Novell® Access Manager
Product Overview
Kiran Mova
Agenda
Introduction
Architecture
IDP
AG
SSL VPN
Administration Console
How it works
Web SSO
Federation SSO
Protect HTTP Resources
Introduction
Access Manager is a set of components that help to:
Provide Web and Federated SSO
Protect HTTP/Non-HTTP enterprise servers
Provide SSO to Legacy Web Servers
Also allows customers to extend:
Authentication Mechanisms using Authentication SDK
Authentication against Custom User stores using LDAP Server Plugin
Policy Engine using Policy Extension API
Sample NAM Deployment
InnerWeb
Access Gateway (innerweb.novell.com)
VersionOne (v1.innerweb.novell.com)
Employee Self Service (psselfservice.innerweb.novell.com)
Identity Provider (login.innerweb.novell.com)
SSLVPN (sslvpn.innerweb.novell.com)
Architecture
[Architecture diagram: users and the NAM administrator reach the Identity Servers, Access Gateways and SSL VPNs through load balancer(s). Components: Identity Provider (authenticate), Access Gateway (authorized access, Web SSO and Federated SSO), J2EE Agent (authorized access), SSL VPN (authorized access to non-HTTP servers), Administration Console (audit, alerts, configuration, policy). Cardinalities: Administration Console 1..3, all other components 1+. External connections: User Directory (LDAP), Authentication Servers (RADIUS, etc.), Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS-Fed) and mission-critical enterprise data systems, HTTP and non-HTTP.]
Admin Console – Key Features
Administration Console
Configure Components
Monitor Health and Statistics of Individual Components
Policy Administration
Certificate Management
Delegated Administration
Persistent configuration store
Architecture – AC
[Architecture diagram, Administration Console: the NAM administrator uses the Web UI (HTTPS) of the Device Manager (iManager/Tomcat). The console keeps the Config, Policy and Certificate Store in eDirectory (clustered through an eDirectory replica, read over LDAPS), an Audit Cache that feeds the Nsure Audit Server (TCP), and a JCC that sends configuration/commands (HTTPS) to and receives alerts (HTTPS) from the Identity Provider, Access Gateway and SSL VPN; certificates are configured over LDAPS. Surrounding systems as in the overall diagram: User Directory (LDAP), Authentication Servers (RADIUS, etc.), Federated Identity Providers, mission-critical HTTP and non-HTTP enterprise data systems.]
Identity Provider – Key Features
Identity Provider (IdP)
Authentication (includes X.509, RADIUS, etc.)
Federated Authentication (SAML/ADFS)
Associate Roles and Attributes with authenticated user
Capable of authenticating against multiple user ID stores such as eDirectory, Active Directory, Sun ONE, etc.
Extensible Authentication and Policy framework
SP (Service Provider) Agent
Shared Component
Redirects all authentication requests to IdP
Maintains a cache of user data fetched from IdP
Architecture - IDP
[Architecture diagram, Identity Provider: Authentication & Attribute Services run in Tomcat, 2+ instances behind a load balancer and clustered with JGroups. Connections: User Directory over LDAP[S] for user data, Authentication Servers (RADIUS, etc.) through custom connections, Federated Identity Providers over HTTPS (SAML 2.0, SAML 1.x, Liberty, WS-Fed), Liberty and Attribute Service (HTTPS) towards the Access Gateway and SSL VPN, JCC RMI with configuration (HTTPS) and alerts (HTTPS) to the Administration Console, Configuration and Policy read over LDAPS, and an Audit Agent sending audit events (TCP).]
Access Gateway – Key Features
Access Gateway (AG)
Authentication (via Identity Server)
Authorization
Single sign-on to Legacy Web Servers (form-fill, identity injection)
Identity injection (personalization)
Secure exchange (SSLizer)
Multi Homing
Load Balancing
URL Normalization/Rewriting
Caching
Architecture - AG
[Architecture diagram, Access Gateway: an Apache Instance fronted by the SP Agent, with Gateway Manager, Session Cache, Active MQ messages, Audit Agent and the Policy Extension API; 2+ instances behind a load balancer, clustered with JGroups, AJP and HTTP between Gateway Manager and Apache. Connections: HTTP(S) from users and HTTP(S) to the back-end web servers, Liberty and Attribute Service (HTTPS) and SAML 2.0/SAML 1.x/Liberty/WS-Fed (HTTPS) with the Identity Provider, JCC RMI with configuration (HTTPS) and alerts (HTTPS) to the Administration Console, Configuration and Policy over LDAPS, Audit (TCP), Authentication Servers (RADIUS, etc.) reached via the Identity Provider.]
SSLVPN – Key Features
SSL VPN
Provide secure access to non-HTTP applications
Enterprise mode (full access) or Kiosk mode (application access)
Client Integrity Check and Policy Based Access
Architecture – SSLVPN (Server)
[Architecture diagram, SSL VPN server: SP Agent, Audit Agent, JCC, HTTP Connection Manager, Socks Server, STunnel and OpenVPN Server. Connections: HTTP(S) from the user and from the Access Gateway, SSL to the SSL VPN client, TCP to the mission-critical enterprise servers, Liberty and Attribute Service (HTTPS) with the Identity Provider, configuration (HTTPS), alerts (HTTPS) and configuration (LDAPS) with the Administration Console, Audit (TCP).]
Architecture – SSLVPN Client (Kiosk)
[Architecture diagram, SSL VPN client in Kiosk mode: the SSL VPN Client (Stunnel, Socks Client, Policy Engine) carries application traffic over SSL to the SSL VPN server (Conn Mgr, Socks Server, STunnel, OpenVPN Server, SP Agent, Audit Agent, JCC), which forwards it over TCP to the enterprise servers.]
Architecture – SSLVPN Client (Enterprise)
[Architecture diagram, SSL VPN client in Enterprise mode: the SSL VPN Client (OpenVPN Client, TUN Driver) carries application traffic as SSL over TCP/UDP to the SSL VPN server (Conn Mgr, Socks Server, STunnel, OpenVPN Server, SP Agent, Audit Agent, JCC), which forwards it over TCP/UDP to the enterprise servers.]
Recent/Current Initiatives...
Access Management On Demand
Federation Hub
Simplification
Web SSO
Participants: User, Service Provider (Web Server) with SP Agent, Identity Provider, User ID Store.
1. SP Agent redirects the user to the IdP for authentication. If the user is already authenticated at the IdP, go to (4); if not, the IdP seeks credentials.
2. User posts credentials.
3. IdP validates the credentials against the User ID Store, creates a user session, forms a token to send to the SP Agent and responds with an assertion including user attributes/roles.
4. IdP redirects the user to the SP Agent with the auth token.
5. SP Agent verifies the token and provides access.
Federated SSO
Participants: User, Identity Provider, User ID Store, Federated Identity Provider (SAML/Liberty/WS-Fed), Configuration Store.
1. Request for authentication. If the user is already authenticated, go to (8); if not, redirect to the "Trusted" Federated Identity Provider.
2. Send AuthRequest to the Federated IdP. If the user is not authenticated there, it seeks credentials.
5. IdP receives the authentication response.
6. Verify token.
7. Create user session and store a persistent federation mapping; map to a local user or auto-provision the user.
Protect HTTP Resources
Participants: User, Access Gateway (with SP Agent), Identity Provider, User ID Store, Web Server(s).
1. User accesses v1.innerweb.novell.com. If already authenticated at the Access Gateway, go to (7); if not, redirect to the SP Agent.
2. SP Agent redirects the user to the IdP for authentication. If already authenticated at the IdP, go to (5); if not, the IdP seeks credentials.
3. User posts credentials.
4. IdP validates the credentials against the User ID Store, creates a user session, forms a token to send to the SP Agent and responds with an assertion including user attributes/roles.
5. IdP redirects the user to the SP Agent with the auth token.
6. SP Agent verifies the token.
7. Access Gateway evaluates the authorization policy.
8. Redirect to access the resource.
9. Form fill, identity injection and load balancing towards the Web Server(s).
10. URL rewriting and caching of the response.
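The Web SSO exchange and the Protect HTTP Resources flow above, driven end to end as an added example; this is not Novell's code and not how the product implements its token. It assumes an HMAC-SHA256 signed JSON token and a key shared between the IdP and the SP agent (the slides do not specify the token format), a dict in place of the LDAP user ID store, an assumed login path on login.innerweb.novell.com, and assumed X-Auth-* header names for identity injection; the user records and the policy are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the User ID Store (LDAP in the slides). Assumption:
# a plain dict; clear-text passwords only to keep the demo short.
USER_STORE = {
    "kmova": {"password": "correct horse battery", "roles": ["employee", "v1-user"],
              "mail": "kmova@innerweb.example"},
    "guest": {"password": "guest", "roles": ["guest"], "mail": "guest@innerweb.example"},
}

# Assumption: IdP and SP agent share one HMAC key; the real token format is not given.
SHARED_KEY = secrets.token_bytes(32)
IDP_LOGIN_URL = "https://login.innerweb.novell.com/login"   # host from the slides, path assumed
TOKEN_LIFETIME = 300  # seconds, assumed


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Steps 3-5: validate credentials, create a session, redirect back with a token."""

    def __init__(self, key, store):
        self.key, self.store, self.sessions = key, store, {}

    def authenticate(self, username, password, return_to):
        user = self.store.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return {"status": 401, "action": "seek credentials"}      # "If not, seek credentials"
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = username                         # "Create User Session"
        claims = {"sub": username, "roles": user["roles"], "mail": user["mail"],
                  "aud": return_to, "exp": int(time.time()) + TOKEN_LIFETIME,
                  "jti": secrets.token_hex(8)}                        # attributes/roles in the assertion
        payload = _b64u(json.dumps(claims, sort_keys=True).encode())
        sig = _b64u(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return {"status": 302, "location": f"{return_to}?token={payload}.{sig}"}  # step 5


class SPAgent:
    """SP agent inside the Access Gateway: steps 1-2 and 6-9."""

    def __init__(self, key, policy):
        self.key, self.policy, self.cache = key, policy, {}   # cache of user data fetched from IdP

    def verify_token(self, token, audience):
        try:
            payload, sig = token.split(".")
        except ValueError:
            return None
        expected = _b64u(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):          # signature first, before parsing
            return None
        claims = json.loads(_b64u_decode(payload))
        if claims["aud"] != audience or claims["exp"] < time.time():   # bound to this SP, unexpired
            return None
        return claims

    def handle_request(self, url, cookie=None, token=None):
        if cookie in self.cache:                            # "If authenticated goto (7)"
            user = self.cache[cookie]
        elif token is not None:                             # step 6: Verify Token
            user = self.verify_token(token, url)
            if user is None:
                return {"status": 302, "location": f"{IDP_LOGIN_URL}?return_to={url}"}
            cookie = secrets.token_hex(16)
            self.cache[cookie] = user
        else:                                               # step 2: redirect to IdP
            return {"status": 302, "location": f"{IDP_LOGIN_URL}?return_to={url}"}
        required = self.policy.get(url, set())              # step 7: Authorization Policy
        if required and not required & set(user["roles"]):
            return {"status": 403, "set_cookie": cookie}
        headers = {"X-Auth-User": user["sub"], "X-Auth-Roles": ",".join(user["roles"]),
                   "X-Auth-Mail": user["mail"]}             # step 9: Identity Injection (names assumed)
        return {"status": 200, "forward_to": url, "injected_headers": headers, "set_cookie": cookie}


POLICY = {"https://v1.innerweb.novell.com/": {"v1-user"}}   # constructed: only v1-users may enter


def run_flow(username, password, url="https://v1.innerweb.novell.com/"):
    """Drive one user through the whole exchange and return the final SP agent response."""
    idp, sp = IdentityProvider(SHARED_KEY, USER_STORE), SPAgent(SHARED_KEY, POLICY)
    first = sp.handle_request(url)                          # step 1: no session, 302 to IdP
    assert first["status"] == 302 and first["location"].startswith(IDP_LOGIN_URL)
    login = idp.authenticate(username, password, url)       # steps 3-5
    if login["status"] != 302:
        return login
    token = login["location"].split("token=", 1)[1]
    second = sp.handle_request(url, token=token)            # steps 6-9
    third = sp.handle_request(url, cookie=second["set_cookie"])   # cached session skips the IdP
    assert third["status"] == second["status"]
    return second


if __name__ == "__main__":
    print(run_flow("kmova", "correct horse battery"))
    print(run_flow("guest", "guest"))
```

The audience check is what keeps a token issued for one protected host from being replayed at another, and the cache lookup is the "If authenticated goto (7)" shortcut from the slide: once the SP agent holds the user's data, later requests never touch the IdP.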
Access to Non-HTTP Resources
Participants: User, SSL VPN, Enterprise Server(s).
1. Login to SSL VPN (using IdP or AG). If the user is authorized, the SSL VPN pushes the SSL VPN Client.
2. User accepts and installs the client; the client performs a Client Integrity Check, establishes the VPN tunnel and receives a client policy update.
3. User accesses an enterprise server: the SSL VPN Client's virtual/hooking adapter takes the request and routes it through the VPN tunnel.
4. SSL VPN authorizes the access and forwards it to the Enterprise Server(s).