Supporting the Identity Management Lifecycle with BMC Identity Management Suite 5.5


Technical White Paper
An overview of the BMC Identity Management Suite architecture and the vision behind it

Table of Contents

Abstract
The promise of a business-oriented approach to identity management
A new era of identity management challenges
The identity management lifecycle
Employing audit and workflow to achieve business-oriented identity management
The BMC Identity Management Architecture: a new approach to identity management
> BMC Identity Management Console Layer
> BMC Identity Management Service Layer: Front end
> BMC Identity Management Service Layer: Back end (Integration Tier for Identity Service Abstraction)
> BMC Identity Management Data Store Layer: Identity data repositories
> External applications
Key highlights of the Identity Management Suite architecture
> Alignment with emerging business needs
> Standards support
> Openness
> Flexible deployment
> Scalability and speed
BMC Identity User Administration Manager
BMC Identity Web Access Manager
BMC Identity Federation Manager
BMC Identity Compliance Manager
BMC Identity Directory Manager
The benefits of an integrated product suite
How does all this help your business?
Conclusion

Abstract

A unified architecture is characterized by a common service framework that exposes common services to clients in a standard manner, minimizing duplication and redundancy. In addition, such an architecture abstracts application logic in a way that facilitates the introduction or improvement of functions without unnecessarily affecting the application user interface (UI), thereby simplifying application maintenance and support. Unsurprisingly, an enterprise-class identity management solution is expected to facilitate the introduction of feature enhancements, either by allowing additional components to be connected to the framework, or by allowing replacement of existing ones. The architecture model for such a solution should allow easy addition of new services to the feature set.

Back in 2003, BMC introduced what has become the core foundation blueprint for a new generation of identity management services: the Integrated Security Architecture, or ISA. ISA was all about openness, with a strong focus on ensuring smoother interoperability by embracing standards such as J2EE and SPML, and by adopting an open, modular approach to address identity management connectivity, service, process, and storage requirements. Openness is a key theme of the unified architecture requirements described in this document.

The promise of a business-oriented approach to identity management

A company's successful achievement of its business goals relies heavily on its deliverables, be they services, products, or both. As each deliverable is the product of a certain process, anything, and most significantly anyone, capable of adversely affecting the process could pose a risk to attaining business objectives. Because people are the owners of company processes, their respective IT capabilities could expose the business to financial risk.
Profiling the user's IT capabilities therefore becomes an imperative objective, as is the need to verify that IT capabilities are granted and revoked appropriately, so that users possess only the capabilities defined by their required roles. Since identity-related data is scattered across various systems, being able to correlate the pertinent pieces of an identity is critical. Inability to do so may result in a false sense of security and a deficient audit report that fails to surface information that might indicate alarming risks.

Management of access rights is not a trivial process. Business agility warrants an approach to access management that supports quick, yet effective and secure, assignment of rights to users. Attaining this objective often calls for a process that may not be easy to implement using programmatic means alone. Furthermore, attaining regulatory compliance objectives warrants a process that attests to the validity of the control-based approach undertaken by the company.

A comprehensive approach to identity management enables companies to correlate processes and actions with personnel, and enables them to verify that access rights to critical business resources are defined, granted, and enforced pursuant to company policies. A critical success factor of this approach lies in the ability to effectively identify and manage exceptions to the company's access policy so that corrective actions can be taken appropriately and promptly.

A new era of identity management challenges

As the scope of user activities expands, companies, applications, and users require enhanced control over the different identity-related records pertaining to a given person. Given that identity-related data is often scattered across various systems and domains, it is consequently governed by separate authorities, which makes it difficult to provide users with a seamless experience when accessing this information, as the user needs to authenticate multiple times.
Furthermore, cross-domain application development is challenging, as each domain authority governs its data differently and exposes identity-related services in a unique way.

With regulatory compliance requirements compelling an increasing number of companies to seek out novel ways to control and reduce financial risk, identity management has been recognized as a means that offers a significant contribution to the attainment of this objective. Concordantly, a comprehensive approach to identity management is required, one that warrants interoperability among applications. Such an approach should allow the exchange of authentication, authorization, and other identity-related attributes, as well as identity-related operation requests, in a standard and secure manner, thereby enabling users to get a personalized service experience without requiring them to store personal information centrally.

Identity management solutions should therefore offer scalable, secure, and reliable services. However, in order to serve as a mainstay in the enterprise, there are several key requirements that next-generation business identity management solutions must satisfy:

> Alignment with emerging business needs

Identity-related software has traditionally been regarded as an infrastructural challenge, mostly concerning system administrators. Today, however, business process management has become the impetus driving the identity management evolution, highlighting issues such as rule and role control and federated identity management. As the Internet continues to play a cardinal role in global commerce, the need to manage identity-related information securely and efficiently is accentuated. In the future, all identity management solutions must align with the requirements of enterprise business process management.

> Standards support

In today's business vista, standards represent a necessity rather than an option. Identity management solutions will never become a viable platform for identity-based applications unless they embrace standards. SAML (Security Assertion Markup Language) and SPML (Service Provisioning Markup Language) are two key identity-related standards that have made considerable progress over the past couple of years. SAML, an XML-based standard, enables applications to exchange security-related data by specifying a standard way to make assertions concerning the identity, attributes, and entitlements of a subject (e.g., a person). This makes SAML a key pillar for interoperable identity services. The SPML initiative was born to answer an urgent business need: a standard, expressive way to convey and exchange provisioning data and operations between communicating parties. SPML is thus designed to play a vital part in stimulating adoption of provisioning services interoperability.

> Openness

The openness of an identity management solution reflects how easily parts of its architecture can be enhanced, or replaced altogether. Interoperability is critical to reaching this objective.
While interoperability means different things to different people, one way to realize it would be to let service requestors submit requests to an identity management service point with minimal (or no) concern for the particular provider's service implementation. Identity management openness also implies a degree of flexibility in design, permitting interchangeable components, utilization of best-of-breed vendor solutions as plug-in modules, and more. An enterprise-class identity management solution should permit broad platform support. It should also facilitate future enhancements, either by allowing additional components to be connected to the framework, or by allowing replacement of existing ones. The model should allow easy introduction of new services to the feature set. By embracing a modular design, system services are abstracted, componentized, and called via exposed interfaces. Such a design permits the addition of new functionality with relative ease.

> Flexible deployment

The complexity inherent to the management of identities should not be reflected in the procedure exercised for deploying related applications. Installing and configuring identity management applications should be smooth, coherent, and consistent, and deployment should be flexible to accommodate business needs.

> Scalability and speed

Scalability is an obvious requirement of contemporary business applications. Speed should be reflected both in performance and in development time, by reducing overhead, eliminating redundant functionality, minimizing abstraction to appropriate levels, and optimizing computing-intensive components.

The identity management lifecycle

Identity management is a practice governing the complete lifecycle of the identities of people and resources across pertinent systems, encompassing a myriad of aspects relating to such identities, including their creation, management, suspension/renewal, and termination.
Identity management software offers organizations considerable operational benefits by automating this practice and supporting a variety of related tasks, including password management, account provisioning, Web single sign-on, access management, and more.

Over the years, many vendors have rushed to jump on the identity management bandwagon, often armed with merely a single application addressing a narrow, albeit important, area of interest. Consequently, the term identity management has become something of an umbrella term, used primarily to group together disparate applications under a single toolset, sharing a single common denominator: a reference to user identity data.

Organizations typically deploy dozens, if not hundreds, of applications that deal with sensitive data that needs to be protected. Users of the applications should therefore be authenticated and authorized for access, which in turn requires creating user accounts on each system that needs to be secured, and specifying what rights the accounts possess.

The key processes typically associated with common identity management implementations in organizations include:

> People management (a.k.a. directory management): a process that governs the management of the data that constitutes the user's identity in the business (e.g., personal details, business properties, and more), including self-service. This typically entails processes governing the definition, creation, and management of user records in a dedicated HR system and in a designated directory. Many companies employ a central directory (or multiple directories) for storing user records that may serve various identity management applications.

> Entitlement Management: a process that governs the definition and management of entitlements for resources across the company's systems. This typically entails the definition and management of user accounts on systems to which the pertinent user should possess access rights, as well as the definition and management of roles, rules, and procedures pertinent to the management of access rights in those systems.

> User Provisioning: typically entails the definition and management of a distinct enterprise-wide account for each managed user, along with the definition and management of policies and processes that define how the user is provisioned access rights to enterprise systems. While differing widely among vendors, provisioning is, at its core, both a security and a management solution that facilitates centralized and automated management of user entitlements on multiple systems. Significantly, provisioning solutions may feature a workflow service to facilitate human approval of provisioning-related actions, thereby addressing a critical business requirement.

> Access management: a process that governs the enforcement of access rights to enterprise IT resources across the company's systems.
This entails a variety of processes and encompasses applications that facilitate the management of access rights, such as single sign-on, password management, and Web access management. Single sign-on solutions enable a simplified login experience by allowing the user to authenticate once and subsequently gain access to password-protected applications without being required to reauthenticate. Password management solutions facilitate the management of user passwords, while password synchronization solutions support the synchronization of user passwords among managed systems. Web access management entails processes governing the definition and management of Web-based resources, as well as Web application roles and rules governing the assignment of user access rights to those resources.

The boundaries of identity (and access) management are blurry and depend somewhat on how an identity is defined. Does an identity constitute a minimal set of attributes (required for identification of the pertinent principal), or does it virtually encompass all data relating to the principal (including data spanning companies)? This considerably affects the extent to which the management of identities should reach. Nevertheless, identity management should not be considered an end in itself, but rather a supporting process for both the management and the execution of business processes. An enterprise approach to identity management should encompass the procedures and tools required to centrally administer any user's collective set of attributes distributed across enterprise systems, and to effectively manage the user's access to enterprise IT resources.

Typically, each individual managed using such an identity management system has a corresponding identity record (a person account), specifying attributes that identify and characterize the individual.
These attributes enable the identity management system to determine which actions to take with respect to the pertinent identity and help determine (if required) how to assign the individual appropriate access rights to enterprise resources.

From a generic process standpoint, the identity management lifecycle is made up of three key phases: modeling, deployment, and enforcement. It begins with a modeling phase that entails identity modeling (definition and management of the key identity record and related attributes), entitlement modeling (definition and management of roles and rules governing accessibility to resources), entitlement assignment modeling (definition and management of the association of entitlement definitions with identities), and trust modeling (definition and management of contracts with pertinent parties that affect the identity's scope). The modeling phase is followed by the deployment phase, which entails application of the definitions made at the modeling phase. The enforcement phase involves enforcement of the practices and policies defined at the modeling phase, employing the tools and data deployed at the deployment phase.

In practice, however, once the overall identity management approach and methodology are set, the identity management lifecycle actually begins with the creation of an identity in the organization's HR system, where general information on the person associated with the identity (e.g., personal details, professional background, job title, etc.) is recorded. Data on the person is stored in a repository, most often an LDAP directory (sometimes dubbed the corporate directory). Once the identity is created, it is possible to start assigning the person associated with the identity access rights to the systems and resources with which she is entitled to work. Determining what access rights should be granted to a given person, and the definition and management of the procedures employed for assigning them to identities, constitutes a significant part of the entitlement management process described on page ?. The application of access rights on each pertinent system is done either manually, separately for each system, or better, via an automated process (account provisioning) that communicates with pertinent systems, creates user accounts, sets the corresponding rights for the user account on each system, and reconciles system information without human intervention. The complete metadata describing provisioned rights pertaining to the user is stored in the identity management database.

Once user accounts and corresponding access rights are set, a process called access management can be established to enforce access rights based on the settings. Notwithstanding the significance of this process, it is the application of a workflow-enabled audit approach to identity management that adds to the identity management lifecycle the business-side sheen so critically required for an effective attainment of business goals.

Employing audit and workflow to achieve business-oriented identity management

Effective identity management requires verifying that the assignment of access rights conforms to company policies. Company policies are commonly defined to streamline processes by establishing standards for various operations. Notable examples of identity management audit policies include detection of excessive rights (a policy that looks for access rights that are assigned to a user directly, and not indirectly via roles) and separation of duties (a policy that verifies that a person is not assigned apparently conflicting rights, such as the rights to submit and approve the same request). Access rights that do not comply with company policies are labeled exceptions.
The process of dealing with exceptions is called exception management and represents a key facet of a comprehensive auditing approach. Whether exceptions are approved by a business manager who is entitled to make such decisions, or are removed altogether, they must nevertheless be handled. Possible outcomes of exception management are policy updates or corrective actions. Significantly, given the importance associated with exception management, it warrants an appropriate approval process.

Audit and compliance management entails the processes involved in ensuring that the company complies with regulations such as Sarbanes-Oxley, HIPAA, Basel II, and more. Auditing, and significantly identity management auditing, is a key facet of compliance management. Within the BMC Identity Lifecycle approach, compliance management involves two aspects: attestation and automated policy check.

Attestation is a practice whereby organizations require management to periodically perform an audit and attest that the people in each pertinent domain have access and IT privileges that comply with organization policies. Attestation has a few facets. Companies may elect to run an independent attestation process to periodically review the company's implemented authorization process and to have managers attest to the validity of access rights assigned to their team members.

Automated policy check is a more automated approach than attestation, entailing the definition of organizational and/or regulatory policies in a knowledge base (e.g., separation of duties) and an ongoing periodic (or on-demand) scan of the identity database to trace exceptions to policies.

The common approach to auditing is frequently labeled an investigative audit, as it deals with actions that occurred in the past. This explains why it is applied to the system's access logs, thus providing the ability to review who did what.
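The automated policy check described above, as an added example that is not BMC's code or part of the original paper: it evaluates the two audit policies the text names (excessive rights and separation of duties) over a constructed identity set, returns findings as exception records for an exception-management step, and reuses the same checks as a preventive control on a proposed assignment. The role names, the separation-of-duties rule and the identity records are all made up for illustration.

```python
"""Automated policy check over an identity record set (added illustration, not BMC code).

Policies implemented, as defined in the paper:
  * excessive rights: a right assigned to a person directly rather than via a role
  * separation of duties: one person holding two rights the policy declares conflicting
Findings are returned as exception records so that an exception-management step can
approve them with a justification or trigger a corrective action.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace


@dataclass
class Identity:
    """Minimal person record: role memberships plus rights granted outside any role."""
    person_id: str
    roles: set[str] = field(default_factory=set)
    direct_rights: set[str] = field(default_factory=set)


@dataclass(frozen=True)
class PolicyException:
    """One non-compliant finding awaiting approval or corrective action."""
    person_id: str
    policy: str              # "excessive_rights" or "separation_of_duties"
    detail: tuple[str, ...]  # the offending right(s)


# Constructed role model (role name -> rights the role grants). Hypothetical names.
ROLE_DEFS: dict[str, set[str]] = {
    "ap_clerk": {"submit_payment"},
    "ap_manager": {"approve_payment", "view_payments"},
    "ap_reader": {"view_payments"},
}

# Constructed separation-of-duties policy: no single person may hold both rights of a pair.
SOD_RULES: list[frozenset[str]] = [frozenset({"submit_payment", "approve_payment"})]

# Constructed identity records with deliberate violations for the scan to surface.
SAMPLE_IDENTITIES: list[Identity] = [
    Identity("alice", roles={"ap_clerk"}),
    Identity("bob", roles={"ap_clerk", "ap_manager"}),                        # SoD via two roles
    Identity("carol", roles={"ap_reader"}, direct_rights={"submit_payment"}),  # excessive right
    Identity("dave", roles={"ap_clerk"}, direct_rights={"approve_payment"}),   # both policies
]


def effective_rights(identity: Identity, role_defs: dict[str, set[str]]) -> set[str]:
    """Rights the person actually holds: everything inherited from roles plus direct grants."""
    rights = set(identity.direct_rights)
    for role in identity.roles:
        rights |= role_defs.get(role, set())
    return rights


def check_excessive_rights(identity: Identity) -> list[PolicyException]:
    """Excessive-rights policy: every directly assigned right bypasses the role model."""
    return [
        PolicyException(identity.person_id, "excessive_rights", (right,))
        for right in sorted(identity.direct_rights)
    ]


def check_separation_of_duties(
    identity: Identity, role_defs: dict[str, set[str]], sod_rules: list[frozenset[str]]
) -> list[PolicyException]:
    """SoD policy, evaluated on effective rights so role-inherited and direct grants both count."""
    held = effective_rights(identity, role_defs)
    return [
        PolicyException(identity.person_id, "separation_of_duties", tuple(sorted(rule)))
        for rule in sod_rules
        if rule <= held
    ]


def check_identity(identity, role_defs, sod_rules) -> list[PolicyException]:
    """All policy findings for one person."""
    return check_excessive_rights(identity) + check_separation_of_duties(identity, role_defs, sod_rules)


def scan(identities, role_defs, sod_rules) -> list[PolicyException]:
    """Detective control: periodic or on-demand scan of the whole identity set."""
    found: list[PolicyException] = []
    for identity in identities:
        found.extend(check_identity(identity, role_defs, sod_rules))
    return found


def preventive_check(identity, role_defs, sod_rules, add_role=None, add_right=None) -> list[PolicyException]:
    """Preventive control: evaluate a proposed assignment on a copy before it is applied.

    Returns only the exceptions the new assignment would introduce; an empty list means
    the request can proceed without an approval workflow.
    """
    already = set(check_identity(identity, role_defs, sod_rules))
    trial = replace(identity, roles=set(identity.roles), direct_rights=set(identity.direct_rights))
    if add_role is not None:
        trial.roles.add(add_role)
    if add_right is not None:
        trial.direct_rights.add(add_right)
    return [e for e in check_identity(trial, role_defs, sod_rules) if e not in already]


if __name__ == "__main__":
    for exc in scan(SAMPLE_IDENTITIES, ROLE_DEFS, SOD_RULES):
        print(f"{exc.person_id}: {exc.policy} {exc.detail}")
    print("alice + ap_manager:", preventive_check(SAMPLE_IDENTITIES[0], ROLE_DEFS, SOD_RULES, add_role="ap_manager"))
```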
The audit process is started either manually by an approved application user (e.g., an auditor), or is triggered automatically, either by a scheduling application or, perhaps more appropriately, following a designated event. If assignment of access rights were possible only from a single application, auditing could be centered on that application. In reality, however, companies deploy numerous applications and systems, each with its own security application, so assignments can be carried out from many places. As a result, auditing at one point in time may prove to be limited. A comprehensive approach to auditing concordantly suggests multiple points where the application of auditing is beneficial, thus complementing the ability to review what was done with an ability to detect access rights assignments before users exploit them:

> Preventive control: performed at the setup step of the implementation process. At this point, it is possible to prevent assignment of user access rights that do not comply with business policies.

> Detective control: performed immediately after the implementation process. At this point, it is possible to detect existing access rights assignments that do not comply with business policies.

> Investigative control: performed as part of the enforcement process. At this point, it is possible to investigate which users accessed which resources.

Workflow enables organizations to implement another layer of control over the assignment of access rights, by answering a burgeoning requirement to implement a business-oriented approach to access rights assignment. Moreover, workflow enables the association of a well-used and familiar business process with tasks that are unlikely to be handled automatically by IT or by the system. Exception management warrants an approval process, and this is another significant area for workflow processes.

Workflow software helps to streamline effective and efficient business decision-making by offering tools for modeling, automation, and monitoring of pertinent business processes. By employing workflow to model business processes, companies capture decisions and actions concerning a given request, thus facilitating analysis of the rationale behind the approval or rejection of a request. In the context of identity management, this can potentially be used to trace the actions leading to the assignment of certain access rights. Regarding exceptions, workflow facilitates effective exception management by implementing the business process required to approve decisions related to exceptions. Using audit procedures to automatically trigger workflow processes under certain conditions is an example of employing workflow for enhanced auditing, which represents a fresh take on the traditional concept of auditing. Using auditing as a trigger for workflow processes enriches the identity management practice and helps bridge the gap between IT and business, particularly in the area of role management.

The BMC Identity Management Architecture: a new approach to identity management

The BMC Identity Management Architecture is the core architecture powering the new generation of BMC Identity Management solutions.
This architecture builds upon the proven architecture of previous BMC Identity Management solutions, offering an effective and efficient melding of existing and new technologies. It elevates the solution into a higher echelon of capabilities, providing customers with the first truly extensible identity management platform. The BMC Identity Management Architecture embeds years of BMC experience and expertise in developing and deploying one of the world's most successful provisioning platforms to date, providing a dynamic framework to support the customer's toughest requirements, today and tomorrow.

The BMC Identity Management Suite is made up of the following layers and components:

BMC Identity Management Console Layer

> BMC Identity Management Web Console: the Web-based console for BMC Identity Management applications that are deployed in the BMC Identity Management Service Layer front end, including BMC Identity Directory Manager, BMC Identity User Administration Manager, BMC Identity Compliance Manager, BMC Identity Password Manager, BMC Identity Web Access Manager, and more. Applications run within a common UI frame and share a common UI look and feel.

> BMC Identity Management Windows Console: a Windows-based console for provisioning management tasks. It is the main tool for managing person profiles, provisioning managed system configuration, system configuration, and authorization for system administrators. The Windows Console interacts directly with the BMC Identity Management Provisioning Engine (ESS, Enterprise Security Station).

BMC Identity Management Service Layer: Front end

> BMC Identity Management applications: a slew of powerhouse Web-based identity management applications. Applications expose the system's functionality to users via a compelling and consistent UI, leveraging services provided by the BMC Identity Management Common UI Services.
> BMC Identity Management Common UI Services (Web): a front-end component that communicates with its counterpart in the back end, the BMC Identity Management Common UI Services (Core), to provide authentication, UI, and session management-related services to suite applications. The Common UI Services manages a tabbed page UI, within which each application is displayed. Notably, when BMC Web Access Manager is installed, the enforcement agent (see page ?) interacts with the Common UI Services to ensure secure access to suite applications.

> BMC Identity User Administration Manager: an application for managing the complete lifecycle of identities, entailing automated creation, maintenance, and termination of accounts associated with a given person on a variety of operating systems, applications, and data sources.

> BMC Identity Password Manager: an application for the management of passwords, entailing the creation and management of password policies, password reset, and password synchronization. To fulfill requested services, BMC Identity Password Manager communicates with Open Services.

> BMC Identity Compliance Manager: an application that facilitates the implementation of identity auditing standards and the creation of reports demonstrating compliance with such standards.

> BMC Identity Web Access Manager: consolidates a variety of administrative functions that enable organizations to specify and manage user rights for accessing Web-based resources.

> BMC Identity Directory Manager: a full-featured environment for visualization of identity data stored in various repository types, as well as for content management and development of J2EE and workflow-enabled identity management applications that can be deployed within the common UI framework of the suite.

> Reports: Reports is a BMC Identity Directory Manager application that enables the creation and management of reports, exposing Web Service interfaces for report-related services.

> BMC Identity Request Manager (Workflow): Request Manager is a BMC Identity Directory Manager application that enables organizations to submit, approve, and manage workflow requests by exposing Web Service interfaces for workflow-related services. These services are called (for example) by the BMC Identity Compliance Manager Services (see page ?) to implement a corrective audit (a workflow process triggered by BMC Identity Compliance Manager whenever certain conditions concerning audit results are met).

> BMC Identity Federation Manager: a solution that facilitates the establishment of trust relationships between business partners, which enables secure identity management across business domains.

BMC Identity Management Service Layer: Back end (Integration Tier for Identity Service Abstraction)

> BMC Identity Management Open Services: the Open Services layer constitutes a key part of the BMC Identity Management Suite's architecture. Open Services embed business logic supporting suite application requirements concerning authentication, authorization, role management, auditing, provisioning, password management, and more.
> BMC Identity Compliance Manager Services: responsible for performing the audit reporting and analysis tasks requested through the BMC Identity Compliance Manager application.

> BMC Identity Management Common UI Services (Core): responsible for serving requests passed by the BMC Identity Management Common UI Services (Web).

> Log Collector: responsible for logging services requested by BMC Identity Web Access Management components. Stores related data in a relational database.

> Enforcement Agent: responsible for providing authentication, authorization, and single sign-on to Web-based applications. Enforcement agents are installed as plug-ins to a Web or proxy server, and intercept HTTP/HTTPS requests to access Web resources. They enforce Web access policies and access rights settings for Web-based resources.

> BMC Identity Service Providers

> BMC Identity Management Provisioning Service Provider: built on proven ESS (Enterprise Security Station) technology, the Provisioning Service Provider is responsible for some of the key security management capabilities of the BMC Identity Management Suite. It consists of the following elements:

> BMC Identity Management Provisioning Engine: the Provisioning Engine serves as the control hub for plug-in provisioning modules, which are responsible for carrying out specific provisioning tasks. The Provisioning Engine enables centralized user and security system administration and centralized policy management, and is responsible for supporting any provisioning service required by applications.

> BMC Identity Management Service Manager: the Service Manager is responsible for communicating provisioning commands generated by ESS to the pertinent managed system, via BMC Identity Management Provisioning Modules.
> BMC Identity Management Provisioning Modules: utilized for interaction between the Service Manager and the managed system, including translation of Provisioning Engine commands into a command format that is understood by the managed system. The BMC Identity Management Suite boasts over 50 provisioning modules that support a broad range of target systems.

BMC Identity Management Data Store Layer: Identity data repositories

The key repositories include:

> Corporate Directory Identity repository: the default repository for person data. In addition, it is used by the BMC Identity Web Access Management system for storing identity-related metadata, policies, authentication credentials, and configuration data.

> Identity Management repository: the RDBMS-based repository for person-associated and system data. The repository includes data on persons (imported in part from the organization's authoritative HR data source during download), user groups, user profiles, and data on each managed system. Additional data includes system configuration parameters, audit records, password policies, and more. The Web Access Management system uses a relational database repository for storing logs.

> Various suite components have data and/or configuration details stored in special files, co-located on the component's machine. For example, glue-service-config.xml includes an entry for each supported authentication system; another example is that password dictionaries are represented as CSV files on the machine where the Open Services layer resides. Access rights to these files are governed by the local file system. Sensitive data is stored encrypted.

External applications

> Custom applications: external applications can access services provided by the BMC Identity Management Suite as follows:
> Services exposed by BMC Identity Management Open Services, via Java API, Web Service interfaces, or SPML.
> Services exposed by BMC Identity Directory Manager-based applications, via published Web Service interfaces.

> BMC Remedy Action Request System (AR System): the BMC Remedy AR System Plug-in enables access to BMC Identity Management Provisioning Services by any application built on BMC Remedy AR System, via Web Service interfaces exposed by the Open Services. This enables BMC Remedy AR System applications to perform identity-related operations and to issue provisioning-related requests to the Provisioning Services.

> BMC Identity Discovery: Business Service Management (BSM) is the most effective approach for managing IT from the perspective of the business.
Identity management plays a key part in BSM, as it provides critical information on the factor (people) responsible for running business processes. Such information may prove to be crucial for assessing, for example, the impact of a system failure on the business. In order to make pertinent information quickly available to BSM applications, BMC Identity Discovery employs the Web Service interfaces exposed by the Open Services to extract identity management data from the BMC Identity Management Database and publish it in the BMC Atrium Configuration Management Database (CMDB), which serves as the central information store for BSM applications.
> HR System
> Most organizations manage information on people in an HR application or a corporate repository (typically a directory). As some of this information is of key importance for identity management using BMC Identity Management applications, these applications need either to interface with the HR system/corporate directory or to support effective and easy synchronization with the authoritative data source. The BMC Identity Management Suite's provisioning setup entails a download of information from the enterprise HR system/corporate directory, in order to populate the database employed for provisioning management with the relevant people information. This process is called an HR Feed.

Key highlights of the BMC Identity Management Suite Architecture

Alignment with emerging business needs

The suite exhibits a solid architecture foundation that builds on proven technologies that have been deployed in many environments, but also adds a rich array of services for comprehensive identity management tasks that support critical business requirements. The suite also supports custom development of powerful new applications leveraging these services.
The user experience is improved thanks to a unified UI with a revised look and feel, a streamlined unified installation procedure, a unified login, and application integration with cross-application business process management (workflow). The integrated workflow service allows for extensive automation capabilities that help alignment with business objectives.

Standards Support

The architecture's standards-based approach lends itself well to accommodating integration requirements with external applications. The BMC Identity Management Suite supports identity management industry standards, such as SPML, SAML, Liberty ID-FF, WS-Federation, and others. The architecture also manifests a modular design and exposes a broad set of APIs enabling custom extensions by customers.

Openness

The architecture's openness is reflected in its robust functionality, including:
> Streamlined integration with a common workflow
> Exposure of application services via Java interfaces, Web Services, SPML, and read access to provisioning metadata in the identity management database

> Enabled connectivity with HR systems (SAP, PeopleSoft, Oracle) and help desk applications (integrated BMC Remedy IT Service Management Suite)
> SDKs enabling extension of various component functionality
> Exposure of public APIs for programmatic extension of functionality
> Implementation of user exits and pre/post procedures

The architecture also boasts support for an extensive list of platforms, data stores, and managed systems:
> Supported runtime platforms for identity management applications include WebLogic on Solaris, JBoss on Solaris and on Windows 2003 Server, and WebSphere on AIX.
> Supported LDAP directories for authentication include Microsoft Active Directory, Novell eDirectory, and Sun Java System Directory.
> Supported databases for the BMC Identity Management Suite include Oracle and Sybase.
> Over 50 supported systems as provisioning targets and managed systems, including Windows, Linux, Solaris, AIX, HP-UX, IRIX, z/OS, AS/400, VMS, Tandem, OS/2, NetWare, and more.

Flexible Deployment

The architecture facilitates flexible deployment, including:
> Flexible choice of deployment: multitier or single tier
> Local/remote deployment of connectors (agents)
> Proxy and connector-based BMC Identity Web Access Manager deployment

Scalability and speed

Being J2EE-based, BMC Identity Management Suite applications (e.g., BMC Identity User Administration Manager, BMC Identity Password Manager, BMC Identity Web Access Manager, Workflow) and Open Services enjoy the scalability features offered by J2EE application servers. The BMC Identity Web Access Management services architecture leverages the scalability and robustness of directory deployments, such as Microsoft Active Directory. The design of the applications allows for effective administration scalability as well. The BMC Identity Management Database relies on the database scalability features and supports clustering for failover deployment scenarios.
Scalability and speed are improved thanks to the special design of provisioning modules. Local agent deployment reduces network traffic between the managed system and the controlling provisioning service. In addition, the design of the Service Manager and Provisioning Modules supports better scalability via support for concurrent transaction execution.

BMC Identity User Administration Manager

BMC Identity User Administration Manager is an application for managing the complete lifecycle of identities, entailing automated creation, maintenance, and termination of accounts associated with a given person on a variety of operating systems, applications, and data sources. BMC Identity User Administration Manager enables comprehensive role management and features support for central and distributed management of over 50 target systems. To fulfill requested services, BMC Identity User Administration Manager communicates with Open Services, which calls the Provisioning Engine, which communicates with these systems via the Service Manager and Provisioning Modules.

The Open Services layer is exposed to users via the BMC Identity Management applications, and to developers via programmatic interfaces, supporting major industry standards. Open Services can be accessed via Java interfaces and SPML. Open Services embed business logic supporting suite applicative requirements concerning authentication, authorization, role management, auditing, provisioning, password management, and more. This layer implements an architecture that facilitates enhancement and extension of services over time. Open Services provides support for authentication against the Provisioning Service, and also against external LDAP directories (e.g., Active Directory, Novell eDirectory, Sun Java System Directory).
With external authentication, a user is first authenticated against an LDAP directory; upon success, the login information is used to log the user in to the suite and the Provisioning Service, using the mapping between LDAP and Suite users held in the BMC Identity Management Database. For scalability, Open Services rely on the architecture of the J2EE application server.

The BMC Identity Management Provisioning Service (Provisioning Engine) serves as the control hub for plug-in provisioning modules, which are responsible for carrying out specific provisioning tasks. The Provisioning Engine enables centralized user administration, security system administration, and centralized policy management, and is responsible for supporting any provisioning service required by applications. The Provisioning Engine components include an application server that handles communication between the Provisioning Engine and client processes; an RDBMS-based repository (see BMC Identity Management Database) containing security administration data; one or more gateway processes communicating with instances of the Service Manager; and the router, which is responsible for communication with the application server. J2EE applications can access the Provisioning Engine indirectly via Open Services. Provisioning Engine services are also accessible via the Windows Console. The Provisioning Engine supports a clustered deployment for failover.
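The HR Feed described under External applications populates the provisioning repository described here. The reconciliation below is an added illustration, not BMC code: it computes the joiner, mover and leaver actions implied by a constructed HR feed against a constructed repository snapshot, and goes one step beyond the feed itself by flagging identities the authoritative source no longer knows about for review rather than silently deleting them. The `Person` fields and the department-change rule are assumptions for the example.

```python
"""Joiner / mover / leaver reconciliation of an HR Feed against a provisioning repository.

Added illustration, not BMC code. The feed rows, the repository snapshot and the
rule "a department change means the profile must be updated" are all constructed
for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    department: str
    status: str  # "active" or "terminated" in the constructed feed


# Constructed HR feed: the authoritative source of people data.
HR_FEED = [
    Person("1001", "A. Ames", "finance", "active"),
    Person("1002", "B. Bell", "engineering", "active"),   # mover: was in support
    Person("1003", "C. Cruz", "finance", "terminated"),    # leaver
    Person("1004", "D. Diaz", "support", "active"),        # joiner
]

# Constructed snapshot of the provisioning repository before the feed is applied.
REPOSITORY = {
    "1001": Person("1001", "A. Ames", "finance", "active"),
    "1002": Person("1002", "B. Bell", "support", "active"),
    "1003": Person("1003", "C. Cruz", "finance", "active"),
    "1005": Person("1005", "E. Eng", "engineering", "active"),  # not in the feed
}


def reconcile(feed, repo):
    """Return the provisioning actions implied by applying `feed` to `repo`.

    create  - person in the feed but not yet in the repository (joiner)
    update  - person present in both, but the department changed (mover)
    disable - person the feed reports as terminated and still active here (leaver)
    review  - person in the repository that the feed does not mention at all;
              this is left for a human because it may be a feed defect rather
              than a departure, and an orphaned identity is a risk either way.
    """
    actions = {"create": [], "update": [], "disable": [], "review": []}
    seen = set()
    for p in feed:
        seen.add(p.person_id)
        current = repo.get(p.person_id)
        if p.status == "terminated":
            # Only act if the repository still believes the account is live.
            if current is not None and current.status != "terminated":
                actions["disable"].append(p.person_id)
            continue
        if current is None:
            actions["create"].append(p.person_id)
        elif current.department != p.department:
            actions["update"].append(p.person_id)
    # Anything the authoritative source no longer knows about needs attention.
    for pid in repo:
        if pid not in seen:
            actions["review"].append(pid)
    return actions


if __name__ == "__main__":
    for action, ids in reconcile(HR_FEED, REPOSITORY).items():
        print(f"{action:8s} {ids}")
```

The same shape of comparison applies to a download from a managed system's security repository, with the provisioning repository as the intended state and the target's accounts as the observed one.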

BMC Identity Management Service Manager is responsible for communicating provisioning commands generated by ESS to the pertinent managed system, via Provisioning Modules. Service Manager interacts with the managed system via Provisioning Modules. Multiple instances of Service Manager can be deployed, either on a single machine or on several servers. Any number of instances can be active at a given time. With a few exceptions, each instance can manage several Provisioning Modules concurrently.

BMC Identity Management Provisioning Modules are utilized for interaction between Service Manager and the Managed System, including translation of Provisioning Engine commands into a command format that is understood by the managed system. The BMC Identity Management Suite boasts over 50 Provisioning Modules that support a broad range of target systems, including operating systems (Windows, AS/400, MF), applications (SAP), security systems (RACF, ACF2), directories (Active Directory, eDirectory), relational databases (Oracle, Sybase), and more.

Many Provisioning Modules feature an ability to intercept changes occurring at a managed target system, via special interceptors. The online interceptor enables timely detection of managed system events by subscribing to pertinent managed system change notification services; the offline interceptor enables the identification of managed system events by querying system logs (among other things); and the password interceptor enables the detection of password changes (on specific systems, such as Windows 2000). Additionally, all Provisioning Modules support the ability to initiate a download (retrieval of information from the managed system security repository) and an ability to initiate a synchronization process with the managed system's security repository.

Provisioning Modules can be deployed together with Service Manager on the target system to be managed (local deployment); deployment options vary depending on the managed system.
For instance, just one Provisioning Module for Windows 2000 is required to be installed on a server or a workstation in the domain tree in order to manage the entire tree. Many Provisioning Modules can also be deployed on a machine remote to the managed system (remote deployment). Local deployment of Provisioning Modules helps reduce traffic and ensures that changes made to the managed system identity records are captured by the Service Manager even during a network failure. In contrast, remote deployment of provisioning modules reduces the administrative deployment effort.

New Provisioning Modules can be created via the XModule Studio. The XModule Studio streamlines and simplifies the creation and deployment of custom provisioning and compliance modules (see BMC Identity Compliance Manager, page?), by employing a wizard-like approach that guides component designers through the process of creating custom modules via a compelling, user-friendly UI. This eliminates the need to employ coding to address requirements, and reduces debugging considerably.

BMC Identity Web Access Manager

BMC Identity Web Access Manager combines several key components that together address salient Web access requirements. The BMC Identity Web Access Manager administration console consolidates a variety of administrative functions enabling organizations to specify and to manage user rights for accessing Web-based resources. The Enforcement Agent intercepts attempts to access Web resources and enforces access according to the specified access rights. Responsible for providing authentication, authorization, and single sign-on to Web-based applications, the Enforcement Agent is installed as a plug-in to a Web or proxy server, and intercepts HTTP/HTTPS requests to access Web resources.
The Enforcement Agent supports multiple authentication types (e.g., basic authentication, X.509 certificate authentication) and enforces access policies and settings, ensuring secure access to Web-based resources, based on settings specified using the BMC Identity Web Access Manager. It supports a variety of systems, including major portals, application servers, and Microsoft products, among others. Configuration data for the BMC Identity Web Access Manager and Enforcement Agent is stored in the directory. Significantly, the Enforcement Agent can also be deployed in a reverse proxy mode (see figure 13).

For scalability, the BMC Identity Web Access Management architecture leverages the architecture of Web, directory, and J2EE application servers for optimal results. Additional features facilitating better scalability and superior performance include having the complete user session data contained in a cookie, and the implementation of caching. The BMC Identity Web Access Management services expose a raft of administration APIs that enable organizations to secure custom applications without being required to resort to LDAP programming. BMC Identity Web Access Manager also supports an RBAC model for role management and employs cookies for session management. The BMC Identity Web Access Manager console serves for setting and maintaining the configuration of the services related to Web access management, single sign-on, and BMC Identity Web Access Manager administration.
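The Enforcement Agent described above carries the complete user session in a cookie and applies an RBAC policy to each intercepted request. The following is an added illustration, not BMC code, of the two properties such a design depends on: the session cookie is integrity-protected and time-limited, so a tampered or expired session is rejected, and the resource policy denies by default. The HMAC construction, the `POLICY` table, its path prefixes and roles, and the key are all constructed assumptions for the example.

```python
"""Model of an enforcement agent that keeps the whole session in a signed cookie.

Added illustration, not BMC code. The key, the policy table and the cookie
layout (base64url(JSON claims) "." hex HMAC-SHA256 tag) are constructed here.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed key; a real agent reads its key from its configuration store.
SECRET = b"constructed-demo-key-do-not-reuse"

# Constructed policy: path prefix -> roles that may access it (empty = public).
# Evaluated in order; the first matching prefix wins, anything unmatched is denied.
POLICY = [
    ("/admin/", {"admin"}),
    ("/finance/", {"finance", "admin"}),
    ("/public/", set()),
]


def issue_session(user, roles, ttl=600, now=None):
    """Build the cookie value: claims, base64url-encoded, plus an HMAC tag."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "roles": list(roles), "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    body = base64.urlsafe_b64encode(payload).rstrip(b"=")
    tag = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{tag}"


def parse_session(cookie, now=None):
    """Return the claims if the cookie is well-formed, untampered and unexpired; else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    # Verify the tag before touching the claims, and in constant time.
    if not hmac.compare_digest(expected, tag):
        return None
    pad = "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(body + pad))
    if claims["exp"] <= now:
        return None
    return claims


def enforce(path, cookie, now=None):
    """Decide an intercepted request: returns (decision, reason)."""
    required = None
    for prefix, roles in POLICY:
        if path.startswith(prefix):
            required = roles
            break
    if required is None:
        return ("deny", "no policy for resource")
    if not required:
        return ("allow", "public resource")
    claims = parse_session(cookie, now) if cookie else None
    if claims is None:
        return ("redirect-to-login", "missing, tampered or expired session")
    if required & set(claims["roles"]):
        return ("allow", f"{claims['sub']} holds a permitted role")
    return ("deny", f"{claims['sub']} lacks any of {sorted(required)}")


if __name__ == "__main__":
    cookie = issue_session("alice", ["finance"])
    for p in ("/finance/report", "/admin/users", "/public/index.html", "/other/"):
        print(p, enforce(p, cookie))
```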

BMC Identity Federation Manager

BMC Identity Federation Manager facilitates the establishment of trust relationships between business partners, which enables secure identity management across business domains. Federated sign-on facilitates collaboration with business partners. BMC Identity Federation Manager interacts directly with the directory for retrieval and storage of data related to inbound and outbound communication. As federation takes great advantage of standards, BMC Identity Federation Manager comes with support for a raft of standards, including SAML 1.x and 2.0, WS-Federation, Liberty Identity Federation Framework (ID-FF), Liberty ID-WSF 2.0 AuthN service, and Discovery service, among others.

BMC Identity Federation Manager can be installed in two modes: standalone, and suite integration. In standalone mode, BMC Identity Federation Manager stores configuration in a flat file, and the configuration UI is protected by the application server on which it is installed. As an independent Web application, it can also be protected by the BMC Web Access Manager. Additionally, logging to a flat file is supported (logging to a database can be set via special customization). In suite integration mode, the configuration data is maintained by BMC Identity Federation Manager directly, either in a flat file or in an LDAP repository. However, in this mode, BMC Identity Federation Manager leverages the suite logging services.

BMC Identity Compliance Manager

BMC Identity Compliance Manager is an application that facilitates implementation of identity auditing standards, and creation of reports demonstrating compliance with such standards.
BMC Identity Compliance Manager enables organizations to define identity management-related policies and test compliance with these policies, employing compliance modules (which define the type of audit operation applied to a data source), policies (implementations of a module, specifying the testing criteria for that type of audit), and activities (implementations of a policy, with settings specifying how the audit is run); this model highlights policy exceptions and triggers workflow processes whenever certain conditions are met. BMC Identity Compliance Manager also boasts features that facilitate effective attestation of user access rights.

To fulfill requested services, BMC Identity Compliance Manager interacts with BMC Identity Compliance Manager Services; it does not call Open Services directly. BMC Identity Compliance Manager Services is responsible for performing the audit reporting and analysis tasks requested through the BMC Identity Compliance Manager application. BMC Identity Compliance Manager Services communicates with Open Services for operations requiring service by the Provisioning Engine, including authentication. BMC Identity Compliance Manager Services connects to the Provisioning Engine to support functionality of the Compliance Manager's Compliance and Reporting modules. For retrieval of data from the BMC Identity Management Database, BMC Identity Compliance Manager Services communicates directly with the BMC Identity Management Database (via JDBC). BMC Identity Compliance Manager's supported audited data sources include databases (e.g., Oracle, Sybase) and LDAP directories. Additional data sources can be supported via Java code in Compliance Manager Module plug-ins. New modules can be added via the XModule Studio.
BMC Identity Directory Manager

BMC Identity Directory Manager is a full-featured environment for visualization of identity data stored in various repository types, as well as for content management and development of J2EE and workflow-enabled identity management applications that can be deployed within the common UI framework of the suite. BMC Identity Directory Manager facilitates management of people data by enabling advanced data extraction operations, data synthesis, and delivery of rich data display. Key components of BMC Identity Directory Manager include the engine, the console, and the studio. The engine manages the execution of application logic, connections with LDAP directories (login, connection pool management, and security), and access management to data and other BMC Identity Directory Manager services (data, session, and Web services management; task scheduling and event logging). The console serves as the configuration environment for applications, directory connections, load balancing, and failover, among other things. The studio is the central environment for application development.

BMC Identity Directory Manager presents a UI that enables interaction with data on directories and other data sources supported by the suite. BMC Identity Directory Manager employs a UI framework that is compliant with established accessibility standards (e.g., Section 508, WCAG 1.0) and is based on a service-oriented architecture approach. Application designers can create new logical data models based on physical data, and build applications that leverage the models and display content in custom-created visual forms. Access rights to application-related data are defined using an RBAC model. Applications are implemented on an application server by using application server tools to deploy a J2EE .war file that is generated from the BMC Identity Directory Manager console. Applications developed with previous versions of BMC Identity Directory Manager (3.0 and above) can be imported, and there is support for an automatic migration process.

BMC Identity Directory Manager provides seamless access to data on a myriad of repositories, including databases (through JDBC and JDBC/ODBC bridges) from Oracle, Sybase, DB2, MySQL, and SQL Server, and LDAP-enabled repositories (through JNDI), such as Sun ONE Directory Server, iPlanet Directory Server, Active Directory, OpenLDAP, Netscape Directory Server, and more. It enables applications to manipulate data through Web Services. Applications can expose Web Service interfaces that are called by other applications. Application scalability (e.g., via load balancing) and high availability generally rely on the J2EE application server architecture.

The benefits of an integrated product suite

The BMC Identity Management Architecture is more than the sum of its parts.
By fusing proven BMC provisioning, Web access management, and workflow solutions together with an open-ended modular design, the BMC architecture transforms an already powerful product suite into a feature-laden identity management platform, capable of accommodating customer requirements well into the future. The BMC Identity Management Architecture is all about openness. Designed for the future, it ensures smoother interoperability by embracing standards, such as J2EE Web Services and SPML, and adopting an open, modular approach to addressing identity management connectivity, service, process, and storage requirements.

> The BMC Identity Management Architecture Open Connectivity Model. The BMC Identity Management Architecture Open Connectivity Model implies an easier interface with new types of clients, and plug-in-ability of third-party services. The architecture supports multiple client interfaces, including Java, SPML, and Web Services. In addition, the architecture is well suited to support new interfaces as they become popular: the BMC Identity Management Architecture has done away with fat interfaces, implementing instead the services common to all interfaces within a shared system core module. Moreover, due to the openness of this approach, this module, like others, can be modified or even totally replaced without affecting the proper functioning of other modules in the system.
> The BMC Identity Management System Open Process Model. BMC Identity Management Architecture operations are managed and coordinated by a special operation execution engine that is responsible for the data flow among service providers and processors. The BMC Identity Management Architecture Open Process Model approach touts two aspects of abstraction by dividing the common services into two logical layers: one that abstracts the intricacies of identity management services, whilst another layer positioned underneath abstracts specific service and storage APIs.
One noteworthy benefit of this approach is the freedom to introduce changes to each layer without affecting the other layer.
> The BMC Identity Management Architecture Open Service Model. Open Services translate to a more flexible architecture and facilitate implementation of new services without requiring changes to the architecture. The BMC Identity Management Architecture employs carefully defined core services to serve a large variety of identity management requests.
> The BMC Identity Management Architecture Open Store Model. The architecture expands customers' choice with regard to identity storage options, letting system data (identity, system metadata, audit logs, etc.) reside in selected repositories. This capability helps leverage various storage systems and more easily accommodate changes with respect to infrastructure. In addition, this approach allows the system to extend support to new storage types in the future.

How does all this help your business?

> Supporting Business Agility: Accommodating Change. The BMC Identity Management Suite's open-ended design offers an unprecedented level of agility to developers and users alike. The architecture accommodates the dynamic nature of business processes, allowing customers to interface with the system's services using a varied selection of clients, to leverage miscellaneous repository technologies, and to reap the benefits of an open-ended architecture.

> Supporting Richer Workflow-Enabled Applications. No identity management platform is worth its salt unless it provides a secure, scalable, reliable, efficient, functional, and expandable service foundation to applications. Furthermore, any platform owes its success to the quality of applications leveraging its power. The BMC Identity Management Suite architecture's service arsenal equips developers with the power to quickly create enterprise-focused applications.
> Supporting Flexible Management of Enterprise Identity Information. The BMC Identity Management Suite's detailed management options open new vistas of possibilities by enhancing the feature set to include powerful reporting and auditing options. The open architecture allows customers to define new logic flow paths far beyond common simple workflows.
> Supporting Connection to a Variety of Services and Applications. The Identity Management Suite wouldn't be that powerful unless it also exposed its services to third-party clients. Supporting major industry standards (and well-equipped to accommodate new standards in the future), the architecture facilitates integration with many business applications and identity-related processes.

Conclusion

The BMC Identity Management Suite 5.5 introduces new and exciting technology, which powers a new generation of identity management applications. The suite's architecture exhibits flexibility and openness that will provide businesses with an agile foundation for their identity management infrastructure. The BMC Identity Management Suite 5.5 builds upon a proven architecture, embedding years of experience and expertise in developing and deploying some of the world's most comprehensive identity management solutions to date, providing a dynamic framework to support the toughest requirements, today and tomorrow.

About BMC Software

BMC Software delivers the solutions IT needs to increase business value through better management of technology and IT processes. Our industry-leading Business Service Management solutions help you reduce cost, lower risk of business disruption, and benefit from an IT infrastructure built to support business growth and flexibility. Only BMC provides best practice IT processes, automated technology management, and award-winning BMC Atrium technologies that offer a shared view into how IT services support business priorities. Known for enterprise solutions that span mainframe, distributed systems, and end-user devices, BMC also delivers solutions that address the unique challenges of the midsized business. Founded in 1980, BMC has offices worldwide and fiscal 2006 revenues of more than $1.49 billion. Activate your business with the power of IT.

BMC Software, the BMC Software logos and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. All other registered trademarks or trademarks belong to their respective companies. BMC Software, Inc. All rights reserved.


More information

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Automated, role-based user management and provisioning of user services IBM Tivoli Identity Manager Reduce help-desk costs and IT staff workload with Web self-service and password reset/synch interfaces

More information

The Top 5 Federated Single Sign-On Scenarios

The Top 5 Federated Single Sign-On Scenarios The Top 5 Federated Single Sign-On Scenarios Table of Contents Executive Summary... 1 The Solution: Standards-Based Federation... 2 Service Provider Initiated SSO...3 Identity Provider Initiated SSO...3

More information

IBM Tivoli Directory Integrator

IBM Tivoli Directory Integrator IBM Tivoli Directory Integrator Synchronize data across multiple repositories Highlights Transforms, moves and synchronizes generic as well as identity data residing in heterogeneous directories, databases,

More information

Oracle Access Manager. An Oracle White Paper

Oracle Access Manager. An Oracle White Paper Oracle Access Manager An Oracle White Paper NOTE: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any

More information

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management

TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management TECHNOLOGY BRIEF: INTEGRATED IDENTITY AND ACCESS MANAGEMENT (IAM) An Integrated Architecture for Identity and Access Management Table of Contents Executive Summary 1 SECTION 1: CHALLENGE 2 The Need for

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Boosting interoperability and collaboration across mixedtechnology

Boosting interoperability and collaboration across mixedtechnology Boosting interoperability and collaboration across mixedtechnology environments Standards-based identity federation solutions from Microsoft and Novell May 2009 Executive summary Despite remarkable gains

More information

Leveraging the Synergy between Identity Management and ITIL Processes

Leveraging the Synergy between Identity Management and ITIL Processes BEST PRACTICES WHITE PAPER Leveraging the Synergy between Identity Management and ITIL Processes Ken Turbitt, best practices director, BMC Software Rami Elron, senior system architect, Identity Management,

More information

Business-Driven, Compliant Identity Management

Business-Driven, Compliant Identity Management Solution in Detail NetWeaver NetWeaver Identity Business-Driven, Compliant Identity Using NetWeaver Identity Managing users in heterogeneous IT landscapes presents many challenges for organizations. System

More information

SOA REFERENCE ARCHITECTURE: WEB TIER

SOA REFERENCE ARCHITECTURE: WEB TIER SOA REFERENCE ARCHITECTURE: WEB TIER SOA Blueprint A structured blog by Yogish Pai Web Application Tier The primary requirement for this tier is that all the business systems and solutions be accessible

More information

Can I customize my identity management deployment without extensive coding and services?

Can I customize my identity management deployment without extensive coding and services? SOLUTION BRIEF CONNECTOR XPRESS AND POLICY XPRESS UTILITIES IN CA IDENTITY MANAGER Can I customize my identity management deployment without extensive coding and services? SOLUTION BRIEF CA DATABASE MANAGEMENT

More information

Oracle Role Manager. An Oracle White Paper Updated June 2009

Oracle Role Manager. An Oracle White Paper Updated June 2009 Oracle Role Manager An Oracle White Paper Updated June 2009 Oracle Role Manager Introduction... 3 Key Benefits... 3 Features... 5 Enterprise Role Lifecycle Management... 5 Organization and Relationship

More information

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide

BlackBerry Enterprise Service 10. Version: 10.2. Configuration Guide BlackBerry Enterprise Service 10 Version: 10.2 Configuration Guide Published: 2015-02-27 SWD-20150227164548686 Contents 1 Introduction...7 About this guide...8 What is BlackBerry Enterprise Service 10?...9

More information

Fischer International Identity BUILT FOR BUSINESS YOURS. PRODUCT OVERVIEW Fischer Password Manager

Fischer International Identity BUILT FOR BUSINESS YOURS. PRODUCT OVERVIEW Fischer Password Manager Fischer International Identity BUILT FOR BUSINESS YOURS PRODUCT OVERVIEW Fischer Password Manager The Case for Password Management Managing passwords is a common challenge that is shared from the smallest

More information

Perceptive Experience Single Sign-On Solutions

Perceptive Experience Single Sign-On Solutions Perceptive Experience Single Sign-On Solutions Technical Guide Version: 2.x Written by: Product Knowledge, R&D Date: January 2016 2016 Lexmark International Technology, S.A. All rights reserved. Lexmark

More information

Access Management Analysis of some available solutions

Access Management Analysis of some available solutions Access Management Analysis of some available solutions Enterprise Security & Risk Management May 2015 Authors: Yogesh Kumar Sharma, Kinshuk De, Dr. Sundeep Oberoi Access Management - Analysis of some available

More information

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com VENDOR PROFILE Passlogix and Enterprise Secure Single Sign-On: A Success Story Sally Hudson IDC OPINION Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

More information

Open source business rules management system

Open source business rules management system JBoss Enterprise BRMS Open source business rules management system What is it? JBoss Enterprise BRMS is an open source business rules management system that enables easy business policy and rules development,

More information

Alice. Software as a Service(SaaS) Delivery Platform. innovation is simplicity

Alice. Software as a Service(SaaS) Delivery Platform. innovation is simplicity Ekartha, Inc. 63 Cutter Mill Road Great Neck, N.Y. 11021 Tel.: (516) 773-3533 Ekartha India Pvt. Ltd. 814/B Law College Road Demech House, 4th Floor Erandwane, Pune, India Email: info@ekartha.com Web:

More information

How can Identity and Access Management help me to improve compliance and drive business performance?

How can Identity and Access Management help me to improve compliance and drive business performance? SOLUTION BRIEF: IDENTITY AND ACCESS MANAGEMENT (IAM) How can Identity and Access Management help me to improve compliance and drive business performance? CA Identity and Access Management automates the

More information

1 What Are Web Services?

1 What Are Web Services? Oracle Fusion Middleware Introducing Web Services 11g Release 1 (11.1.1) E14294-04 January 2011 This document provides an overview of Web services in Oracle Fusion Middleware 11g. Sections include: What

More information

PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者

PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者 PASS4TEST 専 門 IT 認 証 試 験 問 題 集 提 供 者 http://www.pass4test.jp 1 年 で 無 料 進 級 することに 提 供 する Exam : 000-003 Title : Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2 Vendors :

More information

Integrating Hitachi ID Suite with WebSSO Systems

Integrating Hitachi ID Suite with WebSSO Systems Integrating Hitachi ID Suite with WebSSO Systems 2015 Hitachi ID Systems, Inc. All rights reserved. Web single sign-on (WebSSO) systems are a widely deployed technology for managing user authentication

More information

Realizing business flexibility through integrated SOA policy management.

Realizing business flexibility through integrated SOA policy management. SOA policy management White paper April 2009 Realizing business flexibility through integrated How integrated management supports business flexibility, consistency and accountability John Falkl, distinguished

More information

API Architecture. for the Data Interoperability at OSU initiative

API Architecture. for the Data Interoperability at OSU initiative API Architecture for the Data Interoperability at OSU initiative Introduction Principles and Standards OSU s current approach to data interoperability consists of low level access and custom data models

More information

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service

An Oracle White Paper Dec 2013. Oracle Access Management Security Token Service An Oracle White Paper Dec 2013 Oracle Access Management Security Token Service Disclaimer The following is intended to outline our general product direction. It is intended for information purposes only,

More information

Business-Driven, Compliant Identity Management

Business-Driven, Compliant Identity Management SAP Solution in Detail SAP NetWeaver SAP Identity Management Business-Driven, Compliant Identity Management Table of Contents 3 Quick Facts 4 Business Challenges: Managing Costs, Process Change, and Compliance

More information

IBM Content Integrator Enterprise Edition, Version 8.5.1

IBM Content Integrator Enterprise Edition, Version 8.5.1 IBM Software Information Management IBM Content Integrator Enterprise Edition, Version 8.5.1 Highlights Enriches portals and key business applications with federated access to content stored in multiple

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise

More information

First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2

First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2 First-hand Information about the Enhanced Functionality and Integration Options Within SAP NetWeaver Identity Management 7.2 SAP Product Management, SAP NetWeaver Identity Management & Security Kristian

More information

Single Sign On In A CORBA-Based

Single Sign On In A CORBA-Based Single Sign On In A CORBA-Based Based Distributed System Igor Balabine IONA Security Architect Outline A standards-based framework approach to the Enterprise application security Security framework example:

More information

Get Success in Passing Your Certification Exam at first attempt!

Get Success in Passing Your Certification Exam at first attempt! Get Success in Passing Your Certification Exam at first attempt! Exam : 000-003 Title : Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2 Version : Demo 1.What is another

More information

Simplified Management With Hitachi Command Suite. By Hitachi Data Systems

Simplified Management With Hitachi Command Suite. By Hitachi Data Systems Simplified Management With Hitachi Command Suite By Hitachi Data Systems April 2015 Contents Executive Summary... 2 Introduction... 3 Hitachi Command Suite v8: Key Highlights... 4 Global Storage Virtualization

More information

NetworkingPS Federated Identity Solution Solutions Overview

NetworkingPS Federated Identity Solution Solutions Overview NetworkingPS Federated Identity Solution Solutions Overview OVERVIEW As the global marketplace continues to expand, new and innovating ways of conducting business are becoming a necessity in order for

More information

Sun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost

Sun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost Sun Infrastructure Solution for Network Identity Seamlessly extend secure access to your enterprise fast, with reduced deployment time and cost Timothy Siu SE Manager, JES Nov/10/2003 sun.com/solutions/

More information

WebLogic Server 7.0 Single Sign-On: An Overview

WebLogic Server 7.0 Single Sign-On: An Overview WebLogic Server 7.0 Single Sign-On: An Overview Today, a growing number of applications are being made available over the Web. These applications are typically comprised of different components, each of

More information

ROUTES TO VALUE. Business Service Management: How fast can you get there?

ROUTES TO VALUE. Business Service Management: How fast can you get there? ROUTES TO VALUE Business Service : How fast can you get there? BMC Software helps you achieve business value quickly Each Route to Value offers a straightforward entry point to BSM; a way to quickly synchronize

More information

2012 LABVANTAGE Solutions, Inc. All Rights Reserved.

2012 LABVANTAGE Solutions, Inc. All Rights Reserved. LABVANTAGE Architecture 2012 LABVANTAGE Solutions, Inc. All Rights Reserved. DOCUMENT PURPOSE AND SCOPE This document provides an overview of the LABVANTAGE hardware and software architecture. It is written

More information

CA Federation Manager

CA Federation Manager PRODUCT BRIEF: CA FEDERATION MANAGER CA FEDERATION MANAGER PROVIDES STANDARDS-BASED IDENTITY FEDERATION CAPABILITIES THAT ENABLE THE USERS OF ONE ORGANIZATION TO EASILY AND SECURELY ACCESS THE DATA AND

More information

1 What Are Web Services?

1 What Are Web Services? Oracle Fusion Middleware Introducing Web Services 11g Release 1 (11.1.1.6) E14294-06 November 2011 This document provides an overview of Web services in Oracle Fusion Middleware 11g. Sections include:

More information

IBM Tivoli Service Request Manager

IBM Tivoli Service Request Manager Deliver high-quality services while helping to control cost IBM Tivoli Service Request Manager Highlights Streamline incident and problem management processes for more rapid service restoration at an appropriate

More information

Securing the Cloud through Comprehensive Identity Management Solution

Securing the Cloud through Comprehensive Identity Management Solution Securing the Cloud through Comprehensive Identity Management Solution Millie Mak Senior IT Specialist What is Cloud Computing? A user experience and a business model Cloud computing is an emerging style

More information

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption THE DATA PROTECTIO TIO N COMPANY Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption whitepaper Executive Summary Long an important security measure, encryption has

More information

PeopleSoft Enterprise Directory Interface

PeopleSoft Enterprise Directory Interface PeopleSoft Enterprise Directory Interface Today s self-service applications deliver information and functionality to large groups of users over the internet. Organizations use these applications as a cost-effective

More information

NEWMERIX AUTOMATE! FOR PEOPLESOFT 3.0 INTEGRATION WITH PEOPLESOFT ENTERPRISE

NEWMERIX AUTOMATE! FOR PEOPLESOFT 3.0 INTEGRATION WITH PEOPLESOFT ENTERPRISE NEWMERIX AUTOMATE! FOR PEOPLESOFT 3.0 INTEGRATION WITH PEOPLESOFT ENTERPRISE Control Change Intelligently Newmerix Automate! for PeopleSoft is the only comprehensive application lifecycle management product

More information

ORACLE HYPERION DATA RELATIONSHIP MANAGEMENT

ORACLE HYPERION DATA RELATIONSHIP MANAGEMENT Oracle Fusion editions of Oracle's Hyperion performance management products are currently available only on Microsoft Windows server platforms. The following is intended to outline our general product

More information

ELM Manages Identities of 4 Million Government Program Users with. Identity Server

ELM Manages Identities of 4 Million Government Program Users with. Identity Server ELM Manages Identities of 4 Million Government Program Users with Identity Server ELM Implements Single Sign-on With WSO2 Identity Server to Streamline Administration, Improve Productivity, and Reduce

More information

Using EMC Documentum with Adobe LiveCycle ES

Using EMC Documentum with Adobe LiveCycle ES Technical Guide Using EMC Documentum with Adobe LiveCycle ES Table of contents 1 Deployment 3 Managing LiveCycle ES development assets in Documentum 5 Developing LiveCycle applications with contents in

More information

Password Self-Service for Novell edirectory. Brent McCormick Novell Corporate Technology Strategist

Password Self-Service for Novell edirectory. Brent McCormick Novell Corporate Technology Strategist Password Self-Service for Novell edirectory Brent McCormick Novell Corporate Technology Strategist Audience by Industry Government Healthcare Financial Services Education Telecommunications Manufacturing

More information

Security management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value.

Security management White paper. Develop effective user management to demonstrate compliance efforts and achieve business value. Security management White paper Develop effective user management to demonstrate compliance efforts and achieve business value. September 2008 2 Contents 2 Overview 3 Understand the challenges of user

More information

NetIQ Identity Manager Setup Guide

NetIQ Identity Manager Setup Guide NetIQ Identity Manager Setup Guide July 2015 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

IBM Security & Privacy Services

IBM Security & Privacy Services Enter Click Here The challenge of identity management Today organizations are facing paradoxical demands for greater information access and more stringent information security. You must deliver more data

More information

Q&A Session for Understanding Atrium SSO Date: Thursday, February 14, 2013, 8:00am Pacific

Q&A Session for Understanding Atrium SSO Date: Thursday, February 14, 2013, 8:00am Pacific Q: Is the challenge required or can pass through authentication be used with regard to automatic login after you login to your corporate domain? A: You can configure the system to pass on the challenge

More information

Manufacturer to Enhance Efficiency with Improved Identity Management

Manufacturer to Enhance Efficiency with Improved Identity Management Microsoft Forefront: Security Products for Business Customer Solution Case Study Manufacturer to Enhance Efficiency with Improved Identity Management Overview Country or Region: United States Industry:

More information

Controlling Web Access with BMC Web Access Manager WHITE PAPER

Controlling Web Access with BMC Web Access Manager WHITE PAPER Controlling Web Access with BMC Web Access Manager WHITE PAPER Table of Contents Executive Summary...2 The BMC Identity and Access Management Approach...3 BMC Enforcement Agent Deployment Flexibility...3

More information

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

Open Directory. Apple s standards-based directory and network authentication services architecture. Features Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data

More information

RSA ACCESS MANAGER. Web Access Management Solution ESSENTIALS SECURE ACCESS TO WEB APPLICATIONS WEB SINGLE SIGN-ON CONTEXTUAL AUTHORIZATION

RSA ACCESS MANAGER. Web Access Management Solution ESSENTIALS SECURE ACCESS TO WEB APPLICATIONS WEB SINGLE SIGN-ON CONTEXTUAL AUTHORIZATION RSA ACCESS MANAGER Web Access Management Solution ESSENTIALS Secure Access Enforces access to Web applications based on risk and context Centralizes security and enforces business policy Web Single Sign-on

More information

Securing your business

Securing your business Securing your business Anders Askåsen Product Manager for OpenIDM * World Wide Coverage ForgeRock.com Enterprise Open Source Software ForgeRock Norway ForgeRock USA ForgeRock UK ForgeRock France Consulting

More information

Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual

Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123. Instructor Manual Troubleshooting BlackBerry Enterprise Service 10 version 10.1.1 726-08745-123 Instructor Manual Published: 2013-07-02 SWD-20130702091645092 Contents Advance preparation...7 Required materials...7 Topics

More information

JBoss enterprise soa platform

JBoss enterprise soa platform JBoss enterprise soa platform What is it? The JBoss Enterprise SOA Platform includes serviceoriented architecture (SOA) open source middleware such as JBoss Enterprise Service Bus (ESB), JBoss jbpm, JBoss

More information

From Managing Boxes to Managing Business Processes

From Managing Boxes to Managing Business Processes From Managing Boxes to Managing Business Processes The evolving role of IT Service Management BEST PRACTICES WHITE PAPER Table of Contents ABSTRACT... 1 INTRODUCTION THE EVOLUTION OF IT SYSTEMS MANAGEMENT...

More information

Additionally, as a publicly traded company, there are regulatory compliance motivations.

Additionally, as a publicly traded company, there are regulatory compliance motivations. Case Study Retail Industry Sage, TIM & TAM Author: Mark Funk, Trinity Solutions Senior Tivoli Consultant, with over 25 years of extensive experience in the Information Technology Industry with a excellent

More information

Novell Access Manager

Novell Access Manager J2EE Agent Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP3 February 02, 2011 www.novell.com Novell Access Manager 3.1 SP3 J2EE Agent Guide Legal Notices Novell, Inc., makes no representations

More information

Base One's Rich Client Architecture

Base One's Rich Client Architecture Base One's Rich Client Architecture Base One provides a unique approach for developing Internet-enabled applications, combining both efficiency and ease of programming through its "Rich Client" architecture.

More information

IBM Maximo technology for business and IT agility

IBM Maximo technology for business and IT agility IBM Software Tivoli March 2010 IBM Maximo technology for business and IT agility IBM asset and service management solutions 2 IBM Maximo technology for business and IT agility Contents 2 Executive summary

More information

PortWise Access Management Suite

PortWise Access Management Suite Create secure virtual access for your employees, partners and customers from any location and any device. With todays global and homogenous economy, the accuracy and responsiveness of an organization s

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

Communiqué 4. Standardized Global Content Management. Designed for World s Leading Enterprises. Industry Leading Products & Platform

Communiqué 4. Standardized Global Content Management. Designed for World s Leading Enterprises. Industry Leading Products & Platform Communiqué 4 Standardized Communiqué 4 - fully implementing the JCR (JSR 170) Content Repository Standard, managing digital business information, applications and processes through the web. Communiqué

More information

This research note is restricted to the personal use of christine_tolman@byu.edu

This research note is restricted to the personal use of christine_tolman@byu.edu Burton IT1 Research G00234483 Identity Management Published: 9 July 2012 Analyst(s): Ian Glazer, Bob Blakley Identity management (IdM) has become a distinct aggregation of functions for the maintenance

More information

A Complete Identity Service: The RadiantOne Solution for the FICAM Initiative

A Complete Identity Service: The RadiantOne Solution for the FICAM Initiative A Complete Identity Service: The RadiantOne Solution for the FICAM Initiative Using Advanced Identity Virtualization to Meet the Goals of the Authoritative Attribute Exchange Service Page 1 Table of Contents

More information

BMC Cloud Management Functional Architecture Guide TECHNICAL WHITE PAPER

BMC Cloud Management Functional Architecture Guide TECHNICAL WHITE PAPER BMC Cloud Management Functional Architecture Guide TECHNICAL WHITE PAPER Table of Contents Executive Summary............................................... 1 New Functionality...............................................

More information

Password Management Guide

Password Management Guide www.novell.com/documentation Management Guide Identity Manager 4.0.2 June 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

CA SiteMinder. Implementation Guide. r12.0 SP2

CA SiteMinder. Implementation Guide. r12.0 SP2 CA SiteMinder Implementation Guide r12.0 SP2 This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only

More information

Technical. Overview. ~ a ~ irods version 4.x

Technical. Overview. ~ a ~ irods version 4.x Technical Overview ~ a ~ irods version 4.x The integrated Ru e-oriented DATA System irods is open-source, data management software that lets users: access, manage, and share data across any type or number

More information

Unleash the Full Value of Identity Data with an Identity-Aware Business Service Management Approach

Unleash the Full Value of Identity Data with an Identity-Aware Business Service Management Approach Unleash the Full Value of Identity Data with an Identity-Aware Business Service Approach best practices WHITE PAPER Table of Contents Executive Summary...1 The Evolution of Identity...2 > From User Account...2

More information

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004 Oracle Identity Management: Integration with Windows An Oracle White Paper December. 2004 Oracle Identity Management: Integration with Windows Introduction... 3 Goals for Windows Integration... 4 Directory

More information