Identity and Access Management Solution Overview

The Netegrity Identity and Access Management Solution
(for legacy, Web and service-oriented architectures)

Enforcement:
• Access Management: SiteMinder
• Web Services Access Management: TransactionMinder
Administration:
• User Administration: IdentityMinder, Web Edition
• Resource Provisioning: IdentityMinder, Provisioning Edition
The Application Silo Challenge
• High security administration costs
• Expensive coding and maintenance
• Poor user experience
• No centralized security enforcement
• No standardized security process
• No central auditing capability

[Diagram: each application (Customer Self-Service, E-Commerce, ERP, HR, Partner Extranet, CRM, SCM, Mobile Phone) carries its own security layer and its own user store (SunONE LDAP, SQL 2000, Oracle OID, Oracle RDBMS, Active Directory, operating system), so the same person appears under different identifiers (J_Doe, 1211960, John Doe, A23JJ4, PKI Cert, John_D, Johnd) for customers, partners and employees.]
SiteMinder in Action

[Diagram: users (employees such as jdoe with a password, partners, customers) reach Web servers running the SiteMinder Agent through a firewall; the agent consults the SiteMinder Policy Server behind a second firewall, which reads user and entitlement stores (LDAP, RDBMS, mainframe, NT domain). Secured applications include the CRM service, customer supply chain service, customer intranet, channel, e-commerce, finance, HR/payroll and extranet sites.]

For each request the agent asks the Policy Server:
1) Is the resource protected?
2) Is the user authenticated?
3) Is the user authorized?
Native Directory Enabled
• Map to existing user stores
– No embedded database required
– Eliminates user store synchronization issues
• Separate authentication & authorization stores
– Chain directories
• Supports multiple user directories
– Including databases & mainframes

[Diagram: Web server with SiteMinder Agent in the DMZ; no user data is stored in SiteMinder; the SiteMinder Policy Server reads an authentication namespace and an authorization namespace from NT, LDAP, AD, ODBC or RACF stores.]
Single Sign-On: Microsoft Environment
Windows Integrated Security: authenticate to your desktop & access all your enterprise Web applications.

[Diagram: the user logs in to the mycompany.com Active Directory domain; an MS IIS Web server with the SiteMinder Agent fronts Outlook Web Access, and a Web server on Unix with the SiteMinder Agent fronts a Microsoft application; the SiteMinder Policy Server authorizes against Active Directory and SQL Server.]
Single Sign-On: Netegrity Secure Proxy Server
• Turnkey proxy solution
– Mini cookie
– SSL-ID
– URL rewrite
• Enhanced security
• SSO
• Define target destination servers
• Deployed at VISA VOL

[Diagram: users pass through firewalls to the Proxy Server in the DMZ, which forwards to the destination Web servers and backend resources (Web apps, ERP/CRM, J2EE apps); the SiteMinder Policy Server and the user & entitlement stores sit behind the inner firewall.]
Single Sign-On: Application Server Environment
• J2EE application server agents: IBM WebSphere & BEA WebLogic
• Enables SSO across the enterprise, including J2EE application server based applications
• Leverages SiteMinder's broad range of authentication system support
• Centralized authorization management & audit services

[Diagram: users pass through firewalls to a Web server and on to the J2EE application server with its agent, which fronts the backend resources (Web apps, ERP/CRM, J2EE apps); the SiteMinder Policy Server and the user & entitlement stores sit behind the inner firewall.]
Single Sign-On: Enterprise Applications
• Enables SSO across the enterprise, including ERP/CRM systems
– SAP, Siebel, Peoplesoft, & Oracle
• Leverages SiteMinder's broad range of integrated authentication systems
• Provides centralized authorization management & audit services

[Diagram: users pass through firewalls to a Web server fronting the enterprise applications (SAP, Siebel, Peoplesoft); the Netegrity Policy Server and the user & entitlement stores sit behind the inner firewall.]
Authentication Management: Broad Support for Authentication Systems
Methods
• Passwords
• Two-factor tokens
• X.509 certificates
• Passwords over SSL
• Smart cards
• SAML
• Combination of methods
• Forms-based
• Custom methods
• Full CRL & OCSP support
• Biometric devices
Management
• Authentication levels
• Directory chaining
• Configured fallbacks to other authentication schemes
Authentication Management: Password Management
• Expiration with warning & grace period
• Composition rules
– Max/min lengths, repeating characters, case sensitivity, reusability
– Difference (%) measures between before & after passwords
– Editable password dictionary to prohibit certain word use
– Prohibition of use of user profile attributes (name, address etc.)
• Account management & auditing
– Forgotten password support
– Redirects
– Password & login history
– Lock-out
o Permanently
o Successive failed passwords
o Inactivity
o Until or after certain date
o Login before a specific date
o Disable field in MS AD & Sun One
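The composition rules above (length bounds, repeating characters, case, reuse history, percentage difference from the previous password, a prohibited-word dictionary and a ban on profile attributes) can be checked together. The following is an added example written for this page, not Netegrity code; the rule names, default thresholds and sample dictionary are assumptions chosen for illustration.

```python
"""Password composition and history checks of the kinds listed above.

Added example, not Netegrity code: the rule names, the default thresholds and the
sample dictionary are assumptions chosen for illustration. check_password() returns
every violated rule rather than stopping at the first, so the reason for a rejection
can be shown to the user and logged.
"""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from typing import Dict, FrozenSet, List, Optional, Sequence


@dataclass
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    max_repeating: int = 2          # longest run of one repeated character allowed
    require_mixed_case: bool = True
    history_size: int = 5           # previous passwords that may not be reused
    min_difference_pct: int = 50    # required difference from the previous password
    dictionary: FrozenSet[str] = field(
        default_factory=lambda: frozenset({"password", "welcome", "letmein"}))


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def difference_pct(old: str, new: str) -> int:
    """Percentage by which the new password differs from the old one
    (1 minus the difflib similarity ratio, on lower-cased strings so that a
    case change alone does not count as a difference)."""
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return round((1.0 - ratio) * 100)


def check_password(candidate: str, policy: PasswordPolicy,
                   history: Sequence[str] = (),
                   profile: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the violated rules; an empty list means the password is acceptable.

    history: previous passwords, newest first (a real deployment would keep hashes
             and compare hashes; plain strings keep the example self-contained).
    profile: user attributes (name, address, ...) whose words may not appear.
    """
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("too short")
    if len(candidate) > policy.max_length:
        violations.append("too long")
    if longest_run(candidate) > policy.max_repeating:
        violations.append("repeating characters")
    has_lower = any(c.islower() for c in candidate)
    has_upper = any(c.isupper() for c in candidate)
    if policy.require_mixed_case and not (has_lower and has_upper):
        violations.append("needs both upper and lower case")
    recent = list(history)[:policy.history_size]
    if candidate in recent:
        violations.append("reused")
    if recent and difference_pct(recent[0], candidate) < policy.min_difference_pct:
        violations.append("too similar to previous password")
    lowered = candidate.lower()
    if any(word in lowered for word in policy.dictionary):
        violations.append("dictionary word")
    for attr, value in (profile or {}).items():
        # any word of 3+ characters taken from a profile attribute may not appear
        if any(len(tok) >= 3 and tok in lowered for tok in value.lower().split()):
            violations.append(f"contains profile attribute {attr}")
    return violations
```

The difference measure uses difflib's similarity ratio, which is one reasonable reading of a "difference (%) between before and after passwords"; a product may define its own metric, so treat the threshold as a policy knob rather than a fixed number.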
Authorization Management: Centralized Policy Management

[Diagram: a SiteMinder policy is assembled as]
Policy = Rule or Rule Group (allows or denies access to a resource)
       + Users or Groups in a directory (users, groups, exclusions, roles)
       + Response or Response Group (action that occurs when a rule fires)
       + eTelligent Rule (expression using contextual data, Web services)
       + Time (when the policy can or cannot fire)
       + IP Address (for example 1.2.3.4: the IP address that the policy applies to)
       + Active Response (dynamic extension of the policy, optional)

Options
• Restrict access by user, role, groups, dynamic groups, or exclusions
– Controlled "impersonation" of users by other users
• Fine-grained authorization at the file, page, or object level
• Determine access based on location and time
• Policies
– Send static, dynamic (SQL queries), or profile attributes in responses
– Redirect users based on type of authentication or authorization failure
– Can have global or local policies
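The policy bundle above (rule, users/groups with exclusions, responses, a time window, an IP range and a contextual expression) together with the three agent questions from the "SiteMinder in Action" slide can be run end to end. The following is an added example written for this page, not SiteMinder code; the class names, the sample policies and the request values are assumptions for illustration.

```python
"""Evaluating a 'Policy = Rule + Users + Response + Time + IP' bundle against a request.

Added example, not SiteMinder code: the class and field names, the sample policies and
the request values are assumptions for illustration. evaluate() follows the three
questions of the 'SiteMinder in Action' slide (is the resource protected, is the user
authenticated, is the user authorized); responses are produced only on an allow, and
any deny policy that fires wins over allows.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]
    attributes: Dict[str, str] = field(default_factory=dict)
    authenticated: bool = True


@dataclass
class Request:
    resource: str            # e.g. "/finance/q1.html"
    action: str              # HTTP method
    user: Optional[User]     # None when no session was presented
    source_ip: str
    when: datetime


@dataclass
class Rule:
    realm: str               # resource prefix the rule covers
    actions: FrozenSet[str]
    allow: bool = True       # False makes this a deny rule


@dataclass
class Policy:
    name: str
    rule: Rule
    users: FrozenSet[str] = frozenset()
    groups: FrozenSet[str] = frozenset()
    exclusions: FrozenSet[str] = frozenset()
    responses: Dict[str, str] = field(default_factory=dict)  # header -> "attr:<name>" or literal
    start: time = time(0, 0)                                  # window in which the policy can fire
    end: time = time(23, 59, 59)
    ip_range: Optional[str] = None                            # CIDR the policy applies to
    condition: Optional[Callable[[Request], bool]] = None     # eTelligent-style expression

    def binds(self, user: User) -> bool:
        if user.name in self.exclusions:
            return False
        return user.name in self.users or bool(user.groups & self.groups)

    def applies(self, req: Request) -> bool:
        if not req.resource.startswith(self.rule.realm) or req.action not in self.rule.actions:
            return False
        if not (self.start <= req.when.time() <= self.end):
            return False
        if self.ip_range and ip_address(req.source_ip) not in ip_network(self.ip_range):
            return False
        if self.condition and not self.condition(req):
            return False
        return req.user is not None and self.binds(req.user)

    def build_responses(self, user: User) -> Dict[str, str]:
        # "attr:<name>" pulls a profile attribute into the header; anything else is static
        return {h: user.attributes.get(s[5:], "") if s.startswith("attr:") else s
                for h, s in self.responses.items()}


def is_protected(resource: str, policies: List[Policy]) -> bool:
    """Question 1: does any policy's rule cover the resource?"""
    return any(resource.startswith(p.rule.realm) for p in policies)


def evaluate(req: Request, policies: List[Policy]) -> Tuple[str, Dict[str, str]]:
    """Questions 2 and 3. Returns (decision, response headers)."""
    if not is_protected(req.resource, policies):
        return "not protected", {}
    if req.user is None or not req.user.authenticated:
        return "authentication required", {}
    allowed, responses = False, {}
    for policy in policies:
        if not policy.applies(req):
            continue
        if not policy.rule.allow:
            return "denied", {}          # a deny that fires always wins
        allowed = True
        responses.update(policy.build_responses(req.user))
    return ("allowed", responses) if allowed else ("denied", {})


# Constructed sample policies and users (assumed values, not from any deployment).
FINANCE = Policy(
    name="finance-staff",
    rule=Rule(realm="/finance/", actions=frozenset({"GET", "POST"})),
    groups=frozenset({"Finance"}), exclusions=frozenset({"contractor7"}),
    responses={"SM_USER": "attr:cn", "SM_DEPT": "attr:dept"},
    start=time(7, 0), end=time(19, 0), ip_range="10.0.0.0/8",
)
NO_WEEKENDS = Policy(
    name="finance-no-weekends",
    rule=Rule(realm="/finance/", actions=frozenset({"GET", "POST"}), allow=False),
    groups=frozenset({"Finance"}),
    condition=lambda req: req.when.weekday() >= 5,
)
POLICIES = [FINANCE, NO_WEEKENDS]
ALICE = User("alice", frozenset({"Finance"}), {"cn": "Alice", "dept": "FIN"})
CONTRACTOR = User("contractor7", frozenset({"Finance"}), {"cn": "C7"})


def decide(resource: str, action: str, user: Optional[User], source_ip: str,
           when_iso: str, policies: List[Policy] = POLICIES) -> Tuple[str, Dict[str, str]]:
    """Convenience wrapper: build the request from an ISO-8601 timestamp and evaluate it."""
    return evaluate(Request(resource, action, user, source_ip, datetime.fromisoformat(when_iso)), policies)
```

Ordering matters in the evaluation: the protected check happens before the authentication check so that unprotected resources never trigger a login, and a firing deny short-circuits before any response headers are assembled, which keeps profile data out of requests that end in a rejection.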
Federated Security Services

[Diagram: www.SiteMinder.com acts as the SAML Producer; www.PartnerA.com and www.PartnerB.com act as SAML Consumers running the SAML Affiliate Agent (SAA); the user authenticates at the SiteMinder site over the Internet and obtains SSO to both partner sites.]
Federated Security Services: SAML Producer with SAML Affiliate Agent (SAA)
• SiteMinder site (www.SiteMinder.com) conducts authentication
– User profile must exist at www.SiteMinder.com
• Light-weight Web plug-in (SAA) at partners (www.PartnerA.com, www.PartnerB.com)
– Security product/SAML support not required at partners
– Converts SAML attribute assertions into HTTP header variables
o Provides user profile information to Web application
– Synchronized session between sites
o Single sign-on/off
– Centralized auditing & reporting
– Event notification services
Federated Security Services: SAML Producer
• SiteMinder site (www.SiteMinder.com) conducts authentication
– User profile must exist at www.SiteMinder.com
– Generates SAML artifact
• SAML Consumer capability required at partners (www.PartnerA.com, www.PartnerB.com)
– SiteMinder or equivalent capability
o Competitive IAM system, toolkit, standards-compliant platform
– Functionality available to partners dependent on capability of local security tool
– No Netegrity software required at partners
Federated Security Services: SAML Consumer
• Security product at PartnerA/B (www.PartnerA.com, www.PartnerB.com) conducts authentication
– May or may not be SiteMinder
– Could be competitive IAM system, toolkit, or standards-compliant platform
• SiteMinder (www.SiteMinder.com) conducts SAML-based authorization & SSO
– Partner-user to SiteMinder-user mapping is flexible
o One-to-one (account-to-account)
o Many-to-one
Enterprise Class Manageability: Auditing & Reporting
• Managers need reports to:
– Fine tune infrastructure
– Show compliance with security policies & regulations
• SiteMinder provides:
– Schema for reporting RDBMS
– Stored procedures which can be used to generate:
o Access reports
o Activity reports
o Intrusion reports
o Audit reports

Access Reports: Hourly Rollup Access Report, Daily Rollup Access Report, Hourly Authentication Access Report, Daily Authentication Access Report, Hourly Authorization Access Report, Daily Authorization Access Report, Hourly Administrator Access Report, Daily Administrator Access Report
Activity Reports: Activity Rollup Report, User Activity Report, Agents Activity Report, Resource Usage/Activity Report
Intrusion Reports: Intrusion Rollup Report, Intrusion by User Report, Intrusion by Agent Report
Audit Reports: Audit Rollup Report, Audit by Resource Report, Audit by Administrator Report
High Performance Architecture
• Automatic fail-over
– Cluster-to-cluster fail-over (SM 6.0)
• Agent to Policy Server dynamic load balancing
• Policy Server to directory server load balancing & failover
• 2-level caching in Policy Server & agents
• 8 processor support (SM 6.0)

[Diagram: three Web servers, each with a Web Agent with cache, talk over 128-bit RC4 encrypted links to two Policy Servers; each Policy Server holds a policy cache and a rules cache and writes an ODBC audit log; the Policy Servers read replicated directory servers.]
Broad Platform Support: Leverages Existing Investments
Web Agents
• Microsoft IIS
• Sun ONE
• Apache
• HP Apache
• Lotus Domino
• IBM HTTP
• Oracle HTTP
• Domino Go
Policy Server Platforms
• MS NT/Win 2000/Win2003
• Sun Solaris
• HP-UX
• Red Hat Enterprise Linux
User Directories
• Sun Java System Directory Server
• NT Domains
• Microsoft Active Directory
• IBM Directory Server
• Novell eDirectory
• MS SQL Server
• Oracle RDBMS
• Siemens DirX
• Oracle Internet Directory
• Critical Path Directory Server
• Lotus Domino LDAP
• CA eTrust
Authentication Systems
• Passwords
• Passwords over SSL
• Forms-based
• X.509 certificates
• Full CRL & OCSP support
• Smart cards
• Two-factor tokens
• Method chaining
• SAML
• Custom methods
• Biometric devices
• Combination of methods
Other Systems
• Application servers: BEA WebLogic, IBM WebSphere
• ERP/CRM: Peoplesoft, Siebel, SAP, Oracle
• RADIUS network access devices: firewalls, communication servers
Solution Modules
• Mobile Authentication Module
– Authentication by passcodes delivered wirelessly to your handheld devices
• User Context Gateway
– Provides SSO to Microsoft applications like OWA and Citrix NFuse
• Limit Concurrent Login
– Prevents users from authenticating twice and accessing the site from two or more browsers simultaneously
• Impersonation (SM 5.x; OOB in SM 6.0)
– Allows one user to impersonate another while still maintaining control, security and the ability to audit
• SmFTP Server
– SiteMinder-enabled FTP server
TransactionMinder®
Key Features
• Deployed at VISA ROL and CCDR
• Centralized policy-based authentication, authorization, and audit
– Provides single point of access control and administration for the whole enterprise
• Synchronized sessioning
– Enables single sign-on across multiple Web services used in the same transaction
• Shared Web services security platform
– Avoids creation of an isolated island of security: Web services are one of many resources that must be secured by the enterprise
• Seamless integration with existing SiteMinder®-enabled sites
• Open, platform-neutral architecture
– Support for all major relevant Web services standards (XML/SOAP, WS-Security, SAML, XML Signature)
– No investment in proprietary technologies is required.

[Diagram: TransactionMinder occupies the Authentication & Access Management position of the Netegrity solution, alongside User Administration and Resource and User Provisioning, and is described as the industry's first policy-based solution to protect access to Web services.]
Introducing TransactionMinder
Complete Web services security solution
• Designed to provide secure access to Web services
– Authentication based on message content and Web services standards such as WS-Security, SAML, XML Signature
– Runtime authorization rules based on the content of a business payload, e.g., a purchase order
• Centralized authentication, authorization, audit, and federation services
– Leverages and extends the core Netegrity Policy Server
– Delivers security policy as a "shared service"
• Support for industry-leading Web services frameworks and standards

[Diagram: a Web services consumer calls over the Internet to the Web services provider, where the TransactionMinder XML Agent fronts the Web service(s) and the back-end application; the agent consults the Netegrity Policy Server, backed by user directories. Policies define authentication, authorization, audit, federation and session management.]
TransactionMinder Features
• Content-based authentication
– XML Document Credentials Collector (DCC)
– XML Signature
– Sessioning (expressed as a SAML session assertion)
– WS-Security (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
o XML Encryption (new in TransactionMinder v6.0)
• New Policy Server XML response types
– SAML session assertion generation (in SOAP envelope, HTTP header, or cookie)
– WS-Security header generation (supporting three security tokens: password digest, X.509 certs, and SAML assertions)
• Dynamic authorization policy model
– eTelligent™ Rules using TransactionMinder-specific variables in policy expressions

WS-Security Authentication Scheme
• Producing and consuming three WS-Security-bound security tokens (WSSE)
– Password digest
– X.509 certificates
– SAML 1.1 assertions
• WS-Security utilities (WSU)
– Digital signatures (using TransactionMinder v6.0's key database functionality)
– Message timestamps
• WS-Security encryption (production & consumption) (new in TransactionMinder v6.0)
– Encryption / decryption of tokens and message elements that are included in SOAP messages using WS-Security
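Of the three tokens listed, the password digest is the one whose production and consumption can be shown compactly, together with the WSU timestamp check. The following is an added example written for this page, not TransactionMinder code; it implements the digest rule of the OASIS WS-Security UsernameToken Profile and adds the consumer-side freshness and nonce-replay checks a policy enforcement point needs. The user names and passwords are constructed sample values.

```python
"""WS-Security UsernameToken password-digest production and verification.

Added example, not TransactionMinder code. It implements the digest rule of the
OASIS WS-Security UsernameToken Profile,
    PasswordDigest = Base64( SHA-1( nonce + created + password ) ),
with nonce as the raw (base64-decoded) bytes and created as the UTF-8 timestamp, and
adds the consumer-side checks a policy enforcement point needs: a freshness window
on the Created timestamp and a nonce cache, so a captured token cannot be replayed.
User names and passwords below are constructed sample values.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

FMT = "%Y-%m-%dT%H:%M:%SZ"      # wsu:Created format used by the profile


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


def make_digest(nonce: bytes, created: str, password: str) -> str:
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def produce_token(username: str, password: str, created: str,
                  nonce: Optional[bytes] = None) -> Dict[str, str]:
    """Producer side: the fields of a <wsse:UsernameToken> carrying a PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": make_digest(nonce, created, password),
    }


class DigestVerifier:
    """Consumer side. `passwords` stands in for the user-store lookup."""

    def __init__(self, passwords: Dict[str, str], max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords
        self.max_skew = max_skew
        self.seen: Dict[bytes, datetime] = {}   # nonce -> Created, kept while still replayable

    def verify(self, token: Dict[str, str], now: datetime) -> Tuple[bool, str]:
        try:
            created = parse_ts(token["Created"])
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False, "malformed token"
        if abs(now - created) > self.max_skew:
            return False, "timestamp outside freshness window"
        # forget nonces whose Created time has aged out of the window: they can no longer pass
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return False, "nonce replayed"
        password = self.passwords.get(token.get("Username", ""))
        if password is None:
            return False, "unknown user"
        expected = make_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("PasswordDigest", "")):
            return False, "digest mismatch"
        self.seen[nonce] = created
        return True, "ok"
```

The verifier returns distinct reasons so that audit records can distinguish clock drift from replay; a production endpoint would log those reasons but return one uniform fault to the caller, since "unknown user" versus "digest mismatch" discloses which accounts exist. Note also that the digest scheme requires the consumer to hold the clear-text password (or an equivalent secret), which is why the profile is usually paired with transport security.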
TransactionMinder Deployments Based on the Netegrity Reference Architecture
• Simple Direct Deployment
• Simple Proxy Deployment
• IAM / WSM Deployment with Security Appliance

Simple Direct Deployment
[Diagram: SOAP requests arrive over HTTP, SMTP, FTP and JMS/MQ transports through the network firewall; the TxMinder XML Agent runs in the Web service container (IIS, iPlanet, Apache) in front of legacy, .NET and J2EE services; behind a second network firewall the Netegrity Policy Server reads the user stores (LDAP, RDBMS, etc.).]

Simple Proxy Deployment
[Diagram: the same transports reach a reverse proxy server running the TxMinder XML Agent behind the outer firewall; it forwards SOAP to legacy, .NET and J2EE services that keep their own proprietary, .NET or container security; the Netegrity Policy Server and user stores (LDAP, RDBMS, etc.) sit behind the inner firewall.]

IAM/WSM Deployment w/ Security Appliance
[Diagram: a security appliance (2) behind the outer firewall receives SOAP and passes SOAP with SAML to a WSM (1) layer and a proprietary security proxy; legacy, .NET and J2EE services each carry a WSM agent and a TxM agent; the TxMinder XML Agent, WSM policies, Netegrity Policy Server and user stores (LDAP, RDBMS, etc.) sit behind the inner firewall.]
Notes
Dotted lines materialize integration between TransactionMinder and Netegrity partners
(1): Web Services Management
(2): XML Firewall providing "wire speed" XML processing (parsing, transformation, crypto math, etc.)
Integration with Complementary Third-Party Offerings
• Purpose
– Create a TransactionMinder ecosystem that provides more complete customer solutions
• Integration approach
– Based on Netegrity's Reference Architecture
– Use of TransactionMinder's Agent API
• Integration of XML Gateways with TxMinder
– Vendors involved: Forum, Reactivity, Sarvega, Layer7
– Customer benefits
o Intrusion detection (XML Gateway)
o Accelerated, first-level, entry point authentication (XML Gateway)
o Integration with enterprise infrastructure (TransactionMinder): centralized security policies, multiple-factor user stores, etc.
o Web services federation, sessioning (TransactionMinder)
• Integration of Web Services Management (WSM) platforms with TxMinder
– Vendors involved: Digital Evolution, Actional, Amberpoint, Blue Titan
– Customer benefits
o Provides SLA and business policies management (WSM platform)
o Integration with enterprise infrastructure (TransactionMinder): centralized security policies, multiple-factor user stores, etc.
o Web services federation, sessioning (TransactionMinder)
IdentityMinder Features Overview
Deployed at VISA DPS, Risk Mgmt
• Structured Administration
– Leverage administrator roles, groups, organizations, & attributes to maximize administrative productivity & control
– Enable role-based access control (RBAC)
• Integrated Workflow
– Improve security and reduce costs through on-line workflows
– On-line requests, approvals, & notifications
• Delegated User Administration
– Improve efficiency by distributing administration
– To partners & internal administrators
• Auditing & Reporting
– Improve security through comprehensive auditing and management reporting
• User Self-Service
– Reduce costs by allowing end-users to manage their own profiles, passwords, & entitlements

IdentityMinder, Web Edition (IMWE) is a J2EE application that provides a customizable interface for delegating user administration and granting users entitlements. IMWE leverages the power of SiteMinder, including support for role-based access control.

Key Functionality
• Self-Service
• Integrated Workflow Approvals
• Delegation
• Role-based Entitlement Support
• Auditing and Reporting
• Customizable Interface
• Extensibility
• Scalable Architecture
• Integrated Provisioning
Self Service
Reduces administrative cost and improves user experience

[Diagram: (1) the user self-registers at the NeteAuto Web site (Name: Jsmith, Pwd: xyz, Email: jsmith@os.com, Enter Code: x23z, Sign Me Up: Free Stuff, Credit Line); (2) a user object is written to the user store (cn=JSMITH, userPassword=##, mail=OS.COM, org=DEALER) with group memberships FreeStuff and CreditLine, the latter marked "Approval Required"; (3) the user store; (4) the NeteAuto Web site then greets Jsmith with the options Edit My Profile, Reset My Password, Change Memberships.]

1. User self-registers
o Requests access to applications and group memberships
2. Workflow approval is conditionally triggered for group assignments
3. The user object is created
4. The user can now change profile and password attributes and memberships
Self-Registration
• Support for multiple self-registration schemes
– Multiple user communities (Partners vs. Contractors)
– Multiple languages
• Options for customizing self-registration
– Use default form
– Redesign form using the form designer
o Prompts, fields, hints, layout, branding, formatting
– For additional customization, generate WSDL for a fully customized web service interface

[Screenshots: the default form beside a redesigned form with customized prompts, fields, hints, layout, branding and formatting.]
Self Management
• Benefits:
– Reduce administrative costs
– Speed delivery of service to users
– Improved user experience
• Forgotten password support
– Multiple challenge/response questions
– Integration with SiteMinder password policy
• Self management options
– Modify specific attributes
– View group and role memberships
– Request additional entitlements
– Subscribe to self-subscribing groups
– Change password
Integrated Workflow

[Diagram: a supplier registers for Gold status and the workflow branches on whether the credit rating is A or B; on one branch the item "Approve gold status for I. Supply" appears on the COO's worklist; if the COO approves (YES) the record changes from Status: bronze to Status: gold and a notification goes TO: I. Supply, CC: Supplier Mgr; otherwise (NO) the status stays bronze.]

Configurable Workflow Engine Supports:
• Multi-step, non-linear approvals
• Design workflow process variants
– Create Contractor vs Create Partner
• Customizable rules defining approvers
– Member of role or group, meets filter condition, custom
– AutoApprove if no approvers are assigned
• Customizable rules to identify who is notified
• Customizable e-mail templates
– Approved, pending, completed, rejected
• Workflow API enables integration with other user management processes
Workflow Customization
1. Copy the Create User Approve process to generate a Create Contractor Approve process
2. Specify the HR group as approver
3. Specify the Contractor Supervisor as approver
Delegation
• Delegation is based on IdentityMinder roles and tasks
– IM admin roles allow management of users, groups, orgs, roles
– Roles contain granular tasks (Modify User)
– Create new roles by re-combining tasks
– Create new tasks to meet business needs (Create Contractor)
Delegation: Creating Admin Roles
• During role creation, specify ALL the rules about the role
– What are the tasks associated with this role?
o HelpDeskAdmin has Enable/disable User, Reset User Password, Modify User
– Who are the role members?
o Can initiate the tasks of the role
o While performing this role, what users, groups, orgs are in scope?
– Who are the role administrators?
o Can delegate the role to others
o While delegating this role, what users are in scope?
– Who are the role owners?
o Can modify the role using this interface
• Each role may have multiple member policies
– People in HelpAdmin group
– Title=ITManager
• All role metadata stored in Policy Store
Delegation: Membership Rule Examples

Member requirement | Rule type | Example
Must match one attribute value | User | Users where title starts with senior
Must match multiple attribute values | User | Users where title=mgr and locality<>east
Must be a member of another role | User | Users in admin role helpdeskadmin
Must belong to named org(s) | Org | Users in org sales and lower
Must belong to org(s) which meet a condition specified by attribute(s) on the org | Org | Users in orgs where Business Type=gold or Business Type=platinum
Must belong to specific org(s) and match specific user attributes | Org + User | Users where title=mgr and locality=east and who are in org sales or org marketing
Must belong to specific group(s) | Group | Users who are members of group ORGADMIN
Must belong to group(s) which meet a condition specified by attribute(s) on the group | Group | Users who are members of groups where owner=CIO
Must meet some condition which is beyond scope of rule syntax | Query | Users returned by the query ldap_query
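Each row of the table is a predicate over a user's attributes, organization or groups, and the "Creating Admin Roles" slide states that a role may carry several member policies. The following is an added example written for this page, not IdentityMinder code; it turns each rule type into a small constructor, evaluates a role's member policies with OR semantics, and runs them over a constructed directory. The role names, attribute names, org tree and people are assumptions for illustration.

```python
"""Admin-role membership rules of the kinds listed in the table above.

Added example, not IdentityMinder code. Each rule type in the table becomes a small
predicate over a constructed user record (attributes, organization path, groups), and
a role's member policies are OR-ed together as the 'Creating Admin Roles' slide states.
The role names, attribute names, org tree and people are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Member:
    uid: str
    attrs: Dict[str, str]            # title, locality, ...
    org_path: Tuple[str, ...]        # root first, e.g. ("corp", "sales", "east")
    groups: FrozenSet[str] = frozenset()


Rule = Callable[[Member, "Directory"], bool]


@dataclass
class Directory:
    members: List[Member]
    org_attrs: Dict[str, Dict[str, str]] = field(default_factory=dict)    # org -> attributes
    group_attrs: Dict[str, Dict[str, str]] = field(default_factory=dict)  # group -> attributes
    roles: Dict[str, List[Rule]] = field(default_factory=dict)            # role -> member policies

    def members_of(self, role: str) -> List[str]:
        """A user is a member when any one of the role's member policies accepts them."""
        return [m.uid for m in self.members
                if any(rule(m, self) for rule in self.roles.get(role, []))]


# One constructor per rule type in the table.
def user_attr(**conditions) -> Rule:
    """User rule: every condition must hold. 'x*' matches a prefix, '!=x' an inequality."""
    def rule(m, _d):
        for attr, want in conditions.items():
            have, want = m.attrs.get(attr, "").lower(), want.lower()
            if want.startswith("!="):
                if have == want[2:]:
                    return False
            elif want.endswith("*"):
                if not have.startswith(want[:-1]):
                    return False
            elif have != want:
                return False
        return True
    return rule


def in_role(role: str) -> Rule:
    """User rule: must already be a member of another admin role."""
    return lambda m, d: m.uid in d.members_of(role)


def in_org(*orgs, and_lower: bool = False) -> Rule:
    """Org rule: belongs to a named org, or (and_lower) to any org beneath it."""
    def rule(m, _d):
        return any(org in m.org_path and (and_lower or m.org_path[-1] == org) for org in orgs)
    return rule


def org_attr(**conditions) -> Rule:
    """Org rule: the user's own org carries the attribute values ('a|b' means a or b)."""
    def rule(m, d):
        attrs = d.org_attrs.get(m.org_path[-1], {})
        return all(attrs.get(k, "").lower() in v.lower().split("|") for k, v in conditions.items())
    return rule


def in_group(*groups) -> Rule:
    """Group rule: member of one of the named groups."""
    return lambda m, _d: bool(m.groups & set(groups))


def group_attr(**conditions) -> Rule:
    """Group rule: member of some group whose attributes satisfy the conditions."""
    def rule(m, d):
        return any(all(d.group_attrs.get(g, {}).get(k, "").lower() == v.lower()
                       for k, v in conditions.items()) for g in m.groups)
    return rule


def both(*rules: Rule) -> Rule:
    """Org + User rule: all listed rules must hold."""
    return lambda m, d: all(r(m, d) for r in rules)


def query(predicate: Callable[[Member], bool]) -> Rule:
    """Query rule: a condition outside the rule syntax (stands in for ldap_query)."""
    return lambda m, _d: predicate(m)


# Constructed sample directory (assumed values).
DIR = Directory(
    members=[
        Member("ann", {"title": "senior engineer", "locality": "east"}, ("corp", "sales", "east"), frozenset({"ORGADMIN"})),
        Member("bob", {"title": "mgr", "locality": "west"}, ("corp", "sales"), frozenset({"HELPDESK"})),
        Member("cy", {"title": "mgr", "locality": "east"}, ("corp", "marketing")),
        Member("dee", {"title": "analyst", "locality": "east"}, ("corp", "finance"), frozenset({"HELPDESK"})),
    ],
    org_attrs={"east": {"businesstype": "gold"}, "finance": {"businesstype": "platinum"}, "sales": {"businesstype": "silver"}},
    group_attrs={"HELPDESK": {"owner": "CIO"}, "ORGADMIN": {"owner": "CTO"}},
)
DIR.roles = {
    "seniors": [user_attr(title="senior*")],
    "regional_mgrs": [user_attr(title="mgr", locality="!=east")],
    "helpdeskadmin": [in_group("HELPDESK")],
    "sales_admins": [in_org("sales", and_lower=True)],
    "premium_org_admins": [org_attr(businesstype="gold|platinum")],
    "east_mgrs": [both(user_attr(title="mgr", locality="east"), in_org("sales", "marketing"))],
    "orgadmins": [in_group("ORGADMIN")],
    "escalation": [in_role("helpdeskadmin"), group_attr(owner="CIO")],   # two member policies, OR-ed
    "east_coast": [query(lambda m: m.attrs.get("locality") == "east")],
}
```

Because membership is computed from directory data at evaluation time, changing a user's title or moving them between orgs changes their admin roles without any role edit; that is the property that makes the rules convenient, and also the reason attribute writes to title, locality or group ownership deserve the same review as direct role grants.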
Delegation: Managing User Store Objects
• Delegate responsibility for managing segments of the user store to the best qualified individuals
– Non-intrusive support for the corporate user store
– User stores supported
o Relational database
: Single/multiple table based objects
: Objects retrieved by stored procedures
: Database generated unique identifier
: Delimited or row-based multiple values
: Native database datatypes
o LDAP v3
: Hierarchical, flat structure
: Auxiliary classes
: Groups
Delegation: Managing Groups
• Delegated group management provides for separation of duties:
– Group Manager
o Create/modify/delete group
o Assign Group Admin(s)
– Group Admin
o Manage group membership
o Can manage groups regardless of organizational context
• Group management can be hidden behind role assignment
– Membership rule is a group
• Support for
– Self-subscribing groups
– Nested groups
– Dynamic groups
For example, all technicians (employeetype) with cell phones (mobile), selected by an LDAP URL whose filter requires both attributes:
ldap:///ou=NeteAuto,o=security.com??sub?(&(employeetype=technician)(mobile=*))
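A dynamic group is defined by an LDAP URL (RFC 4516 form: base DN, returned attributes, scope, filter), and its membership is whatever the filter selects under that base at evaluation time. The following is an added example written for this page, not IdentityMinder code; it parses the URL, evaluates the filter against a constructed in-memory directory, and goes a little beyond the slide's query by handling the '&', '|' and '!' operators and the three search scopes. The sample entries and the attribute values are constructed.

```python
"""Dynamic group membership from an LDAP URL (RFC 4516 form), as on the slide above.

Added example, not IdentityMinder code. It parses the URL's base DN, scope and filter,
then evaluates the filter against a constructed in-memory directory so the membership
of a dynamic group can be inspected offline. The filter grammar covers the '&', '|', '!'
operators plus equality and presence ('attr=*') tests, enough for the slide's query.
"""
from urllib.parse import unquote

SCOPES = ("base", "one", "sub")


def parse_ldap_url(url: str) -> dict:
    """Split 'ldap://host/dn?attrs?scope?filter?exts' into its parts (RFC 4516)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, path = url[len("ldap://"):].partition("/")
    parts = path.split("?")
    parts += [""] * (5 - len(parts))
    dn, attrs, scope, filt, exts = (unquote(p) for p in parts[:5])
    scope = scope or "base"
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope!r}")
    return {"host": host, "base_dn": dn, "attributes": [a for a in attrs.split(",") if a],
            "scope": scope, "filter": filt or "(objectClass=*)", "extensions": exts}


def parse_filter(text: str):
    """Recursive-descent parser producing a nested tuple tree:
    ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry {attr: [values]}; attribute names are lower-cased."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = entry.get(attr, [])
    if value == "*":                       # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """base: the base entry only; one: its immediate children; sub: the whole subtree."""
    e = [c.strip().lower() for c in entry_dn.split(",")]
    b = [c.strip().lower() for c in base_dn.split(",")]
    if len(e) < len(b) or e[-len(b):] != b:
        return False
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def dynamic_members(url: str, directory: list) -> list:
    """DNs of the entries selected by the URL's base DN, scope and filter."""
    spec = parse_ldap_url(url)
    tree = parse_filter(spec["filter"])
    return [e["dn"] for e in directory
            if in_scope(e["dn"], spec["base_dn"], spec["scope"]) and matches(tree, e)]


# Constructed sample directory; attribute names are stored lower-cased.
DIRECTORY = [
    {"dn": "cn=ann,ou=NeteAuto,o=security.com", "employeetype": ["technician"], "mobile": ["555-0101"]},
    {"dn": "cn=bob,ou=NeteAuto,o=security.com", "employeetype": ["technician"]},
    {"dn": "cn=cy,ou=Sales,ou=NeteAuto,o=security.com", "employeetype": ["Technician"], "mobile": ["555-0102"]},
    {"dn": "cn=dee,ou=HR,o=security.com", "employeetype": ["technician"], "mobile": ["555-0103"]},
]
TECHS_WITH_PHONES = "ldap:///ou=NeteAuto,o=security.com??sub?(&(employeetype=technician)(mobile=*))"
```

The scope matters as much as the filter: with `sub` the technician in ou=Sales beneath NeteAuto is a member, with `one` only the direct children are, and the technician in ou=HR is never selected because it lies outside the base. Since membership changes whenever the underlying attributes do, anyone who can edit employeetype or mobile on an entry can change the membership of groups built on them.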
RBAC Support in SiteMinder®
Step 1: Use the SiteMinder UI to link access roles to security policies.
Step 2: Configure a response with a user-defined variable and, optionally, an application name; SiteMinder generates the attributes
• SM_User_Application_Roles
• SM_User_Application_Tasks
• The response returns the user's roles/tasks for authorization
• Role & task names are passed to the application

Why RBAC?
• SiteMinder® role-based policies secure applications
– Efficiency, scalability, flexibility
– Reduces administrative cost
– Coexist with user-based policies

[Diagram: delegated user admins assign employees, contractors and partners to roles such as Sales and Support; security policy admins bind those roles to the Web app, ERP app, OTShelf app and custom app.]
Auditing & Reporting
• Configurable auditing logged to relational DB
– Which objects?
o User store objects: User, Org, Group
o IdentityMinder® objects: Roles, Tasks
– Which state transitions?
o Approve, reject, executing, pending, completed, cancel, done
– What data?
o Old values, new values, or both
• Reports can be derived from audit data
– Report types
o Auditing (for example, "what changes were made to UserB")
o Administrative (for example, "what roles can AdminA grant?")
– Control access through the delegation model
o Specify which users can access which reports
Customization Options
• Rebrand, change look and feel of the IM UI
• Provide interfaces for users in different geographies
– Fully internationalized and localized to support multi-national companies
• Reduce clicks for administrators with few responsibilities
– Assure that IM administrators' first screen is optimized
• Redesign forms used by delegated admins
– Significant opportunities for customizing the interface using the IM interface
• Use web services interface (WSDL)
– Generate WSDL files, then perform additional customization if necessary
– Enables embedding in the company portal
Customizing Look & Feel
• Skin has components that may be edited to change look and feel
– Headers and footers
– Images
– Colors and fonts
• IM supports multiple skins, each consisting of
– Cascading Style Sheet
– Images (.jpeg, .gif, .png)
– A .properties file that defines the components of a skin
• Addresses accessibility requirements specified in Section 508 of the Rehabilitation Act
Tailoring the First Screen
First screen may vary by user:
1. Few tasks: listed in left nav
2. Many tasks: categories in left nav
3. Workflow approver sees worklist first
Creating Custom Tasks for Admins
• Tasks: the building blocks of custom views
– Supports fine-grained delegation
• Use the IM task designer to create new tasks
– Copying and modifying existing tasks
– Copy all or parts of tasks

[Diagram: the User Mgmt category (Create User, Modify User, View User) is copied to a Contractor Mgmt category (Modify Contractor, View Contractor). The Employee Info form (Name, Employee ID, Department, Supervisor) and the Contractor Profile form (Name, Dealer ID, Classification) both map onto the same user object attributes: cn, EmployeeNumber, departmentNumber, manager, employeeType.]

Design Custom Forms with IM
• Rebrand, add links, text, etc.
• Add/remove/rename tabs
• Remove the Org search
• Re-label prompts
• Add field hints
Web Service Support
• Business case:
– IM is web service enabled
o Enables additional customization beyond that supported through the IM interface
o Supports embedding into the corporate portal
– Supports the industry standard WSDL
• Steps:
1. Identify which tasks will be enabled as web services
2. Customize those tasks as much as possible using the IM interface
3. Export WSDL
4. Modify WSDL to complete customization
5. Use tools such as Apache Axis to generate web clients
IdentityMinder APIs
• Logical Attribute API: enables you to display an attribute differently than how it is stored physically in a user directory.
• Business Logic Task Handler API: allows you to perform custom business logic during data validation or transformation operations.
• Workflow API: provides information to a custom script in a workflow process. The script evaluates the information and determines the path of the workflow process accordingly.
• Participant Resolver API: enables you to specify the list of participants who are authorized to approve a workflow activity.
• Event Listener API: enables you to create a custom event listener that listens for a specific IdentityMinder event or group of events. When the event occurs, the event listener can perform custom business logic.
• Notification Rule API: lets you determine the users who should receive an email notification.
• Email Template API: includes event-specific information in an email notification.
Secure Architecture: Scalability for Fault Tolerant Deployment

[Diagram: browsers reach a load balancer in the Web tier fronting Web servers WS-1, WS-2 and WS-3; the application tier is a J2EE cluster protected by the SiteMinder Policy Server; the data tier holds the user store.]
Supported Platforms
Leverages enterprise architecture
• User store
– LDAP directories (SunOne, MS AD/ADAM, Novell eDirectory, Oracle OID, IBM SecureWay, Siemens DirX, InJoin Critical Path)
– Relational databases (Oracle, MS SQL Server)
• Application servers
– IBM WebSphere
– BEA WebLogic
– JBoss
• OS support: Windows, Solaris

Integrated Identity and Access Management