
Novell® Access Manager

Product Overview

Kiran Mova

(2)

Agenda

Introduction

Architecture

IDP

AG

SSL VPN

Administration Console

How it works?

Web SSO

Federation SSO

Protect HTTP Resources

(3)

Introduction

Access Manager is a set of components that help to:

Provide Web and Federated SSO

Protect HTTP and non-HTTP enterprise servers

Provide SSO to legacy Web servers

It also allows customers to extend:

Authentication mechanisms, using the Authentication SDK

Authentication against custom user stores, using the LDAP Server Plugin

The policy engine, using the Policy Extension API

(4)

Sample NAM Deployment

InnerWeb

Access Gateway (innerweb.novell.com)

VersionOne (v1.innerweb.novell.com)

Employee Self Service (psselfservice.innerweb.novell.com)

Identity Provider (login.innerweb.novell.com)

SSLVPN (sslvpn.innerweb.novell.com)

(5)

Architecture

[Diagram: overall NAM architecture]

Front end: the User reaches the Load Balancer(s), behind which sit the Identity Servers, Access Gateways and SSL VPNs. The Identity Provider authenticates; the Access Gateway, the SSL VPN and the J2EE Agent each provide authorized access. Cardinalities shown: Administration Console 1..3; Identity Servers, Access Gateways and SSL VPNs 1+ each.

Back end: Mission Critical and Enterprise Data Systems (HTTP and non-HTTP), User Directory (LDAP), Authentication Servers (RADIUS, etc.).

Administration Console: Web UI for the NAM Administrator; carries Audit and Alerts from, and Configuration and Policy to, the other components.

Federated Identity Providers: SAML 2.0, SAML 1.x, Liberty, WS-Fed.

Flows shown: Web SSO, Federated SSO, non-HTTP server access (VPN).

(6)

Admin Console – Key Features

Administration Console

Configure Components

Monitor Health and Statistics of Individual Components

Policy Administration

Certificate Management

Delegated Administration

Persistent configuration store

(7)

Architecture – AC

[Diagram: Administration Console internals and its links to the other components]

Inside the Administration Console: Device Manager (iManager/Tomcat), which serves the Web UI (HTTPS) to the NAM Administrator; eDirectory, holding the Config, Policy and Certificate Store (accessed over LDAPS) and clustered as an eDirectory replica; JCC; Nsure Audit Server with an Audit Cache.

Links to the Identity Provider, Access Gateway and SSL VPN: Configuration/Commands (HTTPS), Alerts (HTTPS), Audit (TCP), Configuration and Policy (LDAPS), Cert Configure (LDAPS).

Also shown: User, Load Balancer, Authenticate to the Identity Provider, User Directory (LDAP), Authentication Servers (RADIUS, etc.), Federated Identity Providers, Mission Critical and Enterprise Data Systems (HTTP and non-HTTP).

(8)

Identity Provider – Key Features

Identity Provider (IdP)

Authentication (including X.509, RADIUS, ...)

Federated Authentication (SAML/ADFS)

Associate roles and attributes with the authenticated user

Capable of authenticating against multiple user ID stores, such as eDirectory, Active Directory, Sun ONE, etc.

Extensible authentication and policy framework

SP (Service Provider) Agent

Shared component

Redirects all authentication requests to the IdP

Maintains a cache of user data fetched from the IdP

(9)

Architecture - IDP

[Diagram: Identity Provider internals]

Inside the Identity Provider: Authentication & Attribute Services (Tomcat), JCC, Audit Agent; 2+ instances behind the Load Balancer, with Clustering over JGROUPS.

Channels: Configuration (HTTPS) and JCC RMI to the Administration Console; Configuration, Policy (LDAPS); Audit (TCP); Alerts (HTTPS); User Data (LDAP[S]) to the User Directory (LDAP) and Custom Connections to the Authentication Servers (RADIUS, etc.); SAML 2.0, SAML 1.x, Liberty, WS-Fed (HTTPS) to the Federated Identity Providers; Liberty and Attribute Service (HTTPS) to the Access Gateway and SSL VPN; Authenticate from the User; Web UI for the NAM Administrator.

Back end: Mission Critical and Enterprise Data Systems (HTTP and non-HTTP).

(10)

Access Gateway – Key Features

Access Gateway (AG)

Authentication (via Identity Server)

Authorization

Single sign-on to legacy Web servers (form-fill, identity injection)

Identity injection (personalization)

Secure exchange (SSLizer)

Multi-homing

Load balancing

URL normalization/rewriting

Caching

(11)

Architecture - AG

[Diagram: Access Gateway internals]

Inside the Access Gateway: Apache Instance (HTTP(S) from the User; AJP to the Gateway Manager), Gateway Manager, SP Agent, Session Cache, Active MQ (Messages), Audit Agent, Policy Extension API; 2+ instances behind the Load Balancer, with Clustering over JGROUPS.

Channels: Configuration (HTTPS) and JCC RMI to the Administration Console; Configuration, Policy (LDAPS); Audit (TCP); Alerts (HTTPS); Liberty and Attribute Service (HTTPS) and Authenticate to the Identity Provider; HTTP(S) to the Mission Critical and Enterprise Data Systems (HTTP and non-HTTP).

Also shown: SSL VPN, Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS-Fed over HTTPS), User Directory (LDAP), Authentication Servers (RADIUS, etc.), Web UI for the NAM Administrator.

(12)

SSLVPN – Key Features

SSL VPN

Provide secure access to non-HTTP applications

Enterprise mode (full access) or Kiosk mode (application access)

Client Integrity Check and policy-based access

(13)

Architecture – SSLVPN (Server)

[Diagram: SSL VPN server internals]

Inside the SSL VPN server: HTTP Conn Mgr, Socks Server, STunnel, Open VPN Server, SP Agent, JCC, Audit Agent. The User connects over TCP with SSL; the server reaches the enterprise systems over HTTP(S).

Channels: Configuration (HTTPS), Configuration (LDAPS), Alerts (HTTPS) and Audit (TCP) to the Administration Console; Liberty and Attribute Service (HTTPS) to the Identity Provider; HTTP(S) to the Access Gateway.

Also shown: Load Balancer (2+ instances), User Directory (LDAP), Authentication Servers (RADIUS, etc.), Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS-Fed over HTTPS), Web UI for the NAM Administrator, Mission Critical and Enterprise Data Systems (HTTP and non-HTTP).

(14)

Architecture – SSLVPN Client (Kiosk)

[Diagram: Kiosk-mode client path]

Client side: Application, Socks Client and Stunnel inside the SSL VPN Client, which also carries the Policy Engine. Traffic leaves the endpoint as SSL over TCP to the SSL VPN server (STunnel, Socks Server, Conn Mgr, Open VPN Server, SP Agent, JCC, Audit Agent) and from there to the Mission Critical and Enterprise Data Systems (HTTP and non-HTTP).

(15)

Architecture – SSLVPN Client (Enterprise)

[Diagram: Enterprise-mode client path]

Client side: Application, TUN Driver and Open VPN Client inside the SSL VPN Client. Traffic leaves the endpoint as SSL over TCP/UDP to the SSL VPN server (Open VPN Server, STunnel, Socks Server, Conn Mgr, SP Agent, JCC, Audit Agent) and from there to the Mission Critical and Enterprise Data Systems (HTTP and non-HTTP).

(16)

Recent/Current Initiatives...

Access Management On Demand

Federation Hub

Simplification

(19)

Web SSO

Participants: User, Service Provider (Web Server) with SP Agent, Identity Provider, User Id Store.

1. SP Agent redirects to the IdP for authentication. At the IdP: if the user is already authenticated, go to step 4; if not, seek credentials.

2. User posts credentials to the IdP.

3. IdP validates the credentials against the User Id Store.

4. IdP creates a user session, forms a token and redirects the user back to the SP Agent with the auth token.

5. SP Agent verifies the token with the IdP; the IdP responds with an assertion including the user's attributes/roles, and the Service Provider provides access.

(20)

Federated SSO

Participants: User, Identity Provider (local) with its User Id Store and Configuration Store, Federated Identity Provider (SAML/Liberty/WS-Fed).

1. Request for authentication reaches the local IdP. If the user is already authenticated, go to step 8; if not, redirect to the "Trusted" Federated Identity Provider.

2. Local IdP sends an AuthnRequest to the Federated IdP. If the user is not authenticated there, the Federated IdP seeks credentials.

5. Local IdP receives the authentication response.

6. Verify the token.

7. Create the user session and store the persistent federation mapping in the Configuration Store: map to a local user or auto-provision the user.

(Steps 3, 4 and 8 are not labelled on the original slide.)
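As an added example (not code from this deck, nor Novell/NetIQ product code), the following Python sketch shows the service-provider side of the Federated SSO exchange above in its SAML 2.0 flavour: building the AuthnRequest of step 2 with a persistent NameID policy, then, in steps 5 to 7, checking the partner's Response (trusted issuer, InResponseTo matches an outstanding request and is accepted only once, success status, validity window, audience) and mapping the persistent NameID to a local user or auto-provisioning one. The entity IDs, the ACS URL, the trusted-partner list, the provisioning rule and the sample Response are assumptions. The sample Response is unsigned test data; a real consumer must verify the XML signature on the Response and Assertion before any of these checks, which is out of scope here.

```python
"""Added example: SP side of a SAML 2.0 federated login. Not NAM code.
Entity IDs, URLs, trusted partners, the provisioning rule and the sample
Response are constructed assumptions; XML signature verification is omitted."""
import hashlib
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SP_ENTITY = "https://login.innerweb.novell.com/idp"   # assumed: local IdP acting as SP
ACS_URL = SP_ENTITY + "/acs"                           # assumed assertion consumer endpoint


def _ts(when):
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class FederationConsumer:
    def __init__(self, trusted_idps):
        self.trusted = set(trusted_idps)   # the "Trusted" Federated Identity Providers
        self.outstanding = {}              # AuthnRequest ID -> issue time
        self.fed_map = {}                  # (issuer, persistent NameID) -> local user
        self.local_users = {}              # constructed local user store
        self.last_error = None

    def authn_request(self, destination):
        """Step 2: build the AuthnRequest sent to the Federated IdP."""
        rid = "_" + secrets.token_hex(16)
        root = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
            "ID": rid, "Version": "2.0", "IssueInstant": _ts(datetime.now(timezone.utc)),
            "Destination": destination, "AssertionConsumerServiceURL": ACS_URL,
            "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"})
        ET.SubElement(root, f"{{{NS['saml']}}}Issuer").text = SP_ENTITY
        ET.SubElement(root, f"{{{NS['samlp']}}}NameIDPolicy",
                      {"Format": PERSISTENT, "AllowCreate": "true"})
        self.outstanding[rid] = datetime.now(timezone.utc)
        return rid, ET.tostring(root, encoding="unicode")

    def _fail(self, why):
        self.last_error = why
        return None

    def consume(self, response_xml):
        """Steps 5-7: validate the Response, then map or auto-provision the local user."""
        root = ET.fromstring(response_xml)          # assumed: signature already verified
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer not in self.trusted:
            return self._fail("untrusted issuer")
        rid = root.get("InResponseTo")
        if rid not in self.outstanding:
            return self._fail("unsolicited or replayed response")
        del self.outstanding[rid]                   # each request ID is accepted once
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or not status.get("Value", "").endswith(":Success"):
            return self._fail("authentication failed at partner")
        assertion = root.find("saml:Assertion", NS)
        if assertion is None or assertion.findtext("saml:Issuer", namespaces=NS) != issuer:
            return self._fail("assertion issuer mismatch")
        cond = assertion.find("saml:Conditions", NS)
        now = datetime.now(timezone.utc)
        if cond is None or not (_parse_ts(cond.get("NotBefore")) <= now
                                < _parse_ts(cond.get("NotOnOrAfter"))):
            return self._fail("assertion outside validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY not in audiences:
            return self._fail("assertion not addressed to this SP")
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        if name_id is None or name_id.get("Format") != PERSISTENT:
            return self._fail("persistent NameID required")
        key = (issuer, name_id.text)
        local = self.fed_map.get(key)
        if local is None:                           # first visit: auto-provision
            attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                     for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
            # Assumed rule: a fresh account keyed on the NameID, never linked by e-mail, so a
            # partner asserting someone else's address cannot take over an existing local user.
            local = "fed-" + hashlib.sha256(f"{issuer}|{name_id.text}".encode()).hexdigest()[:12]
            self.local_users[local] = attrs
            self.fed_map[key] = local               # persistent federation mapping
        return local


def sample_response(issuer, in_response_to, name_id, mail, lifetime=300):
    """Constructed, unsigned partner Response used as test input (not a real IdP message)."""
    now = datetime.now(timezone.utc)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_ts(now)}"
    InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_{secrets.token_hex(8)}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{PERSISTENT}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(now - timedelta(seconds=60))}"
                     NotOnOrAfter="{_ts(now + timedelta(seconds=lifetime))}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail"><saml:AttributeValue>{mail}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

The mapping is keyed on the partner's persistent NameID, which is what makes the second login of the same subject land on the same local account even when attributes such as the e-mail address change; deleting the request ID on first use is what turns a captured Response into a rejected replay.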

(21)

Protect HTTP Resources

Participants: User, Access Gateway (with SP Agent), Identity Provider, User Id Store, Web Server(s).

1. User accesses v1.innerweb.novell.com. At the Access Gateway: if the user is already authenticated, go to step 7; if not, redirect to the SP Agent.

2. SP Agent redirects to the IdP for authentication. At the IdP: if the user is already authenticated, go to step 5; if not, seek credentials.

3. User posts credentials.

4. IdP validates the credentials against the User Id Store.

5. IdP creates a user session, forms a token and redirects the user back to the SP Agent with the auth token.

6. SP Agent verifies the token; the IdP responds with an assertion including the user's attributes/roles.

7. Access Gateway evaluates the authorization policy.

8. Redirect to access the resource.

9. Form fill, identity injection and load balancing toward the Web Server(s).

10. URL rewriting and caching of the response.
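As an added example that serves both the Web SSO slide and the protected-resource flow above (it is not code from this deck or from the Novell/NetIQ product), here is a Python simulation of the SP Agent / Identity Provider / Access Gateway exchange: the IdP validates credentials and issues a signed token; the gateway's SP Agent redirects unauthenticated users to the IdP, verifies the token that comes back (signature, audience, expiry), caches the user data under a session cookie, evaluates a role-based authorization policy and injects identity headers into the request it forwards to the web server. The HMAC-signed JSON token, the shared key, the user store, the policy table and the return-URL parameter are assumptions; the deck does not show NAM's real token format or policy language.

```python
"""Added example: a simulation of the SP Agent / IdP / Access Gateway exchange.
Not NAM code. The token format (HMAC-signed JSON), shared key, user store and
policy table are constructed assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDP_URL = "https://login.innerweb.novell.com/auth"      # IdP from the sample deployment
SHARED_KEY = secrets.token_bytes(32)                     # assumed: key shared by IdP and SP Agent
USERS = {                                                # constructed sample user store
    "alice": {"password": "correct horse", "roles": ["employee", "manager"]},
    "bob":   {"password": "hunter2",       "roles": ["contractor"]},
}
POLICY = {"/": "employee", "/admin": "manager"}          # assumed AG policy: path prefix -> role


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Steps 3-5: validate credentials, create a session, hand back a signed token."""

    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def login(self, username, password, audience, ttl=300):
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return None                                  # wrong credentials: seek them again
        self.sessions[secrets.token_urlsafe(16)] = username
        claims = {"sub": username, "roles": user["roles"], "aud": audience,
                  "exp": int(time.time()) + ttl, "jti": secrets.token_urlsafe(8)}
        body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64u(sig)}"                    # token carried on the redirect back


class AccessGateway:
    """SP Agent (steps 1-2, 6) plus authorization policy and identity injection (7, 9)."""

    def __init__(self, key, host, policy):
        self.key, self.host, self.policy, self.cache = key, host, policy, {}

    def verify_token(self, token):
        """Return the claims if signature, audience and expiry check out, else None."""
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64u(sig)):
                return None
            claims = json.loads(_unb64u(body))
        except ValueError:                               # malformed token, base64 or JSON
            return None
        if claims.get("aud") != self.host or claims.get("exp", 0) < time.time():
            return None                                  # minted for another SP, or expired
        return claims

    def handle(self, path, cookie=None, token=None):
        if token is not None:                            # step 6: back from the IdP with a token
            claims = self.verify_token(token)
            if claims is None:
                return {"status": 403}
            cookie = secrets.token_urlsafe(16)
            self.cache[cookie] = claims                  # SP Agent caches user data from the IdP
        claims = self.cache.get(cookie)
        if claims is None:                               # step 2: not authenticated -> redirect
            query = urlencode({"target": f"https://{self.host}{path}"})
            return {"status": 302, "location": f"{IDP_URL}?{query}"}
        needed = next((self.policy[p] for p in sorted(self.policy, key=len, reverse=True)
                       if path.startswith(p)), None)     # step 7: longest matching prefix rule
        if needed is None or needed not in claims["roles"]:
            return {"status": 403}                       # no rule or missing role: deny
        return {"status": 200, "cookie": cookie,         # step 9: identity injection headers
                "backend_headers": {"X-Remote-User": claims["sub"],
                                    "X-Roles": ",".join(claims["roles"])}}


def run_flow(username, password, first_path="/", second_path="/admin"):
    """Drive one user through steps 1-9 and return each hop's result."""
    idp = IdentityProvider(SHARED_KEY, USERS)
    gateway = AccessGateway(SHARED_KEY, "v1.innerweb.novell.com", POLICY)
    redirect = gateway.handle(first_path)                # steps 1-2: anonymous hit -> 302 to IdP
    target = parse_qs(urlparse(redirect["location"]).query)["target"][0]
    token = idp.login(username, password, audience=urlparse(target).netloc)
    if token is None:
        return redirect, None, None
    first = gateway.handle(first_path, token=token)      # steps 5-6: token on the return redirect
    second = gateway.handle(second_path, cookie=first.get("cookie"))  # later hit, cached session
    return redirect, first, second
```

Two details carry the security weight: the token names its audience, so a token minted for one protected host is refused by another gateway sharing the same IdP key, and the gateway denies by default when no policy rule matches the path or the required role is absent from the cached claims.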

(22)

Access to Non-HTTP Resources

Participants: User, SSL VPN, Enterprise Server(s).

1. Login to the SSL VPN (using the IdP or the AG). If the user is authorized, the SSL VPN pushes the SSL VPN Client.

2. Accept and install the client: Client Integrity Check, establish the VPN tunnel, client policy update.

3. Access the Enterprise Server: the virtual/hooking adapter on the SSL VPN Client takes the request and routes it through the VPN tunnel.

4. SSL VPN authorizes the access and forwards it to the Enterprise Server.

5. Logout.

(24)

+1 713.548.1700 (Worldwide)

888.323.6768 (Toll-free)

info@netiq.com

NetIQ.com

Worldwide Headquarters

1233 West Loop South

Suite 810

(25)

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
