Title: Identity and Access Management Solution Overview
1 Identity and Access Management Solution Overview
2 The Netegrity Solution
The Netegrity Identity and Access Management Solution, for legacy, Web and service-oriented architectures:
Enforcement
- Access Management: SiteMinder
- Web Services Access Management: TransactionMinder
Administration
- User Administration: IdentityMinder, Web Edition
- Resource Provisioning: IdentityMinder, Provisioning Edition
3 The Application Silo Challenge
- High security administration costs
- Expensive coding and maintenance
- Poor user experience
- No centralized security enforcement
- No standardized security process
- No central auditing capability
Diagram: customers, employees and partners each log in separately to siloed applications (customer self-service, partner extranet, CRM, ERP, HR, SCM, e-commerce). Each application has its own security layer with its own identity for the same person (J_Doe1211960, John DoeA23JJ4, John Doe, John_D, Johnd, mobile phone, PKI cert), its own application layer, its own user store (Oracle OID, Oracle RDBMS, Active Directory, SQL 2000, SunONE LDAP, Oracle, LDAP) and its own operating system.
4 SiteMinder in Action
Diagram: user jdoe reaches a Web server with SiteMinder Agent through a firewall; the agent talks through a second firewall to the SiteMinder Policy Server and its authentication scheme, asking in turn:
1) Is Resource Protected?
2) Is User Authenticated?
3) Is User Authorized?
5 Native Directory Enabled
- Map to existing user stores
- No embedded database required
- Eliminates user store synchronization issues
- Separate authentication and authorization stores
- Chain directories
- Supports multiple user directories
- Including databases and mainframes: NT, LDAP, AD, ODBC, RACF
No user data stored in SiteMinder
Diagram: users in the DMZ reach a Web server with SiteMinder Agent; the SiteMinder Policy Server queries separate authentication and authorization namespaces in the existing directories.
6 Single Sign-On: Microsoft Environment
Windows Integrated Security: authenticate to your desktop, access all your enterprise Web applications.
Diagram: the user logs in to Active Directory (mycompany.com); an MS IIS Web server with SiteMinder Agent (Outlook Web Access), a Web server on Unix with SiteMinder Agent and a Microsoft application login (SQL Server) all rely on the SiteMinder Policy Server, which reads users from Active Directory.
7 Single Sign-On: Netegrity Secure Proxy Server
- Turnkey proxy solution
- SSO
- Mini cookie
- SSL-ID
- URL rewrite
- Enhanced security
- Define target destination servers
- Deployed at VISA VOL
Diagram: users reach the proxy server through firewalls and the DMZ; the proxy forwards to destination Web servers (backend resources) behind a second set of firewalls and consults the SiteMinder Policy Server and its user entitlement stores.
8 Single Sign-On: Application Server Environment
- J2EE Application Server Agents
- IBM WebSphere, BEA WebLogic
- Enables SSO across the enterprise
- Including J2EE application server based applications
- Leverages SiteMinder's broad range of authentication system support
- Centralized authorization management and audit services
Diagram: users pass firewalls to a Web server and a J2EE application server (backend resources behind further firewalls); both carry agents that consult the SiteMinder Policy Server and its user entitlement stores.
9 Single Sign-On: Enterprise Applications
- Enables SSO across the enterprise, including ERP/CRM systems: SAP, Siebel, PeopleSoft, Oracle
- Leverages SiteMinder's broad range of integrated authentication systems
- Provides centralized authorization management and audit services
Diagram: users pass firewalls to a Web server fronting the enterprise applications; the Netegrity Policy Server and its user entitlement stores make the access decisions.
10 Authentication Management: Broad Support for Authentication Systems
- Methods
- Passwords
- Two factor tokens
- X.509 certificates
- Passwords over SSL
- Smart cards
- SAML
- Combination of methods
- Forms-based
- Custom methods
- Full CRL and OCSP support
- Biometric devices
- Management
- Authentication Levels
- Directory chaining
- Configured fallbacks to other authentication schemes
11 Authentication Management: Password Management
- Expiration with warning and grace period
- Composition rules
- Max/min lengths, repeating characters, case sensitivity, reusability
- Difference measures between before and after passwords
- Editable password dictionary to prohibit certain word use
- Prohibition of use of user profile attributes (name, address, etc.)
- Account Management and Auditing
- Forgotten password support
- Redirects
- Password and login history
- Lock-out
- Permanently
- Successive failed passwords
- Inactivity
- Until or after a certain date
- Login before a specific date
- Disable field in MS AD and Sun ONE
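The rule families on this slide (composition, difference from the previous password, dictionary words, profile attributes, reuse history, lock-out on successive failures) are what a password policy engine has to evaluate. The following is an added example written for this page, not SiteMinder's implementation; the thresholds, the dictionary and the sample account are constructed assumptions.

```python
"""Password policy checker for the rule families on the slide. Example code for
this page, not SiteMinder's code; all thresholds and sample data are constructed."""
import difflib
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 10
    max_length: int = 64
    max_repeat: int = 2                 # longest run of one repeated character
    require_mixed_case: bool = True
    history_size: int = 5               # previous passwords that may not be reused
    min_difference: float = 0.5         # share of the new password that must differ
    dictionary: frozenset = frozenset({"password", "welcome", "netegrity"})
    max_failures: int = 5               # successive failures before lock-out


@dataclass
class Account:
    username: str
    profile: dict                       # attributes that must not appear in the password
    history: list = field(default_factory=list)   # most recent password first
    failures: int = 0
    locked: bool = False


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    if not s:
        return 0
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def difference_ratio(old: str, new: str) -> float:
    """Share of the new password not covered by blocks it shares with the old one."""
    if not old:
        return 1.0
    blocks = difflib.SequenceMatcher(None, old.lower(), new.lower()).get_matching_blocks()
    return 1.0 - sum(b.size for b in blocks) / len(new)


def check_password(pw: str, acct: Account, pol: PasswordPolicy) -> list:
    """Returns the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    low = pw.lower()
    if not (pol.min_length <= len(pw) <= pol.max_length):
        violations.append("length")
    if longest_run(pw) > pol.max_repeat:
        violations.append("repeating-characters")
    if pol.require_mixed_case and not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        violations.append("case")
    if any(word in low for word in pol.dictionary):
        violations.append("dictionary-word")
    # Profile attributes (and the user name) of three or more characters may not appear.
    if any(str(v).lower() in low for v in [acct.username, *acct.profile.values()] if len(str(v)) >= 3):
        violations.append("profile-attribute")
    if pw in acct.history[:pol.history_size]:
        violations.append("reused")
    elif acct.history and difference_ratio(acct.history[0], pw) < pol.min_difference:
        violations.append("too-similar")
    return violations


def record_login(acct: Account, success: bool, pol: PasswordPolicy) -> bool:
    """Lock-out after successive failures; a success resets the counter. Returns the locked state."""
    if acct.locked:
        return True
    if success:
        acct.failures = 0
    else:
        acct.failures += 1
        if acct.failures >= pol.max_failures:
            acct.locked = True
    return acct.locked
```

The difference measure uses the matching blocks between old and new password, so a year bumped in an otherwise unchanged password is rejected as too similar even though it is not an exact reuse.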
12 Authorization Management: Centralized Policy Management
Diagram: a SiteMinder Policy and its components
- Users or Groups in a Directory: users, groups, exclusions, roles the policy applies to
- Rule or Rule Group: allows or denies access to a resource
- Response or Response Group: action that occurs when a rule fires
- Time: time when the policy can or cannot fire
- IP Address (e.g. 1.2.3.4): IP address that the policy applies to
- Active Response / eTelligent Rule: dynamic extension of the policy (optional), an expression using contextual data or Web services
Options
- Restrict access by user, role, groups, dynamic groups, or exclusions
- Controlled impersonation of users by other users
- Fine-grained authorization at the file, page, or object level
- Determine access based on location and time
- Policies
- Send static, dynamic (SQL queries), or profile attributes in responses
- Redirect users based on type of authentication or authorization failure
- Can have global or local policies
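The three questions of the SiteMinder in Action slide and the policy components of this slide combine into one decision procedure. Below is an added example of such a policy decision point, written for this page and not Netegrity's code; the realms, policies, group names, network ranges and the SM_USER_ROLES response attribute are constructed assumptions, and "authenticate" stands for the challenge an agent would issue.

```python
"""Toy policy decision point: is the resource protected, is the user authenticated,
is the user authorized, using users/groups/roles, exclusions, rules, responses, time
and IP address. Example code for this page, not Netegrity's; all data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    """Allows or denies actions on every resource under a prefix (a realm)."""
    resource_prefix: str
    actions: frozenset
    allow: bool = True


@dataclass
class Policy:
    """Binds rules to users, groups or roles (minus exclusions), optionally limited to an
    hour range and client networks; responses are attributes released on allow."""
    name: str
    rules: list
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    exclusions: frozenset = frozenset()
    hours: Optional[tuple] = None        # (first_hour, last_hour_exclusive)
    networks: tuple = ()                 # CIDR strings; empty means any address
    responses: dict = field(default_factory=dict)


@dataclass
class Session:
    user: Optional[str]                  # None: no valid session, must authenticate
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()
    client_ip: str = "0.0.0.0"


PROTECTED_PREFIXES = ("/hr/", "/finance/")    # constructed realms

POLICIES = [                                  # constructed policy store
    Policy("hr-staff", [Rule("/hr/", frozenset({"GET", "POST"}))],
           groups=frozenset({"hr"}), exclusions=frozenset({"contractor1"}),
           hours=(8, 18), networks=("10.0.0.0/8",),
           responses={"SM_USER_ROLES": "hr-staff"}),
    Policy("finance-readonly", [Rule("/finance/", frozenset({"GET"}))],
           roles=frozenset({"auditor"})),
]

BUSINESS_HOURS = datetime(2004, 6, 1, 10, 0)  # constructed request times
AFTER_HOURS = datetime(2004, 6, 1, 22, 0)


def is_protected(resource: str) -> bool:
    """Step 1: only resources inside a protected realm need credentials."""
    return resource.startswith(PROTECTED_PREFIXES)


def policy_applies(p: Policy, s: Session, now: datetime) -> bool:
    """Binding, exclusion, time and IP constraints must all hold."""
    if s.user in p.exclusions:
        return False
    if not (s.user in p.users or s.groups & p.groups or s.roles & p.roles):
        return False
    if p.hours and not (p.hours[0] <= now.hour < p.hours[1]):
        return False
    if p.networks and not any(ip_address(s.client_ip) in ip_network(n) for n in p.networks):
        return False
    return True


def decide(resource: str, action: str, s: Session, now: datetime) -> dict:
    """Steps 2 and 3. Decision is 'public', 'authenticate', 'allow' or 'deny'; an explicit
    deny rule wins over any allow, and responses are only released with an allow."""
    if not is_protected(resource):
        return {"decision": "public", "responses": {}}
    if s.user is None:
        return {"decision": "authenticate", "responses": {}}
    allowed, responses = False, {}
    for p in POLICIES:
        if not policy_applies(p, s, now):
            continue
        for r in p.rules:
            if resource.startswith(r.resource_prefix) and action in r.actions:
                if not r.allow:
                    return {"decision": "deny", "responses": {}}
                allowed = True
                responses.update(p.responses)
    if not allowed:
        return {"decision": "deny", "responses": {}}
    return {"decision": "allow", "responses": responses}
```

Exclusions are checked before bindings so that a listed user is refused even when a group they belong to is bound to the policy, and the time and IP constraints apply to the whole policy rather than to individual rules, mirroring the component layout on the slide.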
13 Federated Security Services
- SAML Producer
- SAML Consumer
- SAML Affiliate Agent
Diagram: a user on the Internet authenticates at www.SiteMinder.com and gains SSO to www.PartnerA.com and www.PartnerB.com, each running a SAML Affiliate Agent (SAA).
14 Federated Security Services: SAML Producer with SAML Affiliate Agent (SAA)
- SiteMinder site conducts authentication
- User profile must exist at www.SiteMinder.com
- Light-weight Web plug-in at partners
- Security product/SAML support not required at partners
- Converts SAML attribute assertions into HTTP header variables
- Provides user profile information to Web application
- Synchronized session between sites
- Single sign-on/off
- Centralized auditing and reporting
- Event notification services
Diagram: a user on the Internet authenticates at www.SiteMinder.com and gains SSO to www.PartnerA.com and www.PartnerB.com, each running a SAML Affiliate Agent (SAA).
15 Federated Security Services: SAML Producer
- SiteMinder site conducts authentication
- User profile must exist at www.SiteMinder.com
- Generates SAML artifact
- SAML Consumer capability required at partners
- SiteMinder or equivalent capability
- Competitive IAM system, toolkit, standards compliant platform
- Functionality available to partners dependent on capability of local security tool
- No Netegrity software required at partners
Diagram: a user on the Internet authenticates at www.SiteMinder.com and gains SSO to www.PartnerA.com and www.PartnerB.com, which consume the SAML artifact with their own security products.
16 Federated Security Services: SAML Consumer
- Security product at PartnerA/B conducts authentication
- May or may not be SiteMinder
- Could be competitive IAM system, toolkit, or standards compliant platform
- SiteMinder conducts SAML-based authorization and SSO
- Partner-user to SiteMinder-user mapping is flexible
- One-to-one (account-to-account)
- Many-to-one
Diagram: a user on the Internet authenticates at www.PartnerA.com or www.PartnerB.com and gains SSO to www.SiteMinder.com.
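The consumer side of this exchange combines two points made on these slides: the SAML Affiliate Agent slide says attribute assertions are converted into HTTP header variables, and this slide says the partner user is mapped onto a local user either one-to-one or many-to-one. The following added example (written for this page, not Netegrity's code) parses a constructed SAML 1.1 attribute assertion, checks its validity window and audience, emits header variables and applies the mapping. The HTTP_SM_* header names, the mapping tables and the assertion contents are assumptions; signature verification belongs to the XML Signature layer and is not shown.

```python
"""SAML 1.1 attribute assertion -> HTTP header variables, with partner-user mapping.
Example code for this page, not Netegrity's; assertion and mappings are constructed."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Constructed sample: www.PartnerA.com vouches for its user "asmith".
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1"
    Issuer="www.PartnerA.com" IssueInstant="2004-06-01T12:00:00Z">
  <saml:Conditions NotBefore="2004-06-01T12:00:00Z" NotOnOrAfter="2004-06-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>www.SiteMinder.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>asmith</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>asmith@partnera.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="memberOf" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>suppliers</saml:AttributeValue>
      <saml:AttributeValue>gold</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping tables: explicit one-to-one entries, otherwise one shared
# local account per partner (many-to-one).
ONE_TO_ONE = {("www.PartnerA.com", "asmith"): "a.smith"}
MANY_TO_ONE = {"www.PartnerA.com": "partnera-guest", "www.PartnerB.com": "partnerb-guest"}


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_conditions(root, now: datetime, audience: str) -> None:
    """Reject assertions outside their validity window or meant for another site."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion without Conditions")
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall(".//saml:Audience", NS)]
    if audiences and audience not in audiences:
        raise ValueError("assertion not intended for this audience")


def map_to_local_user(issuer: str, partner_user: str) -> str:
    """One-to-one if an explicit account mapping exists, otherwise many-to-one."""
    if (issuer, partner_user) in ONE_TO_ONE:
        return ONE_TO_ONE[(issuer, partner_user)]
    if issuer in MANY_TO_ONE:
        return MANY_TO_ONE[issuer]
    raise ValueError("unknown partner " + issuer)


def assertion_to_headers(xml_text: str, now: datetime, audience: str) -> dict:
    """Returns the header variables the Web application behind the agent would see."""
    root = ET.fromstring(xml_text)
    validate_conditions(root, now, audience)
    issuer = root.get("Issuer")
    stmt = root.find("saml:AttributeStatement", NS)
    partner_user = stmt.find("saml:Subject/saml:NameIdentifier", NS).text
    headers = {"HTTP_SM_PARTNER": issuer,
               "HTTP_SM_PARTNER_USER": partner_user,
               "HTTP_SM_USER": map_to_local_user(issuer, partner_user)}
    for attr in stmt.findall("saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        # Multi-valued attributes become one comma-separated header variable.
        headers["HTTP_" + attr.get("AttributeName").upper()] = ",".join(values)
    return headers


def accepts(xml_text: str, now: datetime, audience: str) -> bool:
    """True if the assertion would be accepted for this audience at this time."""
    try:
        assertion_to_headers(xml_text, now, audience)
        return True
    except ValueError:
        return False
```

The audience check is what keeps an assertion issued for one relying party from being presented to another, and the validity window is why a consumer needs clock synchronisation with its partners.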
17 Enterprise Class Manageability: Auditing and Reporting
Access Reports
- Hourly Rollup Access Report
- Daily Rollup Access Report
- Hourly Authentication Access Report
- Daily Authentication Access Report
- Hourly Authorization Access Report
- Daily Authorization Access Report
- Hourly Administrator Access Report
- Daily Administrator Access Report
Activity Reports
- Activity Rollup Report
- User Activity Report
- Agents Activity Report
- Resource Usage/Activity Report
Intrusion Reports
- Intrusion Rollup Report
- Intrusion by User Report
- Intrusion by Agent Report
Audit Reports
- Audit Rollup Report
- Audit by Resource Report
- Audit by Administrator Report
- Managers need reports to
- Fine tune infrastructure
- Show compliance with security policies and regulations
- SiteMinder provides
- Schema for reporting RDBMS
- Stored procedures which can be used to generate
- Access reports
- Activity reports
- Intrusion reports
- Audit reports
18 High Performance Architecture
- Automatic fail-over
- Cluster-to-cluster fail-over (SM 6.0)
- Agent to Policy Server dynamic load balancing
- Policy Server to directory server load balancing and failover
- 2-level caching in Policy Server and agents
- 8 processor support (SM 6.0)
Diagram: three Web servers, each running a Web Agent with cache, talk over 128-bit RC4 encryption to two Policy Servers (each with a rules cache and a policy cache, writing an audit log via ODBC), backed by two replicated directory servers.
19 Broad Platform Support
Leverages existing investments
Platforms
- Web Agents
- Microsoft IIS
- Sun ONE
- Apache
- HP Apache
- Lotus Domino
- IBM HTTP
- Oracle HTTP
- Domino Go
- Policy Server
- MS NT/Win 2000/Win2003
- Sun Solaris
- HP-UX
- Red Hat Enterprise Linux
User Directories
- Sun Java System Directory Server
- NT Domains
- Microsoft Active Directory
- IBM Directory Server
- Novell eDirectory
- MS SQL Server
- Oracle RDBMS
- Siemens DirX
- Oracle Internet Directory
- Critical Path Directory Server
- Lotus Domino LDAP
- CA eTrust
Authentication Systems
- Passwords
- Passwords over SSL
- Forms-based
- X.509 certificates
- Full CRL and OCSP support
- Smart cards
- Two factor tokens
- Method Chaining
- SAML
- Custom methods
- Biometric devices
- Combination of methods
Other Systems
- Application Servers
- BEA WebLogic
- IBM WebSphere
- ERP/CRM
- PeopleSoft
- Siebel
- SAP
- Oracle
- RADIUS Network Access Devices
- Firewalls
- Communication Servers
20 Solution Modules
- Mobile Authentication Module
- Authentication by passcodes delivered wirelessly to your handheld devices
- User Context Gateway
- Provides SSO to Microsoft applications like OWA and Citrix NFuse
- Limit Concurrent Login
- Prevents users from authenticating twice and accessing the site from two or more browsers simultaneously
- Impersonation (SM 5.x; OOB in SM 6.0)
- Allows one user to impersonate another while still maintaining control, security and the ability to audit
- SmFTP Server
- SiteMinder enabled FTP server
21 TransactionMinder Key Features
- Deployed at VISA ROL and CCDR
- Centralized policy-based authentication, authorization, and audit
- Provides single point of access control and administration for the whole enterprise
- Synchronized sessioning
- Enables single sign-on across multiple Web services used in the same transaction
- Shared Web services security platform
- Avoids creation of an isolated island of security: Web services are one of many resources that must be secured by the enterprise
- Seamless integration with existing SiteMinder-enabled sites
- Open, platform-neutral architecture
- Support all major relevant web services standards (XML/SOAP, WS-Security, SAML, XML Signature)
- No investment in proprietary technologies is required.
Diagram: the Netegrity solution matrix (authentication and access management; provisioning and user administration: user administration, resource provisioning) with TransactionMinder highlighted as the industry's first policy-based solution to protect access to Web services.
22 Introducing TransactionMinder
Complete Web services security solution
- Designed to provide secure access to Web services
- Authentication based on message content and Web services standards such as WS-Security, SAML, XML Signature
- Runtime authorization rules based on the content of a business payload, e.g., a purchase order
- Centralized authentication, authorization, audit, and federation services
- Leverages and extends the core Netegrity Policy Server
- Delivers security policy as a shared service
- Support for industry-leading Web services frameworks and standards
Diagram: a Web services consumer on the Internet calls Web service(s) at the Web services provider; a TransactionMinder XML Agent in front of the back-end application consults the Netegrity Policy Server, whose policies define authentication, authorization, audit, federation and session management, backed by user directories.
23 TransactionMinder Features
- Content-based Authentication
- XML Document Credentials Collector (DCC)
- XML Signature
- Sessioning (expressed as a SAML session assertion)
- WS-Security (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
- XML Encryption (new in TransactionMinder v6.0)
- New Policy Server XML response types
- SAML session assertion generation (in SOAP envelope, HTTP header, or cookie)
- WS-Security header generation (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
- Dynamic Authorization Policy Model
- eTelligent Rules using TransactionMinder-specific variables in policy expressions
24 WS-Security Authentication Scheme
- Producing and consuming three WS-Security-bound security tokens (WSSE)
- Password digest
- X.509 certificates
- SAML 1.1 assertions
- WS-Security utilities (WSU)
- Digital signatures (using TransactionMinder v6.0's key database functionality)
- Message timestamps
- WS-Security Encryption (production and consumption) (new in TransactionMinder v6.0)
- Encryption/decryption of tokens and message elements that are included in SOAP messages using WS-Security
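The first of the three WSSE tokens, the password digest, is only as strong as the timestamp and nonce checks that accompany it: without them a captured token can be replayed. The following added example (written for this page, not TransactionMinder's code) builds a UsernameToken on the producer side and verifies it on the consumer side, applying the freshness window and a nonce cache. The digest formula, Base64(SHA-1(nonce + created + password)), and the namespace and Type URIs are those of the OASIS WS-Security UsernameToken Profile 1.0; the envelope layout, the freshness window and the credentials are constructed assumptions.

```python
"""WS-Security UsernameToken with PasswordDigest: producer and consumer side, with
timestamp freshness and nonce replay checks. Example code for this page, not
TransactionMinder's; SOAP layout, skew window and credentials are constructed."""
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production
from xml.sax.saxutils import escape

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_DIGEST = ("http://docs.oasis-open.org/wss/2004/01/"
                   "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}

MAX_SKEW = timedelta(minutes=5)   # constructed freshness window around wsu:Created
SEEN_NONCES = {}                  # base64 nonce -> expiry; the replay cache


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)) per the UsernameToken Profile."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def build_header(user: str, password: str, created: str, nonce: bytes) -> str:
    """Producer side: a SOAP envelope whose Security header carries the token."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
  <soap:Header><wsse:Security>
    <wsse:UsernameToken>
      <wsse:Username>{escape(user)}</wsse:Username>
      <wsse:Password Type="{PASSWORD_DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>
      <wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>
      <wsu:Created>{created}</wsu:Created>
    </wsse:UsernameToken>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def verify_header(xml_text: str, lookup_password, now: datetime) -> str:
    """Consumer side: returns the authenticated user name or raises ValueError.
    Order of checks: token shape, timestamp freshness, nonce unseen, digest match."""
    tok = ET.fromstring(xml_text).find(".//wsse:UsernameToken", NS)
    if tok is None:
        raise ValueError("no UsernameToken")
    user = tok.findtext("wsse:Username", namespaces=NS)
    pw_el = tok.find("wsse:Password", NS)
    created = tok.findtext("wsu:Created", namespaces=NS)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=NS)
    if pw_el is None or pw_el.get("Type") != PASSWORD_DIGEST:
        raise ValueError("expected a PasswordDigest token")
    if not (user and created and nonce_b64):
        raise ValueError("incomplete token")
    created_at = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - created_at) > MAX_SKEW:
        raise ValueError("stale or future-dated token")
    # Drop expired nonces, then refuse any nonce still cached: that is a replay.
    for n in [n for n, exp in SEEN_NONCES.items() if exp <= now]:
        del SEEN_NONCES[n]
    if nonce_b64 in SEEN_NONCES:
        raise ValueError("replayed nonce")
    password = lookup_password(user)
    if password is None:
        raise ValueError("unknown user")
    expected = password_digest(base64.b64decode(nonce_b64), created, password)
    if not hmac.compare_digest(expected.encode(), (pw_el.text or "").encode()):
        raise ValueError("digest mismatch")
    SEEN_NONCES[nonce_b64] = now + MAX_SKEW
    return user


def verifies(xml_text: str, lookup_password, now: datetime) -> bool:
    """True if the token is accepted; the failure reason is in the ValueError."""
    try:
        verify_header(xml_text, lookup_password, now)
        return True
    except ValueError:
        return False
```

Nonces only need to be remembered for the length of the freshness window, which is why the cache is keyed by expiry and pruned on every call; a consumer that skips the timestamp check would have to remember nonces forever.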
25 TransactionMinder Deployments Based on the Netegrity Reference Architecture
- Simple Direct Deployment
- Simple Proxy Deployment
- IAM / WSM Deployment with Security Appliance
26 Simple Direct Deployment
Diagram: SOAP traffic crosses a network firewall to a Web service container (IIS, iPlanet, Apache) running the TxMinder XML Agent, which fronts legacy, .NET and J2EE services; the agent consults the Netegrity Policy Server behind a second network firewall, backed by user stores (LDAP, RDBMS, etc.).
27 Simple Proxy Deployment
Diagram: SOAP traffic crosses a network firewall to a reverse proxy server running the TxMinder XML Agent; behind it, legacy services (proprietary security), .NET services (.NET security) and J2EE services (container security) receive the SOAP requests; the agent consults the Netegrity Policy Server behind a second network firewall, backed by user stores (LDAP, RDBMS, etc.).
28 IAM/WSM Deployment with Security Appliance
Diagram: SOAP traffic crosses a network firewall into a security appliance (2) and a WSM platform (1), then a proxy running a TxM Agent and a WSM Agent; SOAP with SAML is forwarded to legacy services (proprietary security), .NET and J2EE services, each fronted by TxM and WSM agents; the TxMinder XML Agent consults the Netegrity Policy Server behind a second network firewall, alongside the WSM policies and user stores (LDAP, RDBMS, etc.).
Notes: Dotted lines materialize integration between TransactionMinder and Netegrity partners. (1) Web Services Management. (2) XML Firewall providing wire-speed XML processing (parsing, transformation, crypto math, etc.).
29 Integration with Complementary Third-Party Offerings
- Purpose
- Create a TransactionMinder ecosystem that provides more complete customer solutions
- Integration Approach
- Based on Netegrity's Reference Architecture
- Use of TransactionMinder's Agent API
- Integration of XML Gateways with TxMinder
- Vendors involved: Forum, Reactivity, Sarvega, Layer7
- Customer Benefits
- Intrusion detection (XML Gateway)
- Accelerated, first-level, entry point authentication (XML Gateway)
- Integration with Enterprise infrastructure (TransactionMinder)
- Centralized security policies, multiple-factor user stores, etc.
- Web services federation, sessioning (TransactionMinder)
- Integration of Web Services Management (WSM) Platforms with TxMinder
- Vendors involved: Digital Evolution, Actional, Amberpoint, Blue Titan
- Customer Benefits
- Provides SLA and business policies management (WSM Platform)
- Integration with Enterprise infrastructure (TransactionMinder)
- Centralized security policies, multiple-factor user stores, etc.
30 IdentityMinder Features Overview
Deployed at VISA DPS, Risk Mgmt
- Structured Administration
- Leverage administrator roles, groups, organizations, attributes to maximize administrative productivity and control
- Enable role-based access control (RBAC)
- Integrated Workflow
- Improve security and reduce costs through on-line workflows
- On-line requests, approvals, notifications
- Delegated User Administration
- Improve efficiency by distributing administration
- To partners and internal administrators
- Auditing and Reporting
- Improve security through comprehensive auditing and management reporting
- User Self-Service
- Reduce costs by allowing end-users to manage their own profiles, passwords, entitlements
IdentityMinder, Web Edition (IMWE) is a J2EE application that provides a customizable interface for delegating user administration and granting users entitlements. IMWE leverages the power of SiteMinder, including support for role-based access control.
31 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable Interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
32 Self Service
Reduces administrative cost and improves user experience
Diagram: (1) a self-registration form for NeteAuto (Name: Jsmith, Pwd: xyz, Email: jsmith_at_os.com, Enter Code: x23z, Sign Me Up; offers: Free Stuff, Credit Line); (3) and (4) the NeteAuto Web site greets "Welcome Jsmith" and offers Select One: Edit My Profile, Reset My Password, Change Memberships.
- User self registers
- Requests access to applications and group memberships
- Workflow approval is conditionally triggered for group assignments
- The user object is created
- The user can now change profile and password attributes and memberships
33 Self-Registration
- Support for multiple self-registration schemes
- Multiple user communities (Partners vs. Contractors)
- Multiple languages
- Options for customizing self-registration
- Use default form
- Redesign form using the form designer
- Prompts, Fields, Hints, Layout, Branding, Formatting
- For additional customization, generate WSDL for fully customized web service interface
Screenshot: default form
34 Self Management
- Benefits
- Reduce administrative costs
- Speed delivery of service to users
- Improved user experience
- Forgotten Password Support
- Multiple Challenge/Response questions
- Integration with SiteMinder password policy
- Self Management options
- Modify specific attributes
- View Group and Role memberships
- Request additional entitlements
- Subscribe to self-subscribing groups
- Change password
35 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable Interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
36 Integrated Workflow
Diagram: supplier I. Supply registers for Gold status; the workflow asks "Is credit rating A or B?" (NO / YES); on YES the COO's worklist shows "Approve gold status for I. Supply" with an Approve action; when the COO approves, the record Name: I. Supply changes from Status: bronze to Status: gold and a notification is sent TO I. Supply, CC Supplier Mgr.
- Configurable Workflow Engine supports
- Multi-step, non-linear approvals
- Design workflow process variants
- Create Contractor vs. Create Partner
- Customizable rules defining approvers
- Member of role or group, meets filter condition, custom
- Auto-approve if no approvers are assigned
- Customizable rules to identify who is notified
- Customizable e-mail templates
- Approved, pending, completed, rejected
- Workflow API enables integration with other user management processes
37 Workflow Customization
- Copy Create User Approve process to generate Create Contractor Approve process
- Specify HR group as approver
- Specify Contractor Supervisor as approver
38 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable Interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
39 Delegation
- Delegation is based on IdentityMinder roles and tasks
- IM Admin roles allow management of users, groups, orgs, roles
- Roles contain granular tasks (Modify User)
- Create new roles by re-combining tasks
- Create new tasks to meet business needs (Create Contractor)
40 Delegation: Creating Admin Roles
- During role creation, specify ALL the rules about the role
- What are the tasks associated with this role?
- HelpDeskAdmin has Enable/Disable User, Reset User Password, Modify User
- Who are the role members?
- Can initiate the tasks of the role
- While performing this role, what users, groups, orgs are in scope?
- Who are the role administrators?
- Can delegate the role to others
- While delegating this role, what users are in scope?
- Who are the role owners?
- Can modify the role using this interface
- Each role may have multiple member policies
- People in HelpAdmin group
- Title=ITManager
- All role metadata stored in Policy Store
41 Delegation: Membership Rule Examples
Member Requirement | Rule Type | Example
Must match one attribute value | User | Users where title starts with "senior"
Must match multiple attribute values | User | Users where title=mgr and locality<>east
Must be a member of another role | User | Users in admin role helpdeskadmin
Must belong to named org(s) | Org | Users in org sales and lower
Must belong to org(s) which meet a condition specified by attribute(s) on the org | Org | Users in orgs where Business Type=gold or Business Type=platinum
Must belong to specific org(s) and match specific user attributes | Org and User | Users where title=mgr and locality=east and who are in org sales or org marketing
Must belong to specific group(s) | Group | Users who are members of group ORGADMIN
Must belong to group(s) which meet a condition specified by attribute(s) on the group | Group | Users who are members of groups where owner=CIO
Must meet some condition which is beyond the scope of the rule syntax | Query | Users returned by the query ldap_query
42 Delegation: Managing User Store Objects
- Delegate responsibility for managing segments of the user store to the best qualified individuals
- Non-intrusive support for the corporate user store
- User stores supported
- Relational Database
- Single/multiple table based objects
- Objects retrieved by stored procedures
- Database generated unique identifier
- Delimited or row-based multiple values
- Native database datatypes
- LDAP v3
- Hierarchical, flat structure
- Auxiliary classes
- Groups
43 Delegation: Managing Groups
- Delegated group management provides for separation of duties
- Group Manager
- Create/modify/delete group
- Assign Group Admin(s)
- Group Admin
- Manage group membership
- Can manage groups regardless of organizational context
- Group management can be hidden behind role assignment
- Membership rule is a group
- Support for
- Self-subscribing groups
- Nested groups
- Dynamic groups
- For example, all technicians (employeetype) with cell phones (mobile):
ldap:///ou=NeteAuto,o=security.com??sub?(&(employeetype=technician)(!(mobile=NULL)))
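A dynamic group is just a stored LDAP search filter evaluated at membership time, and the attribute-based rows of the Membership Rule Examples table (title starts with "senior", title=mgr and locality<>east) are filters of the same shape. The following added example, written for this page and not IdentityMinder's code, parses such filters and evaluates them against constructed user entries; it covers the &, |, ! and = operators plus a trailing * for "starts with", treats a value of NULL as "attribute absent" to mirror the slide's notation, and reads the filter out of an LDAP URL like the one above. The entries and DNs are constructed.

```python
"""LDAP filter evaluation for dynamic groups and attribute-based membership rules.
Example code for this page, not IdentityMinder's; entries are constructed."""

# Constructed user store: DN -> {attribute: [values]} (LDAP attributes are multi-valued)
ENTRIES = {
    "uid=tcole,ou=NeteAuto,o=security.com": {"employeetype": ["technician"], "mobile": ["+1-555-0100"],
                                              "title": ["senior technician"], "l": ["east"]},
    "uid=rlee,ou=NeteAuto,o=security.com": {"employeetype": ["technician"], "title": ["technician"],
                                             "l": ["west"]},
    "uid=mgr1,ou=NeteAuto,o=security.com": {"employeetype": ["manager"], "mobile": ["+1-555-0101"],
                                             "title": ["mgr"], "l": ["east"]},
}


def parse_filter(text: str):
    """Parse an RFC 2254-style filter into a tuple tree: ('&'|'|', [children]),
    ('!', child) or ('=', attribute, value)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing characters: " + rest)
    return node


def _parse(s: str):
    if len(s) < 2 or s[0] != "(":
        raise ValueError("filter must start with '('")
    if s[1] in "&|":
        op, children, s = s[1], [], s[2:]
        while s.startswith("("):
            child, s = _parse(s)
            children.append(child)
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return (op, children), s[1:]
    if s[1] == "!":
        child, s = _parse(s[2:])
        if not s.startswith(")"):
            raise ValueError("unbalanced filter")
        return ("!", child), s[1:]
    end = s.index(")")
    attr, value = s[1:end].split("=", 1)
    return ("=", attr.lower(), value), s[end + 1:]


def matches(node, entry: dict) -> bool:
    """Case-insensitive matching, as for LDAP caseIgnore attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    if value == "NULL":                 # slide notation for "attribute not set"
        return not values
    if value == "*":                    # standard presence filter
        return bool(values)
    if value.endswith("*"):             # "starts with"
        return any(v.startswith(value[:-1].lower()) for v in values)
    return value.lower() in values


def members(filter_text: str, entries: dict = ENTRIES) -> list:
    """DNs of the entries matching the filter: the dynamic group's membership."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs))


def dynamic_group_members(ldap_url: str, entries: dict = ENTRIES) -> list:
    """Evaluate the filter part of an LDAP URL (ldap:///base?attrs?scope?filter).
    Base DN and scope are ignored here: every constructed entry sits under the base."""
    parts = ldap_url.split("?")
    if len(parts) < 4 or not parts[3]:
        raise ValueError("LDAP URL carries no filter")
    return members(parts[3], entries)
```

Because membership is recomputed from the filter, a technician who loses their mobile attribute drops out of the group without any administrator touching it, which is the point of a dynamic group and also why the attributes a rule depends on need to be administered carefully.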
44 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable Interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
45 RBAC Support in SiteMinder
Step 1: Use SM UI to link Access roles to security policies
46 RBAC Support in SiteMinder
Step 2: User defined variable, Application name (optional)
- SiteMinder generated attributes
- SM_User_Application_Roles
- SM_User_Application_Tasks
- Response returns user's roles/tasks for authorization
- Role and Task names are passed to the Application
47 Why RBAC?
- SiteMinder role based policies secure applications
- Efficiency, scalability, flexibility
- Reduces administrative cost
- Coexist with user based policies
Diagram: delegated user admins manage role membership (employees, contractors and partners in a Sales Support Role) separately from the security policy admins who link the roles to policies.
48 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and reporting
- Customizable Interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
49 Auditing and Reporting
- Configurable auditing logged to relational DB
- Which objects?
- User Store objects: User, Org, Group
- IdentityMinder objects: Roles, Tasks
- Which state transitions?
- Approve, reject, executing, pending, completed, cancel, done
- What data?
- Old values, new values, or both
- Reports can be derived from audit data
- Report types
- Auditing (for example, what changes were made to UserB)
- Administrative (for example, what roles can AdminA grant?)
- Control access through the delegation model
- Specify which users can access which reports
50 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
51 Customization Options
- Rebrand, change look and feel of the IM UI
- Provide interfaces for users in different geographies
- Fully internationalized and localized to support multi-national companies
- Reduce clicks for administrators with few responsibilities
- Assure that IM administrators' first screen is optimized
- Redesign forms used by delegated admins
- Significant opportunities for customizing the interface using the IM interface
- Use web services interface (WSDL)
- Generate WSDL files, then perform additional customization if necessary
- Enables embedding in the company portal
52 Customizing Look and Feel
- Skin has components that may be edited to change look and feel
- Headers and footers
- Images
- Colors and fonts
- IM supports multiple skins, each consisting of
- Cascading Style Sheet
- Images (.jpeg, .gif, .png)
- A .properties file that defines the components of a skin
- Addresses accessibility requirements specified in Section 508 of the Rehabilitation Act
53 Tailoring the First Screen
- First screen may vary by user
- Few tasks: listed in left nav
- Many tasks: categories in left nav
- Workflow approver sees worklist first
54 Creating Custom Tasks for Admins
- Tasks: the building blocks of custom views
- Supports fine grained delegation
- Use IM task designer to create new tasks
- Copying and modifying existing tasks
- Copy all or parts of tasks
Diagram: User Mgmt tasks (Create User, Modify User, View User) present Employee Info fields (Name, Employee ID, Department, Supervisor) mapped to user object attributes (cn, EmployeeNumber, departmentNumber, manager, employeeType); a copied Contractor Mgmt task set (Modify Contractor, View Contractor) presents a Contractor Profile (Name, Dealer ID, Classification).
55 Design Custom Forms with IM
- Rebrand, add links, text, etc
- Add/remove/rename tabs
- Remove the Org search
- Re-label prompts
- Add field hints
56 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable Interface
- Extensibility
- Scalable Architecture
- Integrated Provisioning
57 Web Service Support
- Business Case
- IM is web service enabled
- Enables additional customization beyond what is supported through the IM interface
- Support embedding into corporate portal
- Support industry standard: WSDL
- Steps
- Identify which tasks will be enabled as web services
- Customize those tasks as much as possible using the IM interface
- Export WSDL
- Modify WSDL to complete customization
- Use tools such as Apache Axis to generate web clients
58 IdentityMinder APIs
- Logical Attribute API: enables you to display an attribute differently than how it is stored physically in a user directory.
- Business Logic Task Handler API: allows you to perform custom business logic during data validation or transformation operations.
- Workflow API: provides information to a custom script in a workflow process. The script evaluates the information and determines the path of the workflow process accordingly.
- Participant Resolver API: enables you to specify the list of participants who are authorized to approve a workflow activity.
- Event Listener API: enables you to create a custom event listener that listens for a specific IdentityMinder event or group of events. When the event occurs, the event listener can perform custom business logic.
- Notification Rule API: lets you determine the users who should receive an email notification.
- Email Template API: includes event-specific information in an email notification.
59 Key Functionality
- Self-Service
- Integrated Workflow Approvals
- Delegation
- Role-based Entitlement Support
- Auditing and Reporting
- Customizable Interface
- Extensibility
- Secure and Scalable
- Integrated Provisioning
60 Secure Architecture
61 Scalability for Fault Tolerant Deployment
Diagram: browser -> load balancer -> Web tier (WS-1, WS-2, WS-3) -> application tier (J2EE cluster) -> data tier (SiteMinder Policy Server, user store).
62 Supported Platforms
- Leverages enterprise architecture
- User store
- LDAP Directories (SunOne, MS AD/ADAM, Novell eDirectory, Oracle OID, IBM SecureWay, Siemens DirX, InJoin Critical Path)
- Relational Databases (Oracle, MS SQL Server)
- Application Servers
- IBM WebSphere
- BEA WebLogic
- JBoss
- OS Support: Windows, Solaris
63 Integrated Identity and Access Management