Date posted: 25-Dec-2015
Identity and Access Management Solution Overview

Solution components:
• Access Management: SiteMinder
• Web Services Access Management: TransactionMinder
• User Administration: IdentityMinder, Web Edition
• Resource Provisioning: IdentityMinder, Provisioning Edition
The Netegrity Identity and Access Management Solution
For Legacy, Web and Service-Oriented Architectures
[Figure: the Netegrity solution combines an enforcement layer and an administration layer.]

The Application Silo Challenge
[Figure: each application (CRM, ERP, HR, Partner Extranet, SCM, Customer Self-Service, E-Commerce) serving employees, partners and customers carries its own security layer, user store (SQL 2000, SunONE LDAP, Oracle OID, Oracle RDBMS, Active Directory, PKI cert, LDAP) and operating system; the same person appears under different identifiers such as J_Doe1211960, A23JJ4, John_D and Johnd.]
• High security administration costs
• Expensive coding and maintenance
• Poor user experience
• No centralized security enforcement
• No standardized security process
• No central auditing capability
The Netegrity Solution
[Figure: employees, partners and customers reach the secured applications (CRM, Customer Service, Channel, e-Commerce) through firewalls, with a central SiteMinder Policy Server enforcing access.]

SiteMinder in Action
[Figure: a user (jdoe) requests a resource from a web server running the SiteMinder Agent; the agent asks the SiteMinder Policy Server: 1) Is the resource protected? 2) Is the user authenticated (using the configured authentication scheme)? 3) Is the user authorized? The Policy Server consults the user & entitlement stores (LDAP, RDBMS, mainframe, NT domain: NT, LDAP, AD, ODBC, RACF), and the request is passed on to the secured applications (Customer Service, Supply Chain, Intranet, Finance, HR / Payroll, eCommerce, Extranet) after these checks.]
Native Directory Enabled
• Map to existing user stores
– No embedded database required
– Eliminates user store synchronization issues
• Separate authentication & authorization stores
– Chain directories
• Supports multiple user directories
– Including databases & mainframes
[Figure: users of mycompany.com reach a web server with the SiteMinder Agent in the DMZ; the SiteMinder Policy Server consults a separate authentication namespace and authorization namespace; no user data is stored in SiteMinder.]
Single Sign-On: Microsoft Environment
[Figure: Outlook Web Access on an MS IIS web server with the SiteMinder Agent and a web server on Unix with the SiteMinder Agent both use the SiteMinder Policy Server, backed by Active Directory and SQL Server.]
• Windows Integrated Security: authenticate to your desktop & access all your enterprise web applications
• Microsoft application login
Single Sign-On: Netegrity Secure Proxy Server
• Turnkey proxy solution for SSO
– Mini cookie
– SSL-ID
– URL rewrite
• Enhanced security
• Define target destination servers
• Deployed at VISA VOL
[Figure: users pass through firewalls to the proxy server in the DMZ, which consults the SiteMinder Policy Server and forwards requests to the destination web servers; behind further firewalls sit the backend resources (web apps, ERP/CRM, J2EE apps) and the user & entitlement stores.]
Single Sign-on: Application Server Environment
J2EE Application Server Agents: IBM WebSphere & BEA WebLogic
• Enables SSO across the enterprise
– Including J2EE application server based applications
• Leverages SiteMinder’s broad range of authentication system support
• Centralized authorization management & audit services
[Figure: users pass through firewalls to a web server, which consults the SiteMinder Policy Server; the J2EE application server behind further firewalls fronts the backend resources (web apps, ERP/CRM, J2EE apps) and the user & entitlement stores.]
Single Sign-on: Enterprise Applications
• Enables SSO across the enterprise, including ERP/CRM systems
– SAP, Siebel, Peoplesoft, & Oracle
• Leverages SiteMinder’s broad range of integrated authentication systems
• Provides centralized authorization management & audit services
[Figure: users pass through firewalls to a web server, which consults the Netegrity Policy Server backed by the user & entitlement stores; the enterprise applications (SAP, Siebel, Peoplesoft) sit behind further firewalls.]
Authentication Management: Broad Support for Authentication Systems
• Methods
– Passwords
– Two factor tokens
– X.509 certificates
– Passwords over SSL
– Smart cards
– SAML
– Combination of methods
– Forms-based
– Custom methods
– Full CRL & OCSP support
– Biometric devices
• Management
– Authentication levels
– Directory chaining
– Configured fallbacks to other authentication schemes
Authentication Management
• Password Management
– Expiration with warning & grace period
– Composition rules
o Max/min lengths, repeating characters, case sensitivity, reusability
o Difference (%) measures between before & after passwords
o Editable password dictionary to prohibit certain word use
o Prohibition of use of user profile attributes (name, address etc.)
• Account Management & Auditing
– Forgotten password support
– Redirects
– Password & login history
– Lock-out
o Permanently
o Successive failed passwords
o Inactivity
o Until or after a certain date
o Login before a specific date
o Disable field in MS AD & Sun One
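As an added example (not code from the deck or from SiteMinder itself), a checker that applies the composition rules listed above to a proposed password; the policy values, the function names and the use of a longest-common-subsequence ratio as the "difference (%)" measure are assumptions for illustration:

```python
# Added example: password composition rules of the kind the slide lists.
# PasswordPolicy values, check_password and difference_pct are assumptions,
# not SiteMinder's own API; a deployment would load the rules from the Policy Server.
import difflib
import re

# Constructed policy values.
POLICY = {
    "min_length": 8,
    "max_length": 64,
    "max_repeating": 2,        # longest run of one identical character allowed
    "min_difference_pct": 50,  # new password must differ from the old one by at least this
    "require_mixed_case": True,
    "history_depth": 5,        # reusability: the last N passwords may not be reused
    "dictionary": {"password", "welcome", "netegrity", "siteminder"},
}


def difference_pct(old: str, new: str) -> int:
    """Percentage of the new password not shared with the old one, measured
    case-insensitively with a longest-common-subsequence ratio (assumed measure)."""
    if not old:
        return 100
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return round((1 - ratio) * 100)


def check_password(new, old="", history=(), profile=None, policy=POLICY):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    profile = profile or {}
    violations = []
    if len(new) < policy["min_length"]:
        violations.append("too short")
    if len(new) > policy["max_length"]:
        violations.append("too long")
    # A run longer than max_repeating of the same character, e.g. "aaa" when max is 2.
    if re.search(r"(.)\1{%d,}" % policy["max_repeating"], new):
        violations.append("repeating characters")
    if policy["require_mixed_case"] and not (re.search(r"[a-z]", new) and re.search(r"[A-Z]", new)):
        violations.append("case: needs upper and lower case")
    # Reusability: the current and the remembered previous passwords are off limits.
    if new == old or new in history[: policy["history_depth"]]:
        violations.append("reused password")
    if old and difference_pct(old, new) < policy["min_difference_pct"]:
        violations.append("too similar to previous password")
    lowered = new.lower()
    if any(word in lowered for word in policy["dictionary"]):
        violations.append("dictionary word")
    # Profile attributes (name, address, ...) must not appear inside the password.
    for attr, value in profile.items():
        for part in str(value).lower().split():
            if len(part) >= 3 and part in lowered:
                violations.append(f"contains profile attribute {attr}")
                break
    return violations
```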
Authorization Management: Centralized Policy Management
• Restrict access by user, role, groups, dynamic groups, or exclusions
– Controlled “impersonation” of users by other users
• Fine-grained authorization at the file, page, or object level
• Determine access based on location and time
• Policies
– Send static, dynamic (SQL queries), or profile attributes in responses
– Redirect users based on type of authentication or authorization failure
– Can have global or local policies
SiteMinder Policy
[Figure: a policy is composed as Rule or Rule Group + Users or Groups in a Directory + Time + IP Address + Active Response (eTelligent Rule) = Response or Response Group.]
• Rule or Rule Group: allows or denies access to a resource
• Users, Groups, Exclusions, Roles: the users or groups in a directory that the policy applies to
• IP Address (e.g. 1.2.3.4): IP address that the policy applies to
• Time: time when the policy can or cannot fire
• Active Response (eTelligent Rule): expression using contextual data or web services; a dynamic extension of the policy (optional)
• Response or Response Group: action that occurs when a rule fires
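As an added example (not code from the deck or from SiteMinder), a small model of the policy composition shown above: a rule bound to users/groups with exclusions, a time window, an IP restriction and an optional active-rule expression, which, when it fires, returns profile attributes as response headers. The class and function names, the deny-wins resolution and the "unprotected resources are denied" default are assumptions:

```python
# Added example: SiteMinder-style policy = rule + users/groups + time + IP (+ active rule) -> responses.
# Names (Rule, Policy, authorize) are assumptions for illustration, not SiteMinder's API.
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:
    realm: str            # protected resource prefix, e.g. "/finance/"
    action: str           # HTTP method the rule covers
    allow: bool = True    # allow rule or deny rule


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    users: set = field(default_factory=set)           # user names the policy applies to
    groups: set = field(default_factory=set)          # directory groups it applies to
    exclusions: set = field(default_factory=set)      # users explicitly left out
    allowed_hours: Optional[range] = None             # e.g. range(8, 18) = 08:00-17:59
    networks: List[str] = field(default_factory=list) # CIDRs the policy applies to
    active_rule: Optional[Callable[[dict], bool]] = None  # eTelligent-style expression
    responses: Dict[str, str] = field(default_factory=dict)  # header -> profile attribute

    def rule_for(self, resource, action):
        for r in self.rules:
            if resource.startswith(r.realm) and r.action == action:
                return r
        return None

    def binds(self, user, when, client_ip, context):
        """Does this policy apply to this user, at this time, from this address?"""
        if user["name"] in self.exclusions:
            return False
        if user["name"] not in self.users and not (self.groups & set(user["groups"])):
            return False
        if self.allowed_hours and when.hour not in self.allowed_hours:
            return False
        if self.networks and not any(ip_address(client_ip) in ip_network(n) for n in self.networks):
            return False
        if self.active_rule and not self.active_rule(context):
            return False
        return True


def authorize(policies, user, resource, action, when, client_ip, context=None):
    """Return (allowed, responses). A firing deny rule wins over any allow; a
    resource no policy covers is treated as protected and denied (assumed default)."""
    context, when = context or {}, datetime.fromisoformat(when)
    allowed, responses = False, {}
    for p in policies:
        rule = p.rule_for(resource, action)
        if rule is None or not p.binds(user, when, client_ip, context):
            continue
        if not rule.allow:
            return False, {}
        allowed = True
        responses.update({h: user["attrs"].get(a, "") for h, a in p.responses.items()})
    return allowed, responses


# Constructed sample policies and users for a finance application.
FINANCE = [
    Policy("finance-staff",
           rules=[Rule("/finance/", "GET"), Rule("/finance/", "POST")],
           groups={"finance"}, exclusions={"contractor1"},
           allowed_hours=range(8, 18), networks=["10.0.0.0/8"],
           responses={"SM_USER_EMAIL": "mail", "SM_USER_DEPT": "department"}),
    # Deny payroll changes unless the session's authentication level (contextual data) is >= 10.
    Policy("deny-weak-payroll-post",
           rules=[Rule("/finance/payroll/", "POST", allow=False)],
           groups={"finance"},
           active_rule=lambda ctx: ctx.get("auth_level", 0) < 10),
]
JDOE = {"name": "jdoe", "groups": ["finance"],
        "attrs": {"mail": "jdoe@mycompany.com", "department": "Finance"}}
CONTRACTOR = {"name": "contractor1", "groups": ["finance"], "attrs": {}}
```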
Federated Security Services
[Figure: a user authenticates at www.SiteMinder.com and gets SSO to www.PartnerA.com and www.PartnerB.com over the Internet; www.SiteMinder.com acts as SAML Producer and the partners as SAML Consumers, optionally running the SAML Affiliate Agent (SAA).]

Federated Security Services: SAML Producer with SAML Affiliate Agent (SAA)
• SiteMinder site conducts authentication
– User profile must exist at www.SiteMinder.com
• Light-weight Web plug-in at partners
– Security product/SAML support not required at partners
– Converts SAML attribute assertions into HTTP header variables
o Provides user profile information to Web application
– Synchronized session between sites
o Single sign-on/off
– Centralized auditing & reporting
– Event notification services

Federated Security Services: SAML Producer
• SiteMinder site conducts authentication
– User profile must exist at www.SiteMinder.com
– Generates SAML artifact
• SAML Consumer capability required at Partners
– SiteMinder or equivalent capability
o Competitive IAM system, toolkit, standards compliant platform
– Functionality available to partners dependent on capability of local security tool
– No Netegrity software required at partners

Federated Security Services: SAML Consumer
• Security product at PartnerA/B conducts authentication
– May or may not be SiteMinder
– Could be competitive IAM system, toolkit, or standards compliant platform
• SiteMinder conducts SAML-based authorization & SSO
– Partner-user to SiteMinder-user mapping is flexible
o One-to-one (account-to-account)
o Many-to-one
Enterprise Class Manageability: Auditing & Reporting
• Managers need reports to:
– Fine tune infrastructure
– Show compliance with security policies & regulations
• SiteMinder provides:
– Schema for reporting RDBMS
– Stored procedures which can be used to generate:
o Access reports
o Activity reports
o Intrusion reports
o Audit reports
• Access Reports: Hourly Rollup Access Report, Daily Rollup Access Report, Hourly Authentication Access Report, Daily Authentication Access Report, Hourly Authorization Access Report, Daily Authorization Access Report, Hourly Administrator Access Report, Daily Administrator Access Report
• Activity Reports: Activity Rollup Report, User Activity Report, Agents Activity Report, Resource Usage/Activity Report
• Intrusion Reports: Intrusion Rollup Report, Intrusion by User Report, Intrusion by Agent Report
• Audit Reports: Audit Rollup Report, Audit by Resource Report, Audit by Administrator Report
High Performance Architecture
• Automatic fail-over
– Cluster-to-cluster fail-over (SM 6.0)
– Agent to Policy Server dynamic load balancing
– Policy Server to directory server load balancing & failover
• 2-level caching in Policy Server & agents
• 8 processor support (SM 6.0)
[Figure: web servers running Web Agents with caches talk over 128-bit RC4 encryption to Policy Servers, each holding a policy cache and a rules cache; the Policy Servers fail over between replicated directory servers and write the audit log via ODBC.]
Broad Platform Support: Leverages Existing Investments
• Platforms
– Policy Server: MS NT/Win 2000/Win2003, Sun Solaris, HP-UX, Red Hat Enterprise Linux
– Web Agents: Microsoft IIS, Sun ONE, Apache, HP Apache, Lotus Domino, IBM HTTP, Oracle HTTP, Domino Go
– Application Servers: BEA WebLogic, IBM WebSphere
– ERP/CRM: Peoplesoft, Siebel, SAP, Oracle
• User Directories: Sun Java System Directory Server, NT Domains, Microsoft Active Directory, IBM Directory Server, Novell eDirectory, MS SQL Server, Oracle RDBMS, Siemens DirX, Oracle Internet Directory, Critical Path Directory Server, Lotus Domino LDAP, CA eTrust
• Authentication Systems: Passwords, Passwords over SSL, Forms-based, X.509 certificates, Full CRL & OCSP support, Smart cards, Two factor tokens, Method chaining, SAML, Custom methods, Biometric devices, Combination of methods
• Other Systems: RADIUS network access devices, Firewalls, Communication servers
Solution Modules
• Mobile Authentication Module
– Authentication by passcodes delivered wirelessly to your handheld devices
• User Context Gateway
– Provides SSO to Microsoft applications like OWA and Citrix NFuse
• Limit Concurrent Login
– Prevents users from authenticating twice and accessing the site from two or more browsers simultaneously
• Impersonation (SM 5.x; out of the box in SM 6.0)
– Allows one user to impersonate another while still maintaining control, security and the ability to audit
• SmFTP Server
– SiteMinder enabled FTP server
TransactionMinder® Key Features
• Deployed at VISA ROL and CCDR
• Centralized policy-based authentication, authorization, and audit
– Provides single point of access control and administration for the whole enterprise
• Synchronized sessioning
– Enables single sign-on across multiple Web services used in the same transaction
• Shared Web services security platform
– Avoids creation of an isolated island of security: Web services are one of many resources that must be secured by the enterprise
• Seamless integration with existing SiteMinder®-enabled sites
• Open, platform-neutral architecture
– Support all major relevant web services standards (XML/SOAP, WS-Security, SAML, XML Signature)
– No investment in proprietary technologies is required.
Introducing TransactionMinder
TransactionMinder is the industry’s first policy-based solution to protect access to Web services; it sits alongside Resource Provisioning, Authentication & Access Management and User Administration in the Netegrity solution.

Complete Web services security solution
[Figure: a Web services consumer on the Internet calls the Web service(s) of a Web services provider; the TransactionMinder XML Agent in front of the service consults the Netegrity Policy Server, backed by user directories, before the back-end application is reached. Policies define: authentication, authorization, audit, federation, session management.]
• Designed to provide secure access to Web services
– Authentication based on message content and Web services standards such as WS-Security, SAML, XML Signature
– Runtime authorization rules based on the content of a business payload, e.g., a purchase order
• Centralized authentication, authorization, audit, and federation services
– Leverages and extends the core Netegrity Policy Server
– Delivers security policy as a “shared service”
• Support for industry-leading Web services frameworks and standards
TransactionMinder Features
• Content-based Authentication
– XML Document Credentials Collector (DCC)
– XML Signature
– Sessioning (expressed as a SAML session assertion)
– WS-Security (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
o XML Encryption (New in TransactionMinder v6.0)
• New Policy Server XML response types
– SAML session assertion generation (in SOAP envelope, HTTP header, or cookie)
– WS-Security header generation (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
• Dynamic Authorization Policy Model
– eTelligent™ Rules using TransactionMinder-specific variables in policy expressions
WS-Security Authentication Scheme
• Producing and consuming three WS-Security-bound security tokens (WSSE)
– Password digest
– X.509 certificates
– SAML 1.1 assertions
• WS-Security utilities (WSU)
– Digital signatures (using TransactionMinder v6.0’s key database functionality)
– Message timestamps
• WS-Security Encryption (Production & Consumption) (New in TransactionMinder v6.0)
– Encryption / decryption of tokens and message elements that are included in SOAP messages using WS-Security
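As an added example (not code from the deck or from TransactionMinder), both sides of the password-digest token listed above: the sender builds a WS-Security UsernameToken whose digest is Base64(SHA-1(nonce + created + password)) as the OASIS WSS UsernameToken Profile 1.0 defines it, and the receiver checks the digest together with the wsu:Created timestamp and nonce reuse. The function names, the 5-minute acceptance window and the in-memory password store are assumptions:

```python
# Added example: WS-Security UsernameToken with PasswordDigest, produced and consumed.
# produce_token / DigestVerifier are illustrative names, not TransactionMinder's API.
# Note: verifying a PasswordDigest requires the receiver to hold the password itself
# (or a derived equivalent), which is part of the risk profile of this token type.
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
FRESHNESS = timedelta(minutes=5)   # assumed acceptance window around wsu:Created
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Base64(SHA-1(nonce-bytes + created + password)) per the UsernameToken Profile."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def produce_token(username, password, created=None):
    """Sender side: fresh random nonce, timestamp, digest (no cleartext password on the wire)."""
    created = created or datetime.now(timezone.utc).strftime(TS_FORMAT)
    nonce_b64 = base64.b64encode(secrets.token_bytes(16)).decode()
    return {"Username": username, "Nonce": nonce_b64, "Created": created,
            "PasswordDigest": password_digest(nonce_b64, created, password)}


def to_wsse_xml(token):
    """Render the token as the wsse:UsernameToken element carried in the SOAP Security header."""
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
            f'<wsse:Username>{token["Username"]}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST_TYPE}">{token["PasswordDigest"]}</wsse:Password>'
            f'<wsse:Nonce>{token["Nonce"]}</wsse:Nonce>'
            f'<wsu:Created>{token["Created"]}</wsu:Created>'
            '</wsse:UsernameToken>')


class DigestVerifier:
    """Receiver side. `passwords` is a constructed user -> password store."""

    def __init__(self, passwords: dict):
        self.passwords = passwords
        self.seen_nonces = set()   # replay cache; a real one expires entries after FRESHNESS

    def verify(self, token, now=None):
        now_dt = _parse(now) if now else datetime.now(timezone.utc)
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False, "unknown user"
        try:
            created = _parse(token["Created"])
        except (KeyError, ValueError):
            return False, "bad Created timestamp"
        if abs(now_dt - created) > FRESHNESS:
            return False, "stale token"
        if token.get("Nonce") in self.seen_nonces:
            return False, "replayed nonce"
        expected = password_digest(token["Nonce"], token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "digest mismatch"
        self.seen_nonces.add(token["Nonce"])   # only accepted nonces are remembered
        return True, "ok"
```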
TransactionMinder Deployments Based on the Netegrity Reference Architecture
• Simple Direct Deployment
• Simple Proxy Deployment
• IAM / WSM Deployment with Security Appliance

Simple Direct Deployment
[Figure: SOAP requests arrive over HTTP, SMTP, FTP or JMS/MQ through the network firewall to the Web service container (IIS, iPlanet, Apache); the TxMinder XML Agent in the container consults the Netegrity Policy Server and its user stores (LDAP, RDBMS, etc.), which sit behind a second network firewall, before the Legacy, .NET or J2EE back ends are reached.]

Simple Proxy Deployment
[Figure: as above, but the TxMinder XML Agent runs on a reverse proxy server; SOAP is forwarded to back ends that keep their own proprietary, .NET or container security.]

IAM/WSM Deployment w/ Security Appliance
[Figure: SOAP/SAML traffic first passes a security appliance (2) and a WSM (1) proxy with its own WSM agent and WSM policies, then the TxMinder XML Agent (TxM Agt) and the Netegrity Policy Server with its user stores; the back ends are Legacy, .NET and J2EE with proprietary security.]
Notes: Dotted lines materialize integration between TransactionMinder and Netegrity partners. (1): Web Services Management. (2): XML Firewall providing “wire speed” XML processing (parsing, transformation, crypto math, etc.)
Integration with Complementary Third-Party Offerings
• Purpose
– Create a TransactionMinder ecosystem that provides more complete customer solutions
• Integration Approach
– Based on Netegrity’s Reference Architecture
– Use of TransactionMinder’s Agent API
• Integration of XML Gateways with TxMinder
– Vendors involved: Forum, Reactivity, Sarvega, Layer7
– Customer Benefits
o Intrusion detection (XML Gateway)
o Accelerated, first-level, entry point authentication (XML Gateway)
o Integration with Enterprise infrastructure (TransactionMinder): centralized security policies, multiple-factor user stores, etc.
o Web services federation, sessioning (TransactionMinder)
• Integration of Web Services Management (WSM) Platforms with TxMinder
– Vendors involved: Digital Evolution, Actional, Amberpoint, Blue Titan
– Customer Benefits
o Provides SLA and business policies management (WSM Platform)
o Integration with Enterprise infrastructure (TransactionMinder): centralized security policies, multiple-factor user stores, etc.
o Web services federation, sessioning (TransactionMinder)
IdentityMinder Features Overview
• Structured Administration
– Leverage administrator roles, groups, organizations, & attributes to maximize administrative productivity & control
– Enable role-based access control (RBAC)
• Integrated Workflow
– Improve security and reduce costs through on-line workflows
– On-line requests, approvals, & notifications
• Delegated User Administration
– Improve efficiency by distributing administration
– To partners & internal administrators
• Auditing & Reporting
– Improve security through comprehensive auditing and management reporting
• User Self-Service
– Reduce costs by allowing end-users to manage their own profiles, passwords, & entitlements

IdentityMinder, Web Edition (IMWE) is a J2EE application that provides a customizable interface for delegating user administration and granting users entitlements. IMWE leverages the power of SiteMinder, including support for role-based access control.
Deployed at VISA DPS, Risk Mgmt

Key Functionality
• Self-Service
• Integrated Workflow Approvals
• Delegation
• Role-based Entitlement Support
• Auditing and Reporting
• Customizable Interface
• Extensibility
• Scalable Architecture
• Integrated Provisioning
Self Service
1. User self registers
o Requests access to applications and group memberships
2. Workflow approval is conditionally triggered for group assignments
3. The user object is created
4. The user can now change profile and password attributes and memberships
[Figure: a self-registration form on the NeteAuto web site (Name: Jsmith, Pwd: xyz, Email, Code: x23z, Sign Me Up: Free Stuff, Credit Line) creates a user object in the user store (cn=JSMITH, userPassword=##, mail=OS.COM, org=DEALER) with memberships in the FreeStuff and CreditLine groups, approval being required for the group assignment; the user then sees a welcome screen offering Edit My Profile, Reset My Password and Change Memberships.]
Reduces administrative cost and improves user experience
Self-Registration
• Support for multiple self-registration schemes
– Multiple user communities (Partners vs. Contractors)
– Multiple languages
• Options for customizing self-registration
– Use default form
– Redesign form using the form designer
o Prompts, Fields, Hints, Layout, Branding, Formatting
– For additional customization, generate WSDL for a fully customized web service interface
[Figure: the default form beside a redesigned form with custom prompts, fields, hints, layout, branding and formatting.]

Self Management
• Benefits:
– Reduce administrative costs
– Speed delivery of service to users
– Improved user experience
• Forgotten Password Support
– Multiple Challenge/Response questions
– Integration with SiteMinder password policy
• Self Management options
– Modify specific attributes
– View Group and Role memberships
– Request additional entitlements
– Subscribe to self-subscribing groups
– Change password
Integrated Workflow
• Configurable Workflow Engine Supports:
– Multi-step, non-linear approvals
– Design workflow process variants
o Create Contractor vs Create Partner
• Customizable rules defining approvers
– Member of role or group, meets filter condition, custom
– AutoApprove if no approvers are assigned
• Customizable rules to identify who is notified
• Customizable e-mail templates
– Approved, pending, completed, rejected
• Workflow API enables integration with other user management processes
[Figure: a supplier (Name: I. Supply, Status: bronze) registers for Gold status; the workflow branches on “Is credit rating A or B?” (NO/YES paths); the request lands on the COO’s worklist (“Approve gold status for I. Supply”); when the COO approves, the status becomes gold and a notification goes to I. Supply with the Supplier Mgr copied.]

Workflow Customization
1. Copy Create User Approve process to generate Create Contractor Approve process
2. Specify HR group as approver
3. Specify Contractor Supervisor as approver
Delegation
• Delegation is based on IdentityMinder roles and tasks
– IM Admin roles allow management of users, groups, orgs, roles
– Roles contain granular tasks (Modify User)
– Create new roles by re-combining tasks
– Create new tasks to meet business needs (Create Contractor)

Delegation: Creating Admin Roles
• During role creation, specify ALL the rules about the role
– What are the tasks associated with this role?
o HelpDeskAdmin has Enable/disable User, Reset User Password, Modify User
– Who are the role members?
o Can initiate the tasks of the role
o While performing this role, what users, groups, orgs are in scope?
– Who are the role administrators?
o Can delegate the role to others
o While delegating this role, what users are in scope?
– Who are the role owners?
o Can modify the role using this interface
• Each role may have multiple member policies
– People in HelpAdmin group
– Title=ITManager
• All role metadata stored in Policy Store
Delegation: Membership Rule Examples

Member Requirement | Rule Type | Example
Must match one attribute value | User | Users where title starts with senior
Must match multiple attribute values | User | Users where title=mgr and locality<>east
Must be a member of another role | User | Users in admin role helpdeskadmin
Must belong to named org(s) | Org | Users in org sales and lower
Must belong to org(s) which meet a condition specified by attribute(s) on the org | Org | Users in orgs where Business Type=gold or Business Type=platinum
Must belong to specific org(s) and match specific user attributes | Org + User | Users where title=mgr and locality=east and who are in org sales or org marketing
Must belong to specific group(s) | Group | Users who are members of group ORGADMIN
Must belong to group(s) which meet a condition specified by attribute(s) on the group | Group | Users who are members of groups where owner=CIO
Must meet some condition which is beyond scope of rule syntax | Query | Users returned by the query ldap_query
Delegation: Managing User Store Objects
• Delegate responsibility for managing segments of the user store to the best qualified individuals
– Non-intrusive support for the corporate user store
– User stores supported
o Relational Database: single/multiple table based objects; objects retrieved by stored procedures; database generated unique identifier; delimited or row-based multiple values; native database datatypes
o LDAP v3: hierarchical or flat structure; auxiliary classes; groups

Delegation: Managing Groups
• Delegated group management provides for separation of duties:
– Group Manager
o Create/modify/delete group
o Assign Group Admin(s)
– Group Admin
o Manage group membership
o Can manage groups regardless of organizational context
• Group management can be hidden behind role assignment
– Membership rule is a group
• Support for
– Self-subscribing groups
– Nested groups
– Dynamic groups
– For example: All technicians (employeetype) with cell phones (mobile)
ldap:///ou=NeteAuto,o=security.com??sub?(employeetype= technician) (!mobile=NULL)
RBAC Support in SiteMinder®
• Step 1: Use the SM UI to link Access roles to security policies
• Step 2: User defined variable
– Application name (optional)
• SiteMinder generated attributes
– SM_User_Application_Roles
– SM_User_Application_Tasks
• Response returns the user’s roles/tasks for authorization
• Role & Task names are passed to the Application
[Figure: delegated user admins assign a role (e.g. Sales Support) to employees, contractors and partners; security policy admins link the role to the policies protecting the Web App, ERP App, off-the-shelf app and custom app.]

Why RBAC?
• SiteMinder® role based policies secure applications
– Efficiency, scalability, flexibility
– Reduces administrative cost
– Coexist with user based policies
Auditing & Reporting
• Configurable auditing logged to relational DB
– Which objects?
o User Store objects – User, Org, Group
o IdentityMinder® objects – Roles, Tasks
– Which state transitions?
o Approve, reject, executing, pending, completed, cancel, done
– What data?
o Old values, new values, or both
• Reports can be derived from audit data
– Report types
o Auditing (for example, “what changes were made to UserB”)
o Administrative (for example, “what roles can AdminA grant?”)
– Control access through the delegation model
o Specify which users can access which reports
Customization Options
• Rebrand, change look and feel of the IM UI
• Provide interfaces for users in different geographies
– Fully internationalized and localized to support multi-national companies
• Reduce clicks for administrators with few responsibilities
– Assure that the IM administrators’ ‘first screen’ is optimized
• Redesign forms used by delegated admins
– Significant opportunities for customizing the interface using the IM interface
• Use web services interface (WSDL)
– Generate WSDL files then perform additional customization if necessary
– Enables embedding in the company portal

Customizing Look & Feel
• Skin has components that may be edited to change look and feel
– Headers and footers
– Images
– Colors and fonts
• IM supports multiple skins, each consisting of
– Cascading Style Sheet
– Images (.jpeg, .gif, .png)
– A .properties file that defines the components of a skin
• Addresses accessibility requirements specified in Section 508 of the Rehabilitation Act

Tailoring the First Screen
First screen may vary by user:
1. Few tasks – Listed in left nav
2. Many tasks – Categories in left nav
3. Workflow approver sees worklist first

Creating Custom Tasks for Admins
• Tasks - the building blocks of custom views
– Supports fine grained delegation
• Use IM task designer to create new tasks
– Copying and modifying existing tasks
– Copy all or parts of tasks
[Figure: a User Mgmt category (Create User, Modify User, View User) with an Employee Info form (Name, Employee ID, Department, Supervisor) and a Contractor Mgmt category (Modify Contractor, View Contractor) with a Contractor Profile form (Name, Dealer ID, Classification), both mapping onto the user object attributes cn, employeeNumber, departmentNumber, manager and employeeType.]

Design Custom Forms with IM
• Rebrand, add links, text, etc
• Add/remove/rename tabs
• Remove the Org search
• Re-label prompts
• Add field hints
Web Service Support
• Business Case:
– IM is web service enabled
o Enables additional customization beyond what is supported through the IM interface
o Support embedding into corporate portal
– Support industry standard - WSDL
• Steps:
1. Identify which tasks will be enabled as web service
2. Customize those tasks as much as possible using IM interface
3. Export WSDL
4. Modify WSDL to complete customization
5. Use tools such as Apache Axis to generate web clients

IdentityMinder APIs
• Logical Attribute API — Enables you to display an attribute differently than how it is stored physically in a user directory.
• Business Logic Task Handler API — Allows you to perform custom business logic during data validation or transformation operations.
• Workflow API — Provides information to a custom script in a workflow process. The script evaluates the information and determines the path of the workflow process accordingly.
• Participant Resolver API — Enables you to specify the list of participants who are authorized to approve a workflow activity.
• Event Listener API — Enables you to create a custom event listener that listens for a specific IdentityMinder event or group of events. When the event occurs, the event listener can perform custom business logic.
• Notification Rule API — Lets you determine the users who should receive an email notification.
• Email Template API — Includes event-specific information in an email notification.
Secure Architecture: Scalability for Fault Tolerant Deployment
[Figure: browser, then web tier (web servers WS-1, WS-2, WS-3 behind a load balancer), then application tier (J2EE cluster), then data tier (user store), with the SiteMinder Policy Server alongside.]

Supported Platforms
• Leverages enterprise architecture
• User store
– LDAP Directories (SunOne, MS AD/ADAM, Novell eDirectory, Oracle OID, IBM SecureWay, Siemens DirX, InJoin Critical Path)
– Relational Databases (Oracle, MS SQL Server)
• Application Servers
– IBM WebSphere
– BEA WebLogic
– JBoss
• OS Support: Windows, Solaris

Integrated Identity and Access Management