
Postal Service delivers single sign-on

By John Fontana, Network World
October 04, 2004 12:01 AM ET

The most famous person on the U.S. Postal Service's payroll - six-time Tour de France champion Lance Armstrong - is known for his singular focus, a trait that appears to be rubbing off on his colleagues who handle the government agency's IT services.

The focus in IT isn't on a bicycle race, but on single sign-on (SSO), a way to ease password management for IT staff and end users alike, and help slash by 10% the monthly slog of password reset calls to the help desk.

The USPS' IT department is enjoying the first fruit of a nearly two-year effort that has resulted in the rollout of SSO capabilities to nearly 150,000 users who access nearly 1,000 applications on the agency's network.

"We believe single sign-on improves our user experience. It reduces costs and it actually improves security," says Wayne Grimes, manager of customer care operations for IT at the USPS. Grimes is based in Raleigh, N.C., the hub of the USPS' distributed infrastructure.

"If you have 15 or 20 identities or passwords for your legacy applications you have to have those written down someplace or stored in a file. It might be a Post-It note on the terminal, or it might be on a piece of paper in someone's wallet, or it might be in a file on the computer. None of those places are acceptable," Grimes says. "So SSO and streamlining the number of passwords that users have has absolutely improved our security."

Grimes says the USPS has a three-pronged attack to meet its goal of having users log on once and not have to enter another user ID or password to gain access to network applications or partner Web sites. He says the ultimate implementation of that goal is SSO, but something he calls single logon, which requires the user to re-enter the same password at each application, is another acceptable implementation.

The USPS' three-part plan uses V-GO SSO from Passlogix, which provides quick SSO capabilities to end users without having to modify applications; Oblix NetPoint to provide SSO for external users coming onto the USPS network; and a massive multi-year project to modify internally developed business applications for SSO using Kerberos and Microsoft's Active Directory. To date, the USPS has modified 700 applications.

"There is no single technology solution to solve single sign-on. If there was, the whole world would be clamoring for it," Grimes says.

But the USPS uses Passlogix as the baseline for its SSO strategy and to bridge the gap while it modifies some applications for native SSO, Grimes says.

V-GO SSO works from a user's desktop by keeping an encrypted file of access credentials for every application available to that user. V-GO SSO is first activated when a user logs on to an application. The software asks the user if he wants V-GO to manage access to that application. If the user agrees, the password is stored in the V-GO file.

The next time the user logs on to that application, V-GO intercepts the application's logon request, grabs the appropriate credentials from its profile store and presents them to the application. The only password users need is their desktop logon.

"Ideally, from a central management standpoint, we don't have to put pre-defined user definitions out on these 1,000 applications," Grimes says. "That would almost be like a Y2K effort to go out and identify all those applications."

Grimes says there are other benefits, including a Passlogix logging feature that details who accesses applications and how often, data that helps determine if applications are still of value, especially mainframe applications.

"If you have a ROI for applications and you are getting ready to enhance that application and you find you only have 10 users and it will cost you $300,000 to upgrade, well we now have more information on whether it would be better to retire that application," he says.
