Documentation CloudAnywhere http://www.cloudiway.com Page 1
Table of Contents

1 INTRODUCTION 3
2 OVERVIEW 4
2.1 KEY FUNCTIONALITY 4
2.2 PREREQUISITES 5
3 FEATURES 6
3.1 A UNIVERSAL PROVISIONING SOLUTION 6
3.2 CONNECTING DIRECTLY TO A SAAS PROVIDER 7
3.3 INDIRECT CONNECTIONS 7
4 CONFIGURATION 9
4.1 SOURCE CONFIGURATION 9
4.2 SELECTING ATTRIBUTES AND EXCLUSIONS 10
4.3 DEFINING TARGETS 11
4.4 RECONCILIATION AND PROVISIONING RULES 13
5 MAIN OPERATIONS 18
5.1 MANUAL READING 19
5.2 MANUAL RECONCILIATION 19
5.3 PLANNING 20
6 SYNCHRONIZING PASSWORDS 22
6.1 OPERATION 23
6.2 OFFICE 365 AND GOOGLE PASSWORD COMPLEXITY 24
6.3 RESET PASSWORD PORTAL 24
7 ACCESS REQUEST MANAGEMENT PORTAL 27
8 INTEGRATION WITH META-DIRECTORIES 29
1 INTRODUCTION

Companies have always faced the challenge of managing identities and access to a growing number of applications and platforms hosted and deployed in heterogeneous environments. Typically, a user who joins a large company is provisioned in 17 different systems and de-provisioned in only 13 when they leave. These can include HR systems, LDAP directories for authentication and authorization, messaging systems, PBX systems, swipe cards for physical access to the restaurant or business, etc.

These issues are now controlled much more effectively thanks to IAM (Identity and Access Management) solutions based on meta-directories. However, with the advent of the Cloud and hosted SaaS applications, this problem is back on the agenda with the need to integrate SaaS applications into the company's information system.

Companies are forced to manage more and more online services (messaging, e-learning, CRM, storage, etc.) and, in order to control both costs and access, must ensure that their users can access only the services relevant to them: when a new employee joins a company, their account should be created automatically in the range of services to which they need access. If they leave the company, or change roles, their access should be automatically revoked or updated to reflect their new position.

Organizations are faced with three main problems:
- Putting in place role management which is both effective and granular, in order to keep control of access to resources in the Cloud.
- Granting and revoking access in a flexible and responsive way to track changes in their organization (the arrival and departure of employees, changes in use).
- Minimizing the number of user accounts and passwords necessary to access each user's distributed information system.

Many companies already have one or more business directories (LDAP, Active Directory, HR databases, etc.) which they want to use to implement their strategy for integrating SaaS applications.
2 OVERVIEW

CloudAnywhere is an Identity Management Solution for hosted services. It synchronizes the users, groups, contacts, Organizational Units (OU) and passwords in your source directory (Active Directory, LDAP, etc.) with all your SaaS or ASP suppliers. Connectors are also available to synchronize LDAP directories, Exchange and Lync platforms.

This software meets the challenges of integrating SaaS applications into your global information system. It helps you to build a business strategy for the Cloud, guaranteeing you control over the administration and access for any present or future SaaS provider.

CloudAnywhere makes your Active Directory the heart of your Cloud strategy by allowing you to manage access to your resources in the Cloud from your local Active Directory. The Active Directory source may be replaced by any other enterprise source (LDAP, Google Apps accounts, etc.).

Based on the definition of roles stored in the source directory (group membership, the value of an LDAP attribute, etc.), CloudAnywhere makes decisions for provisioning/de-provisioning users and groups connected to different targets. It ensures that users who require access to their resources have an account with the service provider, based on the roles and permissions defined in the source directory.

CloudAnywhere fulfils the following objectives:
- It provides SaaS resource access to your information system users.
- It manages access from your local Active Directory.
- It minimizes the number of user accounts and passwords needed to access all the various services.

2.1 KEY FUNCTIONALITY

CloudAnywhere is a so-called "On-Premises" solution that installs on your internal network.
- A Universal Provisioning solution.
- Active Directory <-> Cloud synchronization:
  o Synchronize your users
  o Synchronize your groups
  o Synchronize your contacts
  o Synchronize your Organizational Units (OU)
  o Synchronize your passwords
- Role and access management.
- A Reset Password Portal for end users and support teams.
- Multi-domain and multi-forest. Being multi-domain and multi-forest, CloudAnywhere can connect to all your AD sources and eliminates the need for an expensive consolidation project for your source directories.
CloudAnywhere can also be used to consolidate internal directories or to provision Exchange and Lync platforms (PowerShell Connector to run the scripts of your choice).

Sources available:
- Active Directory
- LDAP directories
- CSV files
- Google Apps

Targets available:
- Google
- Postini
- SalesForce
- Office 365
- RunMyProcess
- DropCloud
- WikiPixel
- Cloudiway Provisioning Portal (for ASP hosts)
- Active Directory
- LDAP directories
- Exchange (PowerShell Connector)
- Lync (PowerShell Connector)

The CloudAnywhere SDK also means that new connectors can be developed in less than five days. Please contact us if you want us to develop a new target to meet your needs.

2.2 PREREQUISITES

- Installs on Windows Server 2003, 2008 or 2008 R2, 32 or 64 bit.
- Requires at least .NET 4.0.
- Requires a Microsoft SQL Server (any version; the free SQL Express edition is also supported).
- Requires IIS (if the Reset Password Portal is installed).
- Supports virtual environments.

Windows 2008 R2 and Windows 2012 are the recommended OS. If you plan to provision Office 365 it is mandatory to install CloudAnywhere on 2008 R2 or Windows 2012: the PowerShell cmdlets for Office 365 can only be installed on Windows 7, Windows 2008 R2 and Windows 2012.
3 FEATURES

CloudAnywhere is a universal provisioning platform for your SaaS applications. The provisioning is done by synchronizing the source directories you use as repositories.

3.1 A UNIVERSAL PROVISIONING SOLUTION

CloudAnywhere comes with a range of connectors as standard for SaaS applications such as:
- Google Apps
- Postini
- Office 365
- SalesForce
- RunMyProcess
CloudAnywhere comes with an SDK (Software Development Kit) for creating new connectors to SaaS applications. Thanks to this SDK the CloudAnywhere community regularly develops new connectors and expands the list of suppliers which can be managed by the solution. These connectors are all available on the CLOUDIWAY website. To set up a new target, simply move the associated connector into the CloudAnywhere "Connectors" directory.

In order to develop a connector for a SaaS application the supplier must have a Provisioning API (Application Programming Interface) available online (e.g. CreateUser, DeleteUser, ModifyUser, ChangePassword, etc.). If they don't have an API available, CLOUDIWAY can approach the vendor and make its technology and provisioning server available to them, to act as a gateway between CloudAnywhere provisioning and the host system.

3.2 CONNECTING DIRECTLY TO A SAAS PROVIDER

If the supplier has a SaaS Provisioning API, the connector communicates natively with the SaaS application's provisioning interface. Any changes in the source AD (i.e. creation, deletion, modification) of users, groups or passwords will be propagated to the connected targets.

3.3 INDIRECT CONNECTIONS

If the supplier does not have a SaaS Provisioning API, CLOUDIWAY can approach the provider and offer them its provisioning server. CloudAnywhere comes with a built-in connector that interfaces with the provisioning server. The server-side host installed at the provider can then read and write into the provider's account database (LDAP, SQL database, etc.).
4 CONFIGURATION

4.1 SOURCE CONFIGURATION

CloudAnywhere connects to the various local Active Directories. It is multi-domain and multi-forest and connects to all the directory sources of the information system.

By default the whole AD source is read. However, it is possible to exclude certain OUs, or conversely to synchronize only the selected OUs. You can also pull the users of your AD based on a group membership.

Disable Pulling is an option that you check if you plan to work with or extend a platform like FIM 2010.

CloudAnywhere can also use any LDAP directory or CSV file as a source.
Additional connectors (e.g. for Google, Novell) are under development.

4.2 SELECTING ATTRIBUTES AND EXCLUSIONS

By default, most of the necessary attributes are pulled from the AD. However, you can read as many attributes as you like. Similarly, all default accounts and group data are pulled. The source filtering engine allows you to exclude any accounts you want based on the criteria defined.
Defining a filter.

4.3 DEFINING TARGETS

In the Targets tab, you can define the targets you want to connect to. Click Add to add a new target, then click Edit to configure its connection parameters.
For each target, the appropriate configuration window is shown.

The deletion rules define how a target should react on receiving a delete event. This is a safety feature to avoid deleting a target's content by mistake. This parameter can be used to transform a delete request into a disable request.

Some targets have organizational concepts equivalent to Active Directory Organizational Units (OU). It is then possible to synchronize them and to provision users in the respective OUs. For example, it is possible to:
- not synchronize the OUs (Create Users in the root organization);
- synchronize users without using an existing OU (Create users to Existing Organizations);
- synchronize the OUs, making it possible to map them to different names. In this case, a mapping file is used:

    <?xml version="1.0" encoding="utf-8"?>
    <OUMapping>
      <Domain domainname="ilinfo.fr">
        <OU source="ou=emea,dc=domvirtu,dc=com" target="businessou"/>
        <OU source="ou=computers,ou=bcp,dc=domvirtu,dc=com" target="ilinfo.fr/business2"/>
        <OU source="ou=users,ou=bcp,dc=domvirtu,dc=com" target="ilinfo.fr/business"/>
      </Domain>
    </OUMapping>

OUMapping.xml

4.4 RECONCILIATION AND PROVISIONING RULES

Configuring the provisioning rules requires four steps:
- Provisioning decision: should the current object being provisioned be created or deleted in the target?
- Which attributes need to be synchronized with the target?
- What reconciliation rules are established with the target?
- What naming convention is followed during the provisioning?
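Returning to the OUMapping.xml file of section 4.3: the following is an added example, not part of the CloudAnywhere documentation or product, of a small Python parser for that format with a resolver that places a source object in the target OU mapped for its container. Assumptions: DN comparison is case-insensitive, an object whose own OU is unmapped falls back to the nearest mapped ancestor OU, and an object with no mapped ancestor goes to the root organization (the first mode listed above).

```python
import xml.etree.ElementTree as ET

# Constructed sample, copied from the OUMapping.xml shown in section 4.3.
OU_MAPPING_XML = """<?xml version="1.0" encoding="utf-8"?>
<OUMapping>
  <Domain domainname="ilinfo.fr">
    <OU source="ou=emea,dc=domvirtu,dc=com" target="businessou"/>
    <OU source="ou=computers,ou=bcp,dc=domvirtu,dc=com" target="ilinfo.fr/business2"/>
    <OU source="ou=users,ou=bcp,dc=domvirtu,dc=com" target="ilinfo.fr/business"/>
  </Domain>
</OUMapping>
"""

def normalize_dn(dn):
    # Case-insensitive comparison (assumed): trim and lower-case each RDN so
    # "OU=Users, OU=BCP, DC=DomVirtu, DC=com" matches the mapping entry.
    # Escaped commas inside RDN values are not handled by this simple split.
    return ",".join(part.strip().lower() for part in dn.split(",") if part.strip())

def parse_ou_mapping(xml_text):
    """Return {domainname: {normalized source OU DN: target OU}}; reject malformed files."""
    root = ET.fromstring(xml_text)
    if root.tag != "OUMapping":
        raise ValueError("not an OUMapping document")
    mapping = {}
    for domain in root.findall("Domain"):
        name = domain.get("domainname")
        if not name:
            raise ValueError("Domain element without domainname")
        entries = mapping.setdefault(name.lower(), {})
        for ou in domain.findall("OU"):
            src, tgt = ou.get("source"), ou.get("target")
            if not src or not tgt:
                raise ValueError("OU element needs both source and target")
            key = normalize_dn(src)
            if key in entries and entries[key] != tgt:
                raise ValueError("conflicting targets for " + src)
            entries[key] = tgt
    return mapping

def parent_dn(dn):
    # Drop the leading RDN: the container of "cn=jane,ou=users,dc=x" is "ou=users,dc=x".
    _head, sep, rest = dn.partition(",")
    return rest if sep else ""

def resolve_target_ou(mapping, domainname, object_dn, root_org="/"):
    """Target OU for a source object: its own OU if mapped, else the nearest
    mapped ancestor OU (assumed), else root_org ('create in root' mode)."""
    entries = mapping.get(domainname.lower(), {})
    container = normalize_dn(parent_dn(object_dn))
    while container:
        if container in entries:
            return entries[container]
        container = parent_dn(container)
    return root_org
```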
4.4.1 PROVISIONING DECISIONS

An object being synchronized can be provisioned in a target based on different criteria, for example the value of an LDAP attribute or an Active Directory group membership from a synchronized source domain.
4.4.2 ATTRIBUTES TO BE SYNCHRONIZED

In this section you can choose which attributes to synchronize with this target.

4.4.3 RECONCILIATION RULES

When you connect to a new SaaS target, it is likely that it will already contain objects (user accounts, groups or contacts). It is also possible that, in some cases, the target administrator will create user accounts manually. The reconciliation rules allow you to map existing objects in the source to existing objects in the target according to the construction rules.
In this situation, all rules are evaluated from top to bottom. Once a rule matches, a connection is made between the source and target object. If, after the attempt at reconciliation, no match could be made, the object will be created in the target.

The connection is made between the construction rule defined here and the attribute value defining the unique identifier in the target:
- FLastName: <First letter of First Name><Surname>
- FDotLastName: <First letter of First Name><Surname>
- FirstNameDotLastName: <First Name>.<Surname>
- samaccountname
- Email Processing: with email migration it's possible that the domain name will change. This rule is used to retrieve the source email, apply the transformation to the target domain and attempt a match.
- MailExactMatch: the attribute value storing the email
- Programmatic: a programmatic extension where you can put your own business rules.

4.4.4 PROVISIONING
- UpperCase: converts the login to uppercase
- LowerCase: converts the login to lowercase
- PascalCasing: capitalizes the first letter of each word

If no reconciliation rule returns a match, the account is created (provisioned in the target) following the naming rules that have been defined.
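An added example, not CloudAnywhere's own code, that models the top-to-bottom reconciliation of section 4.4.3 followed by the naming rules of section 4.4.4. Assumptions: the target's unique identifier is the primary e-mail address (as for a Google Apps target), so name-based rules are completed with the target mail domain; FDotLastName is read as <initial>.<Surname> from its name; the source attribute names and the sample accounts are constructed.

```python
import re

# Construction rules: each returns the candidate unique identifier in the target.
# `dom` is the target's mail domain (assumed to form the unique identifier).
def f_last_name(src, dom):                 # <First letter of First Name><Surname>
    return src["givenName"][:1] + src["sn"] + "@" + dom

def f_dot_last_name(src, dom):             # <initial>.<Surname>; the dot is assumed from the rule name
    return src["givenName"][:1] + "." + src["sn"] + "@" + dom

def first_name_dot_last_name(src, dom):    # <First Name>.<Surname>
    return src["givenName"] + "." + src["sn"] + "@" + dom

def sam_account_name(src, dom):
    return src["sAMAccountName"] + "@" + dom

def email_processing(src, dom):            # keep the local part, rewrite to the target domain
    return src["mail"].partition("@")[0] + "@" + dom

def mail_exact_match(src, dom):            # the source mail attribute, unchanged
    return src["mail"]

RULES = [("FLastName", f_last_name), ("FDotLastName", f_dot_last_name),
         ("FirstNameDotLastName", first_name_dot_last_name),
         ("samaccountname", sam_account_name),
         ("EmailProcessing", email_processing), ("MailExactMatch", mail_exact_match)]

def pascal_casing(login):
    # Capitalize the first letter of each word (a word is an alphanumeric run).
    return re.sub(r"[A-Za-z0-9]+", lambda m: m.group(0)[:1].upper() + m.group(0)[1:], login)

CASE_RULES = {"UpperCase": str.upper, "LowerCase": str.lower, "PascalCasing": pascal_casing}

def reconcile(src, target_ids, dom, rules=RULES):
    """Evaluate rules top to bottom; the first candidate that exists in the target binds."""
    existing = {t.lower() for t in target_ids}
    for name, rule in rules:
        candidate = rule(src, dom).lower()
        if candidate in existing:
            return {"action": "bind", "rule": name, "target_id": candidate}
    return None

def provision(src, target_ids, dom, naming_rule, case_rule, rules=RULES):
    """Bind if any reconciliation rule matches; otherwise create with the naming rule."""
    bound = reconcile(src, target_ids, dom, rules)
    if bound:
        return bound
    local = naming_rule(src, dom).partition("@")[0]
    login = CASE_RULES[case_rule](local) + "@" + dom
    if login.lower() in {t.lower() for t in target_ids}:
        # The generated login collides with a target object no rule reconciled
        # (a homonym): leave it for a manual bind/unbind instead of creating.
        return {"action": "conflict", "target_id": login}
    return {"action": "create", "target_id": login}

# Constructed sample data: what the target already contains, and three source users.
TARGET_IDS = ["jdoe@saas.example", "bob.martin@saas.example"]
SRC_JANE = {"givenName": "Jane", "sn": "Doe", "sAMAccountName": "jane.doe", "mail": "jane.doe@corp.example"}
SRC_BOB = {"givenName": "Bob", "sn": "Martin", "sAMAccountName": "bmartin", "mail": "bob.martin@corp.example"}
SRC_ANN = {"givenName": "Ann", "sn": "Lee", "sAMAccountName": "alee", "mail": "ann.lee@corp.example"}
```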
5 MAIN OPERATIONS

The CloudAnywhere overview shows all the connected sources and targets. The management console shows each managed account in a source or a target, displays its properties and shows to which source or target accounts it is connected.

You can manually change the status of an object:
- Forcing an object to be filtered.
  o In this case the synchronization rules will never be applied.
  o If it is connected to an existing object, the target object is deleted / deactivated. (You can break the link before disabling an account to avoid deleting the target.)
- Bind / unbind two objects manually.
  o This is useful for managing any problems with homonyms and for forcing an account to bind to the target object of your choice.
  o These manually forced connections are then no longer checked.

When the processing rules are validated, you can activate the CloudAnywhere service, which periodically synchronizes sources and targets.
5.1 MANUAL READING

You can manually read a source or a target to pull the data and then manually test the reconciliation and provisioning rules.

5.2 MANUAL RECONCILIATION

You can test your reconciliation and provisioning rules manually. First, synchronize your sources and targets and then click Reconcile. The list of pending changes appears. If you click the Simulate button you will see the expected result in the different targets for each entry. If everything is correct you can save your changes by clicking Commit.

When all your rules are working the way you want, you can automate the synchronization and leave the service to perform synchronizations periodically. You can also export the simulation tests as an XML file for offline analysis.
5.3 PLANNING

The CloudAnywhere service carries out regular synchronizations. You just need to decide how often synchronization should be carried out. Synchronization once or twice a day is adequate for most companies.

If your administrators occasionally create accounts directly in the target SaaS, it will be necessary to rescan the targets during each synchronization. On the other hand, if you are certain that no account has been created directly in the target and that all users are managed from the local AD, you can turn off target pulling during synchronization. This step is then only necessary during the initial connection.
6 SYNCHRONIZING PASSWORDS

CloudAnywhere works with your SSO (Single Sign On) solutions. These SSO solutions do not work in all cases:
- Some protocols do not support SSO (e.g. IMAP, POP3, SMTP).
- The SSO may not work on all devices (e.g. some smartphones).
- Some SaaS vendors have not implemented an SSO solution.

Your SSO infrastructure is critical to your business and becomes your SPOF (Single Point of Failure). It therefore requires special attention and a high availability implementation. If it should fail, your whole company will lose access to the SaaS applications.

CloudAnywhere does not include an SSO engine. It relies on its network of technology partners to offer an SSO solution if you want to use this technology. On the other hand, CloudAnywhere complements your SSO solution by enabling the synchronization of passwords between your local Active Directory and your various connected targets.

Synchronization is activated target by target. This means you can use SSO with one target and only enable password synchronization with the targets of your choice.
6.1 OPERATION

CloudAnywhere synchronizes passwords between Active Directory and your SaaS suppliers.

The Active Directory passwords cannot be extracted. They are actually stored in an attribute whose permissions are set to "Write Only" for everyone: no one can read them. Moreover, this attribute stores a hash which is not reversible. Even if you were to succeed in capturing the value of this attribute you could not extract the actual password from the hash.

CloudAnywhere therefore relies on the password change-capture function provided by the Active Directory infrastructure. A password filter extension must be installed on each domain controller (DC). When a user changes their password from any computer on the domain, this password is captured on one of the DCs and sent to a local service so as not to impact the DC's performance. The local service then sends the password to the CloudAnywhere server over a secure connection. The CloudAnywhere service then searches all the targets where the source account is provisioned and proceeds to change the password in every target where password synchronization is enabled.

When setting up CloudAnywhere and password synchronization it is recommended that a password change policy is set up in Active Directory so that your users' passwords are synchronized from the start.

Retransmission mechanisms: various retransmission mechanisms are implemented:
- Retransmission between the local DC service and the CloudAnywhere server.
- Retransmission between the CloudAnywhere server and the targets.

Security: passwords are not permanently stored on the hard disk. They are stored in memory only while they are waiting to be processed. They are encrypted in memory to avoid being revealed as plain text in a possible memory dump. In the case of a power failure, pending password changes are lost.

Password compliance strategies: the possible password rules (password length etc.) are not checked when the password is changed in the different targets. The resulting errors in the password changes are logged in the CloudAnywhere database. The Active Directory password policy rules must be stronger than your SaaS providers' strongest password strategies to ensure that your users' passwords will be synchronized with all your targets.

Key elements:
- Multi-domain and multi-forest
- Does not require a trust relationship
- Does not require a schema extension
- Requires just a single open port (of your choice) in your firewall
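An added example, not the product's code, that models the two checks behind this section and the next: the requirement above that the AD policy be at least as strict as every target's (so that a password AD accepts is never rejected downstream), and the section 6.2 behaviour of refusing an AD password change that a sync-enabled target would reject. The policy parameters and all values are constructed placeholders, not the real Office 365 or Google Apps rules.

```python
import re

# A policy is modelled by three parameters. The values are constructed
# placeholders for the example, NOT the real Office 365 or Google Apps rules.
AD_POLICY = {"min_length": 12, "min_classes": 3, "max_length": 256}
TARGET_POLICIES = {
    "office365": {"min_length": 8, "min_classes": 3, "max_length": 16},
    "google": {"min_length": 8, "min_classes": 1, "max_length": 100},
}

# Character classes counted for the complexity requirement.
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def violations(password, policy):
    """Return the rules of `policy` that `password` fails (empty list = compliant)."""
    failed = []
    if len(password) < policy["min_length"]:
        failed.append("too short")
    if len(password) > policy["max_length"]:
        failed.append("too long")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < policy["min_classes"]:
        failed.append("too few character classes")
    return failed

def targets_rejecting(password, target_policies):
    """Section 6.2 behaviour: the AD change is refused when this is non-empty,
    i.e. at least one sync-enabled target would reject the new password."""
    result = {}
    for target, policy in target_policies.items():
        failed = violations(password, policy)
        if failed:
            result[target] = failed
    return result

def ad_policy_covers(ad_policy, target_policy):
    """Section 6.1 requirement: every password AD accepts must also satisfy the
    target. A target's maximum length constrains AD in the other direction:
    AD must not accept passwords longer than the target allows."""
    return (ad_policy["min_length"] >= target_policy["min_length"]
            and ad_policy["min_classes"] >= target_policy["min_classes"]
            and ad_policy["max_length"] <= target_policy["max_length"])

def uncovered_targets(ad_policy, target_policies):
    """Targets for which some AD-accepted password could still be rejected."""
    return [t for t, p in target_policies.items() if not ad_policy_covers(ad_policy, p)]
```

The maximum-length case is the one most often missed when "stronger" is read as "longer and more complex": a 20-character passphrase that satisfies AD would be logged as a failed change on a target capped at 16.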
6.2 OFFICE 365 AND GOOGLE PASSWORD COMPLEXITY

When a user changes their password in the Active Directory, CloudAnywhere can enforce the password complexity required by Office 365 or Google Apps. When a password doesn't meet the required complexity of the SaaS application, the password change is refused and the user must type a compliant one.

6.3 RESET PASSWORD PORTAL

In addition to the password synchronization solution, the full version of CloudAnywhere comes with a reset password portal. It allows users who have forgotten their passwords to reset them themselves. The portal allows you to change the password in the Active Directory source as well as in the target, and can be used in On-Premise only, Cloud only or hybrid modes. For example, if you have enabled password synchronization between Active Directory and the Cloud, you can configure the portal to allow the password to be changed only in the local AD. The password will then be captured and sent to CloudAnywhere.

The portal can also be used by your support staff to reset passwords.

The user must first register with this service and answer a set of security questions, which they must answer again to prove their identity in the case of a forgotten password.
They can also authenticate themselves using their old password, even if it has expired. This can be handy for users who do not have a computer in the domain: they can change their AD password from the portal. For this purpose, the portal also comes with a utility that scans the AD and periodically sends an automatic email to users whose password will expire after a configurable delay.
7 ACCESS REQUEST MANAGEMENT PORTAL

The portal also includes a request feature for access management. The portal administrator can define a number of resources and assign a manager and a management group in Active Directory to each. Once logged in, the user can see the list of available resources and make an access request, which is sent to the resource manager or their backup. If the manager approves the request, the user is automatically added to the associated group. If this group is the decision criterion for the provisioning of the resource in question, CloudAnywhere will provision it during its next run.
Note that this feature manages inclusion requests for Active Directory groups. These groups are used by CloudAnywhere to make provisioning decisions, but this self-service access management portal can be used for all other relevant uses.
8 INTEGRATION WITH META-DIRECTORIES

CloudAnywhere operates autonomously. It knows how to connect all your sources and how to consolidate and synchronize them with all your SaaS and ASP vendors. If you already have a meta-directory identity management solution which is connected to your sources and currently provides consolidation, CloudAnywhere will work with and complement this existing service.

CloudAnywhere is built around a SQL database that provides centralized storage of consolidated data. Using your meta-directory identity manager (e.g. FIM 2010), you can configure a SQL Server type connector and automatically update the CloudAnywhere database. In this case it is only necessary to disable the connection to the data sources. CloudAnywhere will then synchronize its data with the SaaS suppliers or simply carry out password synchronization, leaving provisioning actions to your current platform. The data required for the proper operation of CloudAnywhere is supplied by your third-party solution.

This solution provides a range of benefits. It allows you to keep your existing infrastructure. You can also extend the functionality of your meta-directory with the range of connectors provided by CloudAnywhere, which your meta-directory probably does not offer.