Novell Access Manager Product Overview
Kiran Mova
Agenda
- Introduction
- Architecture: IDP, AG, SSL VPN, Administration Console
- How it works? Web SSO, Federation SSO, Protect HTTP Resources, Protect non-HTTP Resources

2011 NetIQ Corporation. All rights reserved.
Introduction
Access Manager is a set of components that help to:
- Provide Web and Federated SSO
- Protect HTTP and non-HTTP enterprise servers
- Provide SSO to legacy web servers
It also allows customers to extend:
- Authentication mechanisms, using the Authentication SDK
- Authentication against custom user stores, using the LDAP Server Plugin
- The policy engine, using the Policy Extension API
Sample NAM Deployment (InnerWeb)
- Access Gateway: innerweb.novell.com, in front of VersionOne (v1.innerweb.novell.com) and Employee Self Service (psselfservice.innerweb.novell.com)
- Identity Provider: login.innerweb.novell.com
- SSL VPN: sslvpn.innerweb.novell.com
Architecture: NAM
[Architecture diagram; components and links recovered from the slide:]
- Users and Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS-Fed) reach the deployment through load balancer(s) in front of the Identity Servers, Access Gateways and SSL VPNs
- Identity Provider: authentication (Web SSO and Federated SSO)
- Access Gateway: authorized access to HTTP resources
- SSL VPN: authorized access to non-HTTP servers
- J2EE Agent: authorized access for application servers
- Administration Console: configuration and policy for all components, plus audit and alerts, managed by the administrator through a Web UI
- Back end: User Directory (LDAP), Authentication Servers (RADIUS, etc.), and the mission-critical and enterprise data systems (HTTP and non-HTTP)
Admin Console Key Features
Administration Console
- Configure components
- Monitor health and statistics of individual components
- Policy administration
- Certificate management
- Delegated administration
- Persistent configuration store
- Granular auditing (embedded Nsure Audit Server)
Architecture: Administration Console
[Architecture diagram; recovered from the slide:]
- The administrator uses the Web UI over HTTPS
- The Device Manager (iManager on Tomcat) configures the Identity Provider, Access Gateway and SSL VPN through JCC (configuration and commands over HTTPS)
- Configuration, policy and the certificate store live in eDirectory; devices read configuration and policy over LDAPS, and console clustering uses eDirectory replicas
- The Nsure Audit Server receives audit events over TCP (devices keep an audit cache); alerts arrive over HTTPS
- External parties: Federated Identity Providers, User Directory (LDAP), Authentication Servers (RADIUS, etc.), and the mission-critical and enterprise data systems (HTTP and non-HTTP)
Identity Provider Key Features
Identity Provider (IdP)
- Authentication (includes X.509, RADIUS, ...)
- Federated authentication (SAML/ADFS)
- Associates roles and attributes with the authenticated user
- Authenticates against multiple user ID stores such as eDirectory, Active Directory, Sun ONE, etc.
- Extensible authentication and policy framework
SP (Service Provider) Agent, a shared component
- Redirects all authentication requests to the IdP
- Maintains a cache of user data fetched from the IdP
- Evaluates policies, requesting additional data from the IdP as needed
Architecture: IDP
[Architecture diagram; recovered from the slide:]
- Authentication and Attribute Services run on Tomcat; Identity Provider nodes cluster over JGroups
- Users authenticate over HTTPS through the load balancer; Federated Identity Providers talk SAML 2.0, SAML 1.x, Liberty and WS-Fed over HTTPS
- User data comes from the User Directory over LDAP(S) and from custom connections; Authentication Servers (RADIUS, etc.) are consulted for those methods
- The Access Gateway and SSL VPN consume the Liberty and Attribute Service over HTTPS
- Administration Console: configuration over HTTPS (JCC RMI), configuration and policy over LDAPS, alerts over HTTPS; the Audit Agent sends audit events over TCP
Access Gateway Key Features
Access Gateway (AG)
- Authentication (via the Identity Server)
- Authorization
- Single sign-on to legacy web servers (form fill, identity injection)
- Identity injection (personalization)
- Secure exchange (SSLizer)
- Multi-homing
- Load balancing
- URL normalization/rewriting
- Caching
- Policy Extensions API
Architecture: AG
[Architecture diagram; recovered from the slide:]
- Users reach the gateway over HTTP(S) through the load balancer; an Apache instance terminates the connection and hands requests to the gateway service over AJP
- Inside the gateway: SP Agent, Session Cache, Gateway Manager, Policy Extension API; gateway nodes cluster over JGroups and exchange configuration messages over ActiveMQ
- The Identity Provider is used for authentication and for the Liberty and Attribute Service (HTTPS); Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS-Fed) are reached via the IdP
- Administration Console: configuration over HTTPS (JCC RMI), configuration and policy over LDAPS, alerts over HTTPS; the Audit Agent sends audit events over TCP
- Protected resources: the mission-critical and enterprise data systems (HTTP and non-HTTP), reached over HTTP(S); User Directory (LDAP) and Authentication Servers (RADIUS, etc.) sit behind the IdP
SSL VPN Key Features
SSL VPN
- Provides secure access to non-HTTP applications
- Enterprise mode (full access) or Kiosk mode (application access)
- Client integrity check and policy-based access
- Desktop clean-up / secure folder
Architecture: SSL VPN (Server)
[Architecture diagram; recovered from the slide:]
- Server components: SP Agent, STunnel, OpenVPN Server, SOCKS Server, Connection Manager, Audit Agent, JCC
- Users authenticate over HTTP(S) via the Identity Provider (through the load balancer) and then connect to the SSL VPN over SSL
- The Access Gateway and the Liberty and Attribute Service (HTTPS) are consulted as on the other devices
- Administration Console: configuration over HTTPS and LDAPS, alerts over HTTPS; audit events over TCP
- Tunnelled traffic goes over TCP to the mission-critical and enterprise data systems (HTTP and non-HTTP)
Architecture: SSL VPN Client (Kiosk)
[Architecture diagram; recovered from the slide:]
- Client components: Stunnel, Policy Engine, SOCKS Client
- The user's application sends traffic to the SOCKS Client, which carries it over SSL (Stunnel) to the server's STunnel/SOCKS Server
- The server forwards it over TCP to the mission-critical and enterprise data systems (HTTP and non-HTTP)
Architecture: SSL VPN Client (Enterprise)
[Architecture diagram; recovered from the slide:]
- Client components: OpenVPN Client, TUN driver
- Application traffic enters the TUN driver and is carried as SSL over TCP/UDP to the OpenVPN Server
- The server forwards it over TCP/UDP to the mission-critical and enterprise data systems (HTTP and non-HTTP)
Recent/Current Initiatives
- Access Management On Demand
- Federation Hub
- Simplification
- Creating products out of individual components
Simplification
How it works?
Web SSO
Participants: User, Service Provider (Web Server) with SP Agent, Identity Provider, User ID Store
1. SP Agent redirects the user to the IdP for authentication; if the user is already authenticated at the IdP go to (4), otherwise the IdP seeks credentials
2. User posts credentials
3. IdP validates the credentials against the User ID Store, creates a user session and forms a token to send to the SP Agent
4. IdP redirects back to the SP Agent with the auth token
5. SP Agent verifies the token with the IdP; the IdP responds with an assertion including user attributes/roles, and the SP provides access
Federated SSO
Participants: User, Identity Provider (NAM), User ID Store, Configuration Store, Federated Identity Provider
1. Request for authentication (SAML/Liberty/WS-Fed); if already authenticated go to (8), otherwise redirect to the trusted Federated Identity Provider found in the Configuration Store
2. Send an AuthnRequest to the Federated IdP; if the user is not authenticated there, the Federated IdP seeks credentials
5. The NAM IdP receives the authentication
6. Verify the token; the Federated IdP provides the AuthResponse with authentication details; map to a local user or autoprovision the user
7. Create the user session and store the persistent federation mapping
8. Respond with the auth token
(Steps are numbered as on the slide.)
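The "map to local user or autoprovision" and "store persistent federation mapping" steps above (6 and 7) are where a federation deployment most often goes wrong, so here is an added example of that mapping logic in Python. It is not NAM code or the project's own API: the configuration store, local directory, AuthResponse shape and field names are all constructed for the example, and the local username chosen for an autoprovisioned user is an assumption.

```python
"""Federated SSO identity mapping (added example, not NAM code).

Given an already-verified AuthResponse from a federated IdP, find or create the
local user it belongs to and persist the (issuer, NameID) -> local user mapping.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed configuration store: trusted federated IdPs (keyed by issuer),
# the local attribute used to match an existing user, and whether autoprovisioning is allowed.
TRUSTED_IDPS = {
    "https://idp.partner.example/saml": {"match_attr": "mail", "autoprovision": True,
                                         "default_roles": ["partner"]},
    "https://idp.other.example/saml": {"match_attr": "mail", "autoprovision": False,
                                       "default_roles": []},
}

# Constructed local user directory (eDirectory/AD in a real deployment).
LOCAL_USERS = {"alice": {"mail": "alice@example.com", "roles": ["employee"]}}


@dataclass
class FederationStore:
    """Persistent federation mappings (step 7). Keyed by issuer AND NameID so two
    federated IdPs that happen to issue the same NameID can never collide."""
    mappings: dict = field(default_factory=dict)

    def lookup(self, issuer, name_id):
        return self.mappings.get((issuer, name_id))

    def store(self, issuer, name_id, local_user):
        self.mappings[(issuer, name_id)] = local_user


def map_federated_user(store, auth_response):
    """Return (local username, how) for a verified AuthResponse (step 6).

    `auth_response` is a constructed dict: {"issuer", "name_id", "attributes"}.
    Signature/validity checking of the response is assumed to have happened already.
    """
    issuer = auth_response["issuer"]
    cfg = TRUSTED_IDPS.get(issuer)
    if cfg is None:
        # Only issuers present in the configuration store are trusted.
        raise PermissionError(f"issuer not in configuration store: {issuer}")

    name_id = auth_response["name_id"]
    existing = store.lookup(issuer, name_id)
    if existing is not None:
        return existing, "mapped"          # persistent mapping already present

    # No mapping yet: match an existing local user on the configured attribute.
    attr = cfg["match_attr"]
    value = auth_response.get("attributes", {}).get(attr)
    if value is not None:
        for local, record in LOCAL_USERS.items():
            if record.get(attr) == value:
                store.store(issuer, name_id, local)
                return local, "matched"

    if not cfg["autoprovision"]:
        raise PermissionError("no local user matched and autoprovisioning is disabled")

    # Autoprovision: deterministic local name derived from (issuer, NameID) (assumed scheme).
    digest = hashlib.sha256(f"{issuer}|{name_id}".encode()).hexdigest()[:12]
    local = f"fed_{digest}"
    LOCAL_USERS[local] = {attr: value, "roles": list(cfg["default_roles"])}
    store.store(issuer, name_id, local)
    return local, "provisioned"
```

Two points the example makes explicit: the mapping key includes the issuer, so NameIDs are scoped to the federated IdP that asserted them; and attribute matching (here on `mail`) links a federated identity to an existing local account on the strength of a value the remote IdP asserts, so it should only be enabled for issuers trusted to vouch for that attribute, or accounts can be taken over by whoever controls a matching value at a partner IdP.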
Protect HTTP Resources
Participants: User, Access Gateway (with SP Agent), Identity Provider, User ID Store, Web Server(s)
1. User accesses v1.innerweb.novell.com; if the user already has a gateway session go to (7), otherwise redirect to the SP Agent
2. SP Agent redirects the user to the IdP for authentication; if already authenticated at the IdP go to (5), otherwise the IdP seeks credentials
3. User posts credentials
4. IdP validates the credentials against the User ID Store, creates a user session and forms a token to send to the SP Agent
5. IdP redirects back to the SP Agent with the auth token
6. SP Agent verifies the token with the IdP; the IdP responds with an assertion including user attributes/roles
7. Access Gateway evaluates the authorization policy
8. Redirect to the requested resource
9. Form fill, identity injection, load balancing to the web server(s)
10. URL rewriting and caching of the response
Access to Non-HTTP Resources
Participants: User, SSL VPN Client, SSL VPN, Enterprise Server(s)
1. User logs in to the SSL VPN (via the IdP or the AG); if the user is authorized, the SSL VPN pushes the SSL VPN client
2. User accepts and installs the client; the client runs the client integrity check, establishes the VPN tunnel and receives client policy updates
3. User accesses an enterprise server; the virtual/hooking adapter takes the request and routes it through the tunnel
4. SSL VPN authorizes the access and forwards it to the enterprise server(s)
5. Logout; desktop clean-up
www.novell.com/accessmanager
Worldwide Headquarters
1233 West Loop South, Suite 810
Houston, TX 77027 USA
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
info@netiq.com
NetIQ.com
http://community.netiq.com