Novell® Access Manager Product Overview
Kiran Mova
2 © 2011 NetIQ Corporation. All rights reserved.
Agenda
Introduction
Architecture
- IDP
- AG
- SSL VPN
- Administration Console
How it works?
- Web SSO
- Federation SSO
- Protect HTTP Resources
- Protect non-HTTP Resources
Introduction
Access Manager is a set of components that help to:
- Provide Web and Federated SSO
- Protect HTTP and non-HTTP enterprise servers
- Provide SSO to legacy web servers
It also allows customers to extend:
- Authentication mechanisms, using the Authentication SDK
- Authentication against custom user stores, using the LDAP Server Plugin
- The policy engine, using the Policy Extension API
Sample NAM Deployment
- InnerWeb Access Gateway (innerweb.novell.com)
  - VersionOne (v1.innerweb.novell.com)
  - Employee Self Service (psselfservice.innerweb.novell.com)
- Identity Provider (login.innerweb.novell.com)
- SSL VPN (sslvpn.innerweb.novell.com)
Architecture
Diagram: users (via the Web UI) and the NAM Administrator reach the Identity Servers, Access Gateways and SSL VPNs through Load Balancer(s). Behind them sit the mission-critical and enterprise data systems, HTTP and non-HTTP. Components shown:
- Identity Provider: authenticates users against the User Directory (LDAP) and Authentication Servers (RADIUS, etc.); federates with external Federated Identity Providers over SAML 2.0, SAML 1.x, Liberty and WS-Fed.
- Access Gateway: authorized access to HTTP resources (Web SSO and Federated SSO).
- J2EE Agent: authorized access to J2EE applications.
- SSL VPN: authorized access to non-HTTP servers.
- Administration Console: configuration and policy for all components; receives audit events and alerts from them.
Instance counts shown: Administration Console 1..3; Identity Servers, Access Gateways and SSL VPNs 1+ each.
Admin Console – Key Features
Administration Console
- Configure components
- Monitor health and statistics of individual components
- Policy administration
- Certificate management
- Delegated administration
- Persistent configuration store
- Granular auditing (embedded NSure Audit Server)
Architecture – Administration Console
Diagram: the Administration Console consists of eDirectory (the configuration, policy and certificate store, clustered through eDirectory replicas), the Device Manager (iManager on Tomcat) that serves the administrator's Web UI over HTTPS, and the embedded Nsure Audit Server. Each managed device (Identity Provider, Access Gateway, SSL VPN) runs a JCC and an audit cache. Interfaces shown: configuration and commands pushed to devices over HTTPS; alerts from devices over HTTPS; audit events to the Nsure Audit Server over TCP; configuration and policy read from eDirectory over LDAPS; certificate configuration over LDAPS. The Identity Provider authenticates users against the User Directory (LDAP) and Authentication Servers (RADIUS, etc.) and federates with Federated Identity Providers; users reach the devices through the Load Balancer.
Identity Provider – Key Features
+
Identity Provider (IdP)
- Authentication (includes X.509, RADIUS, ...)
- Federated authentication (SAML/ADFS)
- Associates roles and attributes with the authenticated user
- Can authenticate against multiple user ID stores such as eDirectory, Active Directory, Sun ONE, etc.
- Extensible authentication and policy framework
SP (Service Provider) Agent
- Shared component
- Redirects all authentication requests to the IdP
- Maintains a cache of user data fetched from the IdP
- Evaluates policies, requesting additional data from the IdP
Architecture – IDP
Diagram: the Identity Provider runs the Authentication & Attribute Services in Tomcat, together with an Audit Agent and a JCC (RMI) for communication with the Administration Console. Interfaces shown: configuration over HTTPS and configuration/policy over LDAPS from the Administration Console; alerts over HTTPS and audit over TCP back to it; user data from the User Directory over LDAP or LDAPS; custom connections to Authentication Servers (RADIUS, etc.); SAML 2.0, SAML 1.x, Liberty and WS-Fed over HTTPS to Federated Identity Providers; the Liberty and Attribute Service over HTTPS to the SP Agents in the Access Gateway and SSL VPN. Identity Providers are deployed 2+ behind a Load Balancer and cluster via JGroups. Protected back ends are the mission-critical and enterprise data systems, HTTP and non-HTTP.
Access Gateway – Key Features
Access Gateway (AG)
- Authentication (via the Identity Server)
- Authorization
- Single sign-on to legacy web servers (form fill, identity injection)
- Identity injection (personalization)
- Secure exchange (SSLizer)
- Multi-homing
- Load balancing
- URL normalization/rewriting
- Caching
- Policy Extension API
Architecture – AG
Diagram: the Access Gateway consists of one or more Apache instances hosting the SP Agent, a Gateway Manager, a Session Cache, ActiveMQ carrying messages between them, an Audit Agent and a JCC (RMI). Apache talks to the Gateway Manager over AJP. Users reach the gateway over HTTP(S) through the Load Balancer, and the gateway proxies HTTP(S) to the protected web servers (the mission-critical and enterprise data systems). Other interfaces shown: configuration (HTTPS) and configuration/policy (LDAPS) from the Administration Console; alerts (HTTPS) and audit (TCP) back to it; the Liberty and Attribute Service (HTTPS) to the Identity Provider, which in turn uses the User Directory (LDAP), Authentication Servers (RADIUS, etc.) and Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS-Fed over HTTPS); the Policy Extension API for custom policy. Gateways are deployed 2+ and cluster via JGroups.
SSLVPN – Key Features
SSL VPN
- Provides secure access to non-HTTP applications
- Enterprise mode (full access) or Kiosk mode (application access)
- Client integrity check and policy-based access
- Desktop clean-up / secure folder
Architecture – SSLVPN (Server)
Diagram: the SSL VPN server comprises a Connection Manager (Conn Mgr), a SOCKS Server fronted by STunnel (SSL), an OpenVPN Server (SSL), the SP Agent, an Audit Agent and a JCC. Users reach it over HTTP(S) through the Load Balancer; the SP Agent uses the Liberty and Attribute Service (HTTPS) with the Identity Provider (which authenticates against the User Directory (LDAP), Authentication Servers (RADIUS, etc.) and Federated Identity Providers over SAML 2.0, SAML 1.x, Liberty and WS-Fed); the server forwards TCP to the non-HTTP enterprise servers. Administration Console interfaces are as for the other components: configuration (HTTPS and LDAPS), alerts (HTTPS) and audit (TCP). The Access Gateway is shown alongside as the other HTTP(S) entry point.
Architecture – SSLVPN Client (KIOSK)
Diagram: in Kiosk mode the SSL VPN Client consists of an Stunnel instance, a SOCKS Client and a Policy Engine. The application's TCP traffic is handed to the local SOCKS Client, carried by Stunnel over SSL to the server's STunnel and SOCKS Server, and forwarded as TCP (via the Conn Mgr) to the mission-critical and enterprise data systems, HTTP and non-HTTP. The server side also shows its OpenVPN Server, SP Agent, Audit Agent and JCC.
Architecture – SSLVPN Client (Enterprise)
Diagram: in Enterprise mode the SSL VPN Client is an OpenVPN Client with a TUN driver. The application's TCP/UDP traffic enters the TUN driver and is carried as SSL over TCP/UDP to the server's OpenVPN Server, which forwards TCP/UDP (via the Conn Mgr) to the mission-critical and enterprise data systems, HTTP and non-HTTP. The server side also shows its SOCKS Server and STunnel, SP Agent, Audit Agent and JCC.
Recent/Current Initiatives...
- Access Management On Demand
- Federation Hub
- Simplification
- Creating products out of individual components
Simplification
How it works?
Web SSO
Participants: User, Service Provider (Web Server) with SP Agent, Identity Provider, User ID Store.
1. The SP Agent redirects the user to the IdP for authentication.
2. The user posts credentials to the IdP. If the user is already authenticated at the IdP, go to step 4; if not, the IdP seeks credentials.
3. The IdP validates the credentials against the User ID Store.
4. The IdP creates a user session, forms a token and redirects the user back to the SP Agent with the auth token.
5. The SP Agent verifies the token with the IdP; the IdP responds with an assertion including the user's attributes and roles. The SP Agent then provides access.
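The exchange above, as an added example that is not part of the original slides or of the product's own code: a Python model of the SP Agent and IdP sides with an HMAC-signed token. The token format, the shared key, the /nidp/login path and the user names are assumptions for this example (the slide does not describe NAM's real token format); the login hostname is the one from the sample deployment slide. The checks on the SP side (signature, audience, validity window, round-trip state and replay) are the ones a verifier of a redirect-carried token needs whatever the format.

```python
# Added example (not from the slide deck or the product): the Web SSO round trip
# modelled as an SP Agent <-> IdP exchange with an HMAC-signed token.
# Token format, shared key, the /nidp/login path and user names are assumptions.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

IDP_LOGIN_URL = "https://login.innerweb.novell.com/nidp/login"   # hostname from the slide, path assumed
SHARED_KEY = b"example-key-provisioned-out-of-band"              # assumption for the example


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sp_build_redirect(sp_id: str, target_url: str) -> tuple[str, str]:
    """Step 1: no session at the SP Agent, so redirect to the IdP.
    The opaque state is kept server-side and must come back inside the token."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"sp": sp_id, "target": target_url, "state": state})
    return f"{IDP_LOGIN_URL}?{query}", state


def idp_issue_token(user: str, roles: list[str], sp_id: str, state: str,
                    now: int, ttl: int = 300) -> str:
    """Steps 3-4: credentials were validated against the user store; the IdP
    creates the session and forms the token it redirects back with. The claims
    are bound to one SP (aud), one round trip (state) and a short lifetime."""
    claims = {"sub": user, "roles": roles, "aud": sp_id, "state": state,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64e(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def sp_verify_token(token: str, sp_id: str, expected_state: str,
                    seen_jti: set[str], now: int):
    """Step 5: the SP Agent verifies the token before granting access.
    Returns the claims on success and None on any failure (no partial trust)."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = _b64e(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):      # constant-time comparison
        return None
    claims = json.loads(_b64d(body))                # body is trusted only past this point
    if claims.get("aud") != sp_id:                  # minted for a different SP
        return None
    if not claims["iat"] <= now < claims["exp"]:    # stale, or not yet valid
        return None
    if claims.get("state") != expected_state:       # not the round trip this SP started
        return None
    if claims["jti"] in seen_jti:                   # replayed redirect
        return None
    seen_jti.add(claims["jti"])
    return claims


def web_sso_round_trip(now: int = 1_700_000_000):
    """Runs the whole exchange for one constructed user ('alice', role 'employee')
    and returns the verified claims the SP Agent bases its access decision on."""
    _, state = sp_build_redirect("v1", "https://v1.innerweb.novell.com/")
    token = idp_issue_token("alice", ["employee"], "v1", state, now)
    return sp_verify_token(token, "v1", state, set(), now + 5)
```

Calling `web_sso_round_trip()` returns the verified claims; the same token presented twice, presented to another SP, presented with a different state, or presented after expiry is rejected, as is any token whose signature does not verify.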
Federated SSO
Participants: User, Identity Provider (local), User ID Store, Configuration Store, Federated Identity Provider (SAML/Liberty/WS-Fed).
1. The user requests authentication at the local IdP. If already authenticated, go to step 8; if not, the user is redirected to the "trusted" Federated Identity Provider.
2. The local IdP sends an AuthRequest to the Federated IdP. If the user is not authenticated there, the Federated IdP seeks credentials (steps 3 and 4 take place at the Federated IdP and are not labelled on the slide).
5. The local IdP receives the authentication: the Federated IdP provides an AuthResponse with the authentication details.
6. The local IdP verifies the token.
7. The local IdP creates the user session and stores a persistent federation mapping (the Configuration Store is shown alongside this step): the federated identity is mapped to a local user, or the user is auto-provisioned.
8. The local IdP responds with the auth token.
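The same flow at the SAML 2.0 level, as an added example (not from the slides or from the product): the local IdP acts as a service provider toward the trusted Federated IdP, building an AuthnRequest for the HTTP-Redirect binding (step 2), validating the Response (steps 5 and 6) and mapping the persistent NameID to a local user or auto-provisioning one (step 7). The entity IDs, the /nidp/saml2 paths, the partner IdP, the clock and all user data are assumptions. XML-Signature verification needs a library outside the Python standard library and is assumed to have passed before validate_response runs; the example therefore concentrates on issuer, destination, InResponseTo, validity window, audience and NameID format, the fields a valid signature alone does not establish.

```python
# Added example (not from the slide deck or the product): the Federated SSO flow
# at the SAML 2.0 level. Entity IDs, paths, partner IdP, clock and user data are
# assumptions; XML-Signature verification is assumed to have already passed.
import base64
import uuid
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_OK = "urn:oasis:names:tc:SAML:2.0:status:Success"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
NS = {"samlp": SAMLP, "saml": SAML}
LOCAL_IDP = "https://login.innerweb.novell.com/nidp/saml2/metadata"            # path assumed
ACS_URL = "https://login.innerweb.novell.com/nidp/saml2/spassertion_consumer"  # path assumed
REMOTE_IDP = "https://idp.partner.example/saml2/metadata"                     # assumed partner
REMOTE_SSO = "https://idp.partner.example/saml2/sso"                          # assumed partner
NOW = datetime(2011, 6, 1, 12, 0, tzinfo=timezone.utc)                        # constructed clock


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _require(ok, why):
    if not ok:
        raise ValueError(why)


def build_authn_request(now=NOW):
    """Step 2: AuthnRequest for the HTTP-Redirect binding (raw DEFLATE, base64,
    URL-encoded). Returns the request ID to remember for InResponseTo, and the URL.
    RelayState normally references the user's original request; the ID stands in here."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{_iso(now)}" Destination="{REMOTE_SSO}" '
           f'AssertionConsumerServiceURL="{ACS_URL}"><saml:Issuer>{LOCAL_IDP}</saml:Issuer>'
           f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/></samlp:AuthnRequest>')
    raw_deflate = zlib.compress(xml.encode())[2:-4]     # strip zlib header and Adler-32 trailer
    query = urlencode({"SAMLRequest": base64.b64encode(raw_deflate).decode(), "RelayState": req_id})
    return req_id, f"{REMOTE_SSO}?{query}"


def validate_response(xml, outstanding, now=NOW):
    """Steps 5-6: protocol checks that a valid signature does not cover by itself.
    Raises ValueError at the first failed check."""
    root = ET.fromstring(xml)
    _require(root.tag == f"{{{SAMLP}}}Response", "not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    _require(code is not None and code.get("Value") == STATUS_OK, "status is not Success")
    _require(root.findtext("saml:Issuer", namespaces=NS) == REMOTE_IDP, "issuer is not the trusted IdP")
    _require(root.get("Destination") == ACS_URL, "response not addressed to our ACS")
    _require(root.get("InResponseTo") in outstanding, "unsolicited or replayed response")
    outstanding.discard(root.get("InResponseTo"))       # each request accepts exactly one response
    assertion = root.find("saml:Assertion", NS)
    _require(assertion is not None, "no assertion")
    cond = assertion.find("saml:Conditions", NS)
    _require(cond is not None and _parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter")),
             "assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    _require(LOCAL_IDP in audiences, "assertion not intended for us")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    _require(name_id is not None and name_id.get("Format") == PERSISTENT, "persistent NameID required")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": REMOTE_IDP, "name_id": name_id.text, "attrs": attrs}


def map_or_provision(auth, federation_map, users):
    """Step 7: persistent mapping (issuer, NameID) -> local user; auto-provision
    from the mail attribute on first federation (local naming scheme assumed)."""
    key = (auth["issuer"], auth["name_id"])
    if key not in federation_map:
        local = auth["attrs"]["mail"].split("@")[0] + "@federated"
        users[local] = {"mail": auth["attrs"]["mail"], "source": auth["issuer"]}
        federation_map[key] = local
    return federation_map[key]


def sample_response(in_response_to, now=NOW):
    """Constructed, unsigned Response as the partner IdP would return it."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_{uuid.uuid4().hex}" Version="2.0" '
            f'IssueInstant="{_iso(now)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{REMOTE_IDP}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{STATUS_OK}"/></samlp:Status>'
            f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_iso(now)}">'
            f'<saml:Issuer>{REMOTE_IDP}</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{PERSISTENT}">9c1f3a7e-opaque</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{_iso(now - timedelta(minutes=1))}" NotOnOrAfter="{_iso(now + timedelta(minutes=5))}">'
            f'<saml:AudienceRestriction><saml:Audience>{LOCAL_IDP}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>bob@partner.example'
            f'</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')


def federated_round_trip(now=NOW):
    """Runs steps 2 and 5-7 for one constructed user and returns the local user name."""
    req_id, _ = build_authn_request(now)
    outstanding = {req_id}
    auth = validate_response(sample_response(req_id, now), outstanding, now)
    return map_or_provision(auth, {}, {})
```

`federated_round_trip()` returns the auto-provisioned local user; a second Response for the same request ID, a Response to an unknown request, or one presented after NotOnOrAfter is rejected with ValueError.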
Protect HTTP Resources
Participants: User, Access Gateway (with SP Agent), Identity Provider, User ID Store, Web Server(s).
1. The user accesses v1.innerweb.novell.com. If the user already has a gateway session, go to step 7; if not, the request is redirected to the SP Agent.
2. The SP Agent redirects the user to the IdP for authentication.
3. The user posts credentials. If already authenticated at the IdP, go to step 5; if not, the IdP seeks credentials.
4. The IdP validates the credentials against the User ID Store.
5. The IdP creates a user session, forms a token and redirects the user back to the SP Agent with the auth token.
6. The SP Agent verifies the token; the IdP responds with an assertion including the user's attributes and roles.
7. The Access Gateway evaluates the authorization policy.
8. The user is redirected to the requested resource.
9. Form fill, identity injection and load balancing are applied to the request sent to the web server(s).
10. URL rewriting and caching are applied to the response.
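Steps 7 to 10 as an added example (not from the slides or from the product), in simplified Python: a default-deny authorization policy, identity injection that first strips any client-supplied copies of the injected headers so a user cannot spoof identity to the backend, and rewriting of Location headers and body links from the backend host to the public one. Roles, header names, the policy and the backend address are assumptions; the public hostname is the one from the sample deployment slide. Form fill and caching are not shown.

```python
# Added example (not from the slide deck or the product): Access Gateway handling
# of one request through authorization, identity injection and URL rewriting.
# Roles, header names, the policy and the backend address are assumptions.
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "v1.innerweb.novell.com"                       # from the sample deployment slide
BACKEND_HOST = "v1-app.internal:8080"                        # assumed origin web server
IDENTITY_HEADERS = ("X-Remote-User", "X-Roles", "X-Mail")    # assumed injected header names

# Step 7: constructed authorization policy, path prefix -> roles allowed; first match wins
POLICY = [
    ("/admin/", {"v1-admin"}),
    ("/", {"employee", "v1-admin"}),
]


def authorize(roles: set[str], path: str) -> bool:
    """Default deny: no matching prefix, or no overlapping role, means no access."""
    for prefix, allowed in POLICY:
        if path.startswith(prefix):
            return bool(roles & allowed)
    return False


def inject_identity(request_headers: dict, session: dict) -> dict:
    """Step 9: identity injection. Client-supplied copies of the injected headers
    are dropped first (case-insensitively), then the gateway's values are set."""
    blocked = {h.lower() for h in IDENTITY_HEADERS}
    clean = {k: v for k, v in request_headers.items() if k.lower() not in blocked}
    clean["X-Remote-User"] = session["sub"]
    clean["X-Roles"] = ",".join(sorted(session["roles"]))
    clean["X-Mail"] = session["mail"]
    clean["Host"] = BACKEND_HOST                             # address the origin, not the gateway
    return clean


def rewrite_response(headers: dict, body: str) -> tuple[dict, str]:
    """Step 10: URL rewriting. Backend host in Location and in body links becomes
    the public host over https, since clients only talk TLS to the gateway."""
    out = dict(headers)
    if "Location" in out:
        parts = urlsplit(out["Location"])
        if parts.netloc == BACKEND_HOST:
            out["Location"] = urlunsplit(("https", PUBLIC_HOST, parts.path, parts.query, parts.fragment))
    body = body.replace(f"http://{BACKEND_HOST}", f"https://{PUBLIC_HOST}")
    body = body.replace(f"https://{BACKEND_HOST}", f"https://{PUBLIC_HOST}")
    return out, body


def handle_request(session: dict, method: str, path: str, request_headers: dict,
                   origin) -> tuple[int, dict, str]:
    """Ties steps 7-10 together. `origin` stands in for the proxied web server:
    a callable (method, path, headers) -> (status, headers, body)."""
    if not authorize(set(session["roles"]), path):
        return 403, {}, "Forbidden by Access Gateway policy"
    status, headers, body = origin(method, path, inject_identity(request_headers, session))
    headers, body = rewrite_response(headers, body)
    return status, headers, body


def sample_origin(method, path, headers):
    """Constructed backend: echoes the injected identity and redirects on /login."""
    if path == "/login":
        return 302, {"Location": f"http://{BACKEND_HOST}/home"}, ""
    return 200, {"Content-Type": "text/html"}, (
        f"<p>Hello {headers.get('X-Remote-User')} ({headers.get('X-Roles')})</p>"
        f'<a href="http://{BACKEND_HOST}/reports">Reports</a>')
```

Note that the spoofing check in inject_identity matters only if the backend is reachable solely through the gateway; a web server that also accepts direct connections will trust forged headers no matter what the gateway strips.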
Access to Non-HTTP Resources
Participants: User, SSL VPN (server and client), Enterprise Server(s).
1. The user logs in to the SSL VPN (using the IdP or the AG). If the user is authorized, the SSL VPN client is pushed to the desktop.
2. The user accepts and installs the client: install, client integrity check, establish the VPN tunnel, client policy update.
3. The user's application accesses an enterprise server; the client's virtual/hooking adapter takes the request and routes it through the VPN tunnel.
4. The SSL VPN server authorizes the access and forwards the connection to the enterprise server(s).
5. On logout, desktop clean-up runs.
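The Kiosk-mode path at the SOCKS level, as an added example (not from the slides or from the product): the client side encodes a SOCKS5 CONNECT (RFC 1928) as the SOCKS client would send it across the Stunnel link, and the server side parses it strictly and applies a per-role destination policy (step 4) before forwarding, answering "connection not allowed by ruleset" otherwise. The roles, the policy and the destination hosts are constructed for the example.

```python
# Added example (not from the slide deck or the product): SOCKS5 CONNECT as used
# on the Kiosk-mode path, with the server-side destination authorization of step 4.
# Roles, policy and destination hosts are constructed for the example.
import ipaddress
import struct
from typing import Optional

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_OK, REP_RULESET = 0x00, 0x02          # RFC 1928: succeeded / not allowed by ruleset

# Constructed policy: role -> destinations the SSL VPN server may forward to
POLICY = {
    "employee": {("mail.internal", 143), ("mail.internal", 993)},
    "dba": {("db1.internal", 1521), ("10.0.5.20", 5432)},
}


def socks5_connect_request(host: str, port: int) -> bytes:
    """Client side: VER CMD RSV ATYP DST.ADDR DST.PORT for an IP literal or a name."""
    try:
        addr = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if addr.version == 4 else ATYP_IPV6
        dst = addr.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("domain name too long for SOCKS5")
        atyp, dst = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return struct.pack("!BBBB", SOCKS_VER, CMD_CONNECT, 0x00, atyp) + dst + struct.pack("!H", port)


def parse_socks5_connect(data: bytes) -> tuple[str, int]:
    """Server side: strict parse. Malformed or trailing bytes are rejected rather
    than guessed; this is the first thing an authenticated client gets to send."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        raise ValueError("bad SOCKS5 request header")
    if data[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is supported")
    atyp, rest = data[3], data[4:]
    if atyp == ATYP_IPV4:
        need = 4
        host = str(ipaddress.IPv4Address(rest[:4])) if len(rest) >= 4 else None
    elif atyp == ATYP_IPV6:
        need = 16
        host = str(ipaddress.IPv6Address(rest[:16])) if len(rest) >= 16 else None
    elif atyp == ATYP_DOMAIN:
        if not rest:
            raise ValueError("truncated request")
        need = 1 + rest[0]
        host = rest[1:need].decode("idna") if len(rest) >= need else None
    else:
        raise ValueError("unknown address type")
    if host is None or len(rest) != need + 2:        # exactly one port, nothing trailing
        raise ValueError("truncated or oversized request")
    (port,) = struct.unpack("!H", rest[need:need + 2])
    return host, port


def authorize_destination(roles: set[str], host: str, port: int) -> bool:
    """Step 4: default deny; any one role that allows the destination suffices."""
    return any((host, port) in POLICY.get(r, set()) for r in roles)


def socks5_reply(rep: int) -> bytes:
    """VER REP RSV ATYP BND.ADDR BND.PORT, with an all-zero IPv4 binding."""
    return struct.pack("!BBBB", SOCKS_VER, rep, 0x00, ATYP_IPV4) + bytes(4) + struct.pack("!H", 0)


def serve_connect(roles: set[str], data: bytes) -> tuple[bytes, Optional[tuple]]:
    """Server decision for one CONNECT: (reply bytes, destination to forward to,
    or None when the ruleset denies it)."""
    host, port = parse_socks5_connect(data)
    if not authorize_destination(roles, host, port):
        return socks5_reply(REP_RULESET), None
    return socks5_reply(REP_OK), (host, port)
```

The policy check runs on the destination the client named, not on anything resolved later; a server that resolves the name first and authorizes the resulting address instead would give a different (and for split-horizon DNS, weaker) answer.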
www.novell.com/accessmanager
+1 713.548.1700 (Worldwide)
888.323.6768 (Toll-free)
[email protected]
Worldwide Headquarters: 1233 West Loop South, Suite 810, Houston, TX 77027 USA
http://community.netiq.com
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.