Documentation
CloudAnywhere
Table of Contents
1 INTRODUCTION
2 OVERVIEW
2.1 KEY FUNCTIONALITY
2.2 PREREQUISITES
3 FEATURES
3.1 A UNIVERSAL PROVISIONING SOLUTION
3.2 CONNECTING DIRECTLY TO A SAAS PROVIDER
3.3 INDIRECT CONNECTIONS
4 CONFIGURATION
4.1 SOURCE CONFIGURATION
4.2 SELECTING ATTRIBUTES AND EXCLUSIONS
4.3 DEFINING TARGETS
4.4 RECONCILIATION AND PROVISIONING RULES
5 MAIN OPERATIONS
5.1 MANUAL READING
5.2 MANUAL RECONCILIATION
5.3 PLANNING
6 SYNCHRONIZING PASSWORDS
6.1 OPERATION
6.2 OFFICE 365 AND GOOGLE PASSWORD COMPLEXITY
6.3 RESET PASSWORD PORTAL
7 ACCESS REQUEST MANAGEMENT PORTAL
1 INTRODUCTION
Companies have always faced the challenge of managing identities and access to a growing number of applications and platforms hosted and deployed in heterogeneous environments.
Typically, a user who joins a large company is provisioned in 17 different systems and de-provisioned in only 13 when they leave.
These can include HR systems, LDAP directories for authentication and authorization, messaging systems, PBX systems, swipe cards for physical access to the restaurant or business, etc.
These issues are now controlled much more effectively thanks to IAM (Identity and Access Management) solutions based on meta-directories.
However, with the advent of the Cloud and hosted SaaS applications, this problem is back on the agenda with the need to integrate SaaS applications into the company’s information system. Companies are forced to manage more and more online services (messaging, e-Learning, CRM, storage, etc.) and, in order to control both costs and access, must ensure that their users can access only the services relevant to them:
When a new employee joins a company their account should be created automatically in the range of services to which they need access. If they leave the company, or change roles, their access should be automatically revoked or updated to reflect their new position.
Organizations are faced with three main problems:
- To put in place role management which is both effective and granular, in order to keep control of access to resources in the Cloud.
- Grant and revoke access in a flexible and responsive way to track changes in the organization (the arrival and departure of employees, changes in use).
- Minimize the number of user accounts and passwords necessary to access each user's distributed information system.
2 OVERVIEW
CloudAnywhere is an Identity Management Solution for hosted services. It synchronizes the users, groups, contacts, Organizational Units (OU) and passwords in your source directory (Active Directory, LDAP, etc.) with all your SaaS or ASP suppliers. Connectors are also available to synchronize LDAP directories, Exchange and Lync platforms.
This software meets the challenges of integrating SaaS applications into your global information system. It helps you to build a business strategy for the Cloud, guaranteeing you control over the administration and access for any present or future SaaS provider.
CloudAnywhere replaces your Active Directory as the heart of your Cloud strategy by allowing you to manage access to your resources in the Cloud from your local Active Directory.
The Active Directory source may be replaced by any other enterprise source (LDAP, Google Apps accounts, etc.).
Based on the definition of roles stored in the source directory (group membership, the value of an LDAP attribute, etc.), CloudAnywhere makes decisions for provisioning/de-provisioning users and groups connected to different targets.
It ensures that users who require access to their resources have an account with the service provider based on roles and permissions defined in the source directory.
CloudAnywhere fulfils the following objectives:
- It provides SaaS resources access to your information system users.
- It manages access from your local Active Directory.
- It minimizes the number of user accounts and passwords needed to access all the various services.
2.1 KEY FUNCTIONALITY
CloudAnywhere is a so-called “On-Premises" solution that installs on your internal network.
- A Universal Provisioning solution.
- Active Directory synchronization <-> Cloud
 o Synchronize your users
 o Synchronize your groups
 o Synchronize your contacts
 o Synchronize your "Organizational Units (OU)"
 o Synchronize your passwords
- Role and access management.
- A Reset Password Portal for end users and support teams.
- Multi-domain and multi-forest.
CloudAnywhere can also be used to consolidate internal directory or provision Exchange and Lync platforms (Powershell Connector to run the scripts of your choice).
Sources available:
- Active Directory
- LDAP directories
- CSV files
- Google Apps
Targets available:
- Postini
- SalesForce
- Office 365
- RunMyProcess
- DropCloud
- WikiPixel
- Cloudiway Provisioning Portal (for ASP hosts)
- Active Directory
- LDAP directories
- Exchange (Powershell Connector)
- Lync (Powershell Connector)
The CloudAnywhere SDK also means that new connectors can be developed in less than five days. Please contact us if you want us to develop a new target to meet your needs.
2.2 PREREQUISITES
Installs on Windows Server 2003, 2008 or 2008 R2.
32 or 64 bit.
Requires at least DotNet 4.0.
Requires a Microsoft SQL Server: Any version. Also supports the free version, SQLExpress.
Requires IIS (if the Reset Password Portal is installed).
Supports virtual environments.
3 FEATURES
CloudAnywhere is a universal provisioning platform for your SaaS applications. The provisioning is done by synchronizing your source directories used as repositories.
3.1 A UNIVERSAL PROVISIONING SOLUTION
CloudAnywhere comes with a range of connectors as standard for SaaS applications such as:
- Google Apps
CloudAnywhere comes with an SDK (Software Development Kit) for creating new connectors to SaaS applications. Thanks to this SDK the CloudAnywhere community regularly develops new connectors and expands the list of suppliers which can be managed by the solution.
These connectors are all available on the CLOUDIWAY website.
To set up a new target, simply move the associated connector into the CloudAnywhere "Connectors" directory.
In order to develop a connector for a SaaS application, the supplier must have a Provisioning API (Application Programming Interface) available online (e.g. CreateUser, DeleteUser, ModifyUser, ChangePassword, etc.). If they don't have an API available, CLOUDIWAY can approach the vendor and make its technology and provisioning server available to them to act as a gateway between CloudAnywhere provisioning and the host system.
3.2 CONNECTING DIRECTLY TO A SAAS PROVIDER
If the supplier has a SaaS Provisioning API, the connector can communicate natively with the SaaS application's provisioning interface.
Any change in the source AD (i.e. creation, deletion, modification) of users, groups or passwords will be propagated to the connected targets.
3.3 INDIRECT CONNECTIONS
4 CONFIGURATION
4.1 SOURCE CONFIGURATION
CloudAnywhere connects to the various local Active Directories. It is multi-domain and multi-forest and connects to all the directory sources of the information system.
By default all the AD source is read. However, it is possible to exclude certain OUs, or conversely to synchronize only the OUs selected.
You can also pull the users of your AD based on a group Membership.
Disable Pulling is an option that you check if you plan to work with/extend a platform like FIM 2010.
Additional connectors (e.g. for Google, Novell) are under development.
4.2 SELECTING ATTRIBUTES AND EXCLUSIONS
By default, most of the necessary attributes are pulled from the AD.
Defining a filter.
4.3 DEFINING TARGETS
In the ‘Targets’ tab, you can define the targets you want to connect to.
For each target, the appropriate configuration window is shown.
The deletion rules define how a target should react on receiving a delete event. This is a safety feature to avoid deleting a target’s content by mistake. This parameter can be used to transform a ‘delete’ request into a ‘disable’ request.
Some targets have organizational concepts equivalent to Active Directory Organizational Units (OU). It is then possible to synchronize them and to provision users in the respective OUs.
- Not synchronize the OUs (Create Users in the root organization).
- Synchronize users without using an existing OU (Create users to Existing Organizations).
- Synchronize the OUs, making it possible to map them to different names. In this case, a mapping file (OUMapping.xml) is used:
<?xml version="1.0" encoding="utf-8"?>
<OUMapping>
  <Domain domainName="ilinfo.fr">
    <OU source="OU=EMEA,DC=domvirtu,DC=com" target="BusinessOU"/>
    <OU source="OU=computers,OU=BCP,DC=domvirtu,DC=com" target="ILINFO.FR/Business2"/>
    <OU source="OU=Users,OU=BCP,DC=domvirtu,DC=com" target="ILINFO.FR/Business"/>
  </Domain>
</OUMapping>
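The following added example (not part of the CloudAnywhere manual or product) parses a mapping file of this shape and resolves a user's distinguished name to the target organization. It assumes a mapped OU applies to every object beneath it, that the most specific mapped OU wins, and that a user outside any mapped OU gets no target.

```python
"""Parse an OUMapping.xml file and resolve a source DN to its target organization.
Added example, not the product's code; longest-suffix matching and the handling of
unmapped OUs are assumptions."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed mapping file with the same shape as the one shown in the manual.
OU_MAPPING_XML = """<?xml version="1.0" encoding="utf-8"?>
<OUMapping>
  <Domain domainName="ilinfo.fr">
    <OU source="OU=EMEA,DC=domvirtu,DC=com" target="BusinessOU"/>
    <OU source="OU=computers,OU=BCP,DC=domvirtu,DC=com" target="ILINFO.FR/Business2"/>
    <OU source="OU=Users,OU=BCP,DC=domvirtu,DC=com" target="ILINFO.FR/Business"/>
  </Domain>
</OUMapping>"""

def _norm_dn(dn: str) -> Tuple[str, ...]:
    """Split a DN into RDNs ordered root-first and lower-cased (AD DNs are
    case-insensitive); escaped commas inside RDN values are not handled here."""
    return tuple(part.strip().lower() for part in reversed(dn.split(",")))

def parse_ou_mapping(xml_text: str) -> Dict[str, List[Tuple[Tuple[str, ...], str]]]:
    """Return {domainName: [(normalised source DN, target organization), ...]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "OUMapping":
        raise ValueError(f"unexpected root element {root.tag!r}")
    mapping: Dict[str, List[Tuple[Tuple[str, ...], str]]] = {}
    for domain in root.findall("Domain"):
        entries = []
        for ou in domain.findall("OU"):
            entries.append((_norm_dn(ou.attrib["source"]), ou.attrib["target"]))
        mapping[domain.attrib["domainName"]] = entries
    return mapping

def resolve_target_ou(mapping, domain_name: str, user_dn: str) -> Optional[str]:
    """Pick the mapped OU that is the deepest ancestor of user_dn (longest matching
    root-first prefix, an assumption). None means no mapped OU contains the user."""
    user = _norm_dn(user_dn)
    best = None
    for source, target in mapping.get(domain_name, []):
        if user[:len(source)] == source and (best is None or len(source) > best[0]):
            best = (len(source), target)
    return best[1] if best else None

if __name__ == "__main__":
    ous = parse_ou_mapping(OU_MAPPING_XML)
    for dn in ("CN=John Smith,OU=Users,OU=BCP,DC=domvirtu,DC=com",
               "CN=svc,OU=BCP,DC=domvirtu,DC=com"):
        print(dn, "->", resolve_target_ou(ous, "ilinfo.fr", dn))
```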
4.4 RECONCILIATION AND PROVISIONING RULES
Configuring the provisioning rules requires four steps:
- Provisioning decision: should the current object being provisioned be created or deleted in the target?
4.4.1 PROVISIONING DECISIONS
4.4.2 ATTRIBUTES TO BE SYNCHRONIZED
In this section you can choose which attributes to synchronize with this target.
4.4.3 RECONCILIATION RULES
When you connect to a new SaaS target, it is likely that it will already contain objects (user accounts, groups or contacts).
In this situation, all rules are evaluated from top to bottom. Once a rule matches, a connection is made between the source and target object. If, after the attempt at reconciliation, no match could be made the object will be created in the target.
The connection is made between the construction rule defined here and the attribute value defining the unique identifier in the target.
- FLastName: <First letter of First Name><Surname>
- FDotLastName: <First letter of First Name><Surname>
- FirstNameDotLastName: <First Name>.<Surname>
- samAccountName:
- Email Processing: with email migration it is possible that the domain name will change. This rule is used to retrieve the source email, apply the transformation to the target domain and attempt a match.
- MailExactMatch: the attribute value for storing email.
- Programmatic: a programmatic extension where you can put your own business rules.
- UpperCase: converts the login to uppercase.
- LowerCase: converts the login to lowercase.
- PascalCasing: capitalizes the first letter of each word.
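An added example (illustrative Python, not the product's code) of how rules of this kind are evaluated top to bottom against the objects already present in a target: the first rule whose constructed value matches an existing object links the two, and a user that matches nothing is created. The rule order, the old and new domain names used by Email Processing, and the sample accounts are assumptions made for the illustration.

```python
"""Top-to-bottom reconciliation rule evaluation in the style of the CloudAnywhere
rule list. Added example, not the product's code; rule order, domain names and
target data are constructed for illustration."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class SourceUser:
    first_name: str
    surname: str
    sam_account_name: str
    mail: str

# Construction rules: build a candidate identifier from source attributes.
def f_last_name(u: SourceUser) -> str:               # FLastName
    return u.first_name[:1] + u.surname
def first_name_dot_last_name(u: SourceUser) -> str:  # FirstNameDotLastName
    return u.first_name + "." + u.surname

def email_processing(mail: str, old_domain: str, new_domain: str) -> str:
    """Email Processing: rewrite the migrated domain before attempting a match."""
    local, _, domain = mail.rpartition("@")
    return f"{local}@{new_domain}" if domain.lower() == old_domain else mail

def pascal_casing(s: str) -> str:
    """PascalCasing: capitalize the first letter of each word, keep separators."""
    return re.sub(r"[A-Za-z]+", lambda m: m.group(0)[0].upper() + m.group(0)[1:].lower(), s)

# (rule name, builder, target attribute compared against), evaluated in this order.
RULES = [
    ("MailExactMatch", lambda u: u.mail, "mail"),
    ("EmailProcessing", lambda u: email_processing(u.mail, "old.example", "new.example"), "mail"),
    ("LowerCase(FLastName)", lambda u: f_last_name(u).lower(), "login"),
    ("PascalCasing(FirstNameDotLastName)", lambda u: pascal_casing(first_name_dot_last_name(u)), "login"),
    ("samAccountName", lambda u: u.sam_account_name, "login"),
]

def reconcile(user: SourceUser, target_objects: list, rules=RULES):
    """Return (matching rule name, linked target object); (None, None) means no
    rule matched, so the object would be created in the target."""
    for name, build, attr in rules:
        candidate = build(user)
        for obj in target_objects:
            if obj.get(attr) == candidate:
                return name, obj
    return None, None

# Constructed sample data: accounts already present in the SaaS target.
TARGET_OBJECTS = [{"login": "jsmith", "mail": "john.smith@new.example"},
                  {"login": "Alice.Jones", "mail": "alice.jones@new.example"},
                  {"login": "bwhite", "mail": "bwhite@new.example"}]
USERS = {"john": SourceUser("John", "Smith", "jsmith", "john.smith@old.example"),
         "alice": SourceUser("Alice", "Jones", "ajones", "alice.j@old.example"),
         "carol": SourceUser("Carol", "White", "cwhite", "carol.white@old.example")}
```

Running `reconcile(USERS["carol"], TARGET_OBJECTS)` returns `(None, None)`, the "create in target" outcome, even though a `bwhite` account exists, which is how the top-to-bottom evaluation avoids binding to a homonym-like login.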
5 MAIN OPERATIONS
The CloudAnywhere overview shows all the connected sources and targets.
The management console shows each managed account in a source or a target, displays its properties and shows to which source or target accounts it is connected.
You can manually change the status of an object:
- Forcing an object to be filtered.
 o In this case the synchronization rules will never be applied.
 o If it is connected to an existing object, the target object is deleted / deactivated. (You can break the link before disabling an account to avoid deleting the target.)
- Bind / unbind two objects manually.
 o This is useful for managing any problems with homonyms and for forcing an account to bind to the target object of your choice.
 o These manually forced connections are then no longer checked.
5.1 MANUAL READING
You can manually read a source or a target to pull the data and then manually test the reconciliation and provisioning rules.
5.2 MANUAL RECONCILIATION
You can test your reconciliation and provisioning rules manually. Firstly, synchronize your sources and targets and then click ‘Reconcile’. The list of pending changes appears.
If you click the ‘Simulate’ button you will see the expected result in the different targets for each entry.
If everything is correct you can save your changes by clicking ‘Commit’.
When all your rules are working the way you want, you can automate the synchronization and leave the service to periodically perform synchronizations.
5.3 PLANNING
The CloudAnywhere service carries out regular synchronizations.
You just need to decide how often synchronization should be carried out. Synchronization once or twice a day is adequate for most companies.
If your administrators occasionally create accounts in the target SaaS, it will be necessary to rescan the targets during each synchronization.
6 SYNCHRONIZING PASSWORDS
CloudAnywhere works with your SSO (Single Sign On) solutions. These SSO solutions do not work in all cases.
- Some protocols do not support SSO (e.g. IMAP, POP3, SMTP).
- The SSO may not work on all devices (e.g. some smartphones).
- Some SaaS vendors have not implemented an SSO solution.
Your SSO infrastructure is critical to your business and becomes your SPOF (Single Point of Failure). It therefore requires special attention and a 'high availability' implementation: if it fails, your whole company will lose access to the SaaS applications.
CloudAnywhere does not include an SSO engine. It relies on its network of technology partners to offer an SSO solution if you want to use this technology. On the other hand, CloudAnywhere complements your SSO solution by enabling the synchronization of passwords between your local Active Directory and your various connected targets.
6.1 OPERATION
CloudAnywhere synchronizes passwords between Active Directory and your SaaS suppliers.
The Active Directory passwords cannot be extracted. They are actually stored in an attribute whose permissions are set to "Write Only" for everyone: no one can read them.
Moreover, this attribute stores a hash which is not reversible. Even if you were to succeed in capturing the value of this attribute you could not extract the actual password from the hash.
CloudAnywhere therefore relies on the password change-capture function provided by the Active Directory infrastructure.
A password filter extension must be installed on each domain controller (DC).
When a user changes their password from any computer on the domain, the password is captured on one of the DCs and sent to a local service so as not to impact the DC's performance. The local service then sends the password to the CloudAnywhere server over a secure connection.
The CloudAnywhere service then searches all the targets where the source account is provisioned and proceeds to change the password in every target where password synchronization is enabled.
When setting up CloudAnywhere and password synchronization, it is recommended that a password change policy is set up in Active Directory so that your users' passwords are synchronized from the start.
Retransmission mechanisms:
Various retransmission mechanisms are implemented:
- Retransmission mechanisms between the local DC service and the CloudAnywhere server.
- Retransmission mechanisms between the CloudAnywhere server and the targets.
Security:
Passwords are not permanently stored on the hard disk. They are stored in memory only while they are waiting to be processed. They are encrypted in memory to avoid being revealed as plain text in a possible memory dump.
In the case of a power failure, pending password changes are lost.
Password compliance strategies:
The possible password rules (password length, etc.) are not checked when the password is changed in the different targets.
The resulting errors in the password changes are logged in the CloudAnywhere database.
The Active Directory password policy rules must be stronger than your SaaS providers' strongest password strategies to ensure that your users' passwords will be synchronized with all your targets.
Key elements:
- Multi-domain and multi-forest
- Does not require a trust relationship
- Does not require a schema extension.
6.2 OFFICE 365 AND GOOGLE PASSWORD COMPLEXITY
When a user changes their password in Active Directory, CloudAnywhere can enforce the password complexity required by Office 365 or Google Apps.
When a password does not meet the complexity required by the SaaS application, the password change is refused and the user must enter a compliant one.
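The two requirements above, that a password change should be refused when a target would reject it (this section) and that the AD policy must be at least as strong as every target's policy (the password compliance strategies in 6.1), are shown together in this added example; it is illustrative Python, not the product's code, and the policy values are constructed placeholders, not Office 365's or Google's actual rules.

```python
"""Check a candidate password against every connected target's policy at the time
of the Active Directory change, and report gaps where the AD policy is weaker
than a target's. Added example; policy values are constructed, not vendor rules."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: int
    min_char_classes: int  # of: upper, lower, digit, other

# Constructed illustrative policies (not the vendors' real requirements).
AD_POLICY = Policy("ActiveDirectory", 8, 256, 3)
TARGET_POLICIES = [Policy("Office365-like", 8, 16, 3),
                   Policy("GoogleApps-like", 12, 100, 0)]

def char_classes(pw: str) -> int:
    return sum(bool(re.search(p, pw)) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))

def violations(pw: str, policy: Policy) -> List[str]:
    """Reasons why `policy` would refuse `pw`; an empty list means accepted."""
    reasons = []
    if len(pw) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length}")
    if len(pw) > policy.max_length:
        reasons.append(f"longer than {policy.max_length}")
    if char_classes(pw) < policy.min_char_classes:
        reasons.append(f"fewer than {policy.min_char_classes} character classes")
    return reasons

def rejecting_targets(pw: str, targets=TARGET_POLICIES) -> Dict[str, List[str]]:
    """Targets that would refuse the password; with enforcement on, a non-empty
    result means the AD password change itself is refused."""
    return {t.name: v for t in targets if (v := violations(pw, t))}

def policy_gaps(ad: Policy, targets=TARGET_POLICIES) -> List[str]:
    """Ways a password could satisfy AD yet be refused by a target, i.e. where the
    AD policy is not the strongest one and synchronization would fail."""
    gaps = []
    for t in targets:
        if ad.min_length < t.min_length:
            gaps.append(f"{t.name}: AD allows passwords shorter than {t.min_length}")
        if ad.max_length > t.max_length:
            gaps.append(f"{t.name}: AD allows passwords longer than {t.max_length}")
        if ad.min_char_classes < t.min_char_classes:
            gaps.append(f"{t.name}: AD requires fewer than {t.min_char_classes} character classes")
    return gaps

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple 2024!"):
        print(pw, "->", rejecting_targets(pw) or "accepted by all targets")
    for gap in policy_gaps(AD_POLICY):
        print("policy gap:", gap)
```

Note that a maximum length is a gap too: a long passphrase that AD accepts would be refused by the 16-character target and the failure would only show up in the CloudAnywhere error log.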
6.3 RESET PASSWORD PORTAL
In addition to the password synchronization solution, the full version of CloudAnywhere comes with a reset password portal.
It allows users who have forgotten their passwords to reset them themselves.
The portal allows you to change the password in the Active Directory source as well as in the targets, and can be used in On-Premise only, Cloud only or hybrid modes.
For example, if you have enabled password synchronization between Active Directory and the Cloud, you can configure the portal to allow the password to be changed only in the local AD. The password will then be captured and sent to CloudAnywhere.
The portal can also be used by your support staff to reset passwords.
7 ACCESS REQUEST MANAGEMENT PORTAL
The portal also includes a request feature for access management.
The portal administrator can define a number of resources and assign a manager and a management group in Active Directory.
Once logged in, the user can see the list of available resources and make an access request to be sent to the resource manager or his backup.
8 INTEGRATION WITH META-DIRECTORIES
CloudAnywhere operates autonomously.
It knows how to connect all your sources and how to consolidate and synchronize them with all your SaaS and ASP vendors.
If you already have a meta-directory identity management solution which is connected to your sources and currently provides consolidation, CloudAnywhere will work with and complement this existing service.
CloudAnywhere is built around a SQL database that provides centralized storage of consolidated data. Using your meta-directory identity manager (e.g. FIM 2010), you can configure an SQL Server type connector and automatically update the CloudAnywhere database. In this case it is only necessary to disable the connection to the data sources.
CloudAnywhere will then synchronize its data with the SaaS suppliers, or simply carry out password synchronization, leaving provisioning actions to your current platform.
The data required for the proper operation of your CloudAnywhere will be provided by your third-party solution.
This solution provides a range of benefits.