Identity and Access Management Solution Overview - PowerPoint PPT Presentation

Loading...

PPT – Identity and Access Management Solution Overview PowerPoint presentation | free to download - id: 6021d0-ZWIyN



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Identity and Access Management Solution Overview

Description:

... to other authentication schemes Authentication Management Expiration ... SAML session assertion) WS-Security ... to regular password authentication. – PowerPoint PPT presentation

Number of Views:243
Avg rating:3.0/5.0
Slides: 64
Provided by: bestitdoc
Learn more at: http://www.bestitdocuments.com
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Identity and Access Management Solution Overview


1
Identity and Access Management Solution Overview
2
The Netegrity Solution
The Netegrity Identity and Access Management
Solution
Access Management SiteMinder
Web Services Access Mgmt TransactionMinder
Enforcement
Administration
User Administration IdentityMinder, Web Edition
Resource Provisioning IdentityMinder,
Provisioning Edition
For Legacy, Web and Service-Oriented Architectures
3
The Application Silo Challenge
  • High security administration costs
  • Expensive coding and maintenance
  • Poor user experience
  • No centralized security enforcement
  • No standardized security process
  • No central auditing capability

Customers
Employees
Partners
Customer Self-Service
Partner Extranet
CRM
ERP
HR
SCM
E-Commerce
Security Layer
J_Doe1211960
John DoeA23JJ4
John Doe
John_D
Johnd
Mobile Phone
PKI Cert
Application Layer
User Store
Oracle OID
Oracle RDBMS
Active Directory
SQL 2000
SunONE LDAP
Oracle
LDAP
Operating System
4
SiteMinder in Action
Web Server With SiteMinder Agent
SiteMinder Policy Server
Authentication Scheme
jdoe

1) Is Resource Protected?
2) Is User Authenticated?
Firewall
Firewall
3) Is User Authorized?
5
Native Directory Enabled
  • Map to existing user stores
  • No embedded database required
  • Eliminates user store synchronization issues
  • Separate authentication authorization stores
  • Chain directories
  • Supports multiple user directories
  • Including databases mainframes

NT, LDAP, AD ODBC, RACF
No User Data Stored inSiteMinder
Users
DMZ
Authorization Namespace
Authentication Namespace
Web Server With SiteMinder Agent
SiteMinder Policy Server
6
Single Sign-On Microsoft Environment
Windows Integrated Security Authenticate to your
desktop access all your enterprise web
applications
Outlook Web Access
MS IIS Web Server SiteMinder Agent
Active Directory
mycompany.com
SiteMinderPolicy Server
Microsoft Application Login
SQLServer
Web Server on Unix SiteMinder Agent
7
Single Sign-On Netegrity Secure Proxy Server
Firewalls DMZ
Backend Resources
  • Turnkey Proxy Solution
  • SSO
  • Mini cookie
  • SSL-ID
  • URL rewrite
  • Enhanced security
  • Define target destination servers
  • Deployed at VISA VOL

Users
Destination Web Servers
Firewalls
Proxy Server
User Entitlement Stores
SiteMinder Policy Server
8
Single Sign-on Application Server Environment
Firewalls
Backend Resources
  • J2EE Application Server Agents
  • IBM WebSphere BEA WebLogic
  • Enables SSO across the enterprise
  • Including J2EE application server based
    applications
  • Leverages SiteMinders broad range of
    authentication system support
  • Centralized authorization management audit
    services

Users
J2EE ApplicationServer
Firewalls
Web Server
User Entitlement Stores
SiteMinder Policy Server
9
Single Sign-on Enterprise Applications
Firewalls
  • Enables SSO across the enterprise, including
    ERP/CRM systems
  • SAP, Siebel, Peoplesoft, Oracle
  • Leverages SiteMinders broad range of integrated
    authentication systems
  • Provides centralized authorization management
    audit services

Users
Enterprise Applications
Firewalls
Web Server
User Entitlement Stores
Netegrity Policy Server
10
Authentication Management
Broad Support for Authentication Systems
  • Methods
  • Passwords
  • Two factor tokens
  • X.509 certificates
  • Passwords over SSL
  • Smart cards
  • SAML
  • Combination of methods
  • Forms-based
  • Custom methods
  • Full CRL OCSP support
  • Biometric devices
  • Management
  • Authentication Levels
  • Directory chaining
  • Configured fallbacks to other authentication
    schemes

11
Authentication Management
Password Management
  • Expiration with warning grace period
  • Composition rules
  • Max/Min lengths, repeating characters, case
    sensitivity, reusability
  • Difference () measures between before after
    passwords
  • Editable password dictionary to prohibit certain
    word use
  • Prohibition of use of user profile attributes
    (name, address etc)
  • Account Management Auditing
  • Forgotten password support
  • Redirects
  • Password Login history
  • Lock-out
  • Permanently
  • Successive failed passwords
  • Inactivity
  • Until or after certain date
  • Login before a specific date
  • Disable field in MS AD Sun One

12
Authorization ManagementCentralized Policy
Management
Response or Response Group
SiteMinder Policy
Rule or Rule Group
Users or Groups In a Directory
Active Response
eTelligent Rule
Time
IP Address
e






1.2.3.4
IP addressthat the policy applies to
User, Groups Exclusions,Roles
Expressionusing ContextualData, Web Services
Allows ordenies access to a resource
Action thatoccurs whena rule fires
Time when the policy can or cannot fire
Dynamic extension of the policy (optional)
Option(s)
  • Restrict access by user, role, groups, dynamic
    groups, or exclusions
  • Controlled impersonation of users by other
    users
  • Fine-grained authorization at the file, page, or
    object level
  • Determine access based on location and time
  • Policies
  • Send static, dynamic (SQL queries), or profile
    attributes in responses
  • Redirect users based on type of authentication or
    authorization failure
  • Can have global or local policies

13
Federated Security Services
www.PartnerA.com
  • SAML Producer
  • SAML Consumer
  • SAML Affiliate Agent

SSO
SAA
www. SiteMinder.com Authenticate
Internet
User
www. PartnerB.com
SSO
SAA
14
Federated Security ServicesSAML Producer with
SAML Affiliate Agent (SAA)
www.PartnerA.com
  • SiteMinder site conducts authentication
  • User profile must exist at www.SiteMinder.com
  • Light-weight Web plug-in at partners
  • Security product/SAML support not required at
    partners
  • Converts SAML attribute assertions into HTTP
    header variables
  • Provides user profile information to Web
    application
  • Synchronized session between sites
  • Single sign-on/off
  • Centralized auditing reporting
  • Event notification services

SSO
SAA
www. SiteMinder.com Authenticate
Internet
User
www. PartnerB.com
SSO
SAA
15
Federated Security Services SAML Producer
www.PartnerA.com
  • SiteMinder site conducts authentication
  • User profile must exist at www.SiteMinder.com
  • Generates SAML artifact
  • SAML Consumer capability required at Partners
  • SiteMinder or equivalent capability
  • Competitive IAM system, toolkit, standards
    compliant platform
  • Functionality available to partners dependent on
    capability of local security tool
  • No Netegrity software required at partners

SSO
www. SiteMinder.com Authenticate
Internet
User
www. PartnerB.com
SSO
16
Federated Security Services SAML Consumer
www.PartnerA.com
  • Security product at PartnerA/B conducts
    authentication
  • May or may not be SiteMinder
  • Could be competitive IAM system, toolkit, or
    standards compliant platform
  • SiteMinder conducts SAML-based authorization
    SSO
  • Partner-user to SiteMinder-user mapping is
    flexible
  • One-to-one (account-to-account)
  • Many-to-one

Authenticate
www. SiteMinder.com
SSO
Internet
User
www. PartnerB.com
Authenticate
17
Enterprise Class ManageabilityAuditing
Reporting
  Access Reports Hourly Rollup Access
Report Daily Rollup Access Report Hourly
Authentication Access Report Daily Authentication
Access Report Hourly Authorization Access
Report Daily Authorization Access Report Hourly
Administrator Access Report Daily Administrator
Access Report   Activity Reports Activity Rollup
Report User Activity Report Agents Activity
Report Resource Usage/Activity Report   Intrusion
Reports Intrusion Rollup Report Intrusion by User
Report Intrusion by Agent Report   Audit
Reports Audit Rollup Report Audit by Resource
Report Audit by Administrator Report
  • Managers need reports to
  • Fine tune infrastructure
  • Show compliance with security policies
    regulations
  • SiteMinder provides
  • Schema for reporting RDBMS
  • Stored procedures which can be used to generate
  • Access reports
  • Activity reports
  • Intrusion reports
  • Audit reports

18
High Performance Architecture
Web Server Web Agent w/Cache
Web Server Web Agent w/Cache
Web Server Web Agent w/Cache
  • Automatic fail-over
  • Cluster-to-cluster fail-over (SM 6.0)
  • Agent to Policy Server dynamic load balancing
  • Policy Server to directory server load balancing
    failover
  • 2-level caching in Policy Server agents
  • 8 processor support (SM 6.0)

128 Bit RC4encryption
Policy Server
Policy Server
Audit Log(ODBC)
RulesCache
RulesCache
PolicyCache
PolicyCache
Replication
Directory Server
Directory Server
19
Broad Platform Support
Leverages Existing Investments
UserDirectories
Authentication Systems
Platforms
Other Systems
  • Web Agents
  • Microsoft IIS
  • Sun ONE
  • Apache
  • HP Apache
  • Lotus Domino
  • IBM HTTP
  • Oracle HTTP
  • Domino Go
  • Policy Server
  • MS NT/Win 2000/Win2003
  • Sun Solaris
  • HP-UX
  • Red Hat Enterprise Linux
  • Sun Java System Directory Server
  • NT Domains
  • Microsoft Active Directory
  • IBM Directory Server
  • Novell eDirectory
  • MS SQL Server
  • Oracle RDBMS
  • Siemens DirX
  • Oracle Internet Directory
  • Critical Path Directory Server
  • Lotus Domino LDAP
  • CA eTrust
  • Passwords
  • Passwords over SSL
  • Forms-based
  • X.509 certificates
  • Full CRL OSCP support
  • Smart cards
  • Two factor tokens
  • Method Chaining
  • SAML
  • Custom methods
  • Biometric devices
  • Combination of methods
  • Application Servers
  • BEA WebLogic
  • IBM WebSphere
  • ERP/CRM
  • Peoplesoft
  • Siebel
  • SAP
  • Oracle
  • RADIUS Network Access Devices
  • Firewalls
  • Communication Servers

20
Solution Modules
  • Mobile Authentication Module
  • Authentication by passcodes delivered wirelessly
    to your handled devices
  • User Context Gateway
  • Provides SSO to Microsoft applications like OWA
    and Citrix NFuse
  • Limit Concurrent Login
  • Prevents users from authenticating twice and
    accessing the site from two or more browsers
    simultaneously
  • Impersonation (SM 5.x OOB in SM 6.0)
  • Allows one user to impersonate another while
    still maintaining control, security and the
    ability to audit
  • SmFTP Server
  • SiteMinder enabled FTP server

21
TransactionMinder Key Features
  • Deployed at VISA ROL and CCDR
  • Centralized policy-based authentication,
    authorization, and audit
  • Provides single point of access control and
    administration for the whole enterprise
  • Synchronized sessioning
  • Enables single sign-on across multiple Web
    services used in the same transaction
  • Shared Web services security platform
  • Avoids creation of an isolated island of
    security Web services are one of many resources
    that must be secured by the enterprise
  • Seamless integration with existing
    SiteMinder-enabled sites
  • Open, platform-neutral architecture
  • Support all major relevant web services standards
    (XML/SOAP, WS-Security, SAML, XML Signature)
  • No investment in proprietary technologies is
    required.

Provisioningand User Administration
Authentication Access Management
User Administration
Resource Provisioning
TransactionMinder The industrys first
policy-based solution to protect access to Web
services
22
Introducing TransactionMinder
Complete Web services security solution
Web Services Provider
  • Designed to provide secure access to Web services
  • Authentication based on message content and Web
    services standards such as WS-Security, SAML, XML
    Signature
  • Runtime authorization rules based on the content
    of a business payload, e.g., a purchase order
  • Centralized authentication, authorization, audit,
    and federation services
  • Leverages and extends the core Netegrity Policy
    Server
  • Delivers security policy as a shared service
  • Support for industry-leading Web services
    frameworks and standards

Web Service(s)
TransactionMinder XML Agent
Back-end Application
Internet
Netegrity Policy Server
Policies define - Authentication -
Authorization - Audit - Federation - Session Mgt
Web Services Consumer
User Directories
23
TransactionMinder Features
  • Content-based Authentication
  • XML Document Credentials Collector (DCC)
  • XML Signature
  • Sessioning (expressed as a SAML session
    assertion)
  • WS-Security (supporting three security tokens
    password digest, X.509 certs, and SAML
    assertions)
  • XML Encryption (New in TransactionMinder v6.0)
  • New Policy Server XML response types
  • SAML session assertion generation (in SOAP
    envelope, HTTP header, or cookie)
  • WS-Security header generation (supporting three
    security tokens password digest, X.509 certs,
    and SAML assertions)
  • Dynamic Authorization Policy Model
  • eTelligent Rules using TransactionMinder-specific
    variables in policy expressions

24
WS-Security Authentication Scheme
  • Producing and consuming three WS-Security-bound
    security tokens (WSSE)
  • Password digest
  • X.509 certificates
  • SAML 1.1 assertions
  • WS-Security utilities (WSU)
  • Digital signatures (using TransactionMinder
    v6.0s key database functionality)
  • Message timestamps
  • WS-Security Encryption (Production Consumption)
    (New in TransactionMinder v6.0)
  • Encryption / decryption of tokens and message
    elements that are included in SOAP messages using
    WS-Security

25
TransactionMinder Deployments Based on the
Netegrity Reference Architecture
  • Simple Direct Deployment
  • Simple Proxy Deployment
  • IAM / WSM Deployment with Security Appliance

26
Simple Direct Deployment
NetworkFirewall
NetworkFirewall
Legacy
.NET
TxMinder XML Agent
Web Service Container (IIS, iPlanet, Apache)
SOAP
J2EE
Netegrity Policy Server
User Stores (LDAP, RDBMS, etc.)
27
Simple Proxy Deployment
NetworkFirewall
NetworkFirewall
Legacy
Proprietary Security
Reverse Proxy Server
SOAP
.NET
.NET Security
SOAP
J2EE
Container Security
TxMinder XML Agent
Netegrity Policy Server
User Stores (LDAP, RDBMS, etc.)
28
IAM/WSM Deployment w/ Security Appliance
NetworkFirewall
NetworkFirewall
Legacy
Propriatary Security
Proxy
WSM Agt
.NET
TxM Agt
SOAP
Security Appliance(2)
WSM (1)
SOAP SAML
SOAP
TxM Agt
WSM Agt
J2EE
TxMinder XML Agent
Netegrity Policy Server
WSM Policies
User Stores (LDAP, RDBMS, etc.)
Notes Dotted lines materialize integration
between TransactionMinder and Netegrity partners
(1) Web Services Management (2) XML Firewall
providing wire speed XML processing (parsing,
transformation, crypto math, etc.)
29
Integration with Complementary Third-Party
Offerings
  • Purpose
  • Create a TransactionMinder ecosystem that
    provides more complete customer solutions
  • Integration Approach
  • Based on Netegritys Reference Architecture
  • Use of TransactionMinders Agent API
  • Integration of XML Gateways with TxMinder
  • Vendors involved Forum, Reactivity, Sarvega,
    Layer7
  • Customer Benefits
  • Intrusion detection (XML Gateway)
  • Accelerated, first-level, entry point
    authentication (XML Gateway)
  • Integration with Enterprise infrastructure
    (TransactionMinder)
  • Centralized security policies, multiple-factor
    user stores, etc.
  • Web services federation, sessioning
    (TransactionMinder)
  • Integration of Web Services Management (WSM)
    Platforms with TxMinder
  • Vendors involved Digital Evolution, Actional,
    Amberpoint, Blue Titan
  • Customer Benefits
  • Provides SLA and business policies management
    (WSM Platform)
  • Integration with Enterprise infrastructure
    (TransactionMinder)
  • Centralized security policies, multiple-factor
    user stores, etc.

30
IdentityMinder Features Overview
Deployed at VISA DPS, Risk Mgmt
  • Stuctured Administration
  • Leverage administrator roles, groups,
    organizations, attributes to maximize
    administrative productivity control
  • Enable role-based access control (RBAC)
  • Integrated Workflow
  • Improve security and reduce costs through on-line
    workflows
  • On-line requests, approvals, notifications
  • Delegated User Administration
  • Improve efficiency by distributing administration
  • To partners internal administrators
  • Auditing Reporting
  • Improve security through comprehensive auditing
    and management reporting
  • User Self-Service
  • Reduce costs by allowing end-users to manage
    their own profiles, passwords, entitlements

J2EE application that provides a customizable
interface for delegating user administration and
granting users entitlements. IMWE leverages the
power of SiteMinder including support for
role-based access control.
31
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

32
Self Service
Reduces administrative cost and improves user
experience
3
1
4
SelfRegister to NeteAuto Name Jsmith Pwd
xyz Email jsmith_at_os.com Enter Code x23z Sign Me
Up Free Stuff Credit Line
  • NeteAuto WebSite
  • Welcome Jsmith
  • Select One
  • Edit My Profile
  • Reset My Password
  • Change Memberships
  • User Self registers
  • Requests access to applications and group
    memberships
  • Workflow approval is conditionally triggered for
    group assignments
  • The user object is created
  • The user can now change profile and password
    attributes and memberships

33
Self-Registration
  • Support for multiple self-registration schemes
  • Multiple user communities (Partners vs.
    Contractors)
  • Multiple languages
  • Options for customizing self-registration
  • Use default form
  • Redesign form using the form designer
  • Prompts, Fields, Hints, Layout, Branding,
    Formatting
  • For additional customization, generate WSDL for
    fully customized web service interface

Default form
34
Self Management
  • Benefits
  • Reduce administrative costs
  • Speed delivery of service to users
  • Improved user experience
  • Forgotten Password Support
  • Multiple Challenge/Response questions
  • Integration with SiteMinder password policy
  • Self Management options
  • Modify specific attributes
  • View Group and Role memberships
  • Request additional entitlements
  • Subscribe to self-subscribing groups
  • Change password

35
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

36
Integrated Workflow
  • Worklist for COO
  • Approve gold status for I. Supply
  • Approve

Supplierregistersfor Goldstatus
A
Is Credit ratingA or B
B
NO
YES
COOapproves
Name I. Supply Status bronze
Name I. Supply Status gold
TO I. Supply CC Supplier Mgr
  • Configurable Workflow Engine Supports
  • Multi-step, non-linear approvals
  • Design workflow process variants
  • Create Contractor vs Create Partner
  • Customizable rules defining approvers
  • Member of role or group, meets filter condition,
    custom
  • AutoApprove if no approvers are assigned
  • Customizable rules to identify who is notified
  • Customizable e-mail templates
  • Approved, pending, completed, rejected
  • Workflow API enables integration with other user
    management processes

37
Workflow Customization
  1. Copy Create User Approve process to generate
    Create Contactor Approve process
  2. Specify HR group as approver
  3. Specify Contractor Supervisor as approver

38
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

39
Delegation
  • Delegation is based on IdentityMInder roles and
    tasks
  • IM Admin roles allow management of users, groups,
    orgs, roles
  • Roles contain granular tasks (Modify User)
  • Create new roles by re-combining tasks
  • Create new tasks to meet business needs (Create
    Contractor)

40
Delegation Creating Admin Roles
  • During role creation, specify ALL the rules about
    the role
  • What are the tasks associated with this role?
  • HelpDeskAdmin has Enable/disable User, Reset User
    Password, Modify User
  • Who are the role members?
  • Can initiate the tasks of the role
  • While performing this role, what users, groups,

    orgs are in scope?
  • Who are the role administrators?
  • Can delegate the role to others
  • While delegating this role, what users are in
    scope?
  • Who are the role owners?
  • Can modify the role using this interface
  • Each role may have multiple member policies
  • People in HelpAdmin group
  • TitleITManager
  • All role metadata stored in Policy Store

41
Delegation Membership Rule Examples
Member Requirement Rule Type Example
Must match one attribute value User Users where title starts with senior
Must match multiple attribute values User Users where titlemgr and localityltgteast
Must be a member of another role User Users in admin role helpdeskadmin
Must belong to named org(s) Org Users in org sales and lower
Must belong to org(s) which meet a condition specified by attribute(s) on the org Org Users in orgs where Business Typegold or Business Typeplatinum
Must belong to specific org(s) and match specific user attributes Org User Users where titlemgr and localityeast and who are in org sales or org marketing
Must belong to specific group(s) Group Users who are members of group ORGADMIN
Must belong to group(s) which meet a condition specified by attribute(s) on the group Group Users who are members of groups where ownerCIO
Must meet some condition which is beyond scope of rule syntax Query Users returned by the query ldap_query
42
Delegation Managing User Store Objects
  • Delegate responsibility for managing segments of
    the user store to the best qualified individuals
  • Non-intrusive support for the corporate user
    store
  • User stores supported
  • Relational Database
  • Single/multiple table based objects
  • Objects retrieved by stored procedures
  • Database generated unique identifier
  • Delimited or row-based multiple values
  • Native database datatypes
  • LDAP v3
  • Hierarchical, Flat structure
  • Auxiliary classes
  • Groups

43
Delegation Managing Groups
  • Delegated group management provides for
    separation of duties
  • Group Manager
  • Create/modify/delete group
  • Assign Group Admin(s)
  • Group Admin
  • Manage group membership
  • Can manage groups regardless of organizational
    context
  • Group management can be hidden behind role
    assignment
  • Membership rule is a group
  • Support for
  • Self-subscribing groups
  • Nested groups
  • Dynamic groups
  • For example All technicians (employeetype) with
    cell phones (mobile)
  • ldap///ouNeteAuto,osecurity.com??sub?(employee
    type technician) (!mobileNULL)

44
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

45
RBAC Support in SiteMinder
Step 1 Use SM UI to link Access rolesto
security policies
46
RBAC Support in SiteMinder
Step 2 User defined variable
Application name (optional)
  • SiteMinder generated attributes
  • SM_User_Application_Roles
  • SM_User_Application_Tasks
  • Response returns users roles/tasks for
    authorization
  • Role Task names are passed to the Application

47
Why RBAC?
  • SiteMinder role based policies secure
    applications
  • Efficiency, scalability, flexibility
  • Reduces administrative cost
  • Coexist with user based policies

Delegated User Admins
Security Policy Admins
Employees
Sales Support Role
Contractors
Partners
48
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

49
Auditing Reporting
  • Configurable auditing logged to relational DB
  • Which objects?
  • User Store objects User, Org, Group
  • IdentityMinder objects Roles, Tasks
  • Which state transitions?
  • Approve, reject, executing, pending, completed,
    cancel, done
  • What data?
  • Old values, new values, or both
  • Reports can be derived from audit data
  • Report types
  • Auditing (for example, what changes were made
    to UserB)
  • Administrative (for example, what roles can
    AdminA grant?)
  • Control access through the delegation model
  • Specify which users can access which reports

50
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

51
Customization Options
  • Rebrand, change look and feel of the IM UI
  • Provide interfaces for users in different
    geographies
  • Fully internationalized and localized to support
    multi-national companies
  • Reduce clicks for administrators with few
    responsibilities
  • Assure that IM administrators first screen is
    optimized
  • Redesign forms used by delegated admins
  • Significant opportunities for customizing the
    interface using the IM interface
  • Use web services interface (WSDL)
  • Generate WDSL files then perform additional
    customization if necessary
  • Enables embedding in the company portal

52
Customizing Look Feel
  • Skin has components that may be edited to change
    look and feel
  • Headers and footers
  • Images
  • Colors and fonts
  • IM supports multiple skins, each consisting of
  • Cascading Style Sheet
  • Images (.jpeg, .gif, .png)
  • A .properties file that defines the components of
    a skin
  • Addresses accessibility requirements specified in
    Section 508 of the Rehabilitation Act

53
Tailoring the First Screen
1
2
  • First screen may vary by user
  • Few tasks Listed in left nav
  • Many tasks Categories in left nav
  • Workflow approver sees worklist first

54
Creating Custom Tasks for Admins
  • Tasks - the building blocks of custom views
  • Supports fine grained delegation
  • Use IM task designer to create new tasks
  • Copying and modifying existing tasks
  • Copy all or parts of tasks

User Mgmt Create User Modify User View User
Employee Info Name Employee ID Department Sup
ervisor
User Object cn EmployeeNumber departmentNumber ma
nager employeeType
Contractor Mgmt Modify Contractor View Contractor
Contractor Profile Name Dealer
ID Classification
55
Design Custom Forms with IM
  • Rebrand, add links, text, etc
  • Add/remove/rename tabs
  • Remove the Org search
  • Re-label prompts
  • Add field hints

56
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

57
Web Service Support
  • Business Case
  • IM is web service enabled
  • Enables additional customization beyond
    what is supported
    through the IM interface
  • Support embedding into corporate portal
  • Support industry standard - WSDL
  • Steps
  • Identity which tasks will be enabled as web
    service
  • Customize those tasks as much as possible using
    IM interface
  • Export WSDL
  • Modify WSDL to complete customization
  • Use tools such as Apache Axis to generate web
    clients

58
IdentityMinder APIs
  • Logical Attribute API Enables you to display an
    attribute differently than how it is stored
    physically in a user directory.
  • Business Logic Task Handler API Allows you to
    perform custom business logic during data
    validation or transformation operations.
  • Workflow API Provides information to a custom
    script in a workflow process. The script
    evaluates the information and determines the path
    of the workflow process accordingly.
  • Participant Resolver API --Enables you to specify
    the list of participants who are authorized to
    approve a workflow activity.
  • Event Listener API Enables you to create a
    custom event listener that listens for a specific
    IdentityMinder event or group of events. When the
    event occurs, the event listener can perform
    custom business logic.
  • Notification Rule API Lets you determine the
    users who should receive an email notification.
  • Email Template API Includes event-specific
    information in an email notifi-cation.

59
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Secure Scalable
  • Integrated Provisioning

60
Secure Architecture
61
Scalability for Fault Tolerant Deployment
WS-3
J2EE Cluster
WS-2
SiteMinder Policy Server
Load Balancer
WS-1
User Store
Data Tier
Browser
Web Tier
Application Tier
62
Supported Platforms
  • Leverages enterprise architecture
  • User store
  • LDAP Directories (SunOne, MS AD/ADAM, Novell
    eDirectory, Oracle OID, IBM SecureWay, Siemens
    DirX, InJoin Critical Path)
  • Relational Databases (Oracle, MS SQL Server)
  • Application Servers
  • IBM WebSphere
  • BEA WebLogic
  • JBoss
  • OS Support Windows, Solaris

63
Integrated Identity and Access Management
About PowerShow.com