Identity and Access Management Solution Overview - PowerPoint PPT Presentation

Slides: 64
Provided by: bestitdoc
Transcript and Presenter's Notes

1
Identity and Access Management Solution Overview
2
The Netegrity Solution
The Netegrity Identity and Access Management Solution
  • Enforcement
  • Access Management: SiteMinder
  • Web Services Access Management: TransactionMinder
  • Administration
  • User Administration: IdentityMinder, Web Edition
  • Resource Provisioning: IdentityMinder, Provisioning Edition
For Legacy, Web and Service-Oriented Architectures
3
The Application Silo Challenge
  • High security administration costs
  • Expensive coding and maintenance
  • Poor user experience
  • No centralized security enforcement
  • No standardized security process
  • No central auditing capability

Diagram: Customers, Employees and Partners each reach a set of siloed applications (Customer Self-Service, Partner Extranet, CRM, ERP, HR, SCM, E-Commerce). Every application carries its own Security Layer with its own identity for the same person (J_Doe1211960, John DoeA23JJ4, John Doe, John_D, Johnd, a Mobile Phone, a PKI Cert), its own Application Layer, and its own User Store (Oracle OID, Oracle RDBMS, Active Directory, SQL 2000, SunONE LDAP, Oracle, LDAP) on top of the Operating System.
4
SiteMinder in Action
Diagram: user jdoe passes a Firewall to reach a Web Server with SiteMinder Agent; the agent passes a second Firewall to query the SiteMinder Policy Server, which applies the configured Authentication Scheme. For each request the agent asks the Policy Server:
1) Is the resource protected?
2) Is the user authenticated?
3) Is the user authorized?
5
Native Directory Enabled
  • Map to existing user stores
  • No embedded database required
  • Eliminates user store synchronization issues
  • Separate authentication & authorization stores
  • Chain directories
  • Supports multiple user directories
  • Including databases & mainframes

NT, LDAP, AD, ODBC, RACF
No user data stored in SiteMinder
Diagram: Users in the DMZ reach the Web Server with SiteMinder Agent; the SiteMinder Policy Server resolves users against a separate Authentication Namespace and Authorization Namespace.
6
Single Sign-On: Microsoft Environment
Windows Integrated Security: authenticate to your desktop, then access all your enterprise web applications.
Diagram: a user in the mycompany.com Active Directory domain performs one Microsoft application login; an MS IIS Web Server with SiteMinder Agent (hosting Outlook Web Access), a Web Server on Unix with SiteMinder Agent and SQL Server all accept that session through the SiteMinder Policy Server.
7
Single Sign-On: Netegrity Secure Proxy Server
  • Turnkey proxy solution
  • SSO
  • Session tracking by mini cookie, SSL-ID or URL rewrite
  • Enhanced security
  • Define target destination servers
  • Deployed at VISA VOL

Diagram: Users cross the outer Firewalls into the DMZ, where the Proxy Server terminates their requests; the Proxy Server consults the SiteMinder Policy Server and the User Entitlement Stores, then forwards across the inner Firewalls to the Destination Web Servers (Backend Resources).
8
Single Sign-on: Application Server Environment
  • J2EE Application Server Agents
  • IBM WebSphere & BEA WebLogic
  • Enables SSO across the enterprise
  • Including J2EE application server based applications
  • Leverages SiteMinder's broad range of authentication system support
  • Centralized authorization management & audit services

Diagram: Users cross the outer Firewalls to the Web Server, which fronts the J2EE Application Server (Backend Resources) behind the inner Firewalls; both the Web Server agent and the application server agent consult the SiteMinder Policy Server and the User Entitlement Stores.
9
Single Sign-on: Enterprise Applications
  • Enables SSO across the enterprise, including ERP/CRM systems
  • SAP, Siebel, PeopleSoft, Oracle
  • Leverages SiteMinder's broad range of integrated authentication systems
  • Provides centralized authorization management & audit services

Diagram: Users cross the outer Firewalls to the Web Server, which fronts the Enterprise Applications behind the inner Firewalls; the Web Server agent consults the Netegrity Policy Server and the User Entitlement Stores.
10
Authentication Management
Broad Support for Authentication Systems
  • Methods
  • Passwords
  • Two-factor tokens
  • X.509 certificates
  • Passwords over SSL
  • Smart cards
  • SAML
  • Combination of methods
  • Forms-based
  • Custom methods
  • Full CRL & OCSP support
  • Biometric devices
  • Management
  • Authentication levels
  • Directory chaining
  • Configured fallbacks to other authentication schemes

11
Authentication Management
Password Management
  • Expiration with warning & grace period
  • Composition rules
  • Max/min lengths, repeating characters, case sensitivity, reusability
  • Difference (%) measures between old and new passwords
  • Editable password dictionary to prohibit certain words
  • Prohibition of user profile attributes (name, address, etc.) in passwords
  • Account Management & Auditing
  • Forgotten password support
  • Redirects
  • Password & login history
  • Lock-out
  • Permanently
  • After successive failed passwords
  • After inactivity
  • Until or after a certain date
  • Login before a specific date
  • Disable field in MS AD & Sun ONE

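The rules above are easy to get subtly wrong (a reuse check that compares plaintext, a lock-out counter that never resets). The checker below is an added example written for this page, not Netegrity code: it implements the composition rules, a hashed password history, a percentage-difference check against the previous password, a prohibited-word dictionary, a ban on profile attributes, and lock-out after successive failures. The policy thresholds, the sample account profile, the passwords and the PBKDF2 iteration count are all constructed for the illustration.

```python
"""Password policy checker in the spirit of the slide above (added example)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class PasswordPolicy:
    min_len: int = 10
    max_len: int = 64
    max_repeat: int = 2             # longest run of one character allowed
    require_mixed_case: bool = True
    history_depth: int = 5          # previous passwords that may not be reused
    min_percent_different: int = 50
    dictionary: frozenset = frozenset({"password", "welcome", "netegrity"})
    lockout_after_failures: int = 5


@dataclass
class Account:
    uid: str
    profile: dict                   # attribute values forbidden inside the password
    history: list = field(default_factory=list)   # (salt, digest), newest last
    failures: int = 0
    locked: bool = False


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _longest_run(s: str) -> int:
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def _percent_different(old: str, new: str) -> int:
    same = sum(b.size for b in SequenceMatcher(None, old, new).get_matching_blocks())
    return round(100 * (1 - same / max(len(old), len(new))))


def check_new_password(policy, account, new, old=None):
    """Return the list of violated rules; an empty list means acceptable."""
    problems, low = [], new.lower()
    if not policy.min_len <= len(new) <= policy.max_len:
        problems.append("length")
    if _longest_run(new) > policy.max_repeat:
        problems.append("repeating characters")
    if policy.require_mixed_case and not (any(c.isupper() for c in new) and any(c.islower() for c in new)):
        problems.append("case")
    if any(word in low for word in policy.dictionary):
        problems.append("dictionary word")
    if any(str(v).lower() in low for v in account.profile.values() if len(str(v)) >= 3):
        problems.append("profile attribute")
    if any(hmac.compare_digest(d, _digest(s, new)) for s, d in account.history[-policy.history_depth:]):
        problems.append("reuse")
    if old is not None and _percent_different(old, new) < policy.min_percent_different:
        problems.append("too similar to previous")
    return problems


def set_password(policy, account, new, old=None):
    problems = check_new_password(policy, account, new, old)
    if not problems:
        salt = os.urandom(16)
        account.history.append((salt, _digest(salt, new)))
    return problems


def verify_login(policy, account, password) -> bool:
    """Check the current password, counting failures and locking the account."""
    if account.locked or not account.history:
        return False
    salt, digest = account.history[-1]
    if hmac.compare_digest(digest, _digest(salt, password)):
        account.failures = 0
        return True
    account.failures += 1
    if account.failures >= policy.lockout_after_failures:
        account.locked = True
    return False


def demo():
    """Exercise the rules against a constructed account; returns the findings."""
    policy = PasswordPolicy()
    acct = Account("jdoe", {"givenName": "John", "sn": "Doe", "l": "Boston"})
    findings = {"first_password_accepted": set_password(policy, acct, "Vh7!kq2Lmz9w") == []}
    findings["reuse"] = check_new_password(policy, acct, "Vh7!kq2Lmz9w")
    findings["profile"] = check_new_password(policy, acct, "BostonSkyline77")
    findings["dictionary"] = check_new_password(policy, acct, "MyPassword2024!")
    findings["repeat"] = check_new_password(policy, acct, "Aaaabcdefgh1!")
    findings["similar"] = check_new_password(policy, acct, "Vh7!kq2Lmz9x", old="Vh7!kq2Lmz9w")
    findings["login_ok"] = verify_login(policy, acct, "Vh7!kq2Lmz9w")
    for _ in range(policy.lockout_after_failures):
        verify_login(policy, acct, "wrong-guess")
    findings["locked_after_failures"] = acct.locked
    findings["login_after_lockout"] = verify_login(policy, acct, "Vh7!kq2Lmz9w")
    return findings


if __name__ == "__main__":
    print(demo())
```

The history is stored as salted PBKDF2 digests so that a reuse check never needs the old plaintext; the percentage-difference rule is the one place the previous plaintext is required, which is why it is only checked at change time when the user has just typed it.
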
12
Authorization Management: Centralized Policy Management
Diagram: the components of a SiteMinder Policy and what each contributes.
  • Rule or Rule Group: allows or denies access to a resource
  • Users or Groups in a Directory: users, groups, exclusions, roles
  • Response or Response Group: action that occurs when a rule fires
  • Active Response: dynamic extension of the policy (optional)
  • eTelligent Rule: expression using contextual data, Web services
  • Time: when the policy can or cannot fire
  • IP Address (e.g. 1.2.3.4): IP address that the policy applies to
  • Restrict access by user, role, groups, dynamic
    groups, or exclusions
  • Controlled impersonation of users by other
    users
  • Fine-grained authorization at the file, page, or
    object level
  • Determine access based on location and time
  • Policies
  • Send static, dynamic (SQL queries), or profile
    attributes in responses
  • Redirect users based on type of authentication or
    authorization failure
  • Can have global or local policies

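The three questions on the "SiteMinder in Action" slide and the policy components listed above fit in one sketch. The Python below is an added example, not SiteMinder code: an agent (enforcement point) asks a policy server (decision point) whether the resource is protected, whether the credentials are valid, and whether a policy allows the request; each policy combines a rule, a group constraint, exclusions, a time window, an IP range and a response of header variables. The realms, users, groups, network ranges and header names are constructed, and the user store is an in-memory stand-in for the directory SiteMinder would map to.

```python
"""Agent (enforcement point) and Policy Server (decision point) sketch (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    realm: str            # resource prefix the rule covers, e.g. "/hr/"
    resource: str         # glob matched against the remainder of the path
    actions: tuple        # HTTP methods the rule covers
    allow: bool = True    # a deny rule wins as soon as it matches


@dataclass
class Policy:
    name: str
    rule: Rule
    groups: frozenset                      # at least one must match
    exclusions: frozenset = frozenset()    # users the policy never applies to
    hours: tuple = (0, 24)                 # [start, end) hour of day
    networks: tuple = ()                   # CIDR strings; empty means any client
    responses: dict = field(default_factory=dict)  # headers fired on allow


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed user store: uid -> (password hash, groups). A real store would be
# the LDAP/ODBC directory the policy server maps to, with salted hashes.
USER_STORE = {
    "jdoe": (_h("hunter2"), frozenset({"employees", "hr"})),
    "asmith": (_h("correct-horse"), frozenset({"employees"})),
}

POLICIES = [
    Policy("hr-staff", Rule("/hr/", "*", ("GET", "POST")), frozenset({"hr"}),
           hours=(8, 18), networks=("10.0.0.0/8",),
           responses={"SM_USER": "{uid}", "SM_GROUPS": "{groups}"}),
    Policy("everyone", Rule("/portal/", "*", ("GET",)), frozenset({"employees"})),
]
PROTECTED_REALMS = sorted({p.rule.realm for p in POLICIES}, key=len, reverse=True)


def is_protected(path):
    """Question 1: the realm that covers the path, or None if unprotected."""
    return next((r for r in PROTECTED_REALMS if path.startswith(r)), None)


def authenticate(uid, password):
    """Question 2: basic password scheme; returns the user's groups or None."""
    rec = USER_STORE.get(uid)
    if rec and hmac.compare_digest(rec[0], _h(password)):
        return rec[1]
    return None


def authorize(uid, groups, path, method, client_ip, now):
    """Question 3: first matching policy decides; no match means deny."""
    for p in POLICIES:
        r = p.rule
        if not (path.startswith(r.realm) and fnmatch(path[len(r.realm):], r.resource)):
            continue
        if method not in r.actions or uid in p.exclusions or not (groups & p.groups):
            continue
        if not p.hours[0] <= now.hour < p.hours[1]:
            continue
        if p.networks and not any(ip_address(client_ip) in ip_network(n) for n in p.networks):
            continue
        if not r.allow:
            return False, {}
        headers = {k: v.format(uid=uid, groups=",".join(sorted(groups)))
                   for k, v in p.responses.items()}
        return True, headers
    return False, {}


def agent_request(path, method, uid, password, client_ip, now):
    """The agent's flow; returns (HTTP status, response headers)."""
    if is_protected(path) is None:
        return 200, {}                       # unprotected: pass through
    groups = authenticate(uid, password)
    if groups is None:
        return 401, {}                       # challenge for credentials
    ok, headers = authorize(uid, groups, path, method, client_ip, now)
    return (200, headers) if ok else (403, {})


def demo():
    """Run the constructed cases; returns case -> (status, headers)."""
    noon, night = datetime(2024, 1, 15, 12, 0), datetime(2024, 1, 15, 20, 0)
    ok = ("jdoe", "hunter2", "10.1.2.3")
    return {
        "unprotected": agent_request("/public/index.html", "GET", "", "", "1.2.3.4", noon),
        "bad_password": agent_request("/hr/report", "GET", "jdoe", "nope", "10.1.2.3", noon),
        "hr_allowed": agent_request("/hr/report", "GET", *ok, noon),
        "hr_after_hours": agent_request("/hr/report", "GET", *ok, night),
        "hr_from_outside": agent_request("/hr/report", "GET", "jdoe", "hunter2", "198.51.100.7", noon),
        "not_in_hr": agent_request("/hr/report", "GET", "asmith", "correct-horse", "10.1.2.3", noon),
        "portal_get": agent_request("/portal/home", "GET", "asmith", "correct-horse", "10.1.2.3", noon),
        "portal_post": agent_request("/portal/home", "POST", "asmith", "correct-horse", "10.1.2.3", noon),
    }


if __name__ == "__main__":
    print(demo())
```

Note the ordering: the agent never evaluates policies for an unprotected resource, and a request that matches no policy is denied rather than allowed, which is the default a centralized enforcement layer needs.
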
13
Federated Security Services
  • SAML Producer
  • SAML Consumer
  • SAML Affiliate Agent

Diagram: a User on the Internet authenticates at www.SiteMinder.com and then has SSO to www.PartnerA.com and www.PartnerB.com, each running a SAML Affiliate Agent (SAA).
14
Federated Security Services: SAML Producer with SAML Affiliate Agent (SAA)
  • SiteMinder site conducts authentication
  • User profile must exist at www.SiteMinder.com
  • Light-weight Web plug-in at partners
  • Security product/SAML support not required at partners
  • Converts SAML attribute assertions into HTTP header variables
  • Provides user profile information to Web application
  • Synchronized session between sites
  • Single sign-on/off
  • Centralized auditing & reporting
  • Event notification services

Diagram: the User authenticates at www.SiteMinder.com; the SAA at www.PartnerA.com and www.PartnerB.com accepts the resulting SSO.
15
Federated Security Services: SAML Producer
  • SiteMinder site conducts authentication
  • User profile must exist at www.SiteMinder.com
  • Generates SAML artifact
  • SAML Consumer capability required at partners
  • SiteMinder or equivalent capability
  • Competitive IAM system, toolkit, standards-compliant platform
  • Functionality available to partners depends on the capability of the local security tool
  • No Netegrity software required at partners

Diagram: the User authenticates at www.SiteMinder.com, which issues the artifact; www.PartnerA.com and www.PartnerB.com consume it for SSO with their own security products.
16
Federated Security Services: SAML Consumer
Diagram: the User authenticates at www.PartnerA.com or www.PartnerB.com; www.SiteMinder.com consumes the partner's assertion and grants SSO.
  • Security product at PartnerA/B conducts authentication
  • May or may not be SiteMinder
  • Could be competitive IAM system, toolkit, or standards-compliant platform
  • SiteMinder conducts SAML-based authorization & SSO
  • Partner-user to SiteMinder-user mapping is flexible
  • One-to-one (account-to-account)
  • Many-to-one

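The producer, artifact and consumer roles on the last three slides, as one added example rather than Netegrity code. The producer builds a SAML 1.1 attribute assertion and hands the browser only an artifact, which the consumer resolves once over a back channel; the consumer then checks issuer, validity window and audience, maps the remote user one-to-one or many-to-one onto a local account, and converts the attribute statement into HTTP header variables, which is what the SAML Affiliate Agent does for a partner's application. XML Signature verification is deliberately left out of this sketch; a real consumer must verify it before trusting anything in the assertion. The issuer and audience URLs, user names, attribute names and header names are constructed.

```python
"""SAML 1.1 artifact-style exchange: producer, resolution, consumer (added example)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # assertion namespace used by SAML 1.1
ET.register_namespace("saml", SAML)
ISSUER = "https://www.example-producer.test"      # hypothetical producer site
AUDIENCE = "https://www.example-partner.test"     # hypothetical consumer site
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def produce_assertion(uid, attrs, now, lifetime=timedelta(minutes=5)):
    """Producer side: attribute assertion for a user it has just authenticated."""
    a = ET.Element(f"{{{SAML}}}Assertion", {
        "MajorVersion": "1", "MinorVersion": "1", "AssertionID": "_" + secrets.token_hex(16),
        "Issuer": ISSUER, "IssueInstant": now.strftime(TS_FMT)})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(TS_FMT), "NotOnOrAfter": (now + lifetime).strftime(TS_FMT)})
    arc = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
    ET.SubElement(arc, f"{{{SAML}}}Audience").text = AUDIENCE
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = uid
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             {"AttributeName": name, "AttributeNamespace": ISSUER})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(a, encoding="unicode")


class Producer:
    """Keeps issued assertions server-side; the browser carries only an opaque artifact."""

    def __init__(self):
        self._pending = {}

    def issue(self, uid, attrs, now):
        artifact = secrets.token_urlsafe(20)          # unguessable, one-time handle
        self._pending[artifact] = produce_assertion(uid, attrs, now)
        return artifact

    def resolve(self, artifact):
        """Back-channel resolution; resolving the same artifact twice yields None."""
        return self._pending.pop(artifact, None)


def consume(assertion_xml, now, local_mapping, default_local_user=None):
    """Consumer side: validate, map the remote user, emit header variables."""
    root = ET.fromstring(assertion_xml)
    if root.get("Issuer") != ISSUER:
        raise ValueError("unexpected issuer")
    cond = root.find(f"{{{SAML}}}Conditions")
    t = now.strftime(TS_FMT)          # fixed-width format, so string order is time order
    if cond is None or not (cond.get("NotBefore") <= t < cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if AUDIENCE not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise ValueError("assertion not intended for this site")
    stmt = root.find(f"{{{SAML}}}AttributeStatement")
    remote_uid = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier").text
    # one-to-one mapping first; many-to-one via a shared local account as fallback
    local_user = local_mapping.get(remote_uid, default_local_user)
    if local_user is None:
        raise ValueError(f"no local account for {remote_uid}")
    headers = {"HTTP_SM_REMOTE_USER": remote_uid}
    for attr in stmt.iter(f"{{{SAML}}}Attribute"):
        name = attr.get("AttributeName").upper().replace("-", "_")
        headers["HTTP_SAML_" + name] = attr.find(f"{{{SAML}}}AttributeValue").text
    return local_user, headers


def demo():
    """Constructed end-to-end exchange; returns what each step produced."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    producer = Producer()
    artifact = producer.issue("jdoe", {"role": "buyer", "company": "PartnerA"}, now)
    assertion = producer.resolve(artifact)
    out = {"artifact_single_use": producer.resolve(artifact) is None}
    out["one_to_one"] = consume(assertion, now + timedelta(minutes=1), {"jdoe": "partnera-jdoe"})
    out["many_to_one"] = consume(assertion, now, {}, default_local_user="partnera-shared")[0]
    try:
        consume(assertion, now + timedelta(minutes=10), {"jdoe": "partnera-jdoe"})
        out["expired_rejected"] = False
    except ValueError:
        out["expired_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The single-use artifact store is what makes the artifact binding safe to carry through the browser: the assertion itself never travels in the front channel, and a replayed artifact resolves to nothing.
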
17
Enterprise Class Manageability: Auditing & Reporting
Access Reports: Hourly Rollup Access Report, Daily Rollup Access Report, Hourly Authentication Access Report, Daily Authentication Access Report, Hourly Authorization Access Report, Daily Authorization Access Report, Hourly Administrator Access Report, Daily Administrator Access Report
Activity Reports: Activity Rollup Report, User Activity Report, Agents Activity Report, Resource Usage/Activity Report
Intrusion Reports: Intrusion Rollup Report, Intrusion by User Report, Intrusion by Agent Report
Audit Reports: Audit Rollup Report, Audit by Resource Report, Audit by Administrator Report
  • Managers need reports to
  • Fine-tune infrastructure
  • Show compliance with security policies & regulations
  • SiteMinder provides
  • Schema for reporting RDBMS
  • Stored procedures which can be used to generate
  • Access reports
  • Activity reports
  • Intrusion reports
  • Audit reports

18
High Performance Architecture
  • Automatic fail-over
  • Cluster-to-cluster fail-over (SM 6.0)
  • Agent to Policy Server dynamic load balancing
  • Policy Server to directory server load balancing & failover
  • 2-level caching in Policy Server & agents
  • 8-processor support (SM 6.0)

Diagram: several Web Servers, each with a Web Agent with cache, talk to a pair of Policy Servers over 128-bit RC4 encryption (RC4 is no longer considered a secure cipher; a current deployment should not rely on it). Each Policy Server keeps a Rules Cache and a Policy Cache, writes to an Audit Log (ODBC), and reads from replicated Directory Servers.
19
Broad Platform Support
Leverages Existing Investments
Platforms
  • Web Agents
  • Microsoft IIS
  • Sun ONE
  • Apache
  • HP Apache
  • Lotus Domino
  • IBM HTTP
  • Oracle HTTP
  • Domino Go
  • Policy Server
  • MS NT/Win 2000/Win 2003
  • Sun Solaris
  • HP-UX
  • Red Hat Enterprise Linux
User Directories
  • Sun Java System Directory Server
  • NT Domains
  • Microsoft Active Directory
  • IBM Directory Server
  • Novell eDirectory
  • MS SQL Server
  • Oracle RDBMS
  • Siemens DirX
  • Oracle Internet Directory
  • Critical Path Directory Server
  • Lotus Domino LDAP
  • CA eTrust
Authentication Systems
  • Passwords
  • Passwords over SSL
  • Forms-based
  • X.509 certificates
  • Full CRL & OCSP support
  • Smart cards
  • Two-factor tokens
  • Method chaining
  • SAML
  • Custom methods
  • Biometric devices
  • Combination of methods
Other Systems
  • Application Servers
  • BEA WebLogic
  • IBM WebSphere
  • ERP/CRM
  • PeopleSoft
  • Siebel
  • SAP
  • Oracle
  • RADIUS Network Access Devices
  • Firewalls
  • Communication Servers

20
Solution Modules
  • Mobile Authentication Module
  • Authentication by passcodes delivered wirelessly to your handheld devices
  • User Context Gateway
  • Provides SSO to Microsoft applications like OWA and Citrix NFuse
  • Limit Concurrent Login
  • Prevents users from authenticating twice and accessing the site from two or more browsers simultaneously
  • Impersonation (add-on module in SM 5.x, out of the box in SM 6.0)
  • Allows one user to impersonate another while still maintaining control, security and the ability to audit
  • SmFTP Server
  • SiteMinder-enabled FTP server

21
TransactionMinder Key Features
  • Deployed at VISA ROL and CCDR
  • Centralized policy-based authentication, authorization, and audit
  • Provides a single point of access control and administration for the whole enterprise
  • Synchronized sessioning
  • Enables single sign-on across multiple Web services used in the same transaction
  • Shared Web services security platform
  • Avoids creating an isolated island of security: Web services are one of many resources that must be secured by the enterprise
  • Seamless integration with existing SiteMinder-enabled sites
  • Open, platform-neutral architecture
  • Supports all major relevant Web services standards (XML/SOAP, WS-Security, SAML, XML Signature)
  • No investment in proprietary technologies is required

Diagram: the product family as Provisioning and User Administration (User Administration, Resource Provisioning) alongside Authentication & Access Management. TransactionMinder: the industry's first policy-based solution to protect access to Web services.
22
Introducing TransactionMinder
Complete Web services security solution
  • Designed to provide secure access to Web services
  • Authentication based on message content and Web services standards such as WS-Security, SAML, XML Signature
  • Runtime authorization rules based on the content of a business payload, e.g., a purchase order
  • Centralized authentication, authorization, audit, and federation services
  • Leverages and extends the core Netegrity Policy Server
  • Delivers security policy as a shared service
  • Support for industry-leading Web services frameworks and standards

Diagram: a Web Services Consumer on the Internet calls the Web Services Provider; the TransactionMinder XML Agent in front of the Web Service(s) and Back-end Application asks the Netegrity Policy Server, backed by the User Directories. Policies define: Authentication, Authorization, Audit, Federation, Session Management.
23
TransactionMinder Features
  • Content-based Authentication
  • XML Document Credentials Collector (DCC)
  • XML Signature
  • Sessioning (expressed as a SAML session assertion)
  • WS-Security (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
  • XML Encryption (new in TransactionMinder v6.0)
  • New Policy Server XML response types
  • SAML session assertion generation (in SOAP envelope, HTTP header, or cookie)
  • WS-Security header generation (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
  • Dynamic Authorization Policy Model
  • eTelligent Rules using TransactionMinder-specific variables in policy expressions

24
WS-Security Authentication Scheme
  • Producing and consuming three WS-Security-bound security tokens (WSSE)
  • Password digest
  • X.509 certificates
  • SAML 1.1 assertions
  • WS-Security utilities (WSU)
  • Digital signatures (using TransactionMinder v6.0's key database functionality)
  • Message timestamps
  • WS-Security Encryption (production & consumption) (new in TransactionMinder v6.0)
  • Encryption / decryption of tokens and message elements that are included in SOAP messages using WS-Security

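To make the password-digest token concrete, here is an added example (not TransactionMinder code) of both ends of the WS-Security UsernameToken exchange. The digest is computed as the UsernameToken Profile specifies, Base64(SHA-1(nonce + created + password)) with the nonce as raw bytes and wsu:Created as the timestamp string, and the verifier additionally enforces a freshness window on wsu:Created and a nonce cache; without those two checks a captured header authenticates as many times as it is replayed. The service name, password and time window are constructed.

```python
"""WS-Security UsernameToken (PasswordDigest) producer and verifier (added example)."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the profile."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_security_header(username, password, now):
    """Client side: a wsse:Security header carrying a digest UsernameToken."""
    nonce, created = os.urandom(16), now.strftime(TS_FMT)
    sec = ET.Element(f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(tok, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    return ET.tostring(sec, encoding="unicode")


class UsernameTokenVerifier:
    """Server side: recompute the digest and reject stale or replayed tokens."""

    def __init__(self, passwords, window=timedelta(minutes=5)):
        self.passwords = passwords      # username -> password (constructed store)
        self.window = window            # tolerated clock skew / token age
        self.seen = {}                  # nonce -> time after which it may be forgotten

    def verify(self, header_xml, now):
        tok = ET.fromstring(header_xml).find(f"{{{WSSE}}}UsernameToken")
        if tok is None:
            return False, "no UsernameToken"
        user = tok.findtext(f"{{{WSSE}}}Username")
        pw_el = tok.find(f"{{{WSSE}}}Password")
        created = tok.findtext(f"{{{WSU}}}Created")
        nonce_b64 = tok.findtext(f"{{{WSSE}}}Nonce")
        if pw_el is None or pw_el.get("Type") != DIGEST_TYPE:
            return False, "digest password required"
        if not (user and created and nonce_b64):
            return False, "incomplete token"
        created_dt = datetime.strptime(created, TS_FMT).replace(tzinfo=timezone.utc)
        if abs(now - created_dt) > self.window:
            return False, "Created outside freshness window"
        self.seen = {n: t for n, t in self.seen.items() if t > now}   # drop expired nonces
        if nonce_b64 in self.seen:
            return False, "nonce replayed"
        password = self.passwords.get(user)
        expected = password_digest(base64.b64decode(nonce_b64), created, password or "")
        if password is None or not hmac.compare_digest(expected, pw_el.text or ""):
            return False, "bad digest"
        # Remember the nonce until the freshness check alone would reject the token.
        self.seen[nonce_b64] = created_dt + self.window
        return True, user


def demo():
    """Constructed exchanges; returns verdict per case."""
    now = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    verifier = UsernameTokenVerifier({"svc-orders": "S3cret!pass"})
    header = build_security_header("svc-orders", "S3cret!pass", now)
    return {
        "fresh": verifier.verify(header, now + timedelta(seconds=30)),
        "replayed": verifier.verify(header, now + timedelta(seconds=31)),
        "stale": verifier.verify(build_security_header("svc-orders", "S3cret!pass",
                                                       now - timedelta(minutes=10)), now),
        "wrong_password": verifier.verify(build_security_header("svc-orders", "wrong", now), now),
        "unknown_user": verifier.verify(build_security_header("nobody", "x", now), now),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier needs the plaintext password to recompute the digest, which is the real cost of this token type: the credential store cannot hold a one-way hash. That is one reason the slides list X.509 and SAML tokens alongside it.
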
25
TransactionMinder Deployments Based on the
Netegrity Reference Architecture
  • Simple Direct Deployment
  • Simple Proxy Deployment
  • IAM / WSM Deployment with Security Appliance

26
Simple Direct Deployment
Diagram: SOAP requests cross the outer Network Firewall into a Web Service Container (IIS, iPlanet, Apache) carrying the TxMinder XML Agent, which fronts Legacy, .NET and J2EE services; behind the inner Network Firewall the agent consults the Netegrity Policy Server and its User Stores (LDAP, RDBMS, etc.).
27
Simple Proxy Deployment
Diagram: SOAP requests cross the outer Network Firewall to a Reverse Proxy Server carrying the TxMinder XML Agent, which forwards SOAP to Legacy (Proprietary Security), .NET (.NET Security) and J2EE (Container Security) services; behind the inner Network Firewall the agent consults the Netegrity Policy Server and its User Stores (LDAP, RDBMS, etc.).
28
IAM/WSM Deployment w/ Security Appliance
Diagram: SOAP requests cross the outer Network Firewall into a Security Appliance (2) carrying a WSM Agent and a TxM Agent, which forwards SOAP, now with SAML, through a Proxy to Legacy (Proprietary Security), .NET and J2EE services, each again fronted by a TxM Agent and a WSM Agent; the TxMinder XML Agents consult the Netegrity Policy Server and User Stores (LDAP, RDBMS, etc.) behind the inner Network Firewall, while the WSM (1) platform holds the WSM Policies.
Notes: dotted lines show integration between TransactionMinder and Netegrity partners. (1) Web Services Management. (2) XML Firewall providing wire-speed XML processing (parsing, transformation, crypto math, etc.).
29
Integration with Complementary Third-Party Offerings
  • Purpose
  • Create a TransactionMinder ecosystem that provides more complete customer solutions
  • Integration Approach
  • Based on Netegrity's Reference Architecture
  • Use of TransactionMinder's Agent API
  • Integration of XML Gateways with TxMinder
  • Vendors involved: Forum, Reactivity, Sarvega, Layer7
  • Customer Benefits
  • Intrusion detection (XML Gateway)
  • Accelerated, first-level, entry point authentication (XML Gateway)
  • Integration with Enterprise infrastructure (TransactionMinder)
  • Centralized security policies, multiple-factor user stores, etc.
  • Web services federation, sessioning (TransactionMinder)
  • Integration of Web Services Management (WSM) Platforms with TxMinder
  • Vendors involved: Digital Evolution, Actional, Amberpoint, Blue Titan
  • Customer Benefits
  • Provides SLA and business policies management (WSM Platform)
  • Integration with Enterprise infrastructure (TransactionMinder)
  • Centralized security policies, multiple-factor user stores, etc.

30
IdentityMinder Features Overview
Deployed at VISA DPS, Risk Mgmt
  • Structured Administration
  • Leverage administrator roles, groups, organizations, attributes to maximize administrative productivity & control
  • Enable role-based access control (RBAC)
  • Integrated Workflow
  • Improve security and reduce costs through on-line workflows
  • On-line requests, approvals, notifications
  • Delegated User Administration
  • Improve efficiency by distributing administration
  • To partners & internal administrators
  • Auditing & Reporting
  • Improve security through comprehensive auditing and management reporting
  • User Self-Service
  • Reduce costs by allowing end-users to manage their own profiles, passwords, entitlements

IdentityMinder, Web Edition (IMWE) is a J2EE application that provides a customizable interface for delegating user administration and granting users entitlements. IMWE leverages the power of SiteMinder, including support for role-based access control.
31
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Scalable Architecture
  • Integrated Provisioning

32
Self Service
Reduces administrative cost and improves user experience
Diagram: numbered screenshots of the NeteAuto website: a self-registration form (Name: Jsmith, Pwd, Email: jsmith@os.com, Enter Code, Sign Me Up, with Free Stuff and Credit Line offers) and the post-login page (Welcome Jsmith; Select One: Edit My Profile, Reset My Password, Change Memberships).
  • User self-registers
  • Requests access to applications and group memberships
  • Workflow approval is conditionally triggered for group assignments
  • The user object is created
  • The user can now change profile and password attributes and memberships

33
Self-Registration
  • Support for multiple self-registration schemes
  • Multiple user communities (Partners vs.
    Contractors)
  • Multiple languages
  • Options for customizing self-registration
  • Use default form
  • Redesign form using the form designer
  • Prompts, Fields, Hints, Layout, Branding,
    Formatting
  • For additional customization, generate WSDL for
    fully customized web service interface

Default form
34
Self Management
  • Benefits
  • Reduce administrative costs
  • Speed delivery of service to users
  • Improved user experience
  • Forgotten Password Support
  • Multiple Challenge/Response questions
  • Integration with SiteMinder password policy
  • Self Management options
  • Modify specific attributes
  • View Group and Role memberships
  • Request additional entitlements
  • Subscribe to self-subscribing groups
  • Change password

36
Integrated Workflow
Diagram: supplier I. Supply registers for Gold status; a decision node asks whether the credit rating is A or B; on YES the COO's worklist shows "Approve gold status for I. Supply" with an Approve button, the record changes from "Name: I. Supply, Status: bronze" to "Name: I. Supply, Status: gold", and a notification goes TO: I. Supply, CC: Supplier Mgr.
  • Configurable Workflow Engine supports
  • Multi-step, non-linear approvals
  • Design workflow process variants
  • Create Contractor vs Create Partner
  • Customizable rules defining approvers
  • Member of role or group, meets filter condition, custom
  • Auto-approve if no approvers are assigned
  • Customizable rules to identify who is notified
  • Customizable e-mail templates
  • Approved, pending, completed, rejected
  • Workflow API enables integration with other user management processes

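An added example (not IdentityMinder code) of the approval engine described above: approvers are resolved by role, group or attribute filter, a step can be conditional, and a step with no resolvable approver auto-approves, as the slide states. That last behaviour means a mistyped group name silently removes a control, so the example includes the check a practitioner should run before trusting a completed request. The users, roles, step names and recorded decisions are constructed.

```python
"""Approval workflow sketch with rule-based approver resolution (added example)."""
from dataclasses import dataclass, field

# Constructed user directory used to resolve approvers
USERS = {
    "coo":  {"roles": {"executive"}, "groups": {"mgmt"}, "title": "COO"},
    "hr1":  {"roles": set(), "groups": {"HR"}, "title": "HR Analyst"},
    "sup1": {"roles": set(), "groups": set(), "title": "Contractor Supervisor"},
}


# Approver rules of the three kinds the slide names: role, group, attribute filter
def role_members(role):
    return lambda uid: role in USERS[uid]["roles"]


def group_members(group):
    return lambda uid: group in USERS[uid]["groups"]


def attribute_filter(attr, value):
    return lambda uid: USERS[uid].get(attr) == value


def resolve(rule):
    """Participant resolution: the uids satisfying the rule, in stable order."""
    return sorted(uid for uid in USERS if rule(uid))


@dataclass
class Step:
    name: str
    approver_rule: object
    needs_approval: object = None     # request -> bool; None means always


@dataclass
class Request:
    subject: str
    data: dict
    state: str = "pending"
    log: list = field(default_factory=list)        # (step, event, who)
    notified: list = field(default_factory=list)


def run(steps, request, decisions, notify_rule=lambda r: [r.subject]):
    """Advance the request. `decisions` maps (step, approver) -> "approve"/"reject",
    standing in for what approvers clicked on their worklists."""
    for step in steps:
        if step.needs_approval is not None and not step.needs_approval(request):
            request.log.append((step.name, "skipped", None))
            continue
        approvers = resolve(step.approver_rule)
        if not approvers:
            # Slide semantics: nobody can approve, so the step auto-approves.
            request.log.append((step.name, "auto-approved", None))
            continue
        verdicts = [decisions.get((step.name, a)) for a in approvers]
        if "reject" in verdicts:
            request.state = "rejected"
            request.log.append((step.name, "rejected", approvers[verdicts.index("reject")]))
            break
        if "approve" not in verdicts:
            request.log.append((step.name, "pending", approvers))
            return request                          # still waiting in a worklist
        request.log.append((step.name, "approved", approvers[verdicts.index("approve")]))
    else:
        request.state = "completed"
    request.notified.extend(notify_rule(request))
    return request


def auto_approved_steps(request):
    """The check to run before trusting a workflow: steps nobody actually reviewed."""
    return [step for step, event, _ in request.log if event == "auto-approved"]


def demo():
    gold = [Step("COO approval", role_members("executive"),
                 needs_approval=lambda r: r.data.get("credit_rating") in ("A", "B"))]
    contractor = [Step("HR review", group_members("HR")),
                  Step("Supervisor review", attribute_filter("title", "Contractor Supervisor"))]
    misconfigured = [Step("Finance review", group_members("Finance"))]   # no such group
    return {
        "gold": run(gold, Request("I. Supply", {"credit_rating": "A"}),
                    {("COO approval", "coo"): "approve"}),
        "contractor": run(contractor, Request("c.jones", {}),
                          {("HR review", "hr1"): "approve", ("Supervisor review", "sup1"): "reject"}),
        "waiting": run(contractor, Request("c.jones", {}), {}),
        "misconfigured": run(misconfigured, Request("anyone", {}), {}),
    }


if __name__ == "__main__":
    for name, req in demo().items():
        print(name, req.state, req.log)
```

Auditing the log for "auto-approved" events, or alerting on them from the event listener the APIs slide describes, is how a deployment catches an approver rule that resolves to nobody.
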
37
Workflow Customization
  1. Copy the Create User Approve process to generate a Create Contractor Approve process
  2. Specify the HR group as approver
  3. Specify the Contractor Supervisor as approver

39
Delegation
  • Delegation is based on IdentityMinder roles and tasks
  • IM Admin roles allow management of users, groups, orgs, roles
  • Roles contain granular tasks (Modify User)
  • Create new roles by re-combining tasks
  • Create new tasks to meet business needs (Create Contractor)

40
Delegation: Creating Admin Roles
  • During role creation, specify ALL the rules about the role
  • What are the tasks associated with this role?
  • HelpDeskAdmin has Enable/Disable User, Reset User Password, Modify User
  • Who are the role members?
  • Can initiate the tasks of the role
  • While performing this role, what users, groups, orgs are in scope?
  • Who are the role administrators?
  • Can delegate the role to others
  • While delegating this role, what users are in scope?
  • Who are the role owners?
  • Can modify the role using this interface
  • Each role may have multiple member policies
  • People in HelpAdmin group
  • Title=IT Manager
  • All role metadata stored in Policy Store

41
Delegation: Membership Rule Examples
Member Requirement | Rule Type | Example
Must match one attribute value | User | Users where title starts with "senior"
Must match multiple attribute values | User | Users where title=mgr and locality<>east
Must be a member of another role | User | Users in admin role helpdeskadmin
Must belong to named org(s) | Org | Users in org sales and lower
Must belong to org(s) which meet a condition specified by attribute(s) on the org | Org | Users in orgs where Business Type=gold or Business Type=platinum
Must belong to specific org(s) and match specific user attributes | Org & User | Users where title=mgr and locality=east and who are in org sales or org marketing
Must belong to specific group(s) | Group | Users who are members of group ORGADMIN
Must belong to group(s) which meet a condition specified by attribute(s) on the group | Group | Users who are members of groups where owner=CIO
Must meet some condition which is beyond the scope of the rule syntax | Query | Users returned by the query ldap_query
42
Delegation Managing User Store Objects
  • Delegate responsibility for managing segments of
    the user store to the best qualified individuals
  • Non-intrusive support for the corporate user
    store
  • User stores supported
  • Relational Database
  • Single/multiple table based objects
  • Objects retrieved by stored procedures
  • Database generated unique identifier
  • Delimited or row-based multiple values
  • Native database datatypes
  • LDAP v3
  • Hierarchical, Flat structure
  • Auxiliary classes
  • Groups

43
Delegation: Managing Groups
  • Delegated group management provides for separation of duties
  • Group Manager
  • Create/modify/delete group
  • Assign Group Admin(s)
  • Group Admin
  • Manage group membership
  • Can manage groups regardless of organizational context
  • Group management can be hidden behind role assignment
  • Membership rule is a group
  • Support for
  • Self-subscribing groups
  • Nested groups
  • Dynamic groups
  • For example: all technicians (employeetype) with cell phones (mobile)
  • ldap:///ou=NeteAuto,o=security.com??sub?(&(employeetype=technician)(!(mobile=NULL)))

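The membership rules on the "Delegation: Membership Rule Examples" slide and the dynamic group above both reduce to evaluating an LDAP filter over a directory. The following is an added example, not IdentityMinder code: it parses the RFC 4516 URL form ldap:///base?attrs?scope?filter, evaluates &, |, !, equality, presence and prefix filters against an in-memory directory, and applies the search scope. Standard LDAP expresses "has a mobile number" as the presence filter (mobile=*), which the example uses instead of the slide's (!(mobile=NULL)) form. The directory entries are constructed.

```python
"""Dynamic group membership from an LDAP URL (added example)."""
from urllib.parse import unquote

# Constructed directory: DN -> attributes (keys lower-case; LDAP names are case-insensitive)
DIRECTORY = {
    "uid=jdoe,ou=NeteAuto,o=security.com": {"employeetype": "technician", "mobile": "555-0100",
                                            "title": "senior tech", "ou": "sales"},
    "uid=asmith,ou=NeteAuto,o=security.com": {"employeetype": "technician", "title": "tech"},
    "uid=bkim,ou=NeteAuto,o=security.com": {"employeetype": "manager", "mobile": "555-0101",
                                            "title": "mgr", "l": "east"},
    "uid=cwu,ou=NeteAuto,o=security.com": {"employeetype": "manager", "title": "mgr", "l": "west"},
    "uid=ext1,ou=Partners,o=security.com": {"employeetype": "technician", "mobile": "555-0199"},
}


def parse_ldap_url(url):
    """Split ldap:///base?attrs?scope?filter (RFC 4516) into its four parts."""
    if not url.startswith("ldap:///"):
        raise ValueError("only the host-less ldap:/// form is handled here")
    parts = (url[len("ldap:///"):] + "???").split("?")
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    return base, [a for a in attrs.split(",") if a], (scope or "base").lower(), flt or "(objectClass=*)"


def parse_filter(s):
    """Recursive-descent parser for &, |, !, equality, presence and prefix filters."""
    def node(i):
        if s[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if s[i] in "&|":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1            # skip the closing ')'
        if s[i] == "!":
            kid, i = node(i + 1)
            return ("!", kid), i + 1
        end = s.index(")", i)
        attr, _, value = s[i:end].partition("=")
        return ("=", attr.strip().lower(), value), end + 1
    tree, i = node(0)
    if i != len(s):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    _, attr, value = tree
    actual = entry.get(attr)
    if value == "*":                            # presence: attribute has any value
        return actual is not None
    if actual is None:
        return False
    if value.endswith("*"):                     # leading-substring match
        return actual.lower().startswith(value[:-1].lower())
    return actual.lower() == value.lower()


def in_scope(dn, base, scope):
    dn, base = dn.lower().replace(" ", ""), base.lower().replace(" ", "")
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)   # sub


def dynamic_members(url, directory=DIRECTORY):
    """The DNs the dynamic group contains right now."""
    base, _, scope, flt = parse_ldap_url(url)
    tree = parse_filter(flt)
    return sorted(dn for dn, e in directory.items() if in_scope(dn, base, scope) and matches(tree, e))


def demo():
    return {
        "techs_with_mobile": dynamic_members(
            "ldap:///ou=NeteAuto,o=security.com??sub?(&(employeetype=technician)(mobile=*))"),
        "seniors": dynamic_members("ldap:///o=security.com??sub?(title=senior*)"),
        "non_east_managers": dynamic_members(
            "ldap:///ou=NeteAuto,o=security.com??sub?(&(title=mgr)(!(l=east)))"),
        "sales_or_east": dynamic_members("ldap:///o=security.com??sub?(|(ou=sales)(l=east))"),
    }


if __name__ == "__main__":
    print(demo())
```

Because membership is recomputed from live attributes, a change to an entry's employeetype or mobile value moves the user in or out of the group without any administrator action, which is the point of dynamic groups and also why the base DN and scope matter: the first query above deliberately excludes ou=Partners.
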
45
RBAC Support in SiteMinder
Step 1: Use the SM UI to link Access roles to security policies
46
RBAC Support in SiteMinder
Step 2: User-defined variable: Application name (optional)
  • SiteMinder-generated attributes
  • SM_User_Application_Roles
  • SM_User_Application_Tasks
  • Response returns the user's roles/tasks for authorization
  • Role & Task names are passed to the Application

47
Why RBAC?
  • SiteMinder role-based policies secure applications
  • Efficiency, scalability, flexibility
  • Reduces administrative cost
  • Coexists with user-based policies

Diagram: Delegated User Admins place Employees, Contractors and Partners into roles such as the Sales Support Role; Security Policy Admins attach policies to the roles.
49
Auditing & Reporting
  • Configurable auditing logged to relational DB
  • Which objects?
  • User Store objects User, Org, Group
  • IdentityMinder objects Roles, Tasks
  • Which state transitions?
  • Approve, reject, executing, pending, completed,
    cancel, done
  • What data?
  • Old values, new values, or both
  • Reports can be derived from audit data
  • Report types
  • Auditing (for example, what changes were made
    to UserB)
  • Administrative (for example, what roles can
    AdminA grant?)
  • Control access through the delegation model
  • Specify which users can access which reports

51
Customization Options
  • Rebrand, change look and feel of the IM UI
  • Provide interfaces for users in different geographies
  • Fully internationalized and localized to support multi-national companies
  • Reduce clicks for administrators with few responsibilities
  • Assure that each IM administrator's first screen is optimized
  • Redesign forms used by delegated admins
  • Significant opportunities for customizing the interface using the IM interface
  • Use web services interface (WSDL)
  • Generate WSDL files, then perform additional customization if necessary
  • Enables embedding in the company portal

52
Customizing Look & Feel
  • Skin has components that may be edited to change
    look and feel
  • Headers and footers
  • Images
  • Colors and fonts
  • IM supports multiple skins, each consisting of
  • Cascading Style Sheet
  • Images (.jpeg, .gif, .png)
  • A .properties file that defines the components of
    a skin
  • Addresses accessibility requirements specified in
    Section 508 of the Rehabilitation Act

53
Tailoring the First Screen
Diagram: two numbered screenshots of alternative first screens.
  • First screen may vary by user
  • Few tasks: listed in left nav
  • Many tasks: categories in left nav
  • Workflow approver sees worklist first

54
Creating Custom Tasks for Admins
  • Tasks - the building blocks of custom views
  • Supports fine grained delegation
  • Use IM task designer to create new tasks
  • Copying and modifying existing tasks
  • Copy all or parts of tasks

Diagram (task designer): User Mgmt tasks Create User, Modify User and View User present an Employee Info form (Name, Employee ID, Department, Supervisor) mapped onto User Object attributes (cn, employeeNumber, departmentNumber, manager, employeeType); Contractor Mgmt tasks Modify Contractor and View Contractor present a Contractor Profile form (Name, Dealer ID, Classification).
55
Design Custom Forms with IM
  • Rebrand, add links, text, etc
  • Add/remove/rename tabs
  • Remove the Org search
  • Re-label prompts
  • Add field hints

57
Web Service Support
  • Business Case
  • IM is web service enabled
  • Enables additional customization beyond what is supported through the IM interface
  • Supports embedding into the corporate portal
  • Supports an industry standard: WSDL
  • Steps
  • Identify which tasks will be enabled as web services
  • Customize those tasks as much as possible using the IM interface
  • Export WSDL
  • Modify WSDL to complete customization
  • Use tools such as Apache Axis to generate web clients

58
IdentityMinder APIs
  • Logical Attribute API: enables you to display an attribute differently than how it is stored physically in a user directory.
  • Business Logic Task Handler API: allows you to perform custom business logic during data validation or transformation operations.
  • Workflow API: provides information to a custom script in a workflow process. The script evaluates the information and determines the path of the workflow process accordingly.
  • Participant Resolver API: enables you to specify the list of participants who are authorized to approve a workflow activity.
  • Event Listener API: enables you to create a custom event listener that listens for a specific IdentityMinder event or group of events. When the event occurs, the event listener can perform custom business logic.
  • Notification Rule API: lets you determine the users who should receive an email notification.
  • Email Template API: includes event-specific information in an email notification.

59
Key Functionality
  • Self-Service
  • Integrated Workflow Approvals
  • Delegation
  • Role-based Entitlement Support
  • Auditing and Reporting
  • Customizable Interface
  • Extensibility
  • Secure & Scalable
  • Integrated Provisioning

60
Secure Architecture
61
Scalability for Fault Tolerant Deployment
Diagram: Browser requests go to a Load Balancer, then to the Web Tier (WS-1, WS-2, WS-3), then to the Application Tier (a J2EE Cluster alongside the SiteMinder Policy Server), then to the Data Tier (User Store).
62
Supported Platforms
  • Leverages enterprise architecture
  • User store
  • LDAP Directories (SunOne, MS AD/ADAM, Novell
    eDirectory, Oracle OID, IBM SecureWay, Siemens
    DirX, InJoin Critical Path)
  • Relational Databases (Oracle, MS SQL Server)
  • Application Servers
  • IBM WebSphere
  • BEA WebLogic
  • JBoss
  • OS Support Windows, Solaris

63
Integrated Identity and Access Management