Identity Management (HP OpenView presentation, slide transcript)
© 2004 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without notice
Identity Management
Artur Kacała
Teta
Agenda
• HP OpenView functional areas
• Identity management: introduction
− HP OV Select Access
− HP OV Select Identity
− HP OV Select Federation
HP OpenView functional areas
HP OpenView management approach
Three fundamental areas of IT management:
• Optimize: infrastructure optimization, keep IT running continuously
• Automate: IT process automation, adapt to change
• Align: business alignment, show the value of IT
HP OpenView: to succeed in today's IT world, the IT team must address all three complementary directions of change: business alignment, infrastructure optimization and IT process automation, each measured on a maturity scale.
HP OpenView: IT management in the enterprise
HP OpenView: a complete solution
• Business alignment: regulatory compliance, analysis and reporting; business service quality
• Infrastructure optimization: end-to-end application management; consolidated event and performance management; network/server/storage management
• IT process automation: identity management; configuration management; asset management; consolidated Service Desk
HP OpenView portfolio (diagram: point tools, consolidated/integrated, service perspective; axes: IT operations focus, IT process focus, business/external focus)
Products shown: Network Node Manager (with sub-modules), Service Desk (with sub-modules), Service Center (with sub-modules), Configuration Manager (with sub-modules), Performance Manager, Performance Insight, Operations, SOA Manager, Application Smart Plug-Ins, Select Identity, Select Access, Select Federation, Select Audit, OS Smart Plug-Ins, System Insight Manager/Essentials Suite, Service Navigator, Transaction Analyzer, Internet Services, Dashboard Business Process Insight, Compliance Manager, Service Level Manager, Reporter, Glance Plus, Service Desk Process Insight, Asset Center (with sub-modules), Dashboard Operations View, Decision Center, CMDB, Audit & Reporting, Regulatory Compliance
Select Audit
• Standalone audit server
• Audit process modeling
• Attestation
• Tamper-Resistance
• Reports/Alerts
• Segregation of duties
The HP OpenView Identity Management suite
Accounts & policies lifecycle: registration, propagation, maintenance, termination
Select Identity
• User life-cycle management
• Provisioning workflow
• Approvals tracking
• Password management
• Self Service
• Delegated administration
Web & Web Services authorization; single sign-on
Select Access
• Policy-based access control
• Web single sign-on
• Authentication
• Web Services security & access
• Privacy mgmt
• Personalization
Account linking & cross-domain SSO; trusted partnerships
Select Federation
• Open protocol federation with SAML and Liberty
• Cross site single sign-on
• Automated account creation
• Opt-in privacy consent
• User activity auditing
Where OpenView IdM fits in an Adaptive Enterprise (diagram). Labels: Select Identity, Select Access, Select Federation; enterprise directory, IDs/accounts, operating systems (Windows, UNIX, NonStop), databases and directories, HR/finance, PeopleSoft database, SAP database, R&D apps, employees, employee purchase, expenses system, desktop apps, local stores, physical access, non-IT resources, MSSQL, SharePoint collaboration, online eLearning, support bug tools, sales tools/CRM, Citrix MPM, @EmployeePortal, @ConsumerPortal, @PartnerPortal, partner IDs/providers, supplier sites, partners, partner repository, retirement.co.uk
Identity management
Introduction
Why manage identity?
• Security
− At best only about 62% of a user's access is removed upon termination (Meta); orphan accounts compound an organization's risk of a security breach by 23x
− 81% of security breaches come from disgruntled employees (Computer Security, Issues, & Trends)
− Insider security lapses cost $250K per incident (FBI/CSI Computer Crime and Security Survey)
• Audit/Regulatory Compliance
− Only 50% of companies attempt to audit rights on a regular basis
− Up to 60% of access profiles are no longer valid; in high-turnover industries this can be as high as 80% (IDC)
− Regulatory issues raise the stakes on audit
Regulations (incomplete list …)
Regulatory Compliance (Example of Process)
Legal regulations
Why manage identity?
• Efficiency and Productivity
− 15-25% of access and provisioning activities need to be redone due to paper and manual processing errors across the identity lifecycle (Intl Security Forum Report)
− 27% of companies take more than 5 days to grant or remove access rights (Intl Security Forum Report)
• Cost Reductions
− 40-60% of helpdesk workload deals with password mgmt (Meta and Intl Security Forum Report)
− 45% of help desk calls are password related; deploying identity management will reduce help desk call volumes by 33% and give a 32% increase in overall security (Meta)
− A company with 12 applications can save 3.5MM in 3 years and see a 295% ROI (14,000 hours in user mgmt and 6,600 hours at the help desk) (Gartner 2003)
Business benefits
• Regulatory Compliance
• Cost Reduction and Revenue Enhancement
• User Self Sufficiency
• IT Efficiency
• Increased Security
• User Experience and Productivity
(Diagram) Managed resources: Services (Web Services, Client Server); Directories (Meta-Directories, Virtual Directories); Applications (Messaging, Databases, CRM, ERP, Custom); Web (Web Servers, Portal, Java App, Custom); Non Digital (Facilities, Equipment, Entry Control). Users: IT Admin, Employees, Mobile Employees, Partners, Customers, Outsourced Admin.
HP OpenView Identity Management
• HP C&I: business process consulting; technical deployment
• Select Identity: provisioning, synchronization (password reset, workflow, user management)
• Select Access: access control (single sign on, authorization); external user provisioning (self enrollment, self management, delegated admin)
• Select Federation: identity federation (account linking, attribute exchange, session management; Liberty, SAML, WS)
Access Management: authentication, authorization, single sign on, delegation, secure audit, federation
Select Access: unequaled policy admin; N-tier delegation of approvals; Liberty & SAML federation; tamper-resistant event audit; Web Services security
HP OpenView Identity Management
Identity Management: internal/external users, self service, workflow, robust provisioning, modifications/terminations, delegation, password mgmt, secure segmented audit
Select Identity: contextual identity mgmt; N-tier delegation of business process; secure segmented process auditing; 100% Web based; 100% J2EE
Identity Federation: cross-site SSO, privilege management
Select Federation: Liberty Alliance 1.1, Liberty Alliance 1.2, SAML 1.0, SAML 1.1
Example: a new employee
1. New employee entered in the HR system.
2. Select Identity detects the change in the HR system, determines context and triggers workflow(s).
3. The first stage of the workflow may involve getting the manager's approval or having special entitlements added.
4. The next stage of the workflow may be the provisioning of various resource entitlements.
5. Select Access automatically picks up the access entitlements and enforces them.
6. Select Federation provides seamless access to the enterprise's outsourced services (e.g. Travel, 401K).
Select Identity
Roles and users
(Diagram) Resources, Groups, Identities, Roles
Common role-based approach:
– Create roles
– Link resources and entitlements to roles
– Link identities (users) into groups
– Link groups into roles
– The solution may offer hierarchical roles allowing for inherited entitlements
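The new-employee workflow and the role model above, carried through as an added example (not Select Identity code): roles inherit entitlements from a parent role, users obtain roles through groups, and an HR feed drives account creation after manager approval, termination, and an orphan-account check (the "access not removed on termination" problem from the introduction). Role names, resources, HR records and the approval set are constructed.

```python
"""Added example (not Select Identity code): HR-driven provisioning with a
hierarchical role model. Roles carry entitlements and inherit from a parent
role; users get roles through groups; an HR feed drives account creation
(after manager approval), termination, and an orphan-account check.
Role names, resources, HR records and the approval set are constructed."""

# Constructed role hierarchy: each role lists its parent and its own
# (resource, entitlement) pairs; effective entitlements are inherited.
ROLES = {
    "Employee": {"parent": None, "entitlements": {("Email", "mailbox"), ("Intranet", "read")}},
    "Engineer": {"parent": "Employee", "entitlements": {("R&D Apps", "developer")}},
    "Finance":  {"parent": "Employee", "entitlements": {("SAP", "FI_USER")}},
}
GROUPS = {"eng": ["Engineer"], "fin": ["Finance"]}          # group -> roles
DEPT_GROUP = {"Engineering": "eng", "Finance": "fin"}       # HR department -> group


def effective_entitlements(role):
    """Walk the role's parent chain and union the entitlements (hierarchical roles)."""
    seen, out = set(), set()
    while role is not None and role not in seen:
        seen.add(role)
        out |= ROLES[role]["entitlements"]
        role = ROLES[role]["parent"]
    return out


def entitlements_for_groups(groups):
    """Entitlements a user receives through group membership."""
    out = set()
    for g in groups:
        for role in GROUPS[g]:
            out |= effective_entitlements(role)
    return out


def reconcile(hr_feed, accounts, approvals):
    """Compare the HR feed (system of record) with existing accounts.

    hr_feed:   {uid: {"dept": str, "status": "active"|"terminated"}}
    accounts:  {uid: {"enabled": bool}}
    approvals: set of uids whose manager approval (workflow stage 1) is done
    Returns a sorted list of (action, uid, entitlements). Provisioning
    (stage 2) happens only after approval; terminated users with a live
    account are disabled; accounts with no HR record are flagged as orphans.
    """
    actions = []
    for uid, rec in hr_feed.items():
        if rec["status"] == "terminated":
            if uid in accounts and accounts[uid]["enabled"]:
                actions.append(("terminate", uid, ()))
        elif uid not in accounts:
            if uid in approvals:
                ents = entitlements_for_groups([DEPT_GROUP[rec["dept"]]])
                actions.append(("provision", uid, tuple(sorted(ents))))
            else:
                actions.append(("await_approval", uid, ()))
    for uid in accounts:
        if uid not in hr_feed:
            actions.append(("orphan", uid, ()))
    return sorted(actions)


# Constructed sample data: one active user, one leaver, one new hire, and a
# stale service account that HR knows nothing about.
HR_FEED = {
    "alice": {"dept": "Finance", "status": "active"},
    "bob":   {"dept": "Engineering", "status": "terminated"},
    "carol": {"dept": "Engineering", "status": "active"},
}
ACCOUNTS = {"alice": {"enabled": True}, "bob": {"enabled": True}, "svc_old": {"enabled": True}}

if __name__ == "__main__":
    for action in reconcile(HR_FEED, ACCOUNTS, approvals={"carol"}):
        print(action)
```

Running the block prints three actions: provision carol with the Engineer entitlements plus the inherited Employee ones, terminate bob, and flag svc_old as an orphan; with an empty approval set carol is held at await_approval instead.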
Each system configured separately
(Diagram) Order and Fulfillment Process: Order Mgmt, Fulfillment, Inventory, Logistics, Acct Rec, Gen Ledger; Order Entry, Warehouse, Shipping, Accounting
• Resource-centric organization introduces inefficiencies
• Roles are tightly coupled to resources
• Auditing is difficult
HP OpenView Select Identity
Select Identity's Contextual Identity Management (CIM) is a new paradigm for identity management that eliminates the complexity associated with managing IdM business processes.
(Diagram) Order and Fulfillment Process: Order Mgmt, Fulfillment, Inventory, Logistics, Acct Rec, Gen Ledger; Order Entry, Warehouse, Shipping, Accounting; one Order & Fulfillment IdM Service
At the O&F process level, integrate:
• Provisioning
• Approval workflow
• Delegation
• Notifications
• Forms
• Policies
Business Relationships
HP OpenView Select Identity
(Diagram) Resources; Composite Service; Service A, Service B; Groups; Business Relationship
• Select Identity Services are reusable objects that can be built quickly and combined into composite services
• Each service can be owned and managed independently
• Each service owner can define what other service owners are allowed to use in their composite services
• Services can thus be hierarchical as well
HP OpenView Select Identity
Identities are also handled differently:
− Each Service can be offered to a unique hierarchy
− Remember that Services incorporate all the options for workflows, forms, policies and notifications
− Delegation is implicit throughout the hierarchy using Business Relationships
(Diagram) Resources; Service; hierarchy: Corporate; Europe, Asia, USA, Americas; USA East, USA Central, USA West, Canada, Latin America
HP OpenView Select Identity
(Diagram) Resources: Enterprise App A, Inventory, Enterprise App B, Billing, Documentation, Purchasing; labels: IT Manager, Agency Manager, HR Manager, Accounting; business relationships (BR) for Communications Officer, Compliance Manager, Project Manager
IdM Service: defines the superset of ALL identity functions necessary to manage identity for a business process
Business Relationship: extends a subset of the Service along business lines
Identity Service Object: identity relationships are inherited, rather than hard coded
• NO RULE CODING
All identity management maintenance is done in one place
• Huge reduction in management overhead
At each delegation level there is a subset of services, but complete management of identities: full empowerment
Comparison
Total Cost of Ownership comparison: Select Identity vs. RBAC solutions (relative man-hour effort/cost per activity, Select Identity = 1x; values listed in the chart's order)
Activity                                       RBAC approach   Select Identity
Change Mgmt Events                             3.5x            1x
Delegated Administration                       3.5x            1x
Delegated Reporting                            3x              1x
Resources/Entitlements                         5x              1x
Workflow (Registration/Provisioning/Approval)  4x              1x
• Centralized management of the identity lifecycle
• Registration: self, delegated and HR driven
• Robust, tightly integrated, multi-stage, multi-step workflow
• User self-service: profile, password management and synchronization
• Robust provisioning of accounts, resources and entitlements
• Account terminations and modifications
• Segmented auditing and reporting
• N-tier delegated authority
• 100% Web based to meet the demands of security and contingency
• 100% J2EE for maximum scalability, reliability and performance; JCA agentless connectors
HP OpenView Select Identity
Agenda: architecture
Select Identity overview: solution architecture
Select Identity overview: example, change of e-mail address
Select Identity overview: example, password change
A case study: Depository Trust and Clearing Corporation
"HP OpenView's Contextual Identity Management approach went beyond the traditional roles and rules to provide a unique and flexible way to address DTCC's complex extended-enterprise requirements."
Stephen Cooper
Senior Manager, Accenture
Depository Trust & Clearing Corporation: DTCC is the world's largest post-trade financial services infrastructure
− Within the customer's clearance business:
• 9.59 million - average daily number of transactions
• $244 billion - average daily value of transactions
• 30+ customer-facing services
• Each service has 3+ resources
• 5,000+ customer organizations, each with up to 1,000 users
• Resources administered by 8 business units using 20 different admin tools
• Multiple tiers of business relationships (up to 5 deep)
DTCC results
Area                   Measure                                 Before Select Identity       After Select Identity
Customer Satisfaction  User set-up                             7 – 10 days                  Real-time to 24 hrs
Customer Satisfaction  Password reset                          2 days                       Immediate & self service
Customer Satisfaction  Account termination                     7 – 10 days                  Real-time to 1 click
Operation Issues       Scalability                             Limited user mgmt capacity   Capacity meets or exceeds requirements
Operation Issues       Audit timeframes                        2+ weeks                     Real-time
Business Efficiency    Introduction of new business services   Frequent delays              Reduced time to market
Select Access: no consistent solution
(Diagram) Web sites and applications protected by server-based access control lists:
• Corporate web sites & applications: pension plan, HR, asset management, sales forecast, competitive analysis
• Intranet: ask the expert, knowledge base
• Customer service: order accessories, product updates, schedule service
• eCommerce: virtual storefront, product catalogs, auctions, configurators, pricing
• Supply chain: negotiation, reverse auction, decision optimization, catalog management, contract management
• Inventory, pricing, sales forecasting, pipeline reporting, quoting, channel management
Partners, suppliers, customers, employees and end users sign on to each resource with a PIN/password; business managers send user account add/delete/modify requests to IT, which administers the access control lists.
Select Access: a consistent approach to identity management
(Diagram) The same application groups: corporate web sites & applications (401K, HR, asset management, sales forecast, competitive analysis), intranet (ask the expert, knowledge base), customer service (order accessories, product updates, schedule service), eCommerce apps (virtual storefront, product catalogs, auctions, configurators, pricing), supply chain apps (negotiation, reverse auction, decision optimization, catalog mgmt, contract mgmt, channel management), inventory, pricing, sales forecasting, pipeline reporting, quoting; users: partners, suppliers, customers, employees; business managers
Web servers and application servers: the Web-enabled business.
Select Access governs and manages access, roles, privilege and access policy.
HP OpenView Select Access
Example #1: data access
Table T1 with PII data; enterprise privacy policies/guidelines:
    If role == "empl." and intent == "Marketing" then Allow Access (T1.Condition, T1.Diagnosis)
    Else if intent == "Research" then Allow Access (T1.Diagnosis)
    Else Deny Access
Table T1:
    uid  Name   Condition            Diagnosis
    1    Alice  Alcoholic            Cirrhosis
    2    Rob    Drug Addicted        HIV
    3    Julie  Contagious Illness   Hepatitis
Access to table T1 (SELECT * FROM T1) with Intent = "Marketing" goes through privacy policy enforcement, which filters the data:
    uid  Name  Condition            Diagnosis
    1    -     Alcoholism           Cirrhosis
    2    -     Drug Addicted        HIV
    3    -     Contagious Illness   Hepatitis
Example #2: data access
Table T1 with PII data and customers' consent; enterprise privacy policies & customers' consent:
    If role == "empl." and intent == "Marketing" then Allow Access (T1.Condition, T1.Diagnosis) & Enforce (Consent)
    Else if intent == "Research" then Allow Access (T1.Diagnosis) & Enforce (Consent)
    Else Deny Access
Table T1:
    uid  Name   Condition            Diagnosis
    1    Alice  Alcoholic            Cirrhosis
    2    Rob    Drug Addicted        HIV
    3    Julie  Contagious Illness   Hepatitis
Consent (per uid, for Marketing and Research): three consent marks on the slide; the Marketing column follows from the filtered result below (Alice and Julie consented to Marketing, Rob did not).
Access to table T1 (SELECT * FROM T1) with Intent = "Marketing" goes through privacy policy enforcement, which filters the columns and blanks the record without consent:
    uid  Name  Condition            Diagnosis
    1    -     Alcoholism           Cirrhosis
    2    -     -                    -
    3    -     Contagious Illness   Hepatitis
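Examples #1 and #2 as runnable code, added here and not part of the original slides: the same role/intent policy applied as a column filter, with an optional per-record consent register that blanks any record whose subject did not consent to the stated purpose. Table T1 is the slide's; the consent values are constructed to reproduce the slide's filtered result (Rob without Marketing consent), and the Research consents are an assumption.

```python
"""Added example (not HP code): column-level filtering of a PII table driven
by the requester's role and declared intent, plus per-record consent.
Table contents match the slide; consent values are constructed."""

# Constructed sample table T1 (uid, Name, Condition, Diagnosis), as on the slide.
T1 = [
    {"uid": 1, "Name": "Alice", "Condition": "Alcoholism", "Diagnosis": "Cirrhosis"},
    {"uid": 2, "Name": "Rob", "Condition": "Drug Addicted", "Diagnosis": "HIV"},
    {"uid": 3, "Name": "Julie", "Condition": "Contagious Illness", "Diagnosis": "Hepatitis"},
]

# Constructed consent register: purposes each data subject agreed to.
# Rob (uid 2) has not consented to Marketing, matching the slide's result;
# the Research entries are assumptions.
CONSENT = {
    1: {"Marketing", "Research"},
    2: {"Research"},
    3: {"Marketing"},
}

MASK = "-"


def permitted_columns(role, intent):
    """Policy from the slide: employees with Marketing intent may see
    Condition and Diagnosis; Research intent may see Diagnosis only;
    anything else is denied (None)."""
    if role == "empl." and intent == "Marketing":
        return ["Condition", "Diagnosis"]
    if intent == "Research":
        return ["Diagnosis"]
    return None


def enforce(table, role, intent, consent=None):
    """Return the rows the requester is allowed to see.

    Columns outside the policy are masked with '-'. When a consent register
    is given (Example #2), a record whose subject has not consented to the
    stated intent is returned fully masked; without one (Example #1) only
    the policy's column filter applies. A denied request raises.
    """
    cols = permitted_columns(role, intent)
    if cols is None:
        raise PermissionError(f"access denied for role={role!r} intent={intent!r}")
    out = []
    for row in table:
        allowed = consent is None or intent in consent.get(row["uid"], set())
        filtered = {"uid": row["uid"]}
        for col in ("Name", "Condition", "Diagnosis"):
            filtered[col] = row[col] if (allowed and col in cols) else MASK
        out.append(filtered)
    return out


if __name__ == "__main__":
    print("Example #1, Marketing:", enforce(T1, "empl.", "Marketing"))
    print("Example #2, Marketing with consent:", enforce(T1, "empl.", "Marketing", CONSENT))
```

The deny branch raises rather than returning an empty result so a caller cannot mistake "no rows" for "not permitted"; a real enforcer would also log the denial to the audit server.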
Solution architecture: individual components
Components: Validator, SAML Server, Secure Audit Server, Enforcer Plug-In, Admin Server, Directory Server; protected resources: Web Server, Web Services, Portal, Java App Server, Application
Solution architecture: Policy Enforcer
• Rich access control down to the URL, object or transaction level
− With role-based authorization
• Integrated with web-based resources
− Web servers
− Java EJB/J2EE application servers
− Portal servers
− Web-based & custom applications
• Enforcer Plug-In: implemented as plug-ins to the servers
− The Policy Enforcement Point (PEP)
Users make access or transaction requests, which are intercepted by the Enforcer plug-in
Solution architecture: Validator
The Enforcer plug-in queries the Validator via XML for access decisions
• Policy servers evaluate all access decisions
− The Policy Decision Point (PDP)
Solution architecture: LDAP
• Policy data is stored in an LDAP v3 compliant directory
− The Policy Repository
The Validator retrieves the relevant policy data from the Directory Server via LDAP and evaluates the access logic based on the information passed from the Enforcer
Solution architecture: LDAP integration
Supported directory servers: Microsoft Active Directory, Sun ONE/iPlanet/Netscape, Critical Path, Novell eDirectory, Oracle OID, Siemens DirX, CA eTrust, Syntegra
• User, group and policy information stored in LDAP v3 directory servers
− No need to re-populate/relocate LDAP users or groups
− Existing Directory Information Tree (DIT) remains intact
• Maximizes the benefit of LDAP directories
− High performance & availability
− Enhanced scalability
− Centralized view of data for many applications
Solution architecture: Audit Server
The Validator returns authorization decisions to the Enforcer, which implements the decisions:
− Allow
− Deny
− Allow and personalize
− Request authentication
− Redirect
− Logout
All authorization actions are audited centrally to the Secure Audit Server and digitally signed
Solution architecture: Admin Server
Administrators, partners, managers and delegated administrators access the Admin Server with a browser, which downloads an applet and launches the Policy Builder
Administrators can delegate user, group and/or policy management to managers both inside and outside the organization
All policy and user administration actions are audited to the Secure Audit Server, for both full and delegated administrators
Solution architecture: Audit Server
• All Select Access components audit events to a centralized audit system
• Outputs to multiple data stores: Oracle, Microsoft SQL, Windows Event Log, UNIX syslog and/or file
• Includes user and policy administration changes
− What was changed
− Who made the changes and when
− What the old data was
− What the new data is
• Digital signing of audit entries provides proof of administrative changes and a secure audit trail
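What a signed, tamper-evident administrative audit trail looks like in practice, as an added example that is not Select Access code: each entry carries who, what, when, old value and new value, is chained to the previous entry and signed. The signature here is an HMAC under a server-held key standing in for the product's digital signature; the key, entries and scenario are constructed.

```python
"""Added example (not Select Access code): a tamper-evident audit trail for
administrative changes. Each entry records who changed what, when, the old
and the new value, and is chained to the previous entry and signed. The
signature is an HMAC with a server-held key standing in for the product's
digital signature; key, entries and the scenario are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timezone


class SignedAuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _sign(self, body: dict, prev_sig: str) -> str:
        # Canonical JSON of the entry plus the previous signature: altering,
        # reordering or deleting an earlier entry invalidates every later one.
        payload = json.dumps(body, sort_keys=True).encode() + prev_sig.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record(self, who: str, what: str, old, new, when: datetime = None) -> str:
        """Append one administrative change and return its signature."""
        body = {
            "seq": len(self.entries),
            "who": who,
            "what": what,
            "old": old,
            "new": new,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
        }
        prev = self.entries[-1]["sig"] if self.entries else ""
        sig = self._sign(body, prev)
        self.entries.append({**body, "sig": sig})
        return sig

    def verify(self):
        """Return the index of the first entry that fails verification, or None."""
        prev = ""
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "sig"}
            expected = self._sign(body, prev)
            if body.get("seq") != i or not hmac.compare_digest(expected, entry["sig"]):
                return i
            prev = entry["sig"]
        return None


def demo():
    """Constructed scenario: three admin changes, then a tampered 'new' value.
    Returns (result before tampering, result after tampering)."""
    log = SignedAuditLog(key=b"constructed-demo-key")
    log.record("admin1", "policy:/intranet/hr", "Deny", "Allow(group=HR)")
    log.record("mgr-eu", "user:jsmith:groups", ["staff"], ["staff", "finance"])
    log.record("admin1", "user:jsmith:status", "active", "disabled")
    clean = log.verify()
    log.entries[1]["new"] = ["staff"]          # someone edits the log to hide the group grant
    tampered = log.verify()
    return clean, tampered


if __name__ == "__main__":
    print(demo())   # (None, 1): intact, then entry 1 flagged
```

Because the verification key lives on the audit server and not on the admin server, a delegated administrator who can change policy cannot also rewrite the record of having done so; with an asymmetric signature the verifier would not even need the signing key.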
Solution architecture: scalability and high availability
• Select Access is designed around a three-tier architecture
− Enforcers – Validators – Directory Servers
• All components can be replicated for scalability
− Load-sharing and failover is handled seamlessly and automatically over replicated components
• Advanced (aggressive) caching minimizes traffic and processing requirements; the cache pre-loads itself for resource access
Solution architecture: SAML Server
• SSO and authorization across business boundaries
− Regardless of authorization product (Select Access, other)
• The user is authenticated at one web site, then proceeds to a partner's site
− Authentication, authorization and personalization data are passed to the partner using SAML
System architecture (diagram): Validator, SAML Server, Secure Audit Server, Enforcer Plug-In, Admin Server, Directory Server; protected resources: Web Server, Portal, Java App Server, Application, Web Services
Authentication
• Supports all leading authentication mechanisms
− Allows multiple different types of authentication across all applications
− Allows extension of authentication mechanisms to other applications
− Improved ROI of existing authentication systems
• The adaptive policy can require different levels of authentication using different techniques for different levels of access to resources, independent of the application
− E.g. require a PKI certificate for transactions over $10,000
Supported methods: password; X.509 certificates (CDPs, CRLs & OCSP); user self-registration; RSA SecurID; RADIUS; challenge/response tokens; smart cards; Security Assertion Markup Language (SAML); Integrated Windows; NTLM and Kerberos; custom methods (through APIs), e.g. biometrics
Example #2: data access (enforcement flow)
A request to access table T1 (SELECT * FROM T1) with Intent = "Marketing" reaches the SA Data Enforcer, which asks the SA Validator about <T1, Marketing>; the Validator answers "Allow Access T1:<B,C> & consent", and the Enforcer filters the actually retrieved data accordingly. Policy, table T1 and the customers' consent are the same as in Example #2 above, and the filtered result is:
    uid  Name  Condition            Diagnosis
    1    -     Alcoholism           Cirrhosis
    2    -     -                    -
    3    -     Contagious Illness   Hepatitis
Example system architecture #1 (diagram): intranet applications and Web infrastructure behind corporate firewalls; Select Access components (*): Validator, SAML Server, Secure Audit Server, Enforcer Plug-In, Admin Server, browser-based Policy Builder GUI; corporate directory server; central policy admin; central audit; partner with supply chain (direct B2B partner; delegated administration down the supply chain; policy-controlled access to information); federated partnership (SAML-enabled partner site)
Example system architecture #2
Example system architecture #3
Single Sign On
• Reliable single sign-on across a heterogeneous mix of applications, servers and Internet domains
− HTTP is a stateless protocol; transient cookies are used to maintain state between HTTP requests
− The cookies are not persistent: they are not stored on the client disk and are only active during a browser session
− Configurable idle session timeout (default 10 min)
• Seamless SSO even across multiple domains
− Transparent to the user
− No changes to Web server configurations or content
Delegation of permissions
• Customizable self-registration allows users to enrol themselves
− Increases speed and reduces deployment effort
• Select Access allows users to manage their own attributes
• Administrators can define which attributes the user can manage
− Password, mail address, personal preferences, etc.
Automatic resource discovery
• Automatically populates the directory with network services and resource information
− Detects all running network services (HTTP, FTP, etc.)
− The HTTP discovery plug-in populates resources by following links and directories
− Resource data is discovered, enumerated and hierarchically added to the directory
− Less opportunity for administrative errors
• Discovery plug-ins can be added for new services
• Resource data can be imported from a text file
Administrator interface
Policy building blocks
• Source IP Address
• Time-of-Day
• Encryption Level
• Attribute Values
• Authentication − Personalization
• Port Limitation
• XML Attribute Values
• Included API to Extend – Adapt to your own IT needs
• Alerts
• SubRule
• Allow with additional Information *
• Log off *
• URL Redirect *
• Self Profile Management *
• Allow *
• Deny *
* Termination Points
Example policy
Authenticate by certificate; no certificate? Use password
Check the level of encryption
Check the user's LDAP profile
Employee? Call the employee access sub-rule, else deny access
Limit ports and source addresses
Allow access, else log off the user
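The Enforcer/Validator split described in the architecture slides and the example policy above, worked through as an added example (not Select Access code): a small policy decision point walks the decision tree over the request's attributes and returns one of the termination points, and a policy enforcement point turns that into an HTTP response. The request fields, the user table standing in for the LDAP profile, the encryption threshold, the allowed ports and networks and the working hours are constructed assumptions.

```python
"""Added example (not Select Access code): a toy policy decision point (PDP)
evaluating the slide's example policy, and a policy enforcement point (PEP)
that turns the decision into an HTTP response. Request fields, the user
profiles standing in for the LDAP profile, the thresholds and the networks
are constructed assumptions."""
import ipaddress
from datetime import time

# Termination points (from the policy building blocks on the slide).
ALLOW, DENY, REDIRECT, LOGOFF = "Allow", "Deny", "URL Redirect", "Log off"

# Constructed policy parameters.
MIN_ENCRYPTION_BITS = 128
ALLOWED_PORTS = {443}
ALLOWED_SOURCES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24")]
WORK_HOURS = (time(7, 0), time(19, 0))

# Constructed stand-in for the users' LDAP profiles.
USERS = {
    "alice": {"password": "correct horse", "type": "employee"},
    "bob@partner": {"password": "hunter2", "type": "partner"},
}


def authenticate(req, users):
    """Authenticate by certificate; no certificate -> fall back to password."""
    subject = req.get("cert_subject")
    if subject in users:
        return subject
    user = req.get("user")
    if user in users and req.get("password") == users[user]["password"]:
        return user
    return None


def employee_subrule(req):
    """Employee access sub-rule: limit ports, source addresses and time of day."""
    if req["port"] not in ALLOWED_PORTS:
        return False
    src = ipaddress.ip_address(req["source_ip"])
    if not any(src in net for net in ALLOWED_SOURCES):
        return False
    return WORK_HOURS[0] <= req["time_of_day"] <= WORK_HOURS[1]


def decide(req, users=USERS):
    """PDP: walk the slide's decision tree and return a termination point."""
    principal = authenticate(req, users)
    if principal is None:
        return REDIRECT                      # send the user to the login form
    if req["encryption_bits"] < MIN_ENCRYPTION_BITS:
        return DENY                          # encryption level too weak
    profile = users[principal]               # "check the user's LDAP profile"
    if profile["type"] != "employee":
        return DENY                          # not an employee -> deny
    if not employee_subrule(req):
        return LOGOFF                        # sub-rule failed -> log the user off
    return ALLOW


def enforce(req, users=USERS):
    """PEP: apply the PDP's decision as an HTTP status plus an action."""
    decision = decide(req, users)
    responses = {
        ALLOW: (200, "serve resource"),
        DENY: (403, "forbidden"),
        REDIRECT: (302, "redirect to login form"),
        LOGOFF: (401, "clear session cookie"),
    }
    status, action = responses[decision]
    return {"decision": decision, "status": status, "action": action}


def make_request(hour=10, **overrides):
    """Constructed baseline request; override fields to exercise each branch."""
    base = {"cert_subject": "alice", "user": None, "password": None,
            "encryption_bits": 256, "port": 443, "source_ip": "10.1.2.3",
            "time_of_day": time(hour, 0)}
    base.update(overrides)
    return base


if __name__ == "__main__":
    print(enforce(make_request()))                      # Allow, 200
    print(enforce(make_request(encryption_bits=40)))    # Deny, 403
    print(enforce(make_request(hour=23)))               # Log off, 401
```

The order of the checks matters: authentication comes first so that the encryption and profile checks apply to a known principal, and the deny for weak encryption precedes any data-bearing response, which is the "different levels of authentication for different levels of access" idea from the authentication slide.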
Extensibility
• XML provides a common data exchange format, encapsulating both metadata and data
− Different applications and databases exchange information without having to know each other's format
• XML and open APIs
− The overall framework is fully extensible
− Developer API suite in C/C++ and Java
− Policy API for customizing users' view of resources
− Plug-ins for new services/applications, decision criteria, authentication types, discovery & GUI extensions
− Current features implemented using the product's own APIs and plug-in ability
Available APIs
(Diagram) Directory Server; Admin Server; Secure Audit Server; audit logs (file, JDBC, syslog, event log, email); Validator (with cache); Enforcer Plug-In; Web Server, Portal, Java App Server, Application; SAML Server
List of available APIs:
Policy Validator Plugin API
Enforcer Plugin API
C++ XML Manipulation API
User Data Management API
The Logging API
Exception Handling API
String Manipulation API
The Java Enforcer API
The Policy Builder API
The Java XML Manipulation API
The COM API
Resource Discovery API (crude but it exists)
User Properties API (new in 6.0)
Customizing Audit Reports (loose API)
Forms based User Admin API (new in 6.0)
Solution differentiators
• Unlike other identity management products, Select Access is an adaptive and accountable solution
− Fastest time to deployment
− Easiest to manage
− Built on standards supporting the most heterogeneous environments, diverse users, and Web services models
− One-of-a-kind secured audit and visual change management
Product evaluation from 2002
Product evaluation from 2004
Select Federation
Federation and Identity-enabled Web Services: HP OpenView Select Federation
Select Federation: supported protocols
Select Federation: key features
Select Federation: ease of administration
DEMO
Thank you for your attention