Identity Systems Overview
Learn about the supported identity systems (Claims-based, Cookie Authentication Module, Directory Server, Kerberos, SAML, and CA SiteMinder) and how to configure them for a variety of use cases.
Table of Contents
- About Identity Systems
- Identity Management Functions
- Identity Management Components
- About Identity Integration
- Identity System Types
- About Identity System Configuration
- Add Identity System
- Modify Identity System
- Delete Identity System
- Change Domain Sequence
About Identity Systems
Identity management technologies simplify the management of data about the users of an organization's information technology systems.
An identity management application, referred to in Policy Manager as an "Identity System," stores identity data and makes it available to network users and administrators; the data is typically held in a "Directory." Authentication protocols (Kerberos, for example) authenticate client/server applications and validate the identity of a communicating entity.
Data for a single user is stored in a user account. A user account holds values such as name, credentials (a password, which a directory should store only as a hash), and phone numbers. This information can be accessed by authorized users on the same network. User accounts can also be assigned to a group, referred to as a "User Group" or "Group Account." Rights and permissions are assigned to the group and members of the group inherit them, so group membership needs to be reviewed as carefully as the group's permissions.
Identity Management Functions
- Identity Administration—Provided through the identity management application.
- Community Management—Provided through the identity management application. Addresses the connection and security of relationships between identities.
- Identity Integration—Provided through Policy Manager's "Identity Integration" functionality. Focuses on the connection and cooperation of multiple identity repositories based on business rules.
Identity Management Components
- Directory Service—Provides a central identity repository and reconciliation of identity details between application-specific directories.
- Identity Management Service—Provides tools to manage identity details stored in the directory.
- Access Management Service—Implements authentication of web based users and enforces access control over the web-based transactions.
- Provisioning Service—Automates the creation, update, and removal of user accounts and their entitlements across connected systems (the account lifecycle).
View the Identity Systems Summary screen by going to Configure > Security > Identity Systems.
About Identity Integration
Identity integration enables the Policy Manager Subsystem to authenticate users against a third-party identity system. Connecting to the enterprise's existing identity system shortens Policy Manager deployment and keeps security administration manageable, because accounts and credentials continue to be maintained in the identity system rather than duplicated in Policy Manager.
Identity integration between Policy Manager, the client application, and a third-party identity system is defined by a set of business rules called connector properties. Connector properties typically include the details for connecting to the host where the identity system resides, the authentication method, and the user identity information to use (for example, user and user group names, descriptions, and attributes). They are packaged in an "Identity System Option Pack."
When an identity system is successfully integrated with Policy Manager, a trust relationship is established between the client application user and the Policy Manager Subsystem, and the identity system's domain name is added to the drop-down list box on the Policy Manager Login screen and on the User Groups Summary screen in Security > User Groups. When a user who exists in the identity system directory logs into the Policy Manager Management Console, the Management Console first authenticates the user against the identity system and then requests a token from the Policy Manager Subsystem. Once the token is issued, access to Policy Manager functions is granted according to the user's assigned privileges: the identity system answers who the user is, while Policy Manager decides what that user may do.
Authentication credentials for identity system users who access Policy Manager are stored in the identity system, not in Policy Manager. Native Policy Manager application users (those not backed by an identity system) must be stored in Policy Manager itself.
Policy Manager provides an Add Identity System Wizard that is used to add an identity system to Policy Manager (integrate) and to maintain the associated connection properties (modify and delete). The wizard is accessible from the Configure > Security > Identity Systems section of the Management Console.
Identity System Types
The following types of identity systems are supported:
- Claims-based
- Cookie Authentication Module
- Directory Server (Active Directory)
- Kerberos
- SAML
- CA SiteMinder
About Identity System Configuration
The Add Identity System Wizard integrates your identity management application or authentication protocol with Policy Manager through "Identity System Option Packs." Each option pack includes a set of connector properties and settings that must be configured for the integration to succeed.
Option packs are distributed in one of two ways, depending on the Policy Manager release cycle:
- Separately, as a Feature installed through the Akana Administration Console.
- Pre-installed in a Policy Manager release.
Installed option packs are selectable from a drop-down list box in the Add Identity System Wizard.
Once Policy Manager is updated with a new option pack, the feature set for that identity system becomes available in the Add Identity System Wizard, which is used to configure and maintain the identity system domains integrated with Policy Manager.
When you add a new identity system to Policy Manager, the identity system domain is displayed in the Configure > Security > Identity Systems section of the Policy Manager Management Console.
Add Identity System
The Add Identity System Wizard provides a series of options that are used to configure and maintain Identity Systems that you would like to integrate with Policy Manager.
Note: The number of identity systems available to select is based on how many "Identity System Option Packs" you have installed using the Akana Administration Console or have come pre-installed in your Policy Manager release.
Modify Identity System
To modify an existing identity system, follow the steps in the Add Identity System instructions for that identity system type, substituting the following for step 2:
Click Modify Identity System. The Modify Identity System Wizard launches and displays the Identity System Domain Details screen.
Delete Identity System
- Go to Configure > Security > Identity Systems.
- On the Identity Systems Summary screen, select the identity system you would like to delete.
- Click Delete Identity System.
- At the confirmation message, click OK.
Change Domain Sequence
Updates the display sequence of identity system domains in the drop-down menus throughout Policy Manager. Use this if your organization has integrated two or more identity system domains and you want to control which domain appears as the default selection for a specific Policy Manager deployment.
- Go to Configure > Security > Identity Systems. The Identity Systems Summary screen displays.
- Click Change Domain Sequence. The Change Domain Sequence screen displays and presents the list of identity system domains in the current display sequence.
- Select the line item you would like to reposition and use the Move Up and Move Down buttons to change its position in the list.
- Click Apply.