novell access manager product overview · 2016-02-29 · user nam administrator ssl vpn access...


Page 1: Novell Access Manager Product Overview · 2016-02-29 · User NAM Administrator SSL VPN Access Gateway Administration Console Federated Identity Providers SAML 2.0, SAML 1.x, Liberty,

Novell® Access Manager Product Overview

Kiran Mova

Page 2:

2 © 2011 NetIQ Corporation. All rights reserved.

Agenda

Introduction

Architecture

IDP

AG

SSL VPN

Administration Console

How it works?

Web SSO

Federation SSO

Protect HTTP Resources

Protect non-HTTP Resources

Page 3:

Introduction

Access Manager is a set of components that help to:

Provide Web and Federated SSO

Protect HTTP/Non-HTTP enterprise servers

Provide SSO to Legacy Web Servers

Also allows customers to extend:

Authentication Mechanisms using Authentication SDK

Authentication against Custom User stores using LDAP Server Plugin

Policy Engine using Policy Extension API

Page 4:

Sample NAM Deployment

InnerWeb Access Gateway (innerweb.novell.com)

VersionOne (v1.innerweb.novell.com)

Employee Self Service (psselfservice.innerweb.novell.com)

Identity Provider (login.innerweb.novell.com)

SSLVPN (sslvpn.innerweb.novell.com)

Page 5:

Architecture

[Architecture diagram. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP. Actors: User; NAM Administrator (Web UI). Components: Load Balancer(s) in front of Identity Servers, Access Gateways and SSLVPNs; SSL VPN (Authorized Access); Identity Provider (Authenticate); Access Gateway (Authorized Access); J2EE Agent (Authorized Access); Administration Console (Audit, Alerts; Configuration, Policy); Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS Fed); Authentication Servers (RADIUS, etc.); User Directory (LDAP). Use cases shown: Web SSO, Federated SSO, Non-HTTP server Access. Instance counts shown on the diagram: 1..3, 1+, 1+, 1+, 1.]

Page 6:

Admin Console – Key Features

Administration Console

Configure Components

Monitor Health and Statistics of Individual Components

Policy Administration

Certificate Management

Delegated Administration

Persistent configuration store

Granular Auditing (embedded NSure Audit Server)

Page 7:

Architecture – ACM

[Administration Console architecture diagram. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP. Actors: User; NAM Administrator (Web UI over HTTPS). Components: Load Balancer; Identity Provider; Access Gateway; SSL VPN; Federated Identity Providers; User Directory (LDAP, Authenticate); Authentication Servers (RADIUS, etc.). Administration Console internals: Audit Cache, JCC, Config/Policy/Certificate Store, Nsure Audit Server, eDirectory, Device Manager (iManager/Tomcat), Clustering (eDirectory Replica). Links labelled: Audit (TCP); Configuration/Commands (HTTPS); Alerts (HTTPS); Configuration, Policy (LDAPS); Cert Configure (LDAPS); LDAPS.]

Page 8:

Identity Provider – Key Features

Identity Provider (IdP)

Authentication (includes x509, RADIUS..)

Federated Authentication (SAML/ADFS)

Associate Roles and Attributes with authenticated user

Capable of authenticating against multiple User ID stores like eDirectory, Active Directory, Sun One etc.

Extensible Authentication and Policy framework

SP (Service Provider) Agent

Shared Component

Redirects all authentication requests to IdP

Maintains a cache of user data fetched from IdP

Evaluates Policies by requesting additional data from IdP.

Page 9:

Architecture - IDP

[Identity Provider architecture diagram. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP. Actors: User; NAM Administrator (Web UI). Components: Load Balancer (2+); Access Gateway; SSL VPN; Administration Console; Federated Identity Providers; User Directory (LDAP, Authenticate); Authentication Servers (RADIUS, etc.). Identity Provider internals: Authentication & Attribute Services (Tomcat), JCC, RMI, Audit Agent, Clustering (JGROUPS), Custom Connections. Links labelled: Configuration (HTTPS); Audit (TCP); Alerts (HTTPS); Configuration, Policy (LDAPS); SAML 2.0, SAML 1.x, Liberty, WS Fed (HTTPS); User Data (LDAP[S]); Liberty and Attribute Service (HTTPS).]

Page 10:

Access Gateway – Key Features

Access Gateway (AG)

Authentication (via Identity Server)

Authorization

Single sign-on to Legacy Web Servers (form-fill, identity injection)

Identity injection (personalization)

Secure exchange (SSLizer)

Multi Homing

Load Balancing

URL Normalization/Rewriting

Caching

Policy Extensions API

Page 11:

Architecture - AG

[Access Gateway architecture diagram. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP, reached over HTTP(S). Actors: User; NAM Administrator (Web UI). Components: Load Balancer (2+); Identity Provider; SSL VPN; Administration Console; Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS Fed over HTTPS); User Directory (LDAP, Authenticate); Authentication Servers (RADIUS, etc.). Access Gateway internals: Gateway Manager, Apache Instance, SP Agent, Session Cache, ActiveMQ (Messages), Audit Agent, JCC, RMI, AJP, HTTP, Clustering (JGROUPS), Policy Extension API, Config. Links labelled: Liberty and Attribute Service (HTTPS); Audit (TCP); Configuration (HTTPS); Alerts (HTTPS); Configuration, Policy (LDAPS); HTTP(S).]

Page 12:

SSLVPN – Key Features

SSL VPN

Provide Secure access to Non-HTTP Applications

Enterprise mode (full access) or KIOSK mode (application access)

Client Integrity Check and Policy Based Access

Desktop Clean-up / Secure Folder

Page 13:

Architecture – SSLVPN (Server)

[SSL VPN server architecture diagram. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP. Actors: User; NAM Administrator (Web UI). Components: Load Balancer (2+); Identity Provider; Access Gateway; Administration Console; Federated Identity Providers (SAML 2.0, SAML 1.x, Liberty, WS Fed over HTTPS); User Directory (LDAP, Authenticate); Authentication Servers (RADIUS, etc.). SSL VPN internals: Conn Mgr, Socks Server, STunnel, Open VPN Server, SP Agent, Audit Agent, JCC. Links labelled: Audit (TCP); Configuration (HTTPS); Alerts (HTTPS); Configuration (LDAPS); Liberty and Attribute Service (HTTPS); HTTP(S); HTTP; TCP; SSL.]

Page 14:

Architecture – SSLVPN Client (KIOSK)

[SSL VPN KIOSK-mode client diagram. User side: Application, Socks Client, Stunnel, SSL VPN Client, Policy Engine. Server side (NAM SSL VPN): Conn Mgr, Socks Server, STunnel, Open VPN Server, SP Agent, Audit Agent, JCC. Links labelled: TCP; SSL. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP.]

Page 15:

Architecture – SSLVPN Client (Enterprise)

[SSL VPN Enterprise-mode client diagram. User side: Application, TUN Driver, Open VPN Client, SSL VPN Client. Server side (NAM SSL VPN): Conn Mgr, Socks Server, STunnel, Open VPN Server, SP Agent, Audit Agent, JCC. Links labelled: TCP/UDP; SSL over TCP/UDP. Back end: Mission Critical and Enterprise Data Systems, HTTP and non-HTTP.]

Page 16:

Recent/Current Initiatives...

Access Management On Demand

Federation Hub

Simplification

Creating products out of individual components

Page 17:

Simplification

Page 18:

How it works?

Page 19:

Web SSO

[Sequence diagram. Participants: User, Service Provider (Web Server) with SP Agent, Identity Provider, User Id Store.]

1 SP Agent redirects to IdP for authentication

2 Post credentials

3 Validate credentials

4 IdP redirects to SP Agent with auth token

5 Verify token

Notes on the diagram:

If authenticated, go to (4); if not, seek credentials

Create user session, form a token to send to SP Agent

Respond with assertion, including user attributes/roles

Provide access

Page 20:

Federated SSO

[Sequence diagram. Participants: User, Identity Provider, User Id Store, Configuration Store, Federated Identity Provider (SAML/Liberty/WSFed).]

1 Request for authentication

2 Send AuthRequest to Federated IdP

5 IdP receives the authentication

6 Verify token

6 Provide AuthResponse with authentication details (also numbered 6 on the slide)

7 Create user session and store persistent federation mapping

8 Respond with auth token

Notes on the diagram:

If authenticated, go to (8); if not, redirect to “Trusted” Federated Identity Provider

If not authenticated, seek credentials

Map to local user or auto-provision the user

Page 21:

Protect HTTP Resources

[Sequence diagram. Participants: User, Access Gateway (SP Agent), Identity Provider, User Id Store, Web Server(s).]

1 Access v1.innerweb.novell.com

2 SP Agent redirects to IdP for authentication

3 Post credentials

4 Validate credentials

5 IdP redirects to SP Agent with auth token

6 Verify token

7 Authorization policy

8 Redirect to access resource

9 Form fill, identity injection, load balance

10 URL rewriting, cache

Notes on the diagram:

If authenticated, go to (7); if not, redirect to SP Agent

If authenticated, go to (5); if not, seek credentials

Create user session, form a token to send to SP Agent

Respond with assertion, including user attributes/roles
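The Web SSO exchange (Page 19) and the Protect HTTP Resources flow (Page 21) share the same skeleton: the SP Agent redirects to the IdP, the IdP validates credentials and forms a token, the SP Agent verifies the token, fetches the assertion, applies an authorization policy and injects identity for the web server. The Python model below is an added example, not code from the deck or from Access Manager, that walks one request through both sides of that exchange. The user store, the signing key, TOKEN_TTL, the IdP login path, the X-Auth-* header names and the "employee" role are assumptions; only the hostnames login.innerweb.novell.com and v1.innerweb.novell.com come from the deck. Real NAM carries certificate-signed SAML/Liberty assertions over HTTPS rather than an HMAC token in a query string.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the User Id Store (eDirectory/LDAP in a real deployment).
USER_STORE = {
    "alice": {"password": "correct horse battery", "roles": ["employee", "finance"]},
    "bob": {"password": "staple", "roles": ["contractor"]},
}
# Constructed signing key shared by IdP and SP Agent; NAM uses certificate-signed
# SAML/Liberty assertions, an HMAC keeps this model short.
IDP_KEY = b"constructed-idp-signing-key"
TOKEN_TTL = 300  # assumed token lifetime in seconds
IDP_LOGIN_URL = "https://login.innerweb.novell.com/login"  # host from the deck, path assumed

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(payload: dict, key: bytes = IDP_KEY) -> str:
    """'Form a token': base64url(JSON payload).base64url(HMAC-SHA256 over it)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    return f"{body}.{_b64(hmac.new(key, body.encode(), hashlib.sha256).digest())}"

def verify_token(token: str, now: int, key: bytes = IDP_KEY):
    """'Verify Token': check the MAC first, then the expiry. Payload or None."""
    try:
        body, mac = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:  # missing '.', bad base64 or malformed JSON
        return None
    return payload if isinstance(payload, dict) and payload.get("exp", 0) > now else None

class IdentityProvider:
    """Validates credentials against the user store and issues session tokens."""

    def __init__(self, users=USER_STORE, key=IDP_KEY):
        self.users, self.key, self.sessions = users, key, {}

    def login(self, user: str, password: str, return_to: str, now: int):
        """'Validate Credentials'; on success create a user session, form a token
        and redirect back to the SP Agent. None means 'seek credentials' again."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["password"].encode(), password.encode()):
            return None
        sid = hashlib.sha256(f"{user}:{now}:{len(self.sessions)}".encode()).hexdigest()[:16]
        self.sessions[sid] = {"user": user, "roles": list(rec["roles"])}
        token = sign_token({"sid": sid, "user": user, "exp": now + TOKEN_TTL}, self.key)
        return f"{return_to}?{urlencode({'token': token})}"

    def assertion(self, sid):
        """'Respond with Assertion, including user attributes/roles', or None."""
        sess = self.sessions.get(sid)
        return None if sess is None else dict(sess)

class SPAgent:
    """The Access Gateway's SP Agent: redirect, verify, authorize, inject identity."""

    def __init__(self, idp: IdentityProvider, required_role: str):
        self.idp, self.required_role = idp, required_role

    def handle(self, url: str, now: int) -> dict:
        """Return an HTTP-like response dict for a request to a protected URL."""
        resource = url.split("?", 1)[0]
        token = parse_qs(urlparse(url).query).get("token", [None])[0]
        to_idp = {"status": 302,
                  "location": f"{IDP_LOGIN_URL}?{urlencode({'return_to': resource})}"}
        if token is None:
            return to_idp  # 'SP Agent Redirects to IdP for authentication'
        payload = verify_token(token, now)
        assertion = self.idp.assertion(payload.get("sid")) if payload else None
        if assertion is None:
            return to_idp  # forged, expired or unknown session: authenticate again
        if self.required_role not in assertion["roles"]:
            return {"status": 403, "reason": "authorization policy denied"}
        # 'Identity Injection': hand the identity to the back-end web server as headers
        return {"status": 200, "headers": {"X-Auth-User": assertion["user"],
                                           "X-Auth-Roles": ",".join(assertion["roles"])}}

def run_flow(user: str, password: str, required_role: str = "employee",
             now: int = 1_700_000_000) -> dict:
    """Drive the whole exchange for one user; return the SP Agent's final response."""
    idp, resource = IdentityProvider(), "https://v1.innerweb.novell.com/app"
    sp = SPAgent(idp, required_role)
    first = sp.handle(resource, now)  # no session yet: 302 to the IdP
    return_to = parse_qs(urlparse(first["location"]).query)["return_to"][0]
    back = idp.login(user, password, return_to, now)  # the user posts credentials
    if back is None:
        return {"status": 401, "reason": "credentials rejected by IdP"}
    return sp.handle(back, now)  # the IdP redirect carries the token to the SP Agent
```

run_flow drives the whole exchange for one user. A tampered or expired token is not treated as an error by the SP Agent: it falls back to the redirect-to-IdP branch, which is the "if not, seek credentials" path on the slides, while a valid session that lacks the required role stops at the authorization policy (step 7) and never reaches identity injection.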

Page 22:

Access to Non-HTTP Resources

[Sequence diagram. Participants: User, SSL VPN, Enterprise Server(s); SSL VPN Client and VPN Tunnel on the user side.]

1 Login to SSL VPN (using IdP or AG)

2 Accept and install client

3 Access enterprise server

4 Authorize access, forward

5 Logout, desktop clean-up

Notes on the diagram:

If authorized user, push the SSL VPN Client

Install; Client Integrity Check; establish VPN tunnel; client policy update

Virtual/hooking adapter takes the request and routes it through the tunnel

Page 23:

www.novell.com/accessmanager

Page 24:

+1 713.548.1700 (Worldwide)

888.323.6768 (Toll-free)

[email protected]

Worldwide Headquarters

1233 West Loop South, Suite 810, Houston, TX 77027 USA

http://community.netiq.com


Page 25:

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.