novell access manager...performs client-integrity validation and role-based client selection....
Technical White Paper IDENTITY AND SECURITY www.novell.com Novell® Access Manager 3.1 Access Control, Policy Management and Compliance Assurance

p. 1

Novell Access Manager 3.1

Table of Contents

2 . . . . . Complete Access Management
2 . . . . . Novell Access Manager Components
4 . . . . . Deployment and Usage Scenarios
9 . . . . . Frequently Asked Questions


Novell® Access Manager™ is the next-generation access management and federated identity solution from Novell. Organizations use Access Manager to control internal and external users’ access to network content, applications and services. Fundamental to the technologies in Access Manager is the emphasis on using industry-leading standards, including Liberty Alliance, Web Services Federation (WS-Federation), Web Services Security (WS-Security), and Security Assertion Markup Language (SAML).

Complete Access Management

Figure 1. Novell Access Manager components

Novell Access Manager Components

The seamless integration of Novell Access Manager components ensures access control at all levels. Figure 1 illustrates these components:

Novell Access Manager components are depicted in the center. Multiple user ID stores can be aggregated by a single Identity Server, which supports different LDAP stores, including:

Novell eDirectory™
Microsoft* Active Directory*
Sun* ONE* Directory Server

The following sections provide additional detail about Novell Access Manager components and functionality.


Novell Access Manager Policy Management

Policy management and enforcement are fundamental strengths of Novell Access Manager. In fact, all Access Manager components are guided by administrator-definable policies that are enforced and logged for regulatory compliance reporting. Policies can be simplified by using roles, and external processes can participate via the Policy API.

Identity Server

Identity Server provides authentication services for all Novell Access Manager components. It also features provider and consumer services for SAML (versions 1.1 and 2.0), WS-Federation, Liberty Alliance and Information Cards. As with all Access Manager components, Identity Server provides authentication services according to Access Manager policy declarations.

Identity Server authenticates users and provides role information to facilitate authorization decisions. It also includes the full Liberty Alliance Web Service Framework, which can be used to distribute identity information and simplify policy management.

Organizations can leverage the standard Liberty Alliance Employee and Person profiles or define custom attributes, all of which can be used in policy decision and enforcement processes.

Identity Server also facilitates federated provisioning, which automatically creates user accounts on a federation request. Without this feature, users would need to register (create a user account) with a service provider before they could federate their identities.

Access Gateway

Access Gateway is the component that integrates with Access Manager’s centralized identity and policy management to provide authentication, authorization, Web single sign-on and personalization for any standard Web server.

With Access Gateway, organizations can transform identity provider authentication and services into standard Web headers, form-fill responses and basic authentication responses. In other words, Access Gateway enables an organization’s existing Web applications to support new identity standards without modification.

For example, the policy-enabled Identity Injection feature of Access Gateway can leverage the Liberty Alliance Web Services Framework to extract identity information, and then inject it into Web headers or query strings.

Java Application Server Agents

There are three Java* application server agents: IBM* WebSphere*, BEA* WebLogic*, and JBoss*. These agents utilize Java Authentication and Authorization Service (JAAS), Java Authorization Contract for Containers (JACC), and internal Web-server APIs for authentication, and also provide policy-controlled access to Java Servlets and Enterprise JavaBeans* (EJBs). In some cases, organizations achieve tighter and more robust integration by using platform-specific APIs.

Service Provider Agent (SP Agent)

SP Agent is a shared component that provides a common implementation of identity and federation standards and protocols. This agent redirects all authentication requests to Identity Server, which in turn returns a SAML assertion to the component. The presence of SAML assertions in each Access Manager component protects confidential information. Specifically, it removes the need to transfer user credentials between components to handle session management.



SP Agent allows components to use an identity provider for authentication and service. It also allows an identity provider to chain to other identity providers. This process is known as IDP proxying, and it helps organizations create groups of interlinked identity providers.

Secure Sockets Layer Virtual Private Network (SSL VPN)

The SSL VPN provides secure access to non-HTTP-based applications. After a user successfully authenticates through the SSL VPN, an ActiveX plug-in or Java applet is delivered to the client. The role-based access control feature in Novell Access Manager determines authorization decisions for all back-end applications. SSL VPN also performs client-integrity validation and role-based client selection. Automatic desktop cleanup and a secure folder maintain the confidentiality of information accessed outside corporate firewalls.

Policy Engine

The Novell Access Manager Policy Engine provides all policy-statement resolution for all product components. To simplify policy management, it also supports the definition of policies in terms of user roles.

Management Interface

The Novell Access Manager administration interface provides a central place to configure and manage all product components and policies. Organizations can also use this interface to group multiple Access Gateways, and then deploy configuration changes to them simultaneously. Delegated administration is available for individual devices, agents and policy control.

Deployment and Usage Scenarios

This section outlines various deployment and usage scenarios for Novell Access Manager.

Managing Novell Access Manager

The administrators who oversee Novell Access Manager devices, groups and policies have typically been assigned the Device Administrator and/or Policy Administrator roles in the directory.

Figure 2. Novell Access Manager Management Console


Figure 3. Novell Access Manager Dashboard

Figure 3 depicts the Dashboard view provided by the Novell Access Manager administration interface. In this view, administrators can see the status of all devices and policies as well as any warning or alert conditions.

Each of the boxes in the figure indicates the total number of devices in the category and the aggregate alert status of all devices in the category. For example, the Identity Servers box shows that there are three Identity Servers in a state of full functionality. Its status is represented by the green circle in the third alert-status position of the Identity Servers control box.

The Policies control box is different from the other boxes because of its lack of an alert-status indicator. This control box allows an authorized administrator (one with access control over the policy management section of the administration interface) to create, edit and manage the policies assigned to specific components. The Policy Administration section provides an additional layer of administrator access control. Policies can be segmented into one or more groups, and Policy Administrators can be assigned to a select set of those policy groups. This allows a separation of duty among Policy Administrators and also provides a way to address many regulatory compliance issues.

Novell Access Manager Policy Administration

The inclusion of a system-wide policy administration feature provides a compelling reason to deploy Novell Access Manager.

Policies are based on Policy Enforcement Points (PEP), several of which are defined for each Novell Access Manager component. To create a policy, an administrator starts by declaring which PEP will be controlled via the policy. This initial declaration provides several advantages:

Policy configuration options will display only those values and features available for selection at the PEP.

Assignment of a policy to a device can be audited so that only appropriate devices with a compatible PEP can be selected for policy deployment.

Certain policy values can be required for some policies and remain optional for others. However, the field containing the value is the same in all cases, which provides a single point of policy-engine maintenance.

Policy administration also allows for the assignment of policies to multiple Access Manager components. This remains in effect as long as the components support the PEP upon which the policy is authored to operate. The administrator has tools to review what policies are being used and what devices are using them.

To facilitate regulatory compliance reporting, policies are segmented into groups, which are then the subject of access control among the policy administrators. This provides a configurable separation of duty among the staff who maintain policies. Thus, an administrator with the background necessary to author and maintain Access Gateway or Agent policies could be prevented from authoring or maintaining Identity Server policy.

Novell Access Manager logs all policy-related activities and provides valuable regulatory compliance reporting. The creation, modification, deactivation and final deletion of policies, as well as policy assignments and usage, are all logged. This log can be queried to determine what policy was governing access at any point in time during the policy’s existence.
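The point-in-time query described above, as an added example that is not code from the white paper or from the product: a constructed audit log of policy lifecycle and assignment events is replayed up to a chosen instant to answer "which policy versions governed this device then?" (the event schema and the device and policy names are assumptions made for the example).

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class PolicyEvent:
    """One audit record. Constructed schema for this example, not the product's log format."""
    when: datetime
    policy: str
    action: str                    # created | modified | assigned | unassigned | deactivated | reactivated | deleted
    device: Optional[str] = None   # set for assigned / unassigned
    version: Optional[int] = None  # set for created / modified


def governing_policies(log: List[PolicyEvent], device: str, at: datetime) -> dict:
    """Return {policy: version} of the policies active and assigned to `device` at instant `at`.

    The log is replayed in time order and events after `at` are ignored, so the answer
    reflects what was in force at that moment rather than the current configuration.
    """
    version = {}       # policy -> version in force
    active = {}        # policy -> True if not deactivated/deleted
    assigned = set()   # (policy, device) pairs
    for ev in sorted(log, key=lambda e: e.when):
        if ev.when > at:
            break
        if ev.action == "created":
            version[ev.policy] = ev.version
            active[ev.policy] = True
        elif ev.action == "modified":
            version[ev.policy] = ev.version
        elif ev.action == "deactivated":
            active[ev.policy] = False
        elif ev.action == "reactivated":
            active[ev.policy] = True
        elif ev.action == "deleted":
            # Final deletion removes the policy and every assignment that referenced it.
            active.pop(ev.policy, None)
            version.pop(ev.policy, None)
            assigned = {a for a in assigned if a[0] != ev.policy}
        elif ev.action == "assigned":
            assigned.add((ev.policy, ev.device))
        elif ev.action == "unassigned":
            assigned.discard((ev.policy, ev.device))
        else:
            raise ValueError(f"unknown audit action {ev.action!r}")
    return {p: version[p] for (p, d) in assigned if d == device and active.get(p)}


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log: one policy is revised, deactivated and finally deleted while
# a second policy stays in force on the same Access Gateway cluster.
SAMPLE_LOG = [
    PolicyEvent(_t("2009-06-01T09:00"), "deny-contractors", "created", version=1),
    PolicyEvent(_t("2009-06-01T09:05"), "deny-contractors", "assigned", device="ag-cluster-1"),
    PolicyEvent(_t("2009-06-05T12:00"), "require-x509", "created", version=1),
    PolicyEvent(_t("2009-06-05T12:01"), "require-x509", "assigned", device="ag-cluster-1"),
    PolicyEvent(_t("2009-06-10T14:00"), "deny-contractors", "modified", version=2),
    PolicyEvent(_t("2009-06-20T08:00"), "deny-contractors", "deactivated"),
    PolicyEvent(_t("2009-06-25T08:00"), "deny-contractors", "deleted"),
]

if __name__ == "__main__":
    print(governing_policies(SAMPLE_LOG, "ag-cluster-1", _t("2009-06-12T00:00")))
```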

Novell Access Manager Federated Provisioning

Some legacy systems require organizations to store all identity information in a specific directory and format. All users of the legacy system must have an account in the directory before they can use the legacy services. Novell Access Manager can automatically provision these types of accounts without requiring users to manually add themselves to the legacy system’s directory.

In Novell Access Manager, Federated Provisioning is performed by the Identity Server when it acts as a Service Provider. When enabled to auto-provision user accounts, the Identity Server first reviews each authentication request to verify that the legacy directory contains the user account. If it already contains the account, then the authentication is processed normally. If it does not contain the account, Novell Access Manager pulls information from Identity Server (via the SAML assertion or a Web service that vends the information) to create the user’s account.

Note that the account on the legacy system may use an alias user ID and a randomly generated password. This information is maintained by Identity Server and used each time the legacy system is accessed.
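The federated provisioning decision flow from the two paragraphs above, as an added example that is neither the white paper's nor the product's code: the service-provider side checks the legacy directory for the subject of a parsed SAML assertion, processes the login normally if the account exists, and otherwise creates an alias account with a randomly generated password that it keeps on the subject's behalf. The assertion shape, the directory layout and the alias scheme are assumptions made for the example.

```python
import secrets
import string

# Constructed sample legacy directory: user ID -> record. A real store would hold
# a password hash, not the password.
LEGACY_DIRECTORY = {
    "jdoe": {"password": "(existing hash)", "mail": "jdoe@example.com"},
}

# Mapping kept by the provisioning side from the federated subject to the alias it created.
ALIAS_MAP = {}


def _random_password(length: int = 24) -> str:
    """Random password for the alias account; the user never needs to see it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _alias_for(subject: str, directory: dict) -> str:
    """Derive an alias user ID that does not collide with an existing legacy account."""
    base = "fed-" + "".join(ch for ch in subject.lower() if ch.isalnum())[:12]
    alias, n = base, 1
    while alias in directory:
        n += 1
        alias = f"{base}{n}"
    return alias


def handle_federated_login(assertion: dict, directory: dict, alias_map: dict,
                           auto_provision: bool = True) -> dict:
    """Decide what the legacy system is given for this federated login.

    `assertion` is a minimal parsed SAML assertion (constructed shape): a 'subject'
    plus the 'attributes' the identity provider vouched for. Only assertion data
    is copied into the new account, never anything from the raw request.
    """
    subject = assertion["subject"]
    # Provisioned on an earlier request: reuse the alias already on file.
    if subject in alias_map and alias_map[subject] in directory:
        return {"action": "authenticate", "user_id": alias_map[subject]}
    # The directory already contains the account: process authentication normally.
    if subject in directory:
        return {"action": "authenticate", "user_id": subject}
    if not auto_provision:
        return {"action": "deny", "reason": "no account and auto-provisioning disabled"}
    # No account: create one from the assertion under an alias ID and random password.
    alias = _alias_for(subject, directory)
    directory[alias] = {
        "password": _random_password(),
        "mail": assertion["attributes"].get("mail", ""),
        "provisioned_from": subject,
    }
    alias_map[subject] = alias
    return {"action": "provisioned", "user_id": alias}
```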

Legacy Web Services and Integration

Novell Access Manager delivers access to legacy Web services by processing the policies that govern these systems and by using components such as J2EE agents and Access Gateways. These components perform tasks like form-fill, basic authentication and header injection to provide users with seamless access to legacy Web systems.


In some cases, organizations require their legacy Web services to use an alias user ID and password. Novell Access Manager allows any combination of attributes from the identity store(s) to be used as the user ID and password. Either the user or an automated process can maintain the attributes that contain associated user IDs and passwords.

This provides a user-friendly way to implement strong password policies.

This feature of Novell Access Manger, coupled with the Federated Provisioning feature, provides a powerful integration tool for legacy-based systems.

Legacy-system Access Management

Novell Access Manager controls access to legacy systems in a variety of ways:

Figure 4. Novell Access Manager overview

Identity Server provides policy-based identity management, including federated identities and/or roles.

Access Gateway features Web-based resource access control, using the identities managed by Identity Server. This includes the Novell Access Manager Policy component for specifying policy and role-based access to local resources.

The SSL VPN ensures secure identity and role-based access to resources behind the firewall.

Access Management and Standards-based Federation

Each deployment of Novell Access Manager includes one or more Identity Servers that orchestrate the user identity lifecycle, including federation with other federation partners. This means that a successful authentication at a single trusted partner can result in authentication assurances at other trusted federation partners. For example, a successful authentication to an Access Manager Identity Server might be used by a disparate system not associated with the Access Manager deployment. This could provide the user with access to resources at the disparate system without the user first authenticating to that system.


Novell Access Manager Identity Server fully complies with the SAML 1.1 and SAML 2.0, WS-Federation and Liberty Alliance specifications. Moreover, federated identities from external systems are provided to all Access Manager components by the Access Manager Identity Server. Each federated identity is marshaled into the Access Manager trust perimeter according to local policies.

Once a federation agreement is configured with an external system, it remains in force according to time-to-live policies that are monitored and enforced by Novell Access Manager. At any time, an authorized administrator can use the Access Manager administration component to cancel, suspend or modify the federation agreement.

Any federated identity can be allowed, by policy, to provide full single sign-on to local legacy applications via Web single-sign on, form-fill, HTTP headers and other methods.

This provides a rich identity-management system that is fully manageable by both the enterprise and the user.

Access Management and Enterprise Federation—Simplified Access to Microsoft SharePoint

The federation capabilities in Novell Access Manager can also be used to simplify access to enterprise resources, such as Microsoft SharePoint*, especially when user identities exist across multiple LDAP stores and trusted partners need access via Identity Federation.

Through its built-in support for WS-Federation, Novell Access Manager integrates with Active Directory Federation Services to provide claims-based authentication to Microsoft SharePoint. This allows SharePoint administrators to map received claims to SharePoint groups, essentially removing the need to create individual identities in the SharePoint identity store.

Figure 5. Single Sign-on between internal and multiple federated or trusted systems


Regulatory Compliance Logging

Novell Access Manager features essential compliance-assurance logging functionality. Each component creates log entries that can be stored locally or forwarded to Novell Sentinel™.

Multi-factor Resource Protection

Policy specification controls access to all resources safeguarded by Novell Access Manager. Thus, access to a particular resource may require that multiple policies be satisfied before access is granted. Each policy can evaluate a different identity factor independent of other policy specifications. This facility provides fine-grained, multi-factor resource protection at the policy-specification level.
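An added example, not code from the white paper or the product, covering two passages: the PEP declaration in the Policy Administration section (a policy is authored against one PEP and may only be assigned to devices that support it) and the multi-factor protection above (every policy attached to a resource must be satisfied, each evaluating one identity factor). The PEP names, device names, policies and identity attributes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed map of which PEPs each device implements; the real PEP set is
# defined per product component and differs from these placeholder names.
DEVICE_PEPS = {
    "access-gateway-1": {"authorization", "identity-injection", "form-fill"},
    "identity-server-1": {"role-assignment", "authentication"},
}


@dataclass(frozen=True)
class Policy:
    name: str
    pep: str                       # PEP the policy was authored against
    factor: str                    # the one identity factor this policy evaluates
    test: Callable[[dict], bool]   # condition over the presented identity


class PolicyAssignmentError(ValueError):
    """Raised when a policy is assigned to a device that lacks its PEP."""


def assign(assignments: Dict[str, List[Policy]], device: str, policy: Policy) -> None:
    """Audit the assignment: only a device implementing the policy's PEP may receive it."""
    if policy.pep not in DEVICE_PEPS.get(device, set()):
        raise PolicyAssignmentError(
            f"{device!r} has no PEP {policy.pep!r} required by policy {policy.name!r}")
    assignments.setdefault(device, []).append(policy)


def evaluate(assignments: Dict[str, List[Policy]], device: str,
             required: List[str], identity: dict) -> Tuple[bool, List[str]]:
    """Fail-closed check: every required policy must be assigned to the device and satisfied.

    Policies are evaluated independently and not short-circuited, so every unmet
    factor is available for the compliance log. Returns (allowed, unmet policy names).
    """
    by_name = {p.name: p for p in assignments.get(device, [])}
    unmet = []
    for name in required:
        policy = by_name.get(name)
        if policy is None or not policy.test(identity):
            unmet.append(name)
    return (not unmet, unmet)


# Three policies on three different factors: role, authentication contract, attribute.
FINANCE_POLICIES = [
    Policy("employee-role", "authorization", "role",
           lambda i: "employee" in i.get("roles", ())),
    Policy("strong-auth", "authorization", "auth_contract",
           lambda i: i.get("auth_contract") in {"x509", "otp"}),
    Policy("finance-dept", "authorization", "attribute",
           lambda i: i.get("department") == "finance"),
]


def demo() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Assign the finance policies to one gateway and evaluate two identities."""
    assignments: Dict[str, List[Policy]] = {}
    for p in FINANCE_POLICIES:
        assign(assignments, "access-gateway-1", p)
    required = [p.name for p in FINANCE_POLICIES]
    strong = {"roles": ["employee"], "auth_contract": "x509", "department": "finance"}
    weak = {"roles": ["employee"], "auth_contract": "password", "department": "finance"}
    return (evaluate(assignments, "access-gateway-1", required, strong),
            evaluate(assignments, "access-gateway-1", required, weak))
```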

Frequently Asked Questions

Will my existing Novell iChain® deployment work with the new Access Gateway?

While legacy Novell iChain deployments will continue to function as they always have, they are not a part of the new Novell Access Manager administration console. If a connection fails over via an L4 switch between iChain and Access Gateway, the user will be required to re-authenticate so that the proper policy specifications can be invoked.

Access Manager documentation does provide an iChain co-existence strategy that enables single sign-on between iChain and Access Manager, while services are gradually migrated from iChain to Access Manager.

Can I manage multiple Access Gateways as a group even though the IP addresses on each Access Gateway are different?

Yes, IP addresses are handled in a way that still allows for group management of Access Gateways. Administrators define Access Gateway Clusters to enable single-point administration of multiple devices.

Can Access Manager help me manage access to Microsoft SharePoint for different communities of users?

Yes, Access Manager provides built-in support for WS-Federation, which integrates with Microsoft Active Directory Federation Services to provide claims-based authentication to Microsoft SharePoint. This eliminates the need to manage individual identities in the MS SharePoint identity store.


Figure 6. Access Manager claims-based authentication to MS SharePoint


Do my users need to authenticate to the SSL VPN after authenticating to Access Manager-protected Web applications?

No, a user doesn’t need to authenticate to the SSL VPN server once authenticated to Access Manager. They will still need to authenticate to each application, unless an enterprise single sign-on solution, such as Novell SecureLogin, has been deployed.

Can I integrate Access Manager with other federation-enabled services within my enterprise?

Yes, Novell Access Manager can integrate with any service—either as provider or consumer—that supports SAML, WS-Federation or Liberty Alliance.

Can I configure Identity Server to accept proxy authentications?

Yes, proxy authentication is supported by the Identity Server.


Contact your local Novell Solutions Provider, or call Novell at:

1 800 714 3400 U.S./Canada
1 801 861 1349 Worldwide
1 801 861 8473 Facsimile

Novell, Inc.
404 Wyman Street
Waltham, MA 02451 USA

462-002033-002 | 06/09 | © 2009 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and iChain are registered trademarks, and Access Manager, eDirectory and Sentinel are trademarks of Novell, Inc. in the United States and other countries.

*All third-party trademarks are the property of their respective owners.
