www.netiq.com/documentation
Identity as a Service Powered by NetIQ® Solution Overview Guide
Legal Notice
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 227.7202-48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government’s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2015 NetIQ Corporation. All Rights Reserved.
Contents
About this Book and the Library 5
About NetIQ Corporation 7
1 Solution Overview 9
2 Identity as a Service Powered by NetIQ Solution Architecture 13
2.1 The Services Director 13
2.2 NetIQ IdentityAccess Service Architecture 14
2.3 NetIQ Account Management Service Architecture 15
2.4 NetIQ Privileged Account Manager Service Architecture 16
3 Deployment Scenarios 17
3.1 IdentityAccess Service Only 17
About this Book and the Library
The Identity as a Service Powered by NetIQ® Solution Overview Guide provides conceptual information, architecture, and deployment scenarios about the Identity as a Service Powered by NetIQ solution.
Intended Audience
This book provides information for individuals responsible for hosting and deploying the Identity as a Service Powered by NetIQ solution for their tenants. The providers of this solution must understand firewalls, ports, networking, and virtual machines.
Other Information in the Library
The library provides the following information resources:
Identity as a Service Powered by NetIQ Services Director Installation Guide
Provides detailed planning and installation information for the Services Director.
Identity as a Service Powered by NetIQ Provider Administration Guide
Provides step-by-step guidance for the many tasks a provider performs for tenants. The guide also contains information on how to manage and maintain your Services Director.
Identity as a Service Powered by NetIQ Tenant Administration Guide
Provides step-by-step guidance for the tasks a tenant performs.
Identity as a Service Powered by NetIQ IdentityAccess Service Installation Guide
Provides detailed installation information for the IdentityAccess Service appliance.
Identity as a Service Powered by NetIQ IdentityAccess Service Configuration and Administration Guide
Provides detailed configuration and administration information for the IdentityAccess Service appliance.
Identity as a Service Powered by NetIQ IdentityAccess Service Connectors Guide
Provides detailed installation and configuration information for the connectors that you use with the IdentityAccess Service appliance.
Identity as a Service Powered by NetIQ IdentityAccess Service Mobile Users QuickStart
Contains basic steps for users to configure and use the MobileAccess service that is part of the IdentityAccess Service.
Identity as a Service Powered by NetIQ Account Management Service Installation and Administration Guide
Identity as a Service Powered by NetIQ Privileged Account Manager Service Guide
Provides installation and configuration information on how to make NetIQ Privileged Account Manager a service that the Services Director hosts.
Identity as a Service Powered by NetIQ Technical References
Provide more detailed information about different features of the Identity as a Service Powered by NetIQ solution.
Help
About NetIQ Corporation
We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: Change, complexity and risk—and how we can help you control them.
Our Viewpoint
Adapting to change and managing complexity and risk are nothing new
In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.
Enabling critical business services, better and faster
We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.
Our Philosophy
Selling intelligent solutions, not just software
In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate — day in and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.
Driving your success is our passion
We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with — for a change. Ultimately, when you succeed, we all succeed.
Our Solutions
Identity & Access Governance
Access Management
Security Management
Systems & Application Management
Workload Management
Contacting Sales Support
For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.
Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: [email protected]
Website: www.netiq.com
Contacting Technical Support
For specific product issues, contact our Technical Support team.
Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555
Europe, Middle East, and Africa: +353 (0) 91-782 677
Email: [email protected]
Contacting Documentation Support
Our goal is to provide documentation that meets your needs. The documentation for this product is available on the NetIQ website in HTML and PDF formats on a page that does not require you to log in. If you have suggestions for documentation improvements, click comment on this topic at the bottom of any page in the HTML version of the documentation posted at www.netiq.com/documentation. You can also mail [email protected]. We value your input and look forward to hearing from you.
Contacting the Online User Community
NetIQ Communities, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, NetIQ Communities helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit http://community.netiq.com.
1 Solution Overview
Cloud computing provides enterprises with the opportunity to quickly deploy applications and infrastructure at lower costs while maximizing resource utilization in the face of declining budgets and IT staff, but there is the fear that sensitive data can be compromised in the cloud. In addition, as more and more applications move to the cloud, managing these applications can add more complexity and administration costs.
NetIQ provides a framework for service providers, consisting of a series of product offerings designed to provide multi-tenant management and per-tenant usage-based licensing and audit reporting. The framework allows providers to host NetIQ products as services for their tenants. The NetIQ Services Director is the framework.
Figure 1-1 Overview (diagram labels: Private Cloud, Public Cloud, Provider Hosted Services, NetIQ Services Director, Privileged Account Manager and Agent, Account Management Service, IdentityAccess Service, Tenant Management, Subscription Design, Delegated Administration)
Using the Services Director provides the following benefits:
Delegated Administration: The Services Director allows you to delegate administration to other provider administrators or to tenant administrators, in turn allowing tenants to administer their own services and systems. You can also assign different levels of administration. For more information, see “Managing Administrators” in the Identity as a Service Powered by NetIQ® Provider Administration Guide.
Health Monitoring: The Services Director provides the ability to see the health of the different components. The health tool is embedded throughout the administration consoles. You can see the health of your system and the health of the tenants from one interface, called the provider console. The provider console also contains a list of recommended actions and alerts to show you what you must do to either complete configuration tasks or address issues to keep the system healthy.
Subscription Design: The Services Director allows you, as a provider, to assign services to tenants on a subscription basis. This helps you manage your tenants and the services you provide to them.
Tenant Management: The Services Director provides multi-tenant management through a single interface, the provider console, which saves a lot of time and effort. You can add tenants and new services all through the provider console.
2 Identity as a Service Powered by NetIQ Solution Architecture
The Services Director is the framework that supports the services you want to host. You must always have the Services Director installed and configured before installing any additional services. The Services Director currently supports the IdentityAccess Service, Account Management Service, and NetIQ Privileged Account Manager Service.
The following sections describe the Services Director and the separate services architecture:
Section 2.1, “The Services Director,” on page 13
Section 2.2, “NetIQ IdentityAccess Service Architecture,” on page 14
Section 2.3, “NetIQ Account Management Service Architecture,” on page 15
Section 2.4, “NetIQ Privileged Account Manager Service Architecture,” on page 16
2.1 The Services Director
The Services Director controls administration and operation functions. It consists of components depicted in the following graphic.
Figure 2-1 Services Director (diagram labels: NetIQ Services Director, Remote Database, Services Director)
A provider console for provider administrators. From this console, you can manage and configure tenants, import application connectors, delegate administration functions, manage security, and configure auditing.
A tenant console for tenant administrators. From this console, tenants can manage the secure tunnel, specify required roles and attributes, and manage reports and auditing.
A remote MySQL database for storing provider configuration information such as the provider name, the DNS name of the Services Director appliance, the definitions for auditing services, connector templates, connector configurations, and tenant records. Most of the information you configure in the provider console is stored in this database.
The Services Director virtual appliance for storing administration information such as provider and tenant roles (Viewer, Auditor, Admin, or Super Admin), assignments, and access rights (full or read-only). The Services Director is clustered for fault tolerance with the L4 switch.
For installation information, see the Identity as a Service Powered by NetIQ® Services Director Framework Installation Guide.
2.2 NetIQ IdentityAccess Service Architecture
The NetIQ IdentityAccess Service allows users to securely authenticate to the web services hosted in the cloud. The IdentityAccess Service consists of multiple components depicted in the following graphic.
Figure 2-2 IdentityAccess Service Architecture
The clustered Services Director provides administration of the system for the provider and the tenants. It also stores configuration information, health statuses, and reporting information for the entire system.
The provider administrator assigns the different web services to the different tenants. The users
(Figure 2-2 diagram labels: Tenant A and Tenant B, each with an IdentityAccess Service Cluster behind an L4 Switch, Audit Service, LDAP/JDBC Identity Source, User Authentication, Users; Services Director with Administrator and Tenant Administrator Console; SaaS targets SalesForce, GoogleApps, Simple Proxy, Accellion)
The IdentityAccess Service appliance connects to the remote identity source, whether that is an LDAP directory or a JDBC database. The identity source stores the user accounts that have access to the web services.
The IdentityAccess Service appliance allows you to configure audit services for each tenant. The audit information from the appliance can be sent to a syslog server or to a NetIQ Sentinel Log Manager server.
For installation and configuration information, see the Identity as a Service Powered by NetIQ® IdentityAccess Service Configuration and Administration Guide.
2.3 NetIQ Account Management Service Architecture
The NetIQ Account Management Service allows you to import your identity data, more than likely from an HR system, into a flat, defined structure. The following graphic shows how the Account Management Service solution fits into the Identity as a Service Powered by NetIQ solution.
Figure 2-3 Account Management Service
The Account Management Service appliance accepts only CSV files. You import the CSV files into the appliance, and then the appliance populates the information to any system you connect to Account Management Service. You can populate the following systems:
JDBC database
LDAP directories
CSV file
(Figure 2-3 diagram labels: Services Director with Administrator, Tenant Administrator and Tenant Console; per tenant an L4 Switch, Account Management Service, IdentityAccess Service, CSV Files imported, CSV Files as an export, LDAP Directory, JDBC Database)
Account Management Service also supports custom NetIQ Identity Manager drivers. You can import the custom Identity Manager drivers to connect the Account Management Service to almost any system you want. For more information, see the Identity as a Service Powered by NetIQ® Account Management Service Installation and Administration Guide.
2.4 NetIQ Privileged Account Manager Service Architecture
NetIQ Privileged Account Manager Service allows you to control the administrative user accounts for Windows and Linux servers. The Services Director allows you to manage Privileged Account Manager workloads that contain administrative accounts for your tenants. You can deploy the workloads into a corporate data center, a private cloud, or a public cloud.
Figure 2-4 Privileged Account Manager Architecture
The Services Director allows you to manage the workloads of each tenant that wants to use Privileged Account Manager.
For more information, see the Identity as a Service Powered by NetIQ® Privileged Account Manager Service Installation and Configuration Guide.
(Figure 2-4 diagram labels: NetIQ Services Director with Provider Console and Tenant Console; Privileged Account Manager Administration; Secure Workload Management of Privileged Account Manager Workloads in the Data Center, Private Cloud, and Public Cloud)
3 Deployment Scenarios
The following sections describe different possible configuration scenarios for your Identity as a Service Powered by NetIQ solutions for your tenants. The scenarios contain different components and show where the components reside between the provider’s network and the tenants’ networks.
3.1 IdentityAccess Service Only
The following graphic depicts a possible network configuration of the Services Director with only the IdentityAccess Service. The graphic shows the tenants’ network boundaries, L4 switch placements, firewalls, and the Services Director network boundaries.
Figure 3-1 Network Diagram for IdentityAccess Service
In this configuration, the identity sources would always be in the internal network for the tenants. The IdentityAccess Service must be in the DMZ so it can access the SaaS applications and the Services Director. The Services Director must be in the provider’s DMZ and the remote MySQL databases must be in the provider’s internal network.
You must have ports 80, 443, and 61616 open for the Services Director and the IdentityAccess Service to communicate with each other.
(Figure 3-1 diagram labels: provider DMZ and Internal zones with Remote Database, L4 Switch and Clustered Appliance DNS Name; tenant DMZ and Internal zones with L4 Switch, IdentityAccess Service and Identity Source; note on the diagram: Services Director load balancing rules need to forward ports 80, 443, 61616)
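The placement rules of this section (Services Director reachable from the tenant DMZ on ports 80, 443 and 61616; the remote MySQL database kept in the provider's internal network) can be verified from the IdentityAccess Service appliance with the following check. This is an added example, not NetIQ code; the host names are constructed placeholders and the MySQL port 3306 is an assumption (the page does not name the database port).

```python
"""Reachability check for the Section 3.1 layout (added example, not NetIQ code).

Run from the IdentityAccess Service appliance in the tenant DMZ. It verifies that
the Services Director DNS name (front-ended by the L4 switch) answers on the ports
the guide requires, and that the provider's internal MySQL database is NOT
reachable from the DMZ. Host names are constructed placeholders.
"""
import socket
from typing import Callable, Dict, List

REQUIRED_PORTS = (80, 443, 61616)   # ports listed in Section 3.1
MYSQL_PORT = 3306                   # assumption: MySQL default port

Probe = Callable[[str, int], bool]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from_dmz(sd_dns_name: str, mysql_host: str,
                   probe: Probe = tcp_probe) -> Dict[str, List[str]]:
    """Return {'ok': [...], 'problems': [...]} with one line per finding."""
    result: Dict[str, List[str]] = {"ok": [], "problems": []}
    # Every required port must be forwarded by the L4 switch and allowed by the firewall.
    for port in REQUIRED_PORTS:
        if probe(sd_dns_name, port):
            result["ok"].append(f"{sd_dns_name}:{port} reachable")
        else:
            result["problems"].append(
                f"{sd_dns_name}:{port} unreachable: check the firewall and the "
                f"L4 switch forwarding rule for port {port}")
    # The database belongs in the provider's internal network, so the DMZ must not reach it.
    if probe(mysql_host, MYSQL_PORT):
        result["problems"].append(
            f"{mysql_host}:{MYSQL_PORT} is reachable from the DMZ; the remote "
            "database must sit in the provider's internal network")
    else:
        result["ok"].append(f"{mysql_host}:{MYSQL_PORT} correctly blocked from the DMZ")
    return result


if __name__ == "__main__":
    # Constructed host names; replace with the real Services Director DNS name.
    findings = check_from_dmz("sd.provider.example", "mysql.provider.example")
    for line in findings["ok"]:
        print("OK      ", line)
    for line in findings["problems"]:
        print("PROBLEM ", line)
    raise SystemExit(1 if findings["problems"] else 0)
```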
3.2 IdentityAccess Service with Account Management Service
The following graphic depicts a possible network configuration of the Services Director with the IdentityAccess Service and the Account Management Service deployed. The graphic shows the tenants’ network boundaries, L4 switch placement, firewalls, and the Services Director network boundaries.
Figure 3-2 Network Diagram for Account Management Service and IdentityAccess Service
The Account Management Service is just another identity source for the IdentityAccess Service. The
(Figure 3-2 diagram labels: provider DMZ and Internal zones with Remote Database, L4 Switch and Clustered Appliance DNS Name; Internet; tenant DMZ and Internal zones with L4 Switch, IdentityAccess Service, Account Management Service and Identity Source; note on the diagram: Services Director load balancing rules need to forward ports 80, 443, 61616)