SA Server   In Production
 
Provide two-factor authentication to protect pages of your web site, to allow mobile users to access the corporate network, etc.
 

SA Solutions gathers the available components needed to build your strong authentication deployment.
Those components rely on the open standard OATH.

Using SA Solutions, enterprises can deploy strong authentication at a low total cost of ownership.
This is achieved through packaged, plug-and-play solutions adaptable to existing networks and AAA servers.
Our wide range of hardware solutions embeds smart card technology, offering the highest level of security for two-factor authentication. You can choose a smart card or a token usable in a connected or an unconnected environment, according to your architecture constraints.
Our software solutions are open, scalable and evolutive.

Features and Benefits
  • A wide range of authentication methods relying on open standards

You are not confined to a proprietary solution. Third-party components compatible with Gemalto solutions exist.

  • A wide range of devices with various optional features

You'll probably find a device that fits your needs regarding the form factor, the authentication schemes, the secure storage and even the access control if needed.

  • A solution easy to provision

Besides the common provisioning file needed to recognize devices in the validation server, administrators can create new devices through the Customer Care Portal or using Web APIs. Users can also create their own device at registration time.

  • A solution easy to install

In less than 30 minutes, you can deploy the server with predefined parameters to evaluate the solution and familiarize your prospect with the product concepts.

  • A solution relying on a robust and scalable architecture

The validation server is designed to meet the needs of millions of users and devices for e-banking use cases, but it can also be installed on a cost-effective configuration to meet the needs of a dozen users.

  • A solution agnostic to customer existing infrastructure

The advanced installer allows you to reuse the prospect's existing IT components such as a hardware configuration, a Web application server, a database, an LDAP directory, etc.

News
  • The download section has been updated (11.20.09)

Download\Sales & Marketing Presentation:
The presentation made during the EMEA Partner Webinar on November 5th is available.

  • The download section has been updated (11.16.09)

Download\Competition studies:
A presentation that highlights the Gemalto solutions competitive advantages compared to the competition products is available.

  • The download section has been updated. (10.15.09)

Download\Technical Document:
A new commissioning document about Microsoft IAG and SMS-OTP has been published.
All commissioning documents have been transferred to this section.
All commissioning documents are now also published on www.gemalto.com.

Download\Sales & Marketing Presentation:
An updated version of SA Solutions product features and benefits was published.
An SA Solution overview was published.

  • SA Server 4 is now the standard delivery for Evaluation and Commercial requests. (08-17-09)

SA Server 4 provides a set of new features comprising support for time-based devices compliant with the OATH standard, support for self-provisioning for empty devices, support for PIN activation to convert devices from "OTP+Password" to "PIN protected OTP only", support for an optional OTP-only password replacing the LDAP one, and support for Windows 2008.
The server also upgrades some existing features such as the Web API, the configuration management, etc.
This version implements a license mechanism to control the number of active devices.

  • SA Server 3 Service Pack 1 is now the standard delivery for Evaluation and Commercial requests. (03-09-09)

The delivery contains SA Server 3 and the SP1 add-on, which you should run on top of SA Server 3 (fresh install or upgrade).
The SP1 provides a new OTPTool to display the Device ID and OTP locally, upgrades the OTP Plug-in for Firefox 3, corrects a database connection pool issue, corrects a Web API threading issue and installs a security patch to randomize passwords for internal accounts.

  • The packaging has been reviewed to decrease the download size (03-09-09)

The delivery has been split into several packages so that you can download only the parts you really need.

Technical Specifications
Authentication methods

SA Server uses the following methods for main authentication:
   - OATH HOTP (Event based, Time based)
   - EMV CAP (OTP, challenge-response, transaction data signature).
      SA Server is CAP certified.
   - SMS OTP
Architecture

SA Server is a Web application relying on the following Web servers:
   - Apache Tomcat on Windows and Linux,
   - WebSphere on AIX,
   - Any other Web server could be supported through a specific validation.

The chosen architecture allows "High Availability" and "Fail-Over" configurations relying on operating systems, databases and monitoring mechanisms.

Databases

SA Server stores OTP-related data, and user data if needed (DB mode), in:
   - Firebird
   - MySQL
   - MS SQL
   - Oracle
   - IBM DB2 (Windows or AIX)
   - Any other SQL database could be supported through a specific development
User Repository

SA Server can be connected to the following LDAP directories when user accounts are managed externally (Mixed mode):
   - Microsoft Active Directory,
   - Novell eDirectory,
   - Sun One,
   - Open LDAP,
   - Any other LDAP could be supported through a specific development.
Authentication Services interface

Authentication services are integrated using the following interfaces:
   - HTTP or HTTPS requests,
   - XML requests sent to Web API,
   - RADIUS requests through SA Server RADIUS agents for
        * Microsoft IAS or NPS (Windows Server 2008),
        * Juniper Steel Belted RADIUS,
        * FreeRADIUS
   - Proprietary requests through SA Server Application agents for
        * Citrix Web Interface,
        * Microsoft OWA,
        * Microsoft ISA
        * Microsoft IAG
Security Modules

The following security modules can be connected to the server:
   - nShield or payShield from NCipher,
   - Crypt2Pay from Bull - Supports OATH and EMV-CAP,
   - Java Key Store software module,
   - Any other HSM could be supported through a specific development.
Compatibility

| Vendor | Category | Product | Integration | Notes |
|---|---|---|---|---|
| Arkoon | VPN appliance | | via RADIUS agent | Validation through external partner |
| Cisco | VPN appliance | ASA 5510 V7.2 | via RADIUS agent in Cisco VPN scenario | IPSec and SSL are covered |
| Citrix | Application publishing | Presentation Server 4.0 | via CWI agent | |
| | | Presentation Server 4.2 | via CWI agent | |
| | | Presentation Server 4.5 | via CWI agent | |
| | | Presentation Server 5.0 | via CWI agent | |
| | Interface | Web Interface 4.0 | Dedicated CWI agent | |
| | | Web Interface 4.2 | Dedicated CWI agent | |
| | | Web Interface 4.5 | Dedicated CWI agent | |
| | | Web Interface 4.6 | Dedicated CWI agent | |
| | | Web Interface 5.0 | Dedicated CWI agent | |
| | VPN | Access Gateway Std. Ed. | via RADIUS agent in CAG Standard scenario | |
| | | Access Gateway Adv. Ed. | via RADIUS agent in CAG Advance scenario | |
| | | Access Gateway Ent. Ed. | via RADIUS agent in CAG Enterprise scenario | |
| | SSO | Password Manager | Not applicable | |
| Checkpoint | VPN appliance | Checkpoint NGX R65 | via RADIUS agent in Checkpoint VPN scenario | IPSec and SSL are covered |
| Evidian | Software clustering | SafeKit | In SafeKit scenario | Fail-over cluster configuration sample |
| | SSO | E-SSO | via RADIUS agent | |
| F5 | VPN appliance | | via RADIUS agent | Validation through external partner |
| IBM | Database | DB2 | | Windows or AIX |
| Juniper | RADIUS Server | Steel Belted | Dedicated SB agent | |
| | VPN appliance | SA 700; SSG V5.4 | via RADIUS agent in Juniper SSL VPN scenario; via RADIUS agent in Juniper IPSec VPN scenario | |
| Microsoft | Operating System | Server 2003 | SA Server | Fail-over cluster configuration sample |
| | | Server 2008 | SA Server | |
| | Database | MS SQL | SA Server | |
| | LDAP | Active Directory | SA Server | |
| | RADIUS Server | IAS - Server 2003 32/64; NPS - Server 2008 32/64 | MS RADIUS Agent; MS RADIUS Agent | Solution compatible with MS-CHAP can be developed on demand. |
| | Collaborative messaging server | Exchange 2003; Exchange 2003; Exchange 2003; Exchange 2007 | MS RADIUS Agent in OWA scenario; MS ISA Agent; OWA-IIS agent; MS ISA Agent | OWA Access through ISA 2006 WITHOUT DOMAIN PASSWORD. The two-factor authentication is ensured via PIN protected OTP. |
| | Security Gateway | ISA 2004; ISA 2006 | MS ISA Agent; MS ISA Agent | |
| | VPN | Server 2003; Server 2003 | MS RADIUS Agent in training samples; MS ISA Agent | |
| | | IAG; IAG | MS RADIUS Agent; MS IAG Agent | |
| Novell | LDAP | eDirectory | | |
| Open Source | Database | Firebird | SA Server | |
| | | MySQL | SA Server | |
| | LDAP | Open LDAP | SA Server | |
| | RADIUS Server | FreeRADIUS 32/64 | Dedicated FR agent | |
| Oracle | Database | Oracle | | |
| Red Hat | Operating System | Red Hat Linux | SA Server | |
| Sun | LDAP | Sun One | SA Server | |
| Suse | Operating System | Suse 10 | SA Server | |
| SonicWall | VPN appliance | | via RADIUS agent | Validation through external partner |

Exclusive Information for Gemalto Enterprise Partners

Additional information about this product is available exclusively to Gemalto Enterprise Partners.
Click here to access it through the Enterprise Partner Portal.

Demos

To access the demonstration site, be sure to have a sample device and click here.