Novell Access Manager 3 White paper

Shared by: Alexandra Ares (posted 1/22/2009)
Technical White Paper: Security and Identity
www.novell.com

Novell Access Manager 3
Access Control, Policy Management and Compliance Assurance

Table of Contents:
- Complete Access Management
- Novell Access Manager Components
- Deployment and Usage Scenarios
- Frequently Asked Questions

Complete Access Management

Novell Access Manager is the next-generation access management and federated identity solution from Novell. Organizations use Access Manager to control internal and external users’ access to network content, applications and services. Its key components—those that provide identity management and federation—are founded on industry-leading standards, including Liberty Alliance, Web Services Security (WS-Security), and Security Assertion Markup Language (SAML).

Novell Access Manager Components

The seamless integration of Novell Access Manager components ensures access control at all levels. Figure 1 illustrates these components.

Figure 1. Novell Access Manager Components. Novell Access Manager components are depicted in the center.

Multiple User ID Stores can be aggregated by a single Identity Server and may be any combination of the following directory services:
- Novell eDirectory
- Sun ONE Directory Server
- Microsoft Active Directory

The following sections provide additional detail about Novell Access Manager components and functionality.

Novell Access Manager Policy Management

Policy management and enforcement are fundamental strengths of Novell Access Manager. In fact, all Access Manager components are guided by user-definable policies that are routinely enforced and logged for regulatory compliance reporting.

Identity Server

Identity Server provides authentication services for all Novell Access Manager components. It also features provider and consumer services for Liberty Alliance and SAML (versions 1.1 and 2.0) requests. As with all Access Manager components, Identity Server provides authentication services according to Access Manager policy declarations. Identity Server authenticates users and provides role information to facilitate authorization decisions.

It also includes the full Liberty Alliance Web Service Framework, which can be used to distribute identity information. For example, the policy-enabled Identity Injection feature of Access Gateway (formerly known as Object Level Access Control) can leverage the Liberty Alliance Web Services Framework to extract identity information and then inject it into Web headers or query strings. Organizations can leverage the standard Liberty Alliance Employee and Person profiles available in Identity Server or define custom attributes and use them in policy enforcement.

Identity Server also facilitates federated provisioning, which automatically creates user accounts on a federation request. Without this feature, users would need to register (create a user account) with a service provider before they could federate their identities.

Java Application Server Agents

There are three Java application server agents: IBM WebSphere, BEA WebLogic, and JBoss. These agents utilize Java Authentication and Authorization Service (JAAS), Java Authorization Contract for Containers (JACC), and internal Web-server APIs for authentication, and also provide policy-controlled access to Java Servlets and Enterprise JavaBeans (EJBs). In some cases, organizations achieve tighter and more robust integration by using platform-specific APIs.

SP Agent

SP Agent is a shared component that provides a common implementation of identity and federation standards and protocols. This agent redirects all authentication requests to Identity Server, which in turn returns a SAML assertion to the component. The presence of SAML assertions in each Access Manager component protects confidential information. Specifically, it removes the need to transfer user credentials between components to handle session management. SP Agent allows components to use an identity provider for authentication and service. It also allows an identity provider to chain to other identity providers. This process is known as IDP proxying, and it helps organizations create groups of interlinked identity providers, known in Liberty Alliance terms as “Circles of Trust.”

Access Gateway

Access Gateway is the HTTP-proxy component of Novell Access Manager. In addition to providing award-winning Novell security and proxy services (i.e., authorization, single sign-on and data encryption), it is also integrated with the new identity and policy services of Novell Access Manager. With Access Gateway, organizations can transform identity provider authentication and services into standard Web headers, form-fill responses and basic authentication responses. In other words, Access Gateway enables an organization’s existing Web applications to support new identity standards without any modification.

Secure Sockets Layer Virtual Private Network (SSL VPN)

The SSL VPN provides secure access to non-HTTP-based applications. It is a Linux-based service that is accelerated by—and shares session information with—Access Gateway. After a user successfully authenticates through the SSL VPN, an ActiveX plug-in or Java applet is delivered to the client. Novell Access Manager role-based access control determines authorization decisions for all back-end applications. SSL VPN also performs client-integrity validation.

Management Interface

The Novell Access Manager administration interface provides a central place to configure and manage all product components and policies. Organizations can also use this interface to group multiple Access Gateways and then deploy configuration changes to them simultaneously. Delegated administration is available for individual devices, agents and policy control.

Policy Engine

The Novell Access Manager Policy Engine provides all policy-statement resolution for all product components. For convenience, it also supports the definition of policies in terms of user roles.

Deployment and Usage Scenarios

This section outlines various deployment and usage scenarios for Novell Access Manager.

Managing Novell Access Manager

Organizations can use Novell Access Manager administration features for the following components and processes:
- Identity Servers
- Access Gateways (for products running on both Linux and NetWare)
- SSL VPN
- Java agents
- Device management
- Policy management

The administrators who oversee Novell Access Manager devices, groups and policies have typically been assigned the Device Administrator and/or Policy Administrator roles in the directory.

Figure 2. Novell Access Manager Management Console

Figure 2 depicts the highest-level view provided by the Novell Access Manager administration interface. At the highest level, all administrators can view the status of all devices and policies, and any warning or alert conditions are visible. Note that although the overall Site Status is green, the figure shows the SSL VPN in a yellow “warning” state and at least one of the J2EE agents in a red “critical” state. This is because the alerts on the SSL VPN and J2EE agents have been marked as “cleared” but not “resolved.” The “cleared” status is assigned by an administrator, while “resolved” is a result of the device being disabled or brought back into full operation (green status).

Each of the boxes in the figure indicates the total number of devices in the category and the aggregate alert status of all devices in the category. For example, the Identity Server (there is only one in this example) is in a state of full functionality. Its status is represented by the green circle in the third alert-status position of the Identity Servers control box. Likewise, there is an outstanding issue with one or more of the SSL VPNs, as shown by the yellow diamond in the second alert-status position of the SSL VPNs control box. Finally, there is a critical alert outstanding on one or more of the agents, as shown by the red, dashed circle in the J2EE Agents control box. An administrator simply clicks on a control box to view the outstanding issues for that control box’s category of devices. Note that while any administrator can see the issue, only administrators who have access control rights to the device or policy can perform updates or take corrective action.

The Devices control box deserves a special note. All of the Linux-based components may be deployed on servers in a mix-and-match manner. For example, one physical server could host an Identity Server and several J2EE Agents. If the server were to experience a fault, then the affected components hosted on that server would display an appropriate alert status. To help administrators correct issues quickly, server-related alerts are displayed separately in the Devices control box. If the Devices control box shows an alert status (either yellow or red) for a server, all components hosted by that server might also issue alerts. By selecting the Devices control box, an authorized administrator can quickly isolate and correct server issues. Correction of issues at the server level will likely correct all component issues as well.

The Policies control box is different from the other boxes because of its lack of an alert-status indicator. This control box allows an authorized administrator (one with access control over the policy management section of the administration interface) to create, edit and manage the policies assigned to specific components. The Policy Administration section provides an additional layer of administrator access control. Policies can be segmented into one or more groups, and Policy Administrators assigned to a select set of those policy groups. This allows a separation of duty among Policy Administrators and also provides a way to address many regulatory compliance issues.

All access rights for Device Administrators and Policy Administrators are assigned by one or more Novell Access Manager Administration Administrators. These are individuals who are authorized to assign only access control rights. Optionally, these administrators can be given global administration rights which, in effect, creates a set of super-administrators.

One additional feature is noteworthy. At the top of the figure, a drop-down list box indicates that “All Access Sites” has been selected. “All Access Sites” shows every device and policy configured in Novell Access Manager. Other “sites” may be configured by administrators to provide convenient grouping of a subset of devices. These “sites” are logical only and may share services that are included in other “sites.” For example, the site “East Coast” may (and probably would) include services and devices in another site entitled “New Jersey.”

In summary, Novell Access Manager enables administrators to comply with separation-of-duty requirements, which in turn helps the enterprise more readily prove regulatory compliance. And although all administrators can view an alert status, only those with specific access control rights can update the affected device.

Novell Access Manager Policy Administration

The inclusion of a system-wide policy administration feature provides a compelling reason to deploy Novell Access Manager. This policy administration feature is integrated into the management interface in such a way that it enables a separation of duties among policy administrators. Policies are based on Policy Enforcement Points (PEP), several of which are defined for each Novell Access Manager component. To create a policy, an administrator starts by declaring which PEP will be controlled via the policy. This initial declaration provides several advantages:
- Policy configuration options display only those values and features available for selection at the PEP.
- Assignment of a policy to a device can be audited so that only appropriate devices with a compatible PEP can be selected for policy deployment.
- Certain policy values can be required for some policies and remain optional for others. However, the field containing the value is the same in all cases, which provides a single point of policy-engine maintenance.

Policy administration also allows for the assignment of policies to multiple Access Manager components. This remains in effect as long as the components support the PEP upon which the policy is authored to operate. The administrator has tools to review what policies are being used, what devices are using them, and the probable impact on the Access Manager deployment if a change were made.

To facilitate regulatory compliance reporting, policies are segmented into groups, which are then the subject of access control among the policy administrators. This provides a configurable separation of duty among the staff who maintain policies. Thus, an administrator with the background necessary to author and maintain Access Gateway or Agent policies could be prevented from authoring or maintaining Identity Server policy.

Novell Access Manager logs all policy-related activities and provides valuable regulatory compliance reporting. The creation, modification, deactivation and final deletion of policies—as well as policy assignments and usage—are all logged in a Novell Audit log. This log can be queried to determine what policy was governing access at any point in time during the policies’ existence. Because the Novell Audit log features digitally signed log entries and log-entry chaining, organizations can have confidence in the accuracy of their compliance data.

Novell Access Manager Federated Provisioning

Some legacy systems require organizations to store all identity information in a specific directory and format. All users of the legacy system must have an account in the directory before they can use the legacy services. Novell Access Manager can automatically provision these types of accounts without requiring users to manually add themselves to the legacy system’s directory.

In Novell Access Manager, Federated Provisioning is performed by either SP Agent or Identity Server. When either of these components is configured to auto-provision user accounts, it first reviews each authentication request to verify that the legacy directory contains the user account. If it already contains the account, then the authentication is processed normally. If it does not contain the account, Novell Access Manager pulls information from Identity Server (via the SAML assertion or a Web service that vends the information) to create the user’s account. Note that the account on the legacy system may use an alias user ID and a randomly generated password. This information is maintained by Identity Server and used each time the legacy system is accessed.

Legacy Web Services and Integration

Novell Access Manager delivers access to legacy Web services by processing the policies that govern these systems and by using components such as J2EE agents and Access Gateways. These components perform tasks like form-fill, basic authentication and header injection to provide users with seamless access to legacy Web systems. In some cases, organizations require their legacy Web services to use an alias user ID and password. Novell Access Manager allows any combination of attributes from the identity store(s) to be used as the user ID and password. Either the user or an automated process can maintain the attributes that contain associated user IDs and passwords. This provides a user-friendly way to implement strong password policies. This feature of Novell Access Manager, coupled with the Federated Provisioning feature, provides a powerful integration tool for legacy-based systems.

Legacy-system Access Management

Novell Access Manager controls access to legacy systems in a variety of ways:
- Identity Server provides policy-based identity management, including federated identities and/or roles.
- Access Gateway features Web-based resource access control, using the identities managed by Identity Server. This includes the Novell Access Manager Policy component for specifying policy- and role-based access to local resources.
- The Novell Access Manager Policy component offers J2EE agent resource access control for supported application servers.
- The SSL VPN ensures secure identity- and role-based access to resources behind the firewall.

Figure 3. Novell Access Manager overview

Access Management and Standards-based Federation

Through its implementation of Liberty Alliance Identity Federation specifications, Novell Access Manager ensures the secure federation of user identities. Its approach to federation respects privacy laws and regulations even when user identities cross international borders.

Figure 4. Single Sign-on between internal and multiple Federated or trusted systems

Each deployment of Novell Access Manager includes one or more Identity Servers that orchestrate the user-identity lifecycle, including federation with other Liberty Alliance-compliant identity providers. This means that a successful authentication at a single Liberty Alliance-compliant identity provider (even if it is not a Novell Access Manager Identity Server) will result in authentication assurances at other Liberty Alliance-compliant identity providers. For example, a successful authentication to an Access Manager Identity Server might be used by a disparate system not associated with the Access Manager deployment. This could provide the user with access to resources at the disparate system without the user first authenticating to that system. Because the Liberty Alliance specifications are implemented by both parties, the user’s authentication can be federated in a secure way that honors all policy requirements for privacy and enterprise regulations.

Novell Access Manager Identity Server fully complies with the Liberty Alliance specification and supports both SAML 1.1 and SAML 2.0. Moreover, federated identities from external systems are provided to all Access Manager components as if authentication had occurred at the Access Manager Identity Server. Each federated identity is marshaled into the Access Manager trust perimeter according to local policy and Liberty Alliance federation policy. Once a federation agreement is configured with external systems, it remains in force according to time-to-live policies that are monitored and enforced by Novell Access Manager. At any time, an authorized administrator can use the Access Manager administration component to cancel, suspend or modify the federation agreement. Any federated identity can be allowed, by policy, to provide full single sign-on to local legacy applications via Web single sign-on, form-fill, HTTP headers and other methods. This provides a rich identity-management system that is fully manageable by both the enterprise and user.

Access Management and Enterprise Federation

Novell Access Manager offers a faster “short cut” method for achieving identity federation within the enterprise. While external identity federation requires an interactive dialogue with the user to determine federation policy, the Access Manager enterprise mode of operation enforces user-based federation policy enterprise-wide. This mode of operation allows the enterprise to set the default federation policy inherited by users as their identities are added to the identity store(s). Each policy setting can be marked as “required,” which does not allow user modification, or “optional,” which allows user modification. Once set, these policy statements are enforced automatically—without any user interaction—and they will remain in force until changed by either the enterprise or user.

Figure 5. Enterprise Federation example

If a user’s identity is federated to a non-enterprise mode Identity Server or Liberty Alliance identity provider, then full Liberty Alliance federation policy specifications are enforced. The Novell Access Manager enterprise mode of operation is only valid within a specific Access Manager deployment.

Multifactor Resource Protection

Policy specification controls access to all resources safeguarded by Novell Access Manager. Thus, access to a particular resource may require that multiple policies be satisfied before access is granted. Each policy can evaluate a different identity factor independent of other policy specifications. This facility provides fine-grained multi-factor resource protection at the policy-specification level.

Regulatory Compliance Logging

Novell Access Manager features essential compliance-assurance logging functionality. Each component creates log entries for the Novell Audit logging tool to show how policy statements directly affect access control decisions.

Frequently Asked Questions

Will my existing Novell iChain deployment work with the new Access Gateway?
While legacy Novell iChain deployments will continue to function as they always have, they are not a part of the new Novell Access Manager administration console. If a connection fails over via an L4 switch between iChain and Access Gateway, the user will be required to re-authenticate so that the proper policy specifications can be invoked.

If I’m an ISP, can I allow my customers to write and maintain their own policies?
Yes, each Policy Administrator can be limited to a specific collection of policy statements and restricted from other collections.

Can I configure Identity Server to accept proxy authentications?
Yes, proxy authentication is supported by Identity Server.

Can I group manage proxy services on multiple Access Gateways even though the IP addresses on each Access Gateway are different?
Yes, IP addresses are handled in a way that still allows for group management of Access Gateways.

Can I deploy my own Liberty Alliance-compliant service provider?
Yes, Identity Server fully supports the Liberty Alliance protocols and can interact with other identity provider installations.

How can my staff administer a worldwide deployment of Novell Access Manager in a “follow the sun” fashion?
By assigning access rights to specific groups or “sites,” administration staff can overlap their administration duties despite geographic location.

SUSE Linux Enterprise Server 9 from Novell features the most advanced Linux technology available and can support the services, applications and databases that drive your business. www.novell.com

Contact your local Novell Solutions Provider, or call Novell at: 1 888 321 4272 U.S./Canada; 1 801 861 4272 Worldwide; 1 801 861 8473 Facsimile. Novell, Inc., 404 Wyman Street, Waltham, MA 02451 USA.

462-002033-001 | 10/06 | © 2006 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo, NetWare and iChain are registered trademarks, and eDirectory is a trademark of Novell, Inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. All other third-party trademarks are the property of their respective owners.
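The Policy Administration section describes a Novell Audit log with digitally signed, chained entries that can be queried for the policy governing access at any point in time. The sketch below is an added illustration of that mechanism, not Novell Audit's own format or code: the entry layout, the HMAC standing in for the digital signature, the signing key and the sample policy events are all constructed.

```python
"""Tamper-evident policy audit log: chained, signed entries (illustrative)."""
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # chain anchor for the first entry
SIGNING_KEY = b"constructed-demo-key"   # constructed; HMAC stands in for a signature


def _digest(entry_body: dict) -> str:
    # Canonical JSON so the same body always hashes identically.
    canonical = json.dumps(entry_body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def append_entry(log: list, key: bytes, event_time: int, event: dict) -> dict:
    """Append an entry whose body embeds the previous entry's hash (chaining)
    and whose signature covers that body (per-entry signing)."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "time": event_time, "prev": prev_hash, "event": event}
    entry_hash = _digest(body)
    sig = hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()
    entry = {**body, "hash": entry_hash, "sig": sig}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, first bad seq)."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in ("seq", "time", "prev", "event")}
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i            # entry deleted, inserted or reordered
        if _digest(body) != entry["hash"]:
            return False, i            # body changed after it was written
        expected_sig = hmac.new(key, entry["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, entry["sig"]):
            return False, i            # hash rewritten without the signing key
        expected_prev = entry["hash"]
    return True, None


def policy_state_at(log: list, policy: str, at_time: int):
    """Replay the log to find which version of `policy` governed at `at_time`
    (None if it did not exist or was deactivated/deleted by then)."""
    state = None
    for entry in log:
        ev = entry["event"]
        if entry["time"] > at_time or ev["policy"] != policy:
            continue
        if ev["action"] in ("create", "modify"):
            state = ev.get("version")
        elif ev["action"] in ("deactivate", "delete"):
            state = None
    return state


def build_sample_log(key: bytes = SIGNING_KEY) -> list:
    """Constructed sample: the lifecycle of one Access Gateway policy."""
    log = []
    events = [
        (100, {"policy": "AG-finance-portal", "action": "create", "version": 1, "admin": "pa1"}),
        (200, {"policy": "AG-finance-portal", "action": "modify", "version": 2, "admin": "pa1"}),
        (250, {"policy": "AG-finance-portal", "action": "assign", "device": "ag-east-1", "admin": "da1"}),
        (300, {"policy": "AG-finance-portal", "action": "deactivate", "admin": "pa2"}),
    ]
    for t, ev in events:
        append_entry(log, key, t, ev)
    return log
```

Editing an entry, deleting one, or recomputing a hash without the key each surfaces as a failure at the first affected sequence number, which is what lets the compliance query above be trusted.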

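The Federated Provisioning and Legacy Web Services sections describe a flow in which each authentication request is checked against the legacy directory, a missing account is created from assertion data under an alias user ID and a random password, and those stored credentials are then replayed (here as a Basic authentication header) on later legacy access. The Python below is an added illustration of that flow, not Novell's implementation; the trusted issuer URL, the assertion field names and the in-memory stand-in for the legacy store are constructed.

```python
"""Federated provisioning against a legacy account store (illustrative)."""
import base64
import hashlib
import hmac
import secrets

# Constructed value: the only identity provider whose assertions are accepted.
TRUSTED_ISSUERS = {"https://idp.example.test/saml2"}


class LegacyStore:
    """Stand-in for the legacy directory: every user needs a local account."""

    def __init__(self):
        self.accounts = {}  # alias user id -> (salt, pbkdf2 digest)

    def exists(self, user_id: str) -> bool:
        return user_id in self.accounts

    def create(self, user_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = (salt, _derive(password, salt))

    def check_password(self, user_id: str, password: str) -> bool:
        record = self.accounts.get(user_id)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _derive(password, salt))


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def provision_if_needed(assertion: dict, legacy: LegacyStore, mapping: dict):
    """Provisioning decision for one authentication request.

    `assertion` is a dict standing in for the parsed SAML assertion;
    `mapping` is the Identity Server-side record of which alias and random
    password belong to each federated identity (issuer, subject).
    Returns (alias_user_id, "existing" | "provisioned").
    """
    issuer, subject = assertion.get("issuer"), assertion.get("subject")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError("assertion from untrusted issuer")
    if not subject:
        raise ValueError("assertion carries no subject")
    key = (issuer, subject)
    if key in mapping and legacy.exists(mapping[key][0]):
        return mapping[key][0], "existing"   # normal processing path
    # No legacy account yet: mint an alias and a random password, create the
    # account, and remember both so later requests reuse them.
    alias = "fed-" + secrets.token_hex(6)
    while legacy.exists(alias):
        alias = "fed-" + secrets.token_hex(6)
    password = secrets.token_urlsafe(24)
    legacy.create(alias, password)
    mapping[key] = (alias, password)
    return alias, "provisioned"


def legacy_basic_auth_header(mapping: dict, issuer: str, subject: str) -> str:
    """Authorization header a gateway would inject toward the legacy application."""
    alias, password = mapping[(issuer, subject)]
    token = base64.b64encode(f"{alias}:{password}".encode()).decode()
    return "Basic " + token
```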