Novell Nsure Identity Manager 2:
Overview & Futures
Bob Bentley
Product Line Manager
Identity Management
bbentley@novell.com
Deven Macdonald
Product Manager
Identity Management
dmacdonald@novell.com
Agenda
Overview and Future of Novell’s Nsure Identity Manager
Introduction
How does it work?
Highlights of Nsure Identity Manager 2
Roadmap
Question and Answer
© March 24, 2016 Novell Inc.
Overview
Business goal = the agile enterprise
(Diagram: "Your business" at the centre, connected to Employees, Partners, B2B, Marketing, Sales, Customers, Finance and Customer service.)
What's driving the agile enterprise? The common thread: Identity
"Audits are focusing on identity issues because corporate governance, regulatory compliance, and security rely on identity, and the lack of solid identity management infrastructure creates business risk."
―Jamie Lewis, The Burton Group, July 2003
Business Drivers of Identity Management
Business Facilitation
• Reach global customers
• Tighter supplier relationships
• More productive partnerships
Security
• Consistent security policy
• Immediate system-wide access updates
• Consistent identity data
Cost Reduction & Productivity
• Eliminate redundant administration tasks
• Reduce helpdesk burden
• Fast employee ramp-up
Service Level
• Focused, personalized content
• Comprehensive profile view
• Self-service
Regulatory Compliance
• Role-based access
• Protect personal information
• Enable individuals to update profiles
• Real-time visibility and disclosure
Achieving the Agile Enterprise
The critical first step: Gain Control of Identity
"The ability to use and manage digital identity—while balancing legal, regulatory, privacy, and security concerns—is a prerequisite for securing and managing the virtual enterprise."
―Jamie Lewis, The Burton Group, July 2003
What is Identity Management?
Identity = How user information is represented in all the IT systems throughout the organization…
• Directories
• Human Resource Systems
• Applications
• Databases
• PBX/Telephone Systems
• Physical Access Systems
• Etc.
Identity Management = Setting and acting on policies for identity information, regarding security, organization, granting of access, etc.
Why do we care about Identity Management?
• Reduce administration and help desk costs
• Improve security
• Enhance end-users' productivity and satisfaction
• Ensure business policies are followed
• Provide confidence to be able to do business
Novell Identity Management Leadership
"The metadirectory service Magic Quadrant shows the metadirectory market is maturing quickly, with Novell leading the pack toward the future."
―Gartner Research Note, August 2002
"We continue to view [Novell] DirXML as market leading technology"
―Gartner Research Note, September 2003
Burton Group: Novell has strongest position
"Novell is best positioned to leverage the obvious and important relationship between directory services and provisioning, and is doing so with new products."
"Novell is currently in the strongest position."
"Novell Nsure Identity Manager offers a logical migration path for existing eDirectory and DirXML customers, and its features and capabilities will also benefit non-Novell customers."
―Gerry Gebel, Burton Group, quotes from 2002 & 2003
Quotes from Recent Press Tour
"Nsure Identity Manager 2 improves the tools used by network administrators for managing and synchronizing passwords across different network directories. The update introduces a visual tool to establish company password policies for assigning access rights to applications... Novell is integrating its identity management and Web services software in a way that it says will ease customers' ability to secure corporate networks."
―CNET, Martin LaMonica, January 2004
"Novell, along with Microsoft and IBM, is leading a trend toward merging meta-directory and provisioning software. With Identity Manager 2, Novell is adding a more user-friendly interface, easier mechanisms for setting user access rules, and better password management and auditing capabilities."
―Network World, John Fontana, January 2004
"Nsure Identity Manager 2 allows IT administrators to deploy an integrated identity management solution, rather than rely on a slew of stand-alone programs for such chores as ID provisioning, single sign-on, and password management."
―TechWeb, Greg Keizer, January 2004
How does it work?
Islands of Isolated Data
(Diagram: HR, ERP, Operating System, Database, Mail, Directory and PBX each hold their own copy of user data, with no connection between them.)
Sharing data through an identity vault
(Diagram: the same systems, HR, ERP, Operating System, Database, Mail, Directory and PBX, each connected to Identity Manager, which shares the data between them.)
Managing the User Lifecycle
(Diagram of the user lifecycle:)
• Provisioning: relationship begins
• Routine User Administration: promotion, move locations, new project
• Password Management: forgot password, password expires
• De-Provisioning: relationship ends
Role-based User Provisioning
Scenario: New employee, customer, partner, supplier
1) A new user record is created in the HR system (or another authoritative source)
2) Identity Manager captures the new user event
3) Identity Manager then creates an account in each connected system and synchronizes the appropriate information based on established business rules
(Diagram: the HR System record for Waldo Wilkes, entered by the HR Manager, flows through Nsure Identity Manager to the connected systems Database, Accounting, Microsoft Exchange, CRM and Physical Resources, with the sample identifiers wwilkes, Waldo, Waldo_Wilkes, wwildes@company.com and 801-555-4567.)
De-provisioning
Scenario: Relationship ends with employee or customer
1) The user record is deleted or disabled in the HR system (or other authoritative source)
2) Identity Manager captures the terminated user event
3) Identity Manager then revokes access to each connected system
(Diagram: the HR System record for employee Waldo Wilkes is marked X; Nsure Identity Manager then marks X the accounts in Database, Accounting, Microsoft Exchange, CRM and Physical Resources.)
Routine User Administration
Scenario: Employee changes throughout user lifecycle
Examples of Administration Tasks Performed
1. Remove access to systems based on policy needs
2. Provision Access to New Systems
3. Passwords Set on New Systems
(Diagram: the Employee record flows through Nsure Identity Manager to Internal App, CRM, Microsoft Exchange, Database, Physical Resources and Accounting; X marks the systems where access is removed.)
Nsure Identity Manager Product Architecture
(Diagram: Identity Vault ↔ Engine ↔ Driver ↔ Application. Events flow from the Identity Vault to the Application over the Subscriber Channel and from the Application to the Identity Vault over the Publisher Channel; Policies are applied on each channel. The Engine and Driver together make up Identity Manager.)
Identity Vault
• Leverages eDirectory
• Hosts the meta data
• Where policy definitions are stored for a particular driver
• Maintains relationships between users and their respective applications
• Where password policies are defined
• Where events are generated and propagated to subscribing applications
Identity Manager Engine
• Interface to the identity vault
• Supports the loading of multiple driver shims
• Guaranteed delivery of events within the identity vault
• Event loop-back detection
• Join engine
• Handles data transformations
• Processes based on filtering
• Policy and XSLT processor
Identity Manager Driver Shim
XML Interface
• Issues and receives XML documents
• Document Object Model
Application's native interface
• Does not require application to change
• Can be accessed by the engine either locally or remotely
Associations
(Diagram: one user represented in the Identity Manager vault and in two connected applications, HR and Address; each application object is linked to the vault object by an association.)
Identity Manager vault object: CN Bobby; Department Sales; EmpId 003456; E-mail bdoe@ab.com; Date of birth 2/15/1965
HR application object (association: EmpId 003456): EmpId 003456; Dept Sales; DOB 15.2.1965; E-mail bdoe@ab.com
Address application object (association: E-mail bdoe@ab.com): E-mail bdoe@ab.com; Dept Sales; Birthdate 2/15/65
Authoritative Relationships
(Diagram: the same user. The HR application is authoritative for Dept and sends it to the vault on the Publisher channel only; the Address application receives Dept on the Subscriber channel only. When HR changes Dept from Sales to Marketing, the vault's Department and then the Address application's Dept change from Sales to Marketing.)
Identity Manager vault object: CN Bobby; Department Sales → Marketing; EmpId 003456; E-mail bdoe@ab.com; Date of birth 2/15/1965
HR application object (association: EmpId 003456): EmpId 003456; Dept Sales → Marketing (Publisher only); DOB 15.2.1965; E-mail bdoe@ab.com
Address application object (association: E-mail bdoe@ab.com): E-mail bdoe@ab.com; Dept Sales → Marketing (Subscriber only); Birthdate 2/15/65
Data transformation
(Diagram: the same user. Each system stores the date of birth in its own format and Identity Manager transforms the value as it flows: HR DOB 15.2.1965, vault Date of birth 2/15/1965, Address Birthdate 2-15-65.)
Identity Manager vault object: CN Bobby; Department Sales; EmpId 003456; E-mail bdoe@ab.com; Date of birth 2/15/1965
HR application object (association: EmpId 003456): EmpId 003456; Dept Sales; DOB 15.2.1965; E-mail bdoe@ab.com
Address application object (association: E-mail bdoe@ab.com): E-mail bdoe@ab.com; Dept Sales; Birthdate 2-15-65
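The three slides above (associations, authoritative relationships, data transformation) as one added Python model; this is illustration code, not Novell's. The user, the association keys, the publisher-only/subscriber-only flow of Dept and the three date formats come from the slides; the flow of the remaining attributes, the schema mapping and the Vault class are constructed assumptions.

```python
from datetime import datetime
# Attribute flow per connected application: "pub" = the application is authoritative
# and writes the attribute into the vault (Publisher channel); "sub" = it only receives it.
FLOW = {
    "HR":      {"EmpId": "pub", "Dept": "pub", "DOB": "pub", "E-mail": "sub"},
    "Address": {"Dept": "sub", "Birthdate": "sub", "E-mail": "sub"},
}
# Schema mapping: application attribute name -> vault attribute name.
SCHEMA_MAP = {
    "HR":      {"EmpId": "EmpId", "Dept": "Department", "DOB": "Date of birth", "E-mail": "E-mail"},
    "Address": {"Dept": "Department", "Birthdate": "Date of birth", "E-mail": "E-mail"},
}
# Each store keeps the date of birth in its own format (from the slide). Only HR and
# the vault ever publish a date, so only those two formats need a parser.
PARSE = {
    "vault": lambda s: datetime.strptime(s, "%m/%d/%Y").date(),   # 2/15/1965
    "HR":    lambda s: datetime.strptime(s, "%d.%m.%Y").date(),   # 15.2.1965
}
RENDER = {
    "vault":   lambda d: f"{d.month}/{d.day}/{d.year}",
    "HR":      lambda d: f"{d.day}.{d.month}.{d.year}",
    "Address": lambda d: f"{d.month}-{d.day}-{d.year % 100:02d}",   # 2-15-65
}

class Vault:
    def __init__(self, users):
        self.users = users   # CN -> vault attributes
        self.assoc = {}      # (application, association key) -> CN

    def associate(self, cn, app, key):
        self.assoc[(app, key)] = cn   # the application object identified by `key` is this user

    def publish(self, app, key, app_attr, value):
        # Publisher channel: returns the vault attribute updated, or None when the
        # application is not authoritative for it and the change is filtered out.
        if FLOW[app].get(app_attr) != "pub":
            return None
        cn = self.assoc[(app, key)]           # association -> vault object
        vault_attr = SCHEMA_MAP[app][app_attr]
        if vault_attr == "Date of birth":     # data transformation
            value = RENDER["vault"](PARSE[app](value))
        self.users[cn][vault_attr] = value
        return vault_attr

    def subscribe(self, cn, app):
        # Subscriber channel: the view `app` receives, in its own names and date format.
        user, out = self.users[cn], {}
        for app_attr, vault_attr in SCHEMA_MAP[app].items():
            if FLOW[app][app_attr] != "sub":
                continue
            value = user[vault_attr]
            if vault_attr == "Date of birth":
                value = RENDER[app](PARSE["vault"](value))
            out[app_attr] = value
        return out

def demo():
    v = Vault({"Bobby": {"CN": "Bobby", "Department": "Sales", "EmpId": "003456",
                         "E-mail": "bdoe@ab.com", "Date of birth": "2/15/1965"}})
    v.associate("Bobby", "HR", "003456")
    v.associate("Bobby", "Address", "bdoe@ab.com")
    v.publish("HR", "003456", "Dept", "Marketing")                    # authoritative: flows
    filtered = v.publish("Address", "bdoe@ab.com", "Dept", "Sales")   # subscriber only: dropped
    return v.users["Bobby"]["Department"], v.subscribe("Bobby", "Address"), filtered
```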
Highlights of Nsure Identity Manager 2
Foundational Features (DirXML)
What we're building on…
Feature: Benefit
• Bi-directional, real-time connection: Works the way your business does
• Distributed authority: Overcomes deployment politics
• Rule-based Provisioning: Controlled, automatic distribution of resources
• Robust/flexible policy definition: Compatible with existing business processes
• Cross-platform freedom: Maps to real-life heterogeneous environments
• Scalable, fault-tolerant architecture: Highly reliable and robust
• Extensive connectivity: Relevant to your business
• Ability to create custom connectors: Extensible to unique environments
Primary Enhancements in Version 2
Feature: Benefit
• New policy definition model: Greatly simplified configuration; expanded effective delivery force
• Role-based entitlements: Administration leverage
• Password management suite: Comprehensive, automatic password policy enforcement; empowered users
• White pages & self-service: Expanded self-service
• Logging, monitoring & auditing: Non-repudiative security
New Policy Development Model
Policy Builder
Nsure Identity Manager 2 Policy Builder
• A simple, browser-based, point & click way to create and modify policies
  – Policy: a collection of rules
  – Rule: a set of actions, and conditions under which those actions are executed
• Reduces dependence on XSLT to accomplish common tasks
• Use Policy Builder to define:
  – Creation policies
  – Default naming policies
  – Placement policies
  – Initial password policies
  – Schema mapping policies
  – Event transformation policies
  – And so on…
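An added Python sketch of the policy vocabulary above (a policy is an ordered list of rules; a rule is a set of conditions plus the actions run when they all hold), applied as creation, default naming, placement and initial password policies to a new-user event. This is illustration code, not Novell's Policy Builder or DirXML Script; the naming convention (first initial plus surname, which yields wwilkes for the slides' Waldo Wilkes), the container layout and the veto mechanism are constructed assumptions.

```python
import secrets
from dataclasses import dataclass

Event = dict   # constructed: the attributes of an "add" event from an authoritative source

@dataclass
class Rule:
    name: str
    conditions: list   # callables Event -> bool; the rule fires only if all hold
    actions: list      # callables Event -> None, run in order when the rule fires

def apply_policy(policy, event):
    """Evaluate the rules of one policy in order and return the names of the
    rules that fired. A veto action stops further processing of the event."""
    fired = []
    for rule in policy:
        if all(cond(event) for cond in rule.conditions):
            for action in rule.actions:
                action(event)
            fired.append(rule.name)
            if event.get("veto"):
                break
    return fired

# condition factories
def attr_present(name): return lambda e: bool(e.get(name))
def attr_missing(name): return lambda e: not e.get(name)

# actions
def veto(e):                       # creation policy: refuse to create the object
    e["veto"] = True

def set_cn_from_name(e):           # default naming policy (constructed convention)
    e["CN"] = (e["Given Name"][0] + e["Surname"]).lower()   # Waldo Wilkes -> wwilkes

def place_by_department(e):        # placement policy (constructed container layout)
    e["dest-dn"] = f"ou={e['Department']},ou=Users,o=company"

def set_initial_password(e):       # initial password policy: random, must be changed
    e["password"] = secrets.token_urlsafe(12)
    e["must-change-password"] = True

CREATION_POLICY = [
    Rule("require surname", [attr_missing("Surname")], [veto]),
    Rule("require department", [attr_missing("Department")], [veto]),
]
NAMING_POLICY = [
    Rule("cn = first initial + surname",
         [attr_missing("CN"), attr_present("Given Name"), attr_present("Surname")],
         [set_cn_from_name]),
]
PLACEMENT_POLICY = [Rule("place under department ou", [attr_present("Department")], [place_by_department])]
INITIAL_PASSWORD_POLICY = [Rule("random initial password", [], [set_initial_password])]

def process_add(event):
    """Run the policies in the order the engine would apply them to a new object;
    returns the (possibly vetoed) event and the list of rules that fired."""
    fired = []
    for policy in (CREATION_POLICY, NAMING_POLICY, PLACEMENT_POLICY, INITIAL_PASSWORD_POLICY):
        fired += apply_policy(policy, event)
        if event.get("veto"):
            break
    return event, fired
```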
Policy Development Model
(Screenshot: Policy Builder, example of a rule)
(Screenshot: A Matching Rule Using XSLT)
(Screenshot: The Equivalent Rule, generated from Nsure Identity Manager 2 Policy Builder)
Role-based Entitlements
Provides resource entitlements to users based on their memberships in a role.
• Role membership is determined dynamically or statically
  – Dynamic memberships can be defined by combinations of attributes
  – Uses inclusion and/or exclusion to define membership
• Sample entitlements:
  – Accounts on connected systems
  – Inclusion in a NOS group
  – Inclusion in an email distribution list
• Entitlements are re-calculated and provisioned when users are added or changed
(Screenshot: Entitlement Policy)
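An added Python model of the entitlement mechanics above, not Novell's code: role membership is either static or computed from attribute combinations with include and exclude filters, each role carries entitlements of the three sample kinds, and entitlements are re-calculated when a user changes so the difference can be granted or revoked. The roles, attribute names and entitlement names are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    include: dict = field(default_factory=dict)   # every attr=value here must match
    exclude: dict = field(default_factory=dict)   # any attr=value here disqualifies
    static_members: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)

    def is_member(self, cn, user):
        if cn in self.static_members:
            return True
        if not self.include:               # purely static role: no dynamic members
            return False
        if not all(user.get(a) == v for a, v in self.include.items()):
            return False
        return not any(user.get(a) == v for a, v in self.exclude.items())

ROLES = [   # constructed sample roles
    Role("employee", include={"employeeType": "FTE"}, exclude={"status": "terminated"},
         entitlements={"account:ActiveDirectory", "account:Exchange", "dl:all-staff"}),
    Role("sales", include={"employeeType": "FTE", "Department": "Sales"},
         exclude={"status": "terminated"},
         entitlements={"account:CRM", "group:NOS-Sales"}),
    # static membership survives attribute changes; it must be removed explicitly
    Role("auditor", static_members={"bdoe"}, entitlements={"group:NOS-AuditReadOnly"}),
]

def entitlements_for(cn, user):
    """Union of the entitlements of every role the user is currently a member of."""
    return set().union(*(r.entitlements for r in ROLES if r.is_member(cn, user)))

class EntitlementStore:
    """Remembers what each user holds, so that an add or change yields the
    entitlements to grant and the entitlements to revoke on connected systems."""
    def __init__(self):
        self.current = {}   # CN -> set of entitlements currently provisioned

    def recalculate(self, cn, user):
        wanted = entitlements_for(cn, user)
        held = self.current.get(cn, set())
        grant, revoke = wanted - held, held - wanted
        self.current[cn] = wanted
        return sorted(grant), sorted(revoke)
```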
Password Management Suite
A suite of password-related security functions:
• System-wide password policy
  – Establish password policy that will be used for and enforced on connected systems
• Password self-service
  – Empower users to help themselves with forgotten passwords, password resets, changing passwords
• Password distribution
  – Specify connected systems that will receive the organization's common password, as defined in password policy
• Bi-directional password synchronization
  – Manage the native password management activities in connected systems, ensuring consistency
Password Management Suite
Password Policy
• Administrators specify required properties of an acceptable password for systems throughout the enterprise
• Examples of password policy controls:
  – Minimum/maximum number of characters
  – Minimum number of upper case characters
  – Minimum number of numerals
  – Password re-use forbidden
  – Password exclusion lists
  – And so on…
• Conformance is checked before allowing password to be set in the Nsure Identity Manager 2 identity vault
(Screenshot: Password Policy Features (Admin UI) / Advanced Password Rules)
Password Management Suite
Administrative Wizards
Wizards make it easy
(Screenshot: Policy Wizard showing that policies may include:)
• Universal Password
• Advanced Password Rules
• Challenge sets
• Forgotten password
• Assign to users or containers in tree
• External applications to subscribe to Universal Password
Password Management Suite
Password Self-Service
• Administrators configure self-service policies
  – Challenge/Response options
  – Challenge/Response success actions, for example:
    – Email hint
    – Reset to last good password
    – Display hint on the page
    – Allow users to change their password
• Users configure their own hints and/or answers to challenge questions
  – Hint is not allowed to contain the password
Password Management Suite
Password Distribution
• User sets a new common password using the self-service password interface
• New password is checked against password policy
• New password is set on user object within the Nsure Identity Manager 2 identity vault
• Password is distributed to associated user objects on connected systems
Connected Systems
• eDirectory
• Legacy NDS
• Active Directory/Exchange 2000
• Windows NT Domains
• Network Information Service (NIS)
  • Linux
  • Solaris
  • other UNIX
• GroupWise
• Lotus Notes
• SunOne
• SAP User Management
• Relational databases
  • Oracle
  • DB2
  • Sybase
Password Management Suite
Bi-directional Password Synchronization
• Users can perform password management functions through native password interfaces
  – Windows NT (NT Domains)
  – Windows 2000 (Active Directory)
  – Windows 2003 (Active Directory)
  – eDirectory (all platforms)
  – NIS (Unix, Linux)
• Nsure Identity Manager 2 detects the change and checks against policy
• If successful, password is distributed throughout the connected system
• If unsuccessful
  – Failure Notice sent via email
  – Password is reset to a 'good' password according to policy
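The password policy controls, the self-service rule that a hint may not contain the password, and the bi-directional synchronization flow from the slides above, as one added Python example that is not Novell's code. The policy values, the connected-system names, the notification list and the plaintext password history (a real store compares hashes) are constructed assumptions.

```python
import secrets
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    min_upper: int = 1
    min_digits: int = 1
    forbid_reuse: bool = True
    exclusion_list: frozenset = frozenset({"password", "welcome1", "company"})

    def violations(self, candidate, history=()):
        """Return the names of the rules the candidate breaks; [] means it conforms.
        `history` holds earlier passwords (plaintext here for brevity only)."""
        broken = []
        if not self.min_length <= len(candidate) <= self.max_length:
            broken.append("length")
        if sum(c.isupper() for c in candidate) < self.min_upper:
            broken.append("upper-case")
        if sum(c.isdigit() for c in candidate) < self.min_digits:
            broken.append("numerals")
        if self.forbid_reuse and candidate in history:
            broken.append("re-use")
        if candidate.lower() in self.exclusion_list:
            broken.append("excluded")
        return broken

    def generate(self):
        """A random password that conforms to this policy, used for the reset case."""
        alphabet = string.ascii_letters + string.digits
        length = min(self.min_length + 4, self.max_length)
        while True:
            pw = "".join(secrets.choice(alphabet) for _ in range(length))
            if not self.violations(pw):
                return pw

def hint_allowed(hint, password):
    """Self-service rule from the slides: the hint may not contain the password."""
    return password.lower() not in hint.lower()

CONNECTED_SYSTEMS = ["ActiveDirectory", "eDirectory", "NIS"]   # constructed

def on_native_password_change(user, new_pw, policy, notices):
    """Engine side of bi-directional sync: a password changed through a native
    interface is checked against policy; on success it becomes the common password,
    on failure a notice is queued and a conforming password is set instead. Either
    way the result is distributed to the user's associated accounts.
    Returns the password the connected systems end up holding."""
    problems = policy.violations(new_pw, user["history"])
    if problems:
        notices.append(f"{user['cn']}: password rejected ({', '.join(problems)})")
        new_pw = policy.generate()
    user["password"] = new_pw
    user["history"].append(new_pw)
    user["systems"] = {system: new_pw for system in CONNECTED_SYSTEMS}
    return new_pw
```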
White Pages & Self-Service
eGuide
• Look up information on objects in eDirectory and/or other LDAP repositories
• Anonymous mode or Authenticated mode
• Allows user to maintain their own information
• Integrated Organizational Chart view
• Supports digital photos, etc.
Nsure Audit Integration
Novell's official logging & auditing framework
• Centralized log for all systems throughout the enterprise
  – SQL, flat file or SYSLOG
  – Standard for all Novell applications
  – Open to 3rd party integration
• Nsure Identity Manager 2 logs all identity management activity
• Includes reporting and notification capabilities
• Optional upgrades
  – Non-repudiative log
  – Real-time monitor
Nsure Audit
Reporting, Logging and Notification
Reporting:
• Filters may be defined to report on specific events
• Integrates with Crystal Reports
• Export data to Microsoft Excel, or text file
Logging:
• Examples of the Nsure Identity Manager events that are logged:
  – Engine events – Start/stop driver, engine errors, engine warnings
  – Status events – Success, error, retry, warning, …
  – Operation events – Search, Add, Modify, Remove, etc.
  – Transformation events – Initial doc, placement, create, etc.
• Events stored in flat file, Syslog, MySQL, Oracle, etc.
Notification:
• Set up conditions
• Specify notification channel (SMTP, flat file, etc.)
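An added Python consumer for the event categories and notification model above, not Novell's Nsure Audit code: constructed flat-file audit lines are parsed, a reporting filter selects events by category and status, and notification conditions (a driver stop, or three or more error-status events from one driver) route messages to a channel. The line format, driver names, thresholds and channel names are constructed, not the Nsure Audit format.

```python
from collections import Counter

# constructed log lines: timestamp, category, driver, detail (not the real format)
SAMPLE_LOG = """\
2004-03-01T08:00:00 engine AD-driver start
2004-03-01T08:00:02 status AD-driver success op=add dn=cn=wwilkes
2004-03-01T08:01:10 status AD-driver error op=modify dn=cn=bdoe
2004-03-01T08:01:11 status AD-driver retry op=modify dn=cn=bdoe
2004-03-01T08:01:40 status AD-driver error op=modify dn=cn=bdoe
2004-03-01T08:02:05 status AD-driver error op=modify dn=cn=bdoe
2004-03-01T08:02:30 operation HR-driver remove dn=cn=wwilkes
2004-03-01T08:03:00 engine HR-driver stop
"""

def parse(log_text):
    """Split each line into its four fields; the detail field keeps its spaces."""
    events = []
    for line in log_text.splitlines():
        ts, category, driver, detail = line.split(None, 3)
        events.append({"ts": ts, "category": category, "driver": driver, "detail": detail})
    return events

def report(events, category=None, status=None):
    """Reporting filter: select by event category and, for status events, by status."""
    selected = []
    for e in events:
        if category and e["category"] != category:
            continue
        if status and e["detail"].split()[0] != status:
            continue
        selected.append(e)
    return selected

def notifications(events, error_threshold=3):
    """Evaluate notification conditions; returns (channel, message) pairs."""
    msgs = []
    errors = Counter(e["driver"] for e in events
                     if e["category"] == "status" and e["detail"].startswith("error"))
    for driver, n in errors.items():
        if n >= error_threshold:   # repeated failures on one connected system
            msgs.append(("smtp", f"{driver}: {n} error events, check the connected system"))
    for e in events:
        if e["category"] == "engine" and e["detail"] == "stop":   # driver no longer syncing
            msgs.append(("smtp", f"{e['driver']} stopped at {e['ts']}"))
        if e["category"] == "operation" and e["detail"].startswith("remove"):
            msgs.append(("flatfile", f"{e['ts']} {e['driver']} {e['detail']}"))   # de-provisioning trail
    return msgs
```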
Roadmap
Visual Deployment Studio
Visual, drag & drop IDE for IDM2 Deployment
• Lay out the system visually, then configure
• Leverages Policy Builder and DirXML Script for defining policies
• Based on Eclipse framework
• Work online or offline
• Save projects/configurations with version control
• Document new or existing deployments
To be presented under NDA Only
Visual Deployment Studio
(Screenshot: Graphical Modeling Tool)
To be presented under NDA Only
Visual Developer Studio
(Screenshot: Graphical Modeling Tool – Policy Management)
To be presented under NDA Only
Visual Development Studio
(Screenshot: Project Documentation Tool)
Advanced Identity Application Suite
Web Portal-based End-User Identity Suite
• End-user oriented applications for:
  – Approval workflow
  – Advanced white pages
  – Advanced Organizational charting
  – Delegated administration
  – Password Management
• Based on exteNd v5.x enterprise-class workflow engine and user portal
Advanced Identity Application Suite
(Sample screens)
Other Sessions of Interest
Introductions, Case Studies, Dev Hands-on
INTRODUCTIONS, OVERVIEWS, AND FUTURES
IO160: Provisioning Comes of Age
IO144: Nsure Audit: What's New and Beyond
IO163: Understanding the Big Picture of Secure Identity Management
IO164: Identity Integration: The Foundation for Becoming an Agile Enterprise
IO165: Novell Account Management Overview and Futures
IO166: Nsure Identity Manager 2 (formerly DirXML) Competitive Comparisons
IO264: Overview of the Nsure Identity Manager 2 (formerly DirXML) Deployment Studio
BUSINESS CASE STUDIES
BUS163: Making the Business Case for Secure Identity Management
BUS165: Case Study: Asset Management within the Context of Identity Management
BUS166: Layered Secure Identity Management: Balancing Business and Technical Needs
BUS250: Combining Corporate Trees with Nsure Identity Manager 2
BUS251: Creating an Identity-Based Portal at the State of Nebraska with Novell
BUS261: Implementing Secure Identity Management in Government Organizations
BUS269: Case Study: DirXML Implementation at Waste Management
BUS361: Building the Employee Portal at Lufthansa with SAP Enterprise Portal 6
DEVELOPER HANDS-ON
DHO260: Implementing DirXML Style sheets
DHO262: Provisioning for Developers with Novell Identity Manager
DHO361: Nsure Identity Manager 2 Hands-On Developer Lab
Other Sessions of Interest
Developer Lectures, Technical Tutorials
DEVELOPER LECTURES
DL263: Nsure Identity Manager 2 (formerly DirXML) Developer Overview
DL361: Nsure Audit: Instrumenting Custom Applications
DL362: Nsure Audit Essentials
TECHNICAL TUTORIALS
TUT105: Hands-On: Implementing Nsure Identity Manager 2 (formerly DirXML)
TUT163: Configuring Nsure Identity Manager 2 (formerly DirXML) for Enterprise Applications
TUT165: Configuring Nsure Identity Manager 2 (formerly DirXML) for Schools Interoperability Framework
TUT166: Configuring Nsure Identity Manager 2 (formerly DirXML) for GroupWise®3
TUT259: Password Synchronization Across Novell eDirectory, Microsoft Active Directory* and Windows NT* 4
TUT264: Password Management with Novell Identity Manager 2 (formerly DirXML)
TUT265: Troubleshooting Nsure Identity Manager 2 (formerly DirXML)
TUT266: Implementing Nsure Identity Manager 2 (formerly DirXML) Policies
TUT267: Configuring Novell Nsure Identity Manager 2 (formerly DirXML) for JDBC
TUT268: Advanced Configuration for Active Directory Using Nsure Identity Manager 2 (formerly DirXML)
TUT285: Architecting Identity Management Solutions
TUT286: Comprehensive Password Management: From Policy Definition to Deployment
TUT287: Configuring Novell Nsure Identity Manager 2 for IBM Lotus Notes
TUT366: Designing Secure Identity Management Solutions
TUT367: Secure Identity Management: Assessing Your Requirements
TUT381: Installing and Configuring the Novell DirXML Mainframe and IBM AS/400* Drivers
TUT383: Upgrading to Nsure Identity Manager 2 (formerly DirXML)
TUT384: Understanding the Architecture of Nsure Identity Manager 2 (formerly DirXML)
Questions & Answers
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret
information of Novell, Inc. Access to this work is restricted to Novell employees who have
a need to know to perform tasks within the scope of their assignments. No part of this
work may be practiced, performed, copied, distributed, revised, modified, translated,
abridged, condensed, expanded, collected, or adapted without the prior written consent
of Novell, Inc. Any use or exploitation of this work without authorization could subject
the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to
develop, deliver, or market a product. Novell, Inc., makes no representations or
warranties with respect to the contents of this document, and specifically disclaims any
express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this document and to make changes to its
content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered
trademarks of Novell, Inc. in the United States and other countries. All third-party
trademarks are the property of their respective owners.