IBM. Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets … · 2016. 3. 9. · AccessProfile widgets are modular. For example: On mainframe clients, users

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

AccessProfile Widgets Guide

SC27-4444-00

��

IBM® Security Access Manager for Enterprise SingleSign-OnVersion 8.2

AccessProfile Widgets Guide

SC27-4444-00

��

NoteBefore using this information and the product it supports, read the information in “Notices” on page 19.

Edition notice

Note: This edition applies to version 8.2 of IBM Security Access Manager for Enterprise Single Sign-On,(product number 5724–V67) and to all subsequent releases and modifications until otherwise indicated in neweditions.

© Copyright IBM Corporation 2002, 2012.US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contractwith IBM Corp.

Contents

Figures . . . . . . . . . . . . . . . v

Tables . . . . . . . . . . . . . . . vii

About this publication . . . . . . . . ixAccess to publications and terminology . . . . . ixAccessibility . . . . . . . . . . . . . . xiTechnical training . . . . . . . . . . . . xiSupport information . . . . . . . . . . . xi

Chapter 1. AccessProfile widgetsoverview . . . . . . . . . . . . . . 1Benefits of using AccessProfile widgets . . . . . 1Prerequisites . . . . . . . . . . . . . . 1Limitations . . . . . . . . . . . . . . . 2

Chapter 2. Creating and usingAccessProfile widgets . . . . . . . . 3Creating AccessProfile widgets . . . . . . . . 3Adding widgets . . . . . . . . . . . . . 3Editing widgets . . . . . . . . . . . . . 4

Pinning to a state . . . . . . . . . . . . . 5Unpinning a state. . . . . . . . . . . . . 5Expanding and collapsing widgets . . . . . . . 6Deleting widgets . . . . . . . . . . . . . 6Uploading AccessProfile and widgets . . . . . . 6

Chapter 3. Passing values to parameters 9The pass by reference option . . . . . . . . . 9The pass by value option . . . . . . . . . . 9The direct value option . . . . . . . . . . 10Passing values to parameters . . . . . . . . 10Example: Passing values to parameters . . . . . 11

Appendix. Runtime logs . . . . . . . 17

Notices . . . . . . . . . . . . . . 19

Glossary . . . . . . . . . . . . . . 23

Index . . . . . . . . . . . . . . . 31

© Copyright IBM Corp. 2002, 2012 iii

iv IBM® Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets Guide

Figures

1. Sample AccessProfile widget . . . . . . . 112. Sample main AccessProfile which starts the

sample AccessProfile widget . . . . . . . 12

© Copyright IBM Corp. 2002, 2012 v

vi IBM® Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets Guide

Tables

1. Parameter details for State A . . . . . . . 112. Parameter details for State C . . . . . . . 11

3. Parameter details for State 1 . . . . . . . 124. Parameter details for State 2 . . . . . . . 12

© Copyright IBM Corp. 2002, 2012 vii

viii IBM® Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets Guide

About this publication

IBM Security Access Manager for Enterprise Single Sign-On AccessProfile Widgets Guideprovides information about how to create and use widgets.

Access to publications and terminologyThis section provides:v A list of publications in the “IBM Security Access Manager for Enterprise Single

Sign-On library.”v Links to “Online publications” on page xi.v A link to the “IBM Terminology website” on page xi.

IBM® Security Access Manager for Enterprise Single Sign-Onlibrary

The following documents are available in the IBM Security Access Manager forEnterprise Single Sign-On library:v IBM Security Access Manager for Enterprise Single Sign-On Quick Start Guide,

CF38DMLRead this guide for a quick start on the main installation and configuration tasksto deploy and use IBM Security Access Manager for Enterprise Single Sign-On.

v IBM Security Access Manager for Enterprise Single Sign-On Planning and DeploymentGuide, SC23995203Read this guide before you do any installation or configuration tasks. This guidehelps you to plan your deployment and prepare your environment. It providesan overview of the product features and components, the required installationand configuration, and the different deployment scenarios. It also describes howto achieve high availability and disaster recovery.

v IBM Security Access Manager for Enterprise Single Sign-On Installation Guide,GI11930901Read this guide for the detailed procedures on installation, upgrade, oruninstallation of IBM Security Access Manager for Enterprise Single Sign-On.This guide helps you to install the different product components and theirrequired middleware, and also do the initial configurations required to completethe product deployment. It covers procedures for using virtual appliance,WebSphere® Application Server Base editions, and Network Deployment.

v IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide,GC23969201Read this guide if you want to configure the IMS Server settings, theAccessAgent user interface, and its behavior.

v IBM Security Access Manager for Enterprise Single Sign-On Administrator Guide,SC23995103This guide is intended for the Administrators. It covers the differentAdministrator tasks. This guide provides procedures for creating and assigningpolicy templates, editing policy values, generating logs and reports, and backingup the IMS Server and its database. Use this guide together with the IBMSecurity Access Manager for Enterprise Single Sign-On Policies Definition Guide.

© Copyright IBM Corp. 2002, 2012 ix

v IBM Security Access Manager for Enterprise Single Sign-On Help Desk Guide,SC23995303This guide is intended for Help desk officers. The guide helps Help desk officersto manage queries and requests from users usually about their authenticationfactors. Use this guide together with the IBM Security Access Manager forEnterprise Single Sign-On Policies Definition Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Policies Definition Guide,SC23969401Read this guide for the detailed descriptions of the different user, machine, andsystem policies that Administrators can configure in AccessAdmin. Use thisguide along with the IBM Security Access Manager for Enterprise SingleSign-On Administrator Guide.

v IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting andSupport Guide, GC23969301Read this guide if you have any issues with regards to installation, upgrade, andproduct usage. This guide covers the known issues and limitations of theproduct. It helps you determine the symptoms and workaround for the problem.It also provides information about fixes, knowledge bases, and support.

v IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guide,SC23995603Read this guide if you want to create or edit profiles. This guide providesprocedures for creating and editing standard and advanced AccessProfiles fordifferent application types. It also covers information about managingauthentication services and application objects, and information about otherfunctions and features of AccessStudio.

v IBM Security Access Manager for Enterprise Single Sign-On AccessProfile WidgetsGuide, SC27444400Read this guide if you want to create and use widgets.

v IBM Security Access Manager for Enterprise Single Sign-On Provisioning IntegrationGuide, SC23995703Read this guide for information about the different Java™ and SOAP API forprovisioning. It also covers procedures for installing and configuring theProvisioning Agent.

v IBM Security Access Manager for Enterprise Single Sign-On Web API for CredentialManagement Guide, SC14764600Read this guide if you want to install and configure the Web API for credentialmanagement.

v IBM Security Access Manager for Enterprise Single Sign-On Lightweight AccessAgentmode on Terminal Server SDK Guide, SC14765700Read this guide for the details on how to develop a virtual channel connectorthat integrates AccessAgent with Terminal Services applications.

v IBM Security Access Manager for Enterprise Single Sign-On Serial ID SPI Guide,SC14762600IBM Security Access Manager for Enterprise Single Sign-On has a ServiceProvider Interface (SPI) for devices that contain serial numbers, such as RFID.See this guide to know how to integrate any device with serial numbers and useit as a second authentication factor with AccessAgent.

v IBM Security Access Manager for Enterprise Single Sign-On Context ManagementIntegration Guide, SC23995403Read this guide if you want to install and configure the Context Managementsolution.

x IBM® Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets Guide

v IBM Security Access Manager for Enterprise Single Sign-On User Guide, SC23995003This guide is intended for the end users. This guide provides instructions forusing AccessAgent and Web Workplace.

v IBM Security Access Manager for Enterprise Single Sign-On Error Message ReferenceGuide, GC14762400This guide describes all the informational, warning, and error messagesassociated with IBM Security Access Manager for Enterprise Single Sign-On.

Online publications

IBM posts product publications when the product is released and when thepublications are updated at the following locations:

IBM Security Access Manager for Enterprise Single Sign-On Information CenterThe http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/ic-homepage.html site displays the informationcenter welcome page for this product.

IBM Security Information CenterThe http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp sitedisplays an alphabetical list of and general information about all IBMSecurity product documentation.

IBM Publications CenterThe http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss site offers customized search functions to help you find all the IBMpublications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in onelocation. You can access the Terminology website at http://www.ibm.com/software/globalization/terminology.

AccessibilityAccessibility features help users with a physical disability, such as restrictedmobility or limited vision, to use software products successfully. With this product,you can use assistive technologies to hear and navigate the interface. You can alsouse the keyboard instead of the mouse to operate all features of the graphical userinterface.

For additional information, see "Accessibility features" in the IBM Security AccessManager for Enterprise Single Sign-On Planning and Deployment Guide.

Technical trainingFor technical training information, see the following IBM Education website athttp://www.ibm.com/software/tivoli/education.

Support informationIBM Support provides assistance with code-related problems and routine, shortduration installation or usage questions. You can directly access the IBM SoftwareSupport site at http://www.ibm.com/software/support/probsub.html.

About this publication xi

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/ic-homepage.html

http://pic.dhe.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.itamesso.doc/ic-homepage.html

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp

http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss

http://www-05.ibm.com/e-business/linkweb/publications/servlet/pbi.wss

http://www.ibm.com/software/globalization/terminology

http://www.ibm.com/software/globalization/terminology

http://www.ibm.com/software/tivoli/education

http://www.ibm.com/software/support/probsub.html

IBM Security Access Manager for Enterprise Single Sign-On Troubleshooting and SupportGuide provides details about:v What information to collect before contacting IBM Support.v The various methods for contacting IBM Support.v How to use IBM Support Assistant.v Instructions and problem-determination resources to isolate and fix the problem

yourself.

Note: The Community and Support tab on the product information center canprovide additional support resources.

xii IBM® Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets Guide

Chapter 1. AccessProfile widgets overview

AccessProfile widgets are AccessProfiles that consist of pinnable states, which youcan use to build another AccessProfile.

Benefits of using AccessProfile widgetsCreate AccessProfiles using existing AccessProfile widgets.

The AccessProfile consists of smaller, more focused, pieces of states, triggers, andactions, which can be added as widgets in other AccessProfiles.

An AccessProfile widget, like an AccessProfile, consists of states, triggers, andactions. An AccessProfile widget can be called in other AccessProfiles.

ModularAccessProfile widgets are modular. For example: On mainframe clients,users choose from a list of available mainframe applications. Currently, allof these application workflows must be incorporated in a singleAccessProfile. You can use AccessProfile widgets to break a singleAccessProfile into multiple widgets; one for each application workflow.

Reuse

You can pass values to the parameter variables of AccessProfile widgets,which makes AccessProfile widgets more applicable across differentAccessProfiles. For example: A widget that gets credentials from differentsources like the Privileged Identity Manager server can take the serverURL as a parameter.

The same widget can be embedded multiple times in an AccessProfile andacross AccessProfiles with minor differences, which can easily beparameterized.

Other examples are common UI workflows that can occur in differentkinds of applications. The AccessProfile for a user interface that appears indifferent applications can be made as a widget. It can also be used in theAccessProfiles of those individual applications. For example: Windowslogon prompt that appears when you use Remote Desktop Protocol orWindows Explorer Map Network Drive.

PrerequisitesTo use the AccessProfile widgets feature, you must install IBM Security AccessManager for Enterprise Single Sign-On version 8.2.

Install the following components of IBM Security Access Manager for EnterpriseSingle Sign-On version 8.2. See the IBM Security Access Manager for Enterprise SingleSign-On Installation Guide.v IMS Server ims-8.2.0.0.686

v AccessAgent aa-8.2.0.3001v AccessStudio as-8.2.0.0505

© Copyright IBM Corp. 2002, 2012 1

Existing IBM Security Access Manager for Enterprise Single Sign-On users caninstall the following fix packs to upgrade.v 8.2.0-ISS-SAMESSO-IMS-FP0003

v 8.2.0-ISS-SAMESSO-AA-FP0011

LimitationsAccessProfile widgets have limitations.v You cannot invoke an AccessProfile widget in another widget.v An AccessProfile can be a stand-alone profile and a widget at the same time.

However, if the AccessProfile is a widget, the AccessProfile properties defined inthe General Properties tab in AccessStudio are ignored when it is used as awidget.

2 IBM® Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets Guide

Chapter 2. Creating and using AccessProfile widgets

Create an AccessProfile widget, edit its properties, add it to an AccessProfile, andpin it to a state.

See the following topics:v “Creating AccessProfile widgets”v “Adding widgets”v “Editing widgets” on page 4v “Pinning to a state” on page 5v “Unpinning a state” on page 5v “Expanding and collapsing widgets” on page 6v “Deleting widgets” on page 6v “Uploading AccessProfile and widgets” on page 6

Creating AccessProfile widgetsAn AccessProfile widget is an AccessProfile that has one or more of its statesdeclared as pinnable. You use an AccessProfile widget to build AccessProfiles. Youcan add the AccessProfile widget to another AccessProfile through its pinnablestates.

Procedure1. Open AccessStudio.2. Select the AccessProfile from the data type pane.3. Click the States tab.4. Select a state from the AccessProfile.5. Select Properties > Form Editor.6. Set Can be pinned in another AccessProfile to Yes.7. Repeat steps 4 to 6 for every state that you want to reuse.

Results

The selected states are pinned. The AccessProfile becomes an AccessProfile widget.

What to do next

Add the AccessProfile widget to another AccessProfile. See “Adding widgets”

Adding widgetsUse the Add Widget function to add the AccessProfile widget with its pinnablestates to another AccessProfile.

About this task

When you add multiple instances of a widget from a single AccessProfile, eachinstance of the widget is automatically labeled in this format: Widget_InstanceName(AccessProfile_WidgetName). For example:


v New Widget1 (Profile2)

v New Widget2 (Profile2)

New Widget1 is the instance name of the widget. Profile2 is the AccessProfile nameof the widget.

When you add the widget in the AccessProfile, it is not automatically added aspart of the AccessProfile. You must pin the widget into the selected AccessProfilestate. See “Pinning to a state” on page 5.

You cannot add widgets in an AccessProfile widget.

Procedure1. Open AccessStudio.2. Select the AccessProfile from the data type pane.3. Click the States tab.4. Click Add Widget.5. Select the name of the AccessProfile widget you want to add.

Results

The selected widget is added to the state diagram canvass.

What to do next

Pin the widget with its pinnable state into the selected AccessProfile state. See“Pinning to a state” on page 5.

You can also customize the name of the AccessProfile widget before you startpinning the widget. See “Editing widgets.”

Editing widgetsYou can edit the AccessProfile name of the widget, the instance name of the widgetor the name of the pinnable state. Edit the names to avoid confusion if you useseveral AccessProfile widgets.

About this task

Editing the AccessProfile name of the widget or the name of the pinnable statereplicates the changes to all instances of the AccessProfile widget.

Editing the instance name of the widget applies the change only to the instancethat you edited. The name for each instance of the added widget is specific for thatAccessProfile widget.

See the IBM Security Access Manager for Enterprise Single Sign-On AccessStudio Guidefor the general AccessProfile concepts and for the AccessStudio standardworkflows.

Procedurev To edit the AccessProfile widget name:

1. Select the AccessProfile widget from the data type pane.2. Click the General Properties tab.


3. Edit the AccessProfile ID. For example: Profile2.v To edit the instance name of the widget:

1. Select the AccessProfile from the data type pane.2. Click the States tab.3. Click the Widget name from the state diagram canvass. For example: New

Widget1 (Profile2).4. Select the Properties pane.5. In the Form Editor tab, edit the Widget Name.6. Click outside the Form Editor tab to apply the changes.

What to do next

Pin the widget with its pinnable state into the selected AccessProfile state. See“Pinning to a state.”

Pinning to a stateWhen you add a widget in the AccessProfile, it is not automatically added as partof the AccessProfile. You must pin the widget with its pinnable state into theselected AccessProfile state. Pinning the pinnable state calls the widget.

About this task

You can select the AccessProfile widget instance and pinnable state that you wantto pin to the selected AccessProfile state.

You can pin the pinnable states of a widget to any AccessProfile state. There are nolimits to the number of pinnable states that you can pin to an AccessProfile state.You can pin 1 or more of these pinnable states to the same state.

If you pin a pinnable state on an instance of an AccessProfile widget to the mainAccessProfile, that state is no longer available for pinning.

Pinning to an AccessProfile state merges the pinned widget's state-machine withthat AccessProfile state machine. When the current state machine reaches the statewith other states pinned, all the triggers of all the states are evaluated. The orderof evaluation of the triggers depends on the order in which the states are pinned.

Procedure1. Open AccessStudio.2. Select the AccessProfile from the data type pane.3. Click the States tab.4. Right-click the name of the state where you want to pin the widget.5. Select Pin State.6. Select the instance of the widget and the specific pinnable state that you want

to pin to the AccessProfile state. The AccessProfile widget and state names aredisplayed in this format:Widget_InstanceName::AccessProfile_WidgetName::Pinnable_state.

Unpinning a stateUnpin a state if you want to remove the connection of a widget instance and itspinnable state from the selected state.

Chapter 2. Creating and using AccessProfile widgets 5

About this task

In the AccessProfile widget properties pane, if you change the setting of thepinnable state to Cannot be pinned in another AccessProfile, that state isautomatically unpinned from the selected AccessProfile state.

Procedure1. Open AccessStudio.2. Select the AccessProfile from the data type pane.3. Click the States tab.4. Right-click the name of the pinned widget.5. Select Unpin State.

Expanding and collapsing widgetsExpand or collapse the AccessProfile widget to view or hide its state details.

When you add the widget in the AccessProfile:v The widget is collapsed by default.v The pinnable states associated with the widget are visible, although the widget

is collapsed.v The states that are not set as pinnable are collapsed.

Click the plus sign beside the instance name of the widget to expand or to collapseits contents.

Deleting widgetsUse the Delete options if you added the wrong widget to the AccessProfile andyou need to replace or remove the widget.

You can delete the widget whether it is pinned or not yet pinned to a state in theAccessProfile. If you delete an AccessProfile widget with pinned states, all thepinned states from this widget are unpinned and deleted from the AccessProfilewhere they are added and pinned.

You cannot delete a pinned state of a widget from an AccessProfile that is using it.In general, you cannot edit a widget from an AccessProfile that is using it.

Use one of the following options to delete the widget from the AccessProfile statediagram canvass:v Click the widget and press the Delete key.v Right-click the widget and select Delete from the menu.

Uploading AccessProfile and widgetsTo activate and use the AccessProfile, upload the AccessProfile and its associatedwidgets to the IMS Server.

About this task

When you upload to the IMS Server, all widgets that are pinned to theAccessProfile are also uploaded.


Procedure1. Select the AccessProfile from the Data type pane.2. Click the Upload selected data to IMS icon from the toolbar.

Alternatively, you can right-click on the selected AccessProfile and associatedwidgets and select Upload to IMS.

Chapter 2. Creating and using AccessProfile widgets 7


Chapter 3. Passing values to parameters

When you create an AccessProfile widget, you declare the parameters throughwhich the main AccessProfile can transfer data to the AccessProfile widget.

You must declare the parameter variables in the AccessProfile widget. Then, set theequivalent parameter variables in the AccessProfile for each AccessProfile widgetparameter.

You can set the following types of parameters:v Account Data Bagv Property Store Item

The values that are passed to these parameters are either provided as direct valuesor are derived from various sources during the AccessProfile run time.

These values can be passed to the AccessProfile widget through any of thefollowing options:v By referencev By valuev By direct value

See the following topics:v “The pass by reference option”v “The pass by value option”v “The direct value option” on page 10v “Passing values to parameters” on page 10v “Example: Passing values to parameters” on page 11

The pass by reference optionUse the pass by reference option if you want the AccessProfile widget parametervariable to use and modify the same value that is assigned to the parametervariable in the main AccessProfile.

When values are passed by reference:v If the value that is assigned to the parameter variable in the main AccessProfile

changes, the new value is reflected on the designated parameter variable that isdeclared in the AccessProfile widget.

v If the value of the parameter variable that is declared in the AccessProfile widgetchanges, the new value is reflected on the originating parameter variable in themain AccessProfile. The AccessProfile widget parameter variable is set from theoriginating parameter variable in the main AccessProfile.

The pass by value optionUse the pass by value option if you want the AccessProfile widget to copy and usethe current value of the variable in the main AccessProfile.

When values are passed by value:


v If the value assigned to the parameter variable in the main AccessProfilechanges, the new value is not reflected on the designated parameter variabledeclared in the AccessProfile widget.

v If the value of the parameter variable declared in the AccessProfile widgetchanges, the value is not reflected on the originating parameter variable in themain AccessProfile.

The direct value optionUse the direct value option if you want the main AccessProfile to pass a hardcodedvalue to a parameter in the AccessProfile widget.

With this option, the value assigned to the parameter variable does not change atrun time.

Passing values to parametersYou can pass values to the parameters that are declared in the AccessProfile widgetby reference, by value, or by specifying the direct value. Define this option in themain AccessProfile.

Procedure1. Create an AccessProfile widget.

a. Add states. See the IBM Security Access Manager for Enterprise Single Sign-OnAccessStudio Guide.

b. Select the state you want to pin in another AccessProfile.c. Declare the parameters that you want the main AccessProfile to pass to the

pinned state.1) Select the type of parameter.2) Specify the parameter ID and display name.

Note: There is no limit to the number of parameters you can add. Repeatstep c until you complete all of the parameters you want to add.

d. Add triggers and actions. See the IBM Security Access Manager for EnterpriseSingle Sign-On AccessStudio Guide.

2. In the main AccessProfile:a. Add the AccessProfile widget. See “Adding widgets” on page 3.b. Pin the pinnable state to a state. See “Pinning to a state” on page 5.c. Select the instance of the pinned state to edit its properties. For example:

Widget_InstanceName::Pinnable_state.

d. In Properties > Form Editor, expand the property details of the parameter.For example: Parameter_name[Type:Account Data Bag].

e. Select the type of parameter and passing parameter option, then click theAdd icon.

For passing parameters by reference

v Account Data Bag (By Reference)v Property Store Item (By Reference)

For passing parameters by value

v Account Data Bag (By Value)v Property Store Item (By Value)


For passing parameters by direct value

1) Select Direct value and the Add icon.2) Specify the String to transfer over.

f. Save the AccessProfile.

Example: Passing values to parametersThis topic provides an example of an AccessProfile widget and a mainAccessProfile. It includes a description of how the parameter values are passed.

Example of an AccessProfile widget:

This AccessProfile widget has the following states:v State A is a pinnable state with the following parameter types and parameter

variables:

Table 1. Parameter details for State A

Parameter variable Parameter type

param_adb1 Account Data Bag

param_ps1 Property Store Item

v State B is not pinnable.v State C is a pinnable state with the following parameter type and parameter

variables:

Table 2. Parameter details for State C

Parameter variable Parameter type

param_ps2 Property Store Item

Figure 1. Sample AccessProfile widget

Chapter 3. Passing values to parameters 11

Example of a main AccessProfile:

This main AccessProfile has the following states:v State 0

v State 1 has the following parameter variables and data transfer item:

Table 3. Parameter details for State 1

Parameter variable Data transfer item

adb1 Account Data Bag (By Reference)

ps1 Property Store Item (By Value)

v State 2 has the following parameter variables and data transfer item:

Table 4. Parameter details for State 2

Parameter variable Data transfer item

ps2 Property Store Item (By Reference)

v State 3

Workflow

The following table describes:v The relationship among the states.v The AccessProfile process flow.v How the values from the main AccessProfile parameter variables are passed to

the parameter variables in the pinned states of the AccessProfile widget.

Figure 2. Sample main AccessProfile which starts the sample AccessProfile widget


Scenario Sub Scenario Result

v State A is pinned to State 1of AccessProfile_main.

v State 1 passes the valuesassigned to its parametervariables to the parametervariables of State A.

v State C is pinned to State 2.

v State 2 passes the valuesassigned to its parametervariable to the parametervariable of State C.

AccessProfile_main movesfrom State 0 to State 1.

v param_adb1 is set to adb1.

v param_ps1 is set to ps1.

v param_ps2 staysuninitialized to an emptystring.

AccessProfile_main movesfrom State 1 to State B insidethe AccessProfile_widget.

v param_adb1 stays set toadb1.

v param_ps1 stays set to ps1.


v Any change to param_adb1is reflected to adb1, butany change to param_ps1 isnot reflected to ps1.

AccessProfile_main movesfrom State B to State C insidethe AccessProfile_widget.

v param_adb1 stays set toadb1 and param_ps1 is stillset to ps1.

v param_ps2 staysuninitialized to emptystring.

v Any change to the valueof param_adb1 is copied toadb1.

v Any change to the valueof param_ps1 is not copiedto ps1.

AccessProfile_main movesfrom State C to State 3.

v The last value set forparam_adb1 is copied toadb1

v The value for ps2 remainsunchanged.

AccessProfile_main movesfrom State 3 to State 0 andthen to State 1.

v param_adb1 and param_ps1are reinitialized with thecurrent values of adb1 andps1.





v param_adb1 staysinitialized to the recentvalue of adb1.

v param_adb1 always usesthe most recent value ofadb1.

v Any change to the valueof adb1 in the profile ismade available toparam_adb1.

v param_ps1 stays initializedto the value of ps1.

v Any change to the valueof ps1 does not affect thevalue of param_ps1.

v param_ps2 is initializedwith the latest value ofps2.

v Any change to the valueof param_ps2 inside theAccessProfile_widget iscopied back to ps2.


v param_adb1stays initializedto the most recent value ofadb1.

v param_ps1 stays initializedto the last set value of ps1.

v param_ps2stays initializedto the most recent value ofps2.

v State A is pinned to State 1of AccessProfile_main.

v State 1 passes the valuesassigned to its parametervariables to the parametervariables of State A.

v State C of theAccessProfile_widget is leftdangling.

AccessProfile_main moves toState 1 from State 0.

v param_adb1 is set to adb1and param_ps1 is set to ps1.


AccessProfile_main movesfrom State 1 to State B insidethe AccessProfile_widget.

v param_adb1 stays set toadb1 and param_ps1 isstays set to ps1.


v Any change to the valueof param_adb1 is copied toadb1, but any change tothe value of param_ps1 isnot copied to ps1.



AccessProfile_main movesfrom State B to State C insidethe AccessProfile_widget.

v param_adb1 stays set toadb1 and param_ps1 is stillset to ps1.


v Any change to the valueof param_adb1 is copied toadb1, but any change tothe value of param_ps1 isnot copied to ps1.



Appendix. Runtime logs

Check the runtime logs of the main AccessProfile or the associated AccessProfilewidget if an issue occurs while using the AccessProfile or widget.

You can view the runtime logs from the AccessStudio Messages pane.

Example of a runtime log:18:46:26.3437500 [State Machine Id - 0]Action: Run a VBScript or JScript. Property line is set to ’auth_ibm_intranet’.

This runtime log includes the time and action that was triggered.

When you click a state name, trigger name or action name from the runtime log, itopens the AccessProfile that contains the trigger and not the widget.

The runtime logs include information about:v When an AccessProfile is loadedv When a state is transitionedv When a trigger is firedv When an action is runv When a widget is not found

Note: The runtime logs do not include information about the state transitionbetween the start and end of a pinned state.



Notices

This information was developed for products and services offered in the U.S.A.IBM may not offer the products, services, or features discussed in this document inother countries. Consult your local IBM representative for information on theproducts and services currently available in your area. Any reference to an IBMproduct, program, or service is not intended to state or imply that only that IBMproduct, program, or service may be used. Any functionally equivalent product,program, or service that does not infringe any IBM intellectual property right maybe used instead. However, it is the user's responsibility to evaluate and verify theoperation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matterdescribed in this document. The furnishing of this document does not give youany license to these patents. You can send license inquiries, in writing, to:

IBM Director of LicensingIBM CorporationNorth Castle DriveArmonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBMIntellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property LicensingLegal and Intellectual Property LawIBM Japan, Ltd.1623-14, Shimotsuruma, Yamato-shiKanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any othercountry where such provisions are inconsistent with local law :

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THISPUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHEREXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIEDWARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESSFOR A PARTICULAR PURPOSE.

Some states do not allow disclaimer of express or implied warranties in certaintransactions, therefore, this statement might not apply to you.

This information could include technical inaccuracies or typographical errors.Changes are periodically made to the information herein; these changes will beincorporated in new editions of the publication. IBM may make improvementsand/or changes in the product(s) and/or the program(s) described in thispublication at any time without notice.

Any references in this information to non-IBM Web sites are provided forconvenience only and do not in any manner serve as an endorsement of those Websites. The materials at those Web sites are not part of the materials for this IBMproduct and use of those Web sites is at your own risk.


IBM may use or distribute any of the information you supply in any way itbelieves appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purposeof enabling: (i) the exchange of information between independently createdprograms and other programs (including this one) and (ii) the mutual use of theinformation which has been exchanged, should contact:

IBM Corporation2Z4A/10111400 Burnet RoadAustin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions,including in some cases payment of a fee.

The licensed program described in this document and all licensed materialavailable for it are provided by IBM under terms of the IBM Customer Agreement,IBM International Program License Agreement or any equivalent agreementbetween us.

Any performance data contained herein was determined in a controlledenvironment. Therefore, the results obtained in other operating environments mayvary significantly. Some measurements may have been made on development-levelsystems and there is no guarantee that these measurements will be the same ongenerally available systems. Furthermore, some measurement may have beenestimated through extrapolation. Actual results may vary. Users of this documentshould verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers ofthose products, their published announcements or other publicly available sources.IBM has not tested those products and cannot confirm the accuracy ofperformance, compatibility or any other claims related to non-IBM products.Questions on the capabilities of non-IBM products should be addressed to thesuppliers of those products.

All statements regarding IBM's future direction or intent are subject to change orwithdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subjectto change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject tochange before the products described become available.

This information contains examples of data and reports used in daily businessoperations. To illustrate them as completely as possible, the examples include thenames of individuals, companies, brands, and products. All of these names arefictitious and any similarity to the names and addresses used by an actual businessenterprise is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, whichillustrate programming techniques on various operating platforms. You may copy,modify, and distribute these sample programs in any form without payment to


IBM, for the purposes of developing, using, marketing or distributing applicationprograms conforming to the application programming interface for the operatingplatform for which the sample programs are written. These examples have notbeen thoroughly tested under all conditions. IBM, therefore, cannot guarantee orimply reliability, serviceability, or function of these programs. You may copy,modify, and distribute these sample programs in any form without payment toIBM for the purposes of developing, using, marketing, or distributing applicationprograms conforming to IBM's application programming interfaces.

If you are viewing this information in softcopy form, the photographs and colorillustrations might not be displayed.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks ofInternational Business Machines Corp., registered in many jurisdictions worldwide.Other product and service names might be trademarks of IBM or other companies.A current list of IBM trademarks is available on the Web at Copyright andtrademark information; at www.ibm.com/legal/copytrade.shtml.

Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registeredtrademarks or trademarks of Adobe Systems Incorporated in the United States,other countries, or both.

IT Infrastructure Library is a registered trademark of the Central Computer andTelecommunications Agency which is now part of the Office of GovernmentCommerce.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo,Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks orregistered trademarks of Intel Corporation or its subsidiaries in the United Statesand other countries.

Linux is a trademark of Linus Torvalds in the United States, other countries, orboth.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks ofMicrosoft Corporation in the United States, other countries, or both.

ITIL is a registered trademark, and a registered community trademark of the Officeof Government Commerce, and is registered in the U.S. Patent and TrademarkOffice.

UNIX is a registered trademark of The Open Group in the United States and othercountries.

Java and all Java-based trademarks and logos are trademarks or registeredtrademarks of Oracle and/or its affiliates.

Notices 21

Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in theUnited States, other countries, or both and is used under license therefrom.

Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo aretrademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.

Other company, product, and service names may be trademarks or service marksof others.


Glossary

AccessAdmin. A web-based management console thatAdministrators and Helpdesk officers use to administerthe IMS Server and to manage users and policies.

AccessAgent plug-in. A piece of script, written inVBscript or Javascript, that is embedded within anAccessProfile to perform custom checking of conditionsor to execute custom actions. It is used for extendingthe capability of an AccessProfile beyond the built-intriggers and actions.

AccessAgent. The client software that manages theidentity of the user, authenticates the user, andautomates single sign-on and sign-off.

AccessAssistant. The web-based interface that helpsusers to reset their passwords and retrieve theirapplication credentials.

AccessProfile widget / widget. An independentAccessProfile that consists of pinnable states, which canbe used to build another AccessProfile.

AccessProfiles. AccessAgent uses these XMLspecifications to identify application screens that it canperform single sign-on and automation.

AccessStudio. An application used by Administratorsfor creating and maintaining AccessProfiles.

Account data bag. A data structure that holds usercredentials in memory while single sign-on isperformed on an application.

Account data item template. A template that definesthe properties of an account data item.

Account data item. The user credentials required forlogon.

Account data template. A template that defines theformat of account data to be stored for credentialscaptured by using a specific AccessProfile.

Account data. The logon information required toverify an authentication service. It can be the username, password, and the authentication service whichthe logon information is stored.

Action. In profiling, an act that can be performed inresponse to a trigger. For example, automatic filling ofuser name and password details as soon as a sign-onwindow displays.

Active Directory (AD). A hierarchical directory servicethat enables centralized, secure management of anentire network, which is a central component of theMicrosoft Windows platform.

Active Directory credentials. The Active Directoryuser name and password.

Active Directory password synchronization. An IBMSecurity Access Manager for Enterprise Single Sign-Onfeature that synchronizes the ISAM ESSO passwordwith the Active Directory password.

Active RFID (ARFID). ARFID is both a secondauthentication factor and a presence detector. It candetect the presence of a user and AccessAgent can beconfigured to perform specific actions. In previousreleases, it is called Active Proximity Badge.

ActiveCode. Short-lived authentication codes that aregenerated and verified by IBM Security AccessManager for Enterprise Single Sign-On. There are twotypes of ActiveCodes: Mobile ActiveCodes andPredictive ActiveCodes.

Mobile ActiveCodes are generated by IBM SecurityAccess Manager for Enterprise Single Sign-On anddispatched to the mobile phone or email account of theuser. Predictive ActiveCodes, or One Time Passwords,are generated from OTP tokens when a user presses itsbutton.

Combined with alternative channels or devices,ActiveCodes provide effective second-factorauthentication.

Administrator. A person responsible foradministrative tasks such as access authorization andcontent management. Administrators can also grantlevels of authority to users.

Application policies. A collection of policies andattributes governing access to applications.

Application programming interface (API). Aninterface that allows an application program written ina high-level language to use specific data or functionsof the operating system or another program.

Application. One or more computer programs orsoftware components that provide a function in directsupport of a specific business process or processes. InAccessStudio, it is the system that provides the userinterface for reading or entering the authenticationcredentials.

Audit. A process that logs the user, Administrator, andHelpdesk activities.

Authentication factor. The different devices,biometrics, or secrets required as credentials forvalidating digital identities. Examples of authentication


factors are passwords, smart card, RFID, biometrics,and one-time password tokens.

Authentication service. In IBM Security AccessManager for Enterprise Single Sign-On, a service thatverifies the validity of an account against their ownuser store or against a corporate directory. Identifies theauthentication service associated with a screen. Accountdata saved under a particular authentication service isretrieved and auto-filled for the logon screen that isdefined. Account data captured from the logon screendefined is saved under this authentication service.

Authorization code. An alphanumeric code generatedfor administrative functions, such as password resets ortwo-factor authentication bypass with AccessAgent,AccessAssistant, and Web Workplace.

Auto-capture. A process that allows a system to collectand reuse user credentials for different applications.These credentials are captured when the user entersinformation for the first time, and then stored andsecured for future use.

Automatic sign-on. A feature where users can log onto the sign-on automation system and the system logson the user to all other applications.

Base distinguished name. A name that indicates thestarting point for searches in the directory server.

Bidirectional language. A language that uses a script,such as Arabic and Hebrew, whose general flow of textproceeds horizontally from right to left, but numbers,English, and other left-to-right language text arewritten from left to right.

Bind distinguished name. A name that specifies thecredentials for the application server to use whenconnecting to a directory service. The distinguishedname uniquely identifies an entry in a directory. Seealso Distinguished name.

Biometrics. The identification of a user based on aphysical characteristic of the user, such as a fingerprint,iris, face, voice, or handwriting.

Card Serial Number (CSN). A unique data item thatidentifies a hybrid smart card. It has no relation to thecertificates installed in the smart card

Cell. In WebSphere Application Server, a cell is avirtual unit that consists of a deployment manager andone or more nodes.

Certificate authority (CA). A trusted organization orcompany that issues the digital certificates. Thecertificate authority typically verifies the identity of theindividuals who are granted the unique certificate.

IMS Server Certificate. Used in IBM Security AccessManager for Enterprise Single Sign-On. The IMS ServerCertificate allows clients to identify and authenticate anIMS Server.

Client AccessAgent. AccessAgent installed andrunning on the client machine.

Client workstation, client machine, client computers.Computers where AccessAgent installed.

Clinical Context Object Workgroup (CCOW). Avendor independent standard, for the interchange ofinformation between clinical applications in thehealthcare industry.

Clustering. In WebSphere Application Server,clustering is the ability to group application servers.

Clusters. A group of application servers thatcollaborate for the purposes of workload balancing andfailover.

Command line interface. A computer interface inwhich the input command is a string of text characters.

Credentials. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

Cryptographic application programming interface(CAPI). An application programming interface thatprovides services to enable developers to secureapplications using cryptography. It is a set ofdynamically-linked libraries that provides anabstraction layer which isolates programmers from thecode used to encrypt the data.

Cryptographic Service Provider (CSP). A feature ofthe i5/OS® operating system that provides APIs. TheCCA Cryptographic Service Provider enables a user torun functions on the 4758 Coprocessor.

Data source. The means by which an applicationaccesses data from a database.

Database (DB) server. A software program that uses adatabase manager to provide database services tosoftware programs or computers.

DB2®. A family of IBM licensed programs forrelational database management.

Deployment manager profiles. A WebSphereApplication Server runtime environment that managesoperations for a logical group, or cell, of other servers.

Deployment manager. A server that manages andconfigures operations for a logical group or cell ofother servers.


Deprovision. To remove a service or component. Forexample, to deprovision an account means to delete anaccount from a resource.

Desktop application. Application that runs in adesktop.

Desktop Manager. Manages concurrent user desktopson a single workstation

Direct auth-info. In profiling, direct auth-info is adirect reference to an existing authentication service.

Directory service. A directory of names, profileinformation, and computer addresses of every user andresource on the network. It manages user accounts andnetwork permissions. When a user name is sent, itreturns the attributes of that individual, which mightinclude a telephone number, or an email address.Directory services use highly specialized databases thatare typically hierarchical in design and provide fastlookups.

Directory. A file that contains the names andcontrolling information for objects or other directories.

Disaster recovery site. A secondary location for theproduction environment in case of a disaster.

Disaster recovery. The process of restoring a database,system, policies after a partial or complete site failurethat was caused by a catastrophic event such as anearthquake or fire. Typically, disaster recovery requiresa full backup at another location.

Distinguished name. The name that uniquelyidentifies an entry in a directory. A distinguished nameis made up of attribute:value pairs, separated bycommas. For example, CN=person name andC=country or region.

Distributed IMS Server. The IMS Servers aredeployed in multiple geographical locations.

Domain name server (DNS). A server program thatsupplies name-to-address conversion by mappingdomain names to IP addresses.

Dynamic link library (DLL). A file containingexecutable code and data bound to a program at loadtime or run time, rather than during linking. The codeand data in a DLL can be shared by severalapplications simultaneously.

Enterprise directory. A directory of user accounts thatdefine IBM Security Access Manager for EnterpriseSingle Sign-On users. It validates user credentialsduring sign-up and logon, if the password issynchronized with the enterprise directory password.An example of an enterprise directory is ActiveDirectory.

Enterprise Single Sign-On (ESSO). A mechanism thatallows users to log on to all applications deployed inthe enterprise by entering a user ID and othercredentials, such as a password.

Enterprise user name. The user name of a useraccount in the enterprise directory.

ESSO audit logs. A log file that contains a record ofsystem events and responses. ESSO audit logs arestored in the IMS Database.

ESSO Credential Provider. Previously known as theEncentuate Credential Provider (EnCredentialProvider),this is the IBM Security Access Manager for EnterpriseSingle Sign-On GINA for Windows Vista and Windows7.

ESSO credentials. The ISAM ESSO user name andpassword.

ESSO GINA. Previously known as the EncentuateGINA (EnGINA). IBM Security Access Manager forEnterprise Single Sign-On GINA provides a userinterface that is integrated with authentication factorsand provide password resets and second factor bypassoptions.

ESSO Network Provider. Previously known as theEncentuate Network Provider (EnNetworkProvider).An AccessAgent module that captures the ActiveDirectory server credentials and uses these credentialsto automatically log on the users to their Wallet.

ESSO password. The password that secures access tothe user Wallet.

Event code. A code that represents a specific eventthat is tracked and logged into the audit log tables.

Failover. An automatic operation that switches to aredundant or standby system in the event of asoftware, hardware, or network interruption.

Fast user switching. A feature that allows users toswitch between user accounts on a single workstationwithout quitting and logging out of applications.

Federal Information Processing Standard (FIPS). Astandard produced by the National Institute ofStandards and Technology when national andinternational standards are nonexistent or inadequate tosatisfy the U.S. government requirements.

Fix pack. A cumulative collection of fixes that is madeavailable between scheduled refresh packs,manufacturing refreshes, or releases. It is intended toallow customers to move to a specific maintenancelevel.

Fully qualified domain name (FQDN). In Internetcommunications, the name of a host system that

Glossary 25

includes all of the subnames of the domain name. Anexample of a fully qualified domain name isrchland.vnet.ibm.com.

Graphical Identification and Authentication (GINA).A dynamic link library that provides a user interfacethat is tightly integrated with authentication factors andprovides password resets and second factor bypassoptions.

Group Policy Object (GPO). A collection of grouppolicy settings. Group policy objects are the documentscreated by the group policy snap-in. Group policyobjects are stored at the domain level, and they affectusers and computers contained in sites, domains, andorganizational units.

High availability (HA). The ability of IT services towithstand all outages and continue providingprocessing capability according to some predefinedservice level. Covered outages include both plannedevents, such as maintenance and backups, andunplanned events, such as software failures, hardwarefailures, power failures, and disasters.

Host name. In Internet communication, the namegiven to a computer. The host name might be a fullyqualified domain name such asmycomputer.city.company.com, or it might be a specificsubname such as mycomputer.

Hot key. A key sequence used to shift operationsbetween different applications or between differentfunctions of an application.

Hybrid smart card. An ISO-7816 compliant smart cardwhich contains a public key cryptography chip and anRFID chip. The cryptographic chip is accessible throughcontact interface. The RFID chip is accessible throughcontactless (RF) interface.

IBM HTTP server. A web server. IBM offers a webserver, called the IBM HTTP Server, that acceptsrequests from clients and forward to the applicationserver.

IMS Bridge. A module embedded in third-partyapplications and systems to call to IMS APIs forprovisioning and other purposes.

IMS Configuration Utility. A utility of the IMS Serverthat allows Administrators to manage lower-levelconfiguration settings for the IMS Server.

IMS Configuration wizard. Administrators use thewizard to configure the IMS Server during installation.

IMS Connector. A module that connects IMS toexternal systems to dispatch a mobile active code to amessaging gateway.

IMS data source. A WebSphere Application Serverconfiguration object that defines the location andparameters for accessing the IMS database.

IMS Database. The relational database where the IMSServer stores all ESSO system, machine, and user dataand audit logs.

IMS Root CA. The root certificate authority that signscertificates for securing traffic between AccessAgentand IMS Server.

IMS Server. An integrated management system forISAM ESSO that provides a central point of secureaccess administration for an enterprise. It enablescentralized management of user identities,AccessProfiles, authentication policies, provides lossmanagement, certificate management, and auditmanagement for the enterprise.

Indirect auth-info. In profiling, indirect auth-info is anindirect reference to an existing authentication service.

Interactive graphical mode. A series of panels thatprompts for information to complete the installation.

IP address. A unique address for a device or logicalunit on a network that uses the Internet Protocolstandard.

Java Management Extensions (JMX). A means ofdoing management of and through Java technology.JMX is a universal, open extension of the Javaprogramming language for management that can bedeployed across all industries, wherever management isneeded.

Java runtime environment (JRE). A subset of a Javadeveloper kit that contains the core executableprograms and files that constitute the standard Javaplatform. The JRE includes the Java virtual machine(JVM), core classes, and supporting files.

Java virtual machine (JVM). A softwareimplementation of a processor that runs compiled Javacode (applets and applications).

Keystore. In security, a file or a hardwarecryptographic card where identities and private keysare stored, for authentication and encryption purposes.Some keystores also contain trusted, or public, keys.

Lightweight Directory Access Protocol (LDAP). Anopen protocol that uses TCP/IP to provide access todirectories that support an X.500 model. An LDAP canbe used to locate people, organizations, and otherresources in an Internet or intranet directory.

Lightweight mode. A Server AccessAgent mode.Running in lightweight mode reduces the memoryfootprint of AccessAgent on a Citrix/Terminal Serverand improves the single sign-on startup duration.


Load balancing. The monitoring of application serversand management of the workload on servers. If oneserver exceeds its workload, requests are forwarded toanother server with more capacity.

Lookup user. A user who is authenticated in theEnterprise Directory and searches for other users. IBMSecurity Access Manager for Enterprise Single Sign-Onuses the lookup user to retrieve user attributes from theActive Directory or LDAP enterprise repository.

Main AccessProfile. The AccessProfile that containsone or more AccessProfile widgets

Managed node. A node that is federated to adeployment manager and contains a node agent andcan contain managed servers.

Microsoft Cryptographic application programminginterface (CAPI). An interface specification fromMicrosoft for modules that provide cryptographicfunctionality and that allow access to smart cards.

Mobile ActiveCode (MAC). A one-time password thatis used by users for two-factor authentication in WebWorkplace, AccessAssistant, and other applications.This OTP is randomly generated and dispatched touser through SMS or email.

Mobile authentication. An authentication factorwhich allows mobile users to sign-on securely tocorporate resources from anywhere on the network.

Network deployment. Also known as a clustereddeployment. A type of deployment where the IMSServer is deployed on a WebSphere Application Servercluster.

Node agent. An administrative agent that manages allapplication servers on a node and represents the nodein the management cell.

Nodes. A logical group of managed servers.

One-Time Password (OTP). A one-use passwordgenerated for an authentication event, sometimescommunicated between the client and the serverthrough a secure channel.

OTP token. A small, highly portable hardware devicethat the owner carries to authorize access to digitalsystems and physical assets.

Password aging. A security feature by which thesuperuser can specify how often users must changetheir passwords.

Password complexity policy. A policy that specifiesthe minimum and maximum length of the password,the minimum number of numeric and alphabeticcharacters, and whether to allow mixed uppercase andlowercase characters.

Personal applications. Windows and web-basedapplications where AccessAgent can store and entercredentials.

Some examples of personal applications are web-basedmail sites such as Company Mail, Internet bankingsites, online shopping sites, chat, or instant messagingprograms.

Personal desktop. The desktop is not shared with anyother users.

Personal Identification Number (PIN). InCryptographic Support, a unique number assigned byan organization to an individual and used as proof ofidentity. PINs are commonly assigned by financialinstitutions to their customers.

Pinnable state. A state from the AccessProfile widgetthat is declared as 'Can be pinned in anotherAccessProfile'.

Pinned state. A pinnable state that is attached to astate in the main AccessProfile.

Policy template. A predefined policy form that helpsusers define a policy by providing the fixed policyelements that cannot be changed and the variablepolicy elements that can be changed.

Portal. A single, secure point of access to diverseinformation, applications, and people that can becustomized and personalized.

Presence detector. A device that, when fixed to acomputer, detects when a person moves away from it.This device eliminates manually locking the computerupon leaving it for a short time.

Primary authentication factor. The IBM SecurityAccess Manager for Enterprise Single Sign-Onpassword or directory server credentials.

Private desktop. Under this desktop scheme, usershave their own Windows desktops in a workstation.When a previous user return to the workstation andunlocks it, AccessAgent switches to the desktop sessionof the previous user and resumes the last task.

Private key. In computer security, the secret half of acryptographic key pair that is used with a public keyalgorithm. The private key is known only to its owner.Private keys are typically used to digitally sign dataand to decrypt data that has been encrypted with thecorresponding public key.

Provisioning API. An interface that allows IBMSecurity Access Manager for Enterprise Single Sign-Onto integrate with user provisioning systems.

Provisioning bridge. An automatic IMS Servercredential distribution process with third partyprovisioning systems that uses API libraries with aSOAP connection.

Glossary 27

Provisioning system. A system that provides identitylifecycle management for application users inenterprises and manages their credentials.

Provision. To provide, deploy, and track a service,component, application, or resource.

Public Key Cryptography Standards. A set ofindustry-standard protocols used for secure informationexchange on the Internet. Domino® CertificateAuthority and Server Certificate Administrationapplications can accept certificates in PKCS format.

Published application. Application installed on CitrixXenApp server that can be accessed from Citrix ICAClients.

Published desktop. A Citrix XenApp feature whereusers have remote access to a full Windows desktopfrom any device, anywhere, at any time.

Radio Frequency Identification (RFID). An automaticidentification and data capture technology thatidentifies unique items and transmits data using radiowaves.

Random password. An arbitrarily generated passwordused to increase authentication security between clientsand servers.

Registry hive. In Windows systems, the structure ofthe data stored in the registry.

Registry. A repository that contains access andconfiguration information for users, systems, andsoftware.

Remote Authentication Dial-In User Service(RADIUS). An authentication and accounting systemthat uses access servers to provide centralizedmanagement of access to large networks.

Remote Desktop Protocol (RDP). A protocol thatfacilitates remote display and input over networkconnections for Windows-based server applications.RDP supports different network topologies andmultiple connections.

Replication. The process of maintaining a defined setof data in more than one location. Replication involvescopying designated changes for one location (a source)to another (a target) and synchronizing the data in bothlocations.

Revoke. To remove a privilege or an authority froman authorization identifier.

Root certificate authority (CA). The certificateauthority at the top of the hierarchy of authorities bywhich the identity of a certificate holder can beverified.

Scope. A reference to the applicability of a policy, atthe system, user, or machine level.

Secret question. A question whose answer is knownonly to the user. A secret question is used as a securityfeature to verify the identity of a user.

Secure Remote Access. The solution that providesweb browser-based single sign-on to all applicationsfrom outside the firewall.

Secure Sockets Layer (SSL). A security protocol thatprovides communication privacy. With SSL,client/server applications can communicate in a waythat is designed to prevent eavesdropping, tampering,and message forgery.

Secure Sockets Layer virtual private network (SSLVPN). A form of VPN that can be used with astandard web browser.

Security Token Service (STS). A web service used forissuing and exchanging of security tokens.

Security trust service chain. A group of moduleinstances that are configured for use together. Eachmodule instance in the chain is called in turn toperform a specific function as part of the overallprocessing of a request.

Self-service features. Features in IBM Security AccessManager for Enterprise Single Sign-On which users canuse to perform basic tasks such as resetting passwordsand secrets with minimal assistance from Help desk oryour Administrator.

Serial ID Service Provider Interface (SPI). Aprogrammatic interface intended for integratingAccessAgent with third-party Serial ID devices used fortwo-factor authentication.

Serial number. A unique number embedded in theIBM Security Access Manager for Enterprise SingleSign-On Keys, which is unique to each Key and cannotbe changed.

Server AccessAgent. AccessAgent deployed on aMicrosoft Windows Terminal Server or a Citrix server.

Server locator. A locator that groups a related set ofweb applications that require authentication by thesame authentication service. In AccessStudio, serverlocators identify the authentication service with whichan application screen is associated.

Service Provider Interface (SPI). An interface throughwhich vendors can integrate any device with serialnumbers with IBM Security Access Manager forEnterprise Single Sign-On and use it as a second factorin AccessAgent.

Session management. Management of user session onprivate desktops and shared desktops.

Shared desktop. A desktop configuration wheremultiple users share a generic Windows desktop.


Shared workstation. A workstation shared amongusers.

Sign up. To request a resource.

sign-on automation. A technology that works withapplication user interfaces to automate the sign-onprocess for users.

sign-on information. Information required to provideaccess to users to any secure application. Thisinformation can include user names, passwords,domain information, and certificates.

Signature. In profiling, unique identificationinformation for any application, window, or field.

Silent mode. A method for installing or uninstalling aproduct component from the command line with noGUI display. When using silent mode, you specify thedata required by the installation or uninstallationprogram directly on the command line or in a file(called an option file or response file).

Simple Mail Transfer Protocol (SMTP). An Internetapplication protocol for transferring mail among usersof the Internet.

Simple Object Access Protocol (SOAP). Alightweight, XML-based protocol for exchanginginformation in a decentralized, distributedenvironment. SOAP can be used to query and returninformation and invoke services across the Internet.

Single sign-on. An authentication process in which auser can access more than one system or application byentering a single user ID and password.

Smart card middleware. Software that acts as aninterface between smart card applications and thesmart card hardware. Typically the software consists oflibraries that implement PKCS#11 and CAPI interfacesto smart cards.

Smart card. An intelligent token that is embeddedwith an integrated circuit chip that provides memorycapacity and computational capabilities.

Stand-alone deployment. A deployment where theIMS Server is deployed on an independent WebSphereApplication Server profile.

Stand-alone server. A fully operational server that ismanaged independently of all other servers, and it usesits own administrative console.

Strong authentication. A solution that usesmulti-factor authentication devices to preventunauthorized access to confidential corporateinformation and IT networks, both inside and outsidethe corporate perimeter.

Strong digital identity. An online persona that isdifficult to impersonate, possibly secured by privatekeys on a smart card.

System modal message. A system dialog box that istypically used to display important messages. When asystem modal message is displayed, nothing else canbe selected on the screen until the message is closed.

Terminal emulator. A program that allows a devicesuch as a microcomputer or personal computer to enterand receive data from a computer system as if it were aparticular type of attached terminal

Thin client. A client machine that has little or noinstalled software. It has access to applications anddesktop sessions that is running on network serversthat are connected to it. A thin client machine is analternative to a full-function client such as aworkstation.

Tivoli® Common Reporting tool. A reportingcomponent that you can use to create, customize, andmanage reports.

Tivoli Identity Manager adapter. An intermediarysoftware component that allows IBM Security AccessManager for Enterprise Single Sign-On to communicatewith Tivoli Identity Manager.

Transparent screen lock. A feature that, whenenabled, permits users to lock their desktop screens butstill see the contents of their desktop.

Trigger. In profiling, an event that causes transitionsbetween states in a states engine, such as, the loadingof a web page or the appearance of window on thedesktop.

Trust service chain. A chain of modules operating indifferent modes. For example: validate, map and issue.

Truststore. In security, a storage object, either a file ora hardware cryptographic card, where public keys arestored in the form of trusted certificates, forauthentication purposes in web transactions. In someapplications, these trusted certificates are moved intothe application keystore to be stored with the privatekeys.

TTY (terminal type). A generic device driver for a textdisplay. A tty typically performs input and output on acharacter-by-character basis.

Two-factor authentication. The use of two factors toauthenticate a user. For example, the use of passwordand an RFID card to log on to AccessAgent.

Uniform resource identifier. A compact string ofcharacters for identifying an abstract or physicalresource.

Glossary 29

User credential. Information acquired duringauthentication that describes a user, group associations,or other security-related identity attributes, and that isused to perform services such as authorization,auditing, or delegation. For example, a user ID andpassword are credentials that allow access to networkand system resources.

User deprovisioning. Removing the user account fromIBM Security Access Manager for Enterprise SingleSign-On.

User provisioning. The process of signing up a userto use IBM Security Access Manager for EnterpriseSingle Sign-On.

Virtual appliance. A virtual machine image with aspecific application purpose that is deployed tovirtualization platforms.

Virtual channel connector. A connector that is used ina terminal services environment. The virtual channelconnector establishes a virtual communication channelto manage the remote sessions between the ClientAccessAgent component and the Server AccessAgent.

Virtual Member Manager (VMM). A WebSphereApplication Server component that providesapplications with a secure facility to access basicorganizational entity data such as people, logonaccounts, and security roles.

Virtual Private Network (VPN). An extension of acompany intranet over the existing framework of eithera public or private network. A VPN ensures that thedata that is sent between the two endpoints of itsconnection remains secure.

Visual Basic (VB). An event-driven programminglanguage and integrated development environment(IDE) from Microsoft.

Wallet caching. When performing single sign-on foran application, AccessAgent retrieves the logoncredentials from the user credential Wallet. The usercredential Wallet is downloaded on the user machineand stored securely on the IMS Server. So users canaccess their Wallet even when they log on to IBMSecurity Access Manager for Enterprise Single Sign-Onfrom a different machine later.

Wallet manager. The IBM Security Access Manager forEnterprise Single Sign-On GUI component that userscan use to manage application credentials in thepersonal identity Wallet.

Wallet Password. A password that secures access tothe Wallet.

Wallet. A secured data store of access credentials of auser and related information, which includes user IDs,passwords, certificates, encryption keys.

Web server. A software program that is capable ofservicing Hypertext Transfer Protocol (HTTP) requests.

Web service. A self-contained, self-describing modularapplication that can be published, discovered, andinvoked over a network using standard networkprotocols. Typically, XML is used to tag the data, SOAPis used to transfer the data, WSDL is used fordescribing the services available, and UDDI is used forlisting what services are available.

Web Workplace. A web-based interface that users canlog on to enterprise web applications by clicking linkswithout entering the passwords for individualapplications. This interface can be integrated with theexisting portal or SSL VPN of the customer.

WebSphere Administrative console. A graphicaladministrative Java application client that makesmethod calls to resource beans in the administrativeserver to access or modify a resource within thedomain.

WebSphere Application Server profile. TheWebSphere Application Server administrator user nameand profile. Defines the runtime environment.

WebSphere Application Server. Software that runs ona web server and that can deploy, integrate, execute,and manage e-business applications.

Windows logon screen, Windows logon UI mode.The screen where users enter their user name andpassword to log on to the Windows desktop.

Windows native fast user switching. A Windows XPfeature which allows users to quickly switch betweenuser accounts.

Windows Terminal Services. A Microsoft Windowscomponent that users use to access applications anddata on a remote computer over a network.

WS-Trust. A web services security specification thatdefines a framework for trust models to establish trustbetween web services.


Index

AAccessAgent, widget prerequisite 1accessibility xiAccessProfile

actions 1general properties 2IMS. uploading to 6pinnable state 1, 3runtime logs 17states 1triggers 1using widgets 1

AccessProfile widgetsAccessProfile name 3AccessProfile, adding to 3actions 1Add Widget function 3adding 3

pinnable states 3widget instances 3

benefitsmodular 1reuse 1

creating 3creation procedure 3customization 3deleting 6description 1details

collapsing 6editing 4expanding 6

editingpinnable state name 3widget instance name 3

IMS. uploading to 6instance name 3limitations 2log details 17multiple widgets 3overview 1parameter variable 9passing parameters 9pinning 3pinning to a state 5prerequisites 1runtime logs 17state

pinning to 5unpinning from 6

state diagram canvass 3states 1triggers 1unpinning from a state 5using 3

AccessStudio, widget prerequisite 1

Bbenefits, using widgets 1

Ddelete option 6

Eeducation xi

IIBM

Software Support xiSupport Assistant xi

IMS Serveruploading AccessProfile widgets 6uploading AccessProfiles 6

IMS Server, widget prerequisite 1installation

fix packs 1AccessAgent 1AccessStudio 1IMS Server 1

product components 1

Llimitations

AccessProfile widget, cannot call 2general properties 2general properties, ignored 2

MMethod for passing parameter value

by direct value 10by reference 9by value 9

Oonline

publications ixterminology ix

Pparameters

example 11limit 9states, AccessProfile widget 9states, main AccessProfile 9transfer data 9types of

account data bag 9property store item 9

valuespassing to 9variable 9

variables 9

pass by direct valuedescription 9example 11

pass by reference 9description 9example 11

pass by valuedescription 9example 11

pinnable stateadd 3description 1edit 4example 11format 5instance 5, 9limitation 3, 5main AccessProfile 9name 4name format 5passing values to parameters 9pinning to a widget 5unpinning 6

problem-determination xipublications

accessing online ixlist of for this product ix

Rruntime logs

AccessStudio messages pane 17details

excluded 17included 17

troubleshoot 17

SSecurity Access Manager for Enterprise

Single Sign-On 1state

AccessProfile state 5AccessProfile widget instance,

pinning 5pin 5pinnable 3pinnable state 5reuse 3state-machine, merging 5triggers, evaluation 5unpin 5

Tterminology ixtraining xitroubleshooting xi


Uunpin state

procedure 6

VVBScript 1

runtime logs 17

Wworkflow 9

result 9scenario 9subscenario 9


��

Printed in USA

SC27-4444-00

Documents

IBM. Security Access Manager for Enterprise Single Sign-On: AccessProfile Widgets … · 2016. 3. 9. · AccessProfile widgets are modular. For example: On mainframe clients, users