into iChain.

Logging into iChain without restarting your web browser:

SecureLogin normally only triggers a login when your web-browser starts and loads the Drew start page. If you log out of iChain or your session expires, SecureLogin will not automatically log you in until you restart your web-browser. You can optionally add a "QuickLogin" button to your browser that will allow you to force SecureLogin to log in to iChain at any time. To add a QuickLogin button to your browser, drag the link below to your browser's QuickLinks or Favorites toolbar.

Using SecureLogin While Off-Campus

SecureLogin may be used off-campus with a Drew notebook PC. You must log into the network at least once on-campus with SecureLogin installed so that it can create an encrypted cache file on your computer's hard drive. It is strongly recommended that you use the laptop on-campus periodically while connected to the network so that your SecureLogin settings can be refreshed with new application definitions and policies created by CNS. You must use the "On-campus network" option when logging in to your computer on-campus in order for SecureLogin to be updated.

When using SecureLogin off-campus you will see an additional password prompt when logging into your computer. Since you did not log into the network, SecureLogin prompts you for your password to unlock the encrypted cache file on your computer's hard drive.

To continue, simply enter your password. The password used to unlock SecureLogin will match the Windows password used to log into your computer. Note that under some circumstances your computer's Windows password may be different than your uLogin password. This occurs if you have changed your uLogin password since taking your laptop off-campus. In that case, you will continue to use your previous password to log into your laptop, until you return to campus and your computer's password once again resynchronizes with the network. The same password is used to unlock SecureLogin.

Password Changes and SecureLogin

Because SecureLogin provides automatic login to Drew network applications, it is essential that SecureLogin stay in sync with changes to your uLogin password. This will happen automatically in most cases, depending upon how your uLogin password is changed. Note that no matter which method you use to change your uLogin password, SecureLogin is always updated with your current uLogin password whenever you log into the network on campus.

There are three ways to change your uLogin password:

• When logging into your computer in response to a password expiration message (on-campus only): If your uLogin password has expired and must be changed, your computer will prompt you to do so when you log into the network. When changing your uLogin password in this manner, SecureLogin will detect the change and update its cache automatically.
   
• By using the Windows change password feature (on-campus only): You may change your uLogin password at any time by pressing Control-Alt-Delete and clicking the Change Password button. When you change your uLogin password in this manner, SecureLogin is notified of the password change. The next time you start your web-browser or open a SecureLogin enabled application, SecureLogin will update its cache with your current uLogin password.
   
• By using password.drew.edu (on or off-campus): You may change your uLogin password at any time over the web by browsing to password.drew.edu. In addition, iChain will prompt you to change your password when logging into any Drew web site if your uLogin password has expired. When changing your password through the web, SecureLogin will intercept the request and display its own password change dialog box:
   
  
   
  When this dialog box appears, simply enter your desired new uLogin password as prompted. Your uLogin password and SecureLogin will be updated simultaneously. If instead you click Cancel and use the web form, SecureLogin will not be updated.

What happens if SecureLogin and my uLogin password become out of sync?

While we have attempted to anticipate all common password change scenarios, there may be circumstances under which a password changes causes SecureLogin to become out of sync with your uLogin password.

If SecureLogin is out of sync with your uLogin password, SecureLogin will receive an error when it attempts to automatically log into Drew services on your behalf. When this occurs, SecureLogin will detect the error and prompt you to correct the password. Note the screen shot below in which SecureLogin has failed to log into GroupWise Messenger because it is attempting to use an out-of-date password:

When this occurs, simply enter your current uLogin password and click OK. SecureLogin will then be updated with your current uLogin password.

Security Considerations with SecureLogin

SecureLogin utilizes strong encryption for the local cache files and data stored in Novell eDirectory to protect your single-sign-on credentials. In addition, as per CNS policy, all applications which utilize the uLogin password for authentication send the password over an encrypted channel. The introduction of SecureLogin does not change this requirement.

Some security concerns may be raised about the use of Single-Sign-On technology itself. Computing and Network Services maintains that SSO technology does not introduce security risk factors when users follow proper computer security best practices. CNS strongly recommends that users lock their workstations when leaving their machine unattended. Screen savers should be enabled with a reasonably short time-out period (under 10 minutes) and the password protection option should be enabled. We encourage users to carefully consider the risk associated with leaving a workstation unattended and unlocked--whether Single-Sign-On technology is in use or not. Consider the sensitive documents that might be available in your My Documents folder or departmental network space. Consider the sensitive material that could be found in your email inbox, which is most likely open and available at all times during the workday. Any perceived risks associated with single-sign-on technology pale in comparison to the actual risk of leaving a workstation unlocked and unattended.