Novell Access Manager 3.1

Transcription

1 Technical White Paper IDENTITY AND SECURITY Novell Access Manager 3.1 Access Control, Policy Management and Compliance Assurance

2

3 Novell Access Manager 3.1 Table of Contents: Complete Access Management Novell Access Manager Components Deployment and Usage Scenarios Frequently Asked Questions p. 1

4 Complete Access Management Novell Access Manager is the next-generation access management and federated identity solution from Novell. Organizations use Access Manager to control internal and external users access to network content, applications and services. Fundamental to the technologies in Access Manager is the emphasis on using industry-leading standards, including Liberty Alliance, Web Services Federation (WS-Federation), Web Services Security (WS-Security), and Security Assertion Markup Language (SAML). Novell Access Manager Components The seamless integration of Novell Access Manager components ensures access control at all levels. Figure 1 illustrates these components: Figure 1. Novell Access Manager components Novell Access Manager components are depicted in the center. Multiple user ID stores can be aggregated by a single Identity Server, which supports different LDAP stores, including: Novell edirectory Microsoft* Active Directory* Sun* ONE* Directory Server The following sections provide additional detail about Novell Access Manager components and functionality. p. 2

5 Novell Access Manager Novell Access Manager Policy Management Policy management and enforcement are fundamental strengths of Novell Access Manager. In fact, all Access Manager components are guided by administrator-definable policies that are enforced and logged for regulatory compliance reporting. Policies can be simplified by using roles, and external processes can participate via the Policy API. Identity Server Identity Server provides authentication services for all Novell Access Manager components. It also features provider and consumer services for SAML (versions 1.1 and 2.0), WS-Federation, Liberty Alliance and Information Cards. As with all Access Manager components, Identity Server provides authentication services according to Access Manager policy declarations. Identity Server authenticates users and provides role information to facilitate authorization decisions. It also includes the full Liberty Alliance Web Service Framework, which can be used to distribute identity information and simplify policy management. Organizations can leverage the standard Liberty Alliance Employee and Person profiles or define custom attributes, all of which can be used in policy decision and enforcement processes. Identity Server also facilitates federated provisioning, which automatically creates user accounts on a federation request. Without this feature, users would need to register (create a user account) with a service provider before they could federate their identities. Access Gateway Access Gateway is the component that integrates with Access Manager s centralized identity and policy management to provide authentication, authorization, Web single sign-on and personalization for any standard Web server. With Access Gateway, organizations can transform identity provider authentication and services into standard Web headers, form-fill responses and basic authentication responses. In other words, Access Gateway enables an organization s existing Web applications to support new identity standards without modification. For example, the policy-enabled Identity Injection feature of Access Gateway can leverage the Liberty Alliance Web Services Framework to extract identity information, and then inject it into Web headers or query strings. Java Application Server Agents There are three Java* application server agents: IBM* WebSphere*, BEA* WebLogic*, and JBoss*. These agents utilize Java Authentication and Authorization Service (JAAS), Java Authorization Contract for Containers (JACC), and internal Web-server APIs for authentication, and also provide policy-controlled access to Java Servlets and Enterprise JavaBeans* (EJBs). In some cases, organizations achieve tighter and more robust integration by using platformspecific APIs. Service Provider Agent (SP Agent) SP Agent is a shared component that provides a common implementation of identity and federation standards and protocols. This agent redirects all authentication requests to Identity Server, which in turn returns a SAML assertion to the component. The presence of SAML assertions in each Access Manager component protects confidential information. Specifically, it removes the need to transfer user credentials between components to handle session management. Access Gateway enables an organization s existing Web applications to support new identity standards without modification. p. 3

6 The Novell Access Manager administration interface provides a central place to configure and manage all product components and policies. SP Agent allows components to use an identity provider for authentication and service. It also allows an identity provider to chain to other identity providers. This process is known as IDP proxying, and it helps organizations create groups of interlinked identity providers. Secure Sockets Layer Virtual Private Network (SSL VPN) The SSL VPN provides secure access to non-http-based applications. After a user successfully authenticates through the SSL VPN, an Active X plug-in or Java applet is delivered to the client. The role-based access control feature in Novell Access Manager determines authorization decisions for all back-end applications. SSL VPN also performs client-integrity validation and rolebased client selection. Automatic desktop cleanup and a secure folder maintain the confidentiality of information accessed outside corporate firewalls. Policy Engine The Novell Access Manager Policy Engine provides all policy-statement resolution for all product components. To simplify policy management, it also supports the definition of policies in terms of user roles. Management Interface The Novell Access Manager administration interface provides a central place to configure and manage all product components and policies. Organizations can also use this interface to group multiple Access Gateways, and then deploy configuration changes to them simultaneously. Delegated administration is available for individual devices, agents and policy control. Figure 2. Novell Access Manager Management Console Deployment and Usage Scenarios This section outlines various deployment and usage scenarios for Novell Access Manager. Managing Novell Access Manager The administrators who oversee Novell Access Manager devices, groups and policies have typically been assigned the Device Administrator and/or Policy Administrator roles in the directory. p. 4

7 Novell Access Manager Policies can be seg mented into one or more groups, and Policy Administrators can be assigned to a select set of those policy groups. Figure 3. Novell Access Manager Dashboard Figure 3 depicts the Dashboard view provided by the Novell Access Manager administration interface. In this view, administrators can see the status of all devices and policies as well as any warning or alert conditions. Each of the boxes in the figure indicates the total number of devices in the category and the aggregate alert status of all devices in the category. For example, the Identity Servers box shows that there are three Identity Servers in a state of full functionality. Its status is represented by the green circle in the third alert-status position of the Identity Servers control box. The Policies control box is different from the other boxes because of its lack of an alertstatus indicator. This control box allows an authorized administrator (one with access control over the policy management section of the administration interface), to create, edit and manage the policies assigned to specific components. The Policy Administration section provides an additional layer of administrator access control. Policies can be segmented into one or more groups, and Policy Administrators can be assigned to a select set of those policy groups. This allows a separation of duty among Policy Administrators and also provides a way to address many regulatory compliance issues. Novell Access Manger Policy Administration The inclusion of a system-wide policy administration feature provides a compelling reason to deploy Novell Access Manager. Policies are based on Policy Enforcement Points (PEP), several of which are defined for each Novell Access Manager component. To create a policy, an administrator starts p. 5

8 Novell Access Manager delivers access to legacy Web services by processing the policies that govern these systems and by using components such as J2EE agents and Access Gateways. by declaring which PEP will be controlled via the policy. This initial declaration provides several advantages: Policy configuration options will display only those values and features available for selection at the PEP. Assignment of a policy to a device can be audited so that only appropriate devices with a compatible PEP can be selected for policy deployment. Certain policy values can be required for some policies and remain optional for others. However, the field containing the value is the same in all cases, which provides a single point of policy-engine maintenance. Policy administration also allows for the assignment of policies to multiple Access Manager components. This remains in effect as long as the components support the PEP upon which the policy is authored to operate. The administrator has tools to review what policies are being used and what devices are using them. To facilitate regulatory compliance reporting, policies are segmented into groups, which are then the subject of access control among the policy administrators. This provides a configurable separation of duty among the staff who maintain policies. Thus, an administrator with the background necessary to author and maintain Access Gateway or Agent policies could be prevented from authoring or maintaining Identity Server policy. Novell Access Manager logs all policyrelated activities and provides valuable regulatory compliance reporting. The creation, modification, deactivation and final deletion of policies as well as policy assignments and usage are all logged. This log can be queried to determine what policy was governing access at any point in time during the policy s existence. Novell Access Manager Federated Provisioning Some legacy systems require organizations to store all identity information in a specific directory and format. All users of the legacy system must have an account in the directory before they can use the legacy services. Novell Access Manager can automatically provision these types of accounts without requiring users to manually add themselves to the legacy system s directory. In Novell Access Manager, Federated Provisioning is performed by the Identity Server when it acts as a Service Provider. When enabled to auto-provision user accounts, the Identity Server first reviews each authentication request to verify that the legacy directory contains the user account. If it already contains the account, then the authentication is processed normally. If it does not contain the account, Novell Access Manager pulls information from Identity Server (via the SAML assertion or a Web service that vends the information) to create the user s account. Note that the account on the legacy system may use an alias user ID and a randomly generated password. This information is maintained by Identity Server and used each time the legacy system is accessed. Legacy Web Services and Integration Novell Access Manager delivers access to legacy Web services by processing the policies that govern these systems and by using components such as J2EE agents and Access Gateways. These components perform tasks like form-fill, basic authentication and header injection to provide users with seamless access to legacy Web systems. p. 6

9 Novell Access Manager In some cases, organizations require their legacy Web services to use an alias user ID and password. Novell Access Manager allows any combination of attributes from the identity store(s) to be used as the user ID and password. Either the user or an automated process can maintain the attributes that contain associated user IDs and passwords. This provides a user-friendly way to implement strong password policies. This feature of Novell Access Manger, coupled with the Federated Provisioning feature, provides a powerful integration tool for legacy-based systems. Legacy-system Access Management Novell Access Manager controls access to legacy systems in a variety of ways: Figure 4. Novell Access Manager overview Identity Server provides policy-based identity management, including federated identities and/or roles. Access Gateway features Web-based resource access control, using the identities managed by Identity Server. This includes the Novell Access Manager Policy component for specifying policy and role-based access to local resources. The SSL VPN ensures secure identity and role-based access to resources behind the firewall. Access Management and Standards-based Federation Each deployment of Novell Access Manager includes one or more Identity Servers that orchestrate the user identity lifecycle, including federation with other federation partners. This means that a successful authentication at a single trusted partner can result in authentication assurances at other trusted federation partners. For example, a successful authentication to an Access Manager Identity Server might be used by a disparate system not associated with the Access Manager deployment. This could provide the user with access to resources at the disparate system without the user first authenticating to that system. p. 7

10 At any time, an authorized admin istrator can use the Access Manager administration component to cancel, suspend or modify the federation agreement. Figure 5. Single Sign-on between internal and multiple federated or trusted systems Novell Access Manager Identity Server fully complies with the SAML 1.1 and SAML 2.0, WS-Federation and Liberty Alliance specifications. Moreover, federated identities from external systems are provided to all Access Manager components by the Access Manager Identity Server. Each federated identity is marshaled into the Access Manager trust perimeter according to local policies. Once a federation agreement is configured with an external system, it remains in force according to time-to-live policies that are monitored and enforced by Novell Access Manager. At any time, an authorized administrator can use the Access Manager administration component to cancel, suspend or modify the federation agreement. Any federated identity can be allowed, by policy, to provide full single sign-on to local legacy applications via Web single-sign on, form-fill, HTTP headers and other methods. This provides a rich identity-management system that is fully manageable by both the enterprise and the user. Access Management and Enterprise Federation Simplified Access to Microsoft SharePoint The federation capabilities in Novell Access Manager can also be used to simplify access to enterprise resources, such as Microsoft SharePoint*, especially when user identities exist across multiple LDAP stores and trusted partners need access via Identity Federation. Through its built-in support for WS-Federation, Novell Access Manager integrates with Active Directory Federation Services to provide claims-based authentication to Microsoft SharePoint. This allows SharePoint administrators to map received claims to SharePoint groups, essentially removing the need to create individual identities in the SharePoint identity store. p. 8

11 Novell Access Manager Frequently Asked Questions Will my existing Novell ichain deployment work with the new Access Gateway? Novell Access Manager features essential compliance-assurance logging functionality. While legacy Novell ichain deployments will continue to function as they always have, they are not a part of the new Novell Access Manager administration console. If a connection fails-over via an L4 switch between ichain and Access Gateway, the user will be required to re-authenticate so that the proper policy specifications can be invoked. Figure 6. Access Manager claims-based authentication to MS SharePoint Regulatory Compliance Logging Novell Access Manager features essential compliance-assurance logging functionality. Each component creates log entries that can be stored locally or forwarded to Novell Sentinel. Multi-factor Resource Protection Policy specification controls access to all resources safeguarded by Novell Access Manager. Thus, access to a particular resource may require that multiple policies be satisfied before access is granted. Each policy can evaluate a different identity factor independent of other policy specifications. This facility provides fine-grained, multifactor resource protection at the policyspecification level. Access Manager documentation does provide an ichain co-existence strategy that enables single sign-on between ichain and Access Manager, while services are gradually migrated from ichain to Access Manager. Can I manage multiple Access Gateways as a group even though the IP addresses on each Access Gateway are different? Yes, IP addresses are handled in a way that still allows for group management of Access Gateways. Administrators define Access Gateway Clusters to enable single-point administration of multiple devices. Can Access Manager help me manage access to Microsoft SharePoint for different communities of users? Yes, Access Manager provides built-in support for WS-Federation, which integrates with Microsoft Active Directory Federation Services to provide claims-based authentication to Microsoft SharePoint. This eliminates the need to manage individual identities in the MS SharePoint identity store. p. 9

12 Do my users need to authenticate to the SSL VPN after authenticating to Access Manager-protected Web applications? No, a user doesn t need to authenticate to the SSL VPN server once authenticated to Access Manager. They will still need to authenticate to each application, unless an enterprise single sign-on solution such as Novell SecureLogin has has been deployed. Can I integrate Access Manager with other federation-enabled services within my enterprise? Yes, Novell Access Manager can integrate with any service either as provider or consumer that supports SAML, WS-Federation or Liberty Alliance. Can I configure Identity Server to accept proxy authentications? Yes, proxy authentication is supported by the Identity Server. Contact your local Novell Solutions Provider, or call Novell at: U.S./Canada Worldwide Facsimile Novell, Inc. 404 Wyman Street Waltham, MA USA / Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and ichain are registered trademarks, and Access Manager, edirectory and Sentinel are trademarks of Novell, Inc. in the United States and other countries. *All third-party trademarks are the property of their respective owners.