RFID Single Sign-On

Overview

Get started quickly?

Check our page with quick-start guides so that you can set up RFID Single Sign-On for domain-joined or local workstations and test the platform.

Quick-start guides: links to quick-start guides so that you can get started with idemeum services depending on your use case, such as RFID SSO, Passwordless MFA, Cloud Directory and more.

What is RFID Single Sign-On?

RFID SSO allows you to access any company resource with an RFID badge. The tap-and-go experience is simple and seamless: tap an RFID badge and access workstations, applications, and virtual desktops without passwords.

Idemeum supports RFID SSO into various company resources:

  • Workstation - tap an RFID badge and log in to a domain-joined or local Windows workstation.
  • Web application - tap a badge, log in to the Windows workstation, and have credentials automatically filled into a web application such as Office 365.
  • Native application - tap a badge, log in to the Windows workstation, and have credentials filled into a native Windows application such as an EHR or EMR system.
  • RDP client - tap a badge, log in to the Windows workstation, and have credentials filled into an RDP client to access remote resources.

At idemeum we work with many industry verticals, including healthcare, manufacturing, and pharmaceuticals. For instance, clinicians regularly need to remember eight or more application passwords. Security best practices require those passwords to be unique, strong and frequently changed. Without an RFID access solution, clinicians have to type passwords multiple times a day, often as much as 45 minutes per day on average. Instead, they can tap an existing badge on a reader connected to a workstation and get immediate access to the workstation as well as the Electronic Health Records (EHR) application.

Solution components

Idemeum RFID SSO is a cloud service, so the footprint you have to deploy and manage is minimal.

  • idemeum cloud - the idemeum cloud serves as the management plane for RFID access, where you manage users, workstations, and entitlements that define who has access to what.
  • Desktop application - the idemeum application needs to be installed on every workstation. Once installed and paired with your idemeum cloud tenant, it registers as a credential provider on Windows and starts processing all RFID card login requests. You can perform a manual installation for a quick deployment, or push the application with the silent installer.
  • User source - when authenticating users with an RFID badge, idemeum needs to know which user account is associated with which badge ID. For this mapping, idemeum can rely on an external user source, such as Azure Active Directory, or maintain the mapping in its local directory.
  • Domain controller (for domain-joined machines) - the idemeum desktop application authenticates users against the domain controller and logs the user into the workstation with either a named domain account or a shared account.

Sample login flow

Here is the generic user login flow performed when an RFID badge is scanned on a domain-joined workstation.

  1. The user taps the RFID badge on a badge reader connected to the Windows computer over USB. The idemeum desktop application is integrated with the reader: it detects the badge tap event and extracts the badge number.
  2. The idemeum desktop application contacts the idemeum tenant it is registered with, submits the badge number for user lookup, and requests the entitlement check to see whether the user has permission to access the workstation.
  3. The idemeum cloud connects to the user source (the local directory or an external user source) to validate the badge number and look up the user's corporate email address, which will be used to log in to the domain environment.
  4. Once the user's email is found, it is passed back to the idemeum desktop application, which in turn logs the user into the domain-joined workstation.
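The four steps above are a lookup followed by an entitlement decision, with the desktop application acting only on the cloud's answer. The following added example (not idemeum's code) simulates that exchange in Python so the two denial paths, an unknown badge and a known user who is not entitled to this workstation, are visible alongside the success path. The badge numbers, email addresses, workstation names and the in-memory tenant are all constructed for the example; the real product resolves the badge against the idemeum cloud tenant and its user source.

```python
"""Simulation of the RFID SSO login flow (added example, not idemeum's code).

The tenant, its badge-to-user mapping and its entitlements are constructed
in memory.  Every value below (badge numbers, emails, workstation names)
is a hypothetical sample, not data from the page or the product.
"""
from dataclasses import dataclass, field


@dataclass
class Tenant:
    """Stands in for the idemeum cloud tenant plus its user source."""
    # badge number -> corporate email (the user-source mapping, step 3)
    badge_to_email: dict
    # email -> set of workstations the user is entitled to (step 2)
    entitlements: dict
    # audit trail of every decision, allow or deny
    audit: list = field(default_factory=list)

    def resolve_badge(self, badge_number, workstation):
        """Steps 2-3: look up the badge and run the entitlement check.

        Returns (email, None) on success or (None, reason) on denial, so the
        desktop application never learns an email for a denied tap.
        """
        badge_number = normalize_badge(badge_number)
        email = self.badge_to_email.get(badge_number)
        if email is None:
            self.audit.append(("deny", badge_number, workstation, "unknown-badge"))
            return None, "unknown-badge"
        if workstation not in self.entitlements.get(email, set()):
            self.audit.append(("deny", badge_number, workstation, "not-entitled"))
            return None, "not-entitled"
        self.audit.append(("allow", badge_number, workstation, email))
        return email, None


def normalize_badge(raw):
    """Canonical form for a badge number as read from the reader.

    Assumption for this example: readers may emit stray whitespace or
    lower-case hex, so we trim and upper-case before the lookup.
    """
    return raw.strip().upper()


class DesktopApp:
    """Stands in for the idemeum desktop application (credential provider)."""

    def __init__(self, tenant, workstation):
        self.tenant = tenant
        self.workstation = workstation
        self.logged_in_as = None

    def on_badge_tap(self, badge_number):
        """Step 1 triggers this; steps 2-4 follow from the tenant's answer."""
        email, reason = self.tenant.resolve_badge(badge_number, self.workstation)
        if email is None:
            return {"result": "denied", "reason": reason}
        # Step 4: the credential provider signs the resolved user in.
        self.logged_in_as = email
        return {"result": "logged-in", "user": email}


def make_sample_tenant():
    """Constructed sample data for the simulation."""
    return Tenant(
        badge_to_email={
            "0A1B2C3D": "jane.doe@example.com",
            "11223344": "john.roe@example.com",
        },
        entitlements={
            "jane.doe@example.com": {"WS-NURSE-01", "WS-NURSE-02"},
            "john.roe@example.com": {"WS-LAB-01"},
        },
    )


if __name__ == "__main__":
    app = DesktopApp(make_sample_tenant(), "WS-NURSE-01")
    for tap in ("0a1b2c3d ", "DEADBEEF", "11223344"):
        print(tap.strip(), "->", app.on_badge_tap(tap))
    for entry in app.tenant.audit:
        print("audit:", entry)
```

Running the script produces one allow and two denials; the audit list is the record a defender would feed into the management plane, and keeping the email out of the denied response is a deliberate choice so the workstation only ever receives an identity for a tap the cloud has approved.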