Enterprise Single Sign-On Design Guide Using IBM Security Access Manager for Enterprise Single Sign-On 8.2

Book Description

Everyone feels the pain of too many passwords to remember. Everyone can relate to the security exposure of weak passwords, chosen for convenience. And, everyone can relate to passwords placed in proximity to the workstation for a quick reminder. Unfortunately, that note can allow more than the intended user into the system and network. The average user today often has four or more passwords. And, security policies that focus on password complexity and password-change frequency can cause even more difficulty for users.

This IBM® Redbooks® publication introduces IBM Security Access Manager for Enterprise Single Sign-On 8.2, which provides single sign-on to many applications, without a lengthy and complex implementation effort. Whether you are deploying strong authentication, implementing an enterprise-wide identity management initiative, or simply focusing on the sign-on challenges of a specific group of users, this solution can deliver the efficiencies and security that come with a well-crafted and comprehensive single sign-on solution.

This book is a valuable resource for security officers, administrators, and architects who want to understand and implement an identity management solution in a medium-scale environment.

This book is an update to the existing SG24-7350-01.

Table of Contents

  1. Front cover
  2. Notices
    1. Trademarks
  3. Preface
    1. The team that wrote this book
    2. Now you can become a published author, too!
    3. Comments welcome
    4. Stay connected to IBM Redbooks
  4. Part 1 Architecture and design
  5. Chapter 1. Business context
    1. 1.1 The single sign-on paradigm
    2. 1.2 Enterprise single sign-on today
      1. 1.2.1 Solving the password security paradox
      2. 1.2.2 Managing passwords in a security-rich fashion
      3. 1.2.3 Reducing help desk costs and improving employee productivity
      4. 1.2.4 Demonstrating compliance through auditing and reporting
      5. 1.2.5 Easy to deploy
      6. 1.2.6 High performance
      7. 1.2.7 Integrating with an enterprise identity management system
      8. 1.2.8 Bringing single sign-on to kiosk machines and virtual desktops
    3. 1.3 Considerations for deployment
  6. Chapter 2. Single sign-on architecture and component design
    1. 2.1 Overview
      1. 2.1.1 IBM Security Blueprint perspective
    2. 2.2 Logical component architecture
      1. 2.2.1 AccessAgent
      2. 2.2.2 AccessAgent in server mode
      3. 2.2.3 IMS Server
      4. 2.2.4 IMS database
      5. 2.2.5 AccessAdmin
      6. 2.2.6 AccessStudio
      7. 2.2.7 Provisioning API
    3. 2.3 Additional components
    4. 2.4 Physical component architecture
      1. 2.4.1 IMS Server
      2. 2.4.2 IMS database
      3. 2.4.3 Organization directories
      4. 2.4.4 AccessAgent
    5. 2.5 IBM Security Access Manager for Enterprise Single Sign-On integration
      1. 2.5.1 User provisioning products
      2. 2.5.2 Compliance products
      3. 2.5.3 Software provisioning products
      4. 2.5.4 Web single sign-on
      5. 2.5.5 User repositories
      6. 2.5.6 Database servers
      7. 2.5.7 Reporting tools
      8. 2.5.8 Monitoring products
      9. 2.5.9 Third-party readers
      10. 2.5.10 Epic Electronic Health Records
    6. 2.6 Conclusion
  7. Chapter 3. Solution design and management
    1. 3.1 Business requirements
      1. 3.1.1 Increasing security
      2. 3.1.2 Reducing costs and improving productivity
      3. 3.1.3 Addressing compliance
    2. 3.2 Functional requirements
      1. 3.2.1 Comparing the various session management models
      2. 3.2.2 Operational security requirements
      3. 3.2.3 High-availability design
      4. 3.2.4 Multiple factor authentication
    3. 3.3 Deployment strategies
      1. 3.3.1 Plan for IMS Server scalability
      2. 3.3.2 Deployment time estimation
      3. 3.3.3 Initial deployment scenario
      4. 3.3.4 Managing expectations
      5. 3.3.5 Enabling single sign-on for applications
    4. 3.4 Log collection and audit reporting
      1. 3.4.1 Audit log collection
      2. 3.4.2 Audit reporting
    5. 3.5 Conclusion
  8. Part 2 Customer environment
  9. Chapter 4. Overview of scenario, requirements, and approach
    1. 4.1 Company overview
      1. 4.1.1 Current IT infrastructure
      2. 4.1.2 Security and usability issues within the current infrastructure
    2. 4.2 Business vision
    3. 4.3 Business requirements
      1. 4.3.1 IBM Security Framework mapping to business requirements
    4. 4.4 Functional requirements
      1. 4.4.1 IBM Security Blueprint mapping to functional requirements
    5. 4.5 Design approach
    6. 4.6 Implementation approach
    7. 4.7 Conclusion
  10. Chapter 5. Base installation and configuration
    1. 5.1 Design considerations
      1. 5.1.1 System requirements
      2. 5.1.2 Deployment architecture
    2. 5.2 Installing and configuring base components
      1. 5.2.1 Creating administrative users
      2. 5.2.2 Deploying the IMS Server Virtual Appliance
      3. 5.2.3 Starting the Virtual Appliance
      4. 5.2.4 Configuring the database server
      5. 5.2.5 Initial IMS Server configuration
      6. 5.2.6 Provisioning an IMS administrator and verifying the installation
      7. 5.2.7 Configuring user and machine policy templates
      8. 5.2.8 Deploying AccessAgent
      9. 5.2.9 Interacting with AccessAgent
      10. 5.2.10 Installing AccessStudio
    3. 5.3 Configuring AccessProfile
      1. 5.3.1 IBM Lotus Notes application
      2. 5.3.2 SAP application
    4. 5.4 Managing the deployed environment
      1. 5.4.1 Managing policies
      2. 5.4.2 Managing users
      3. 5.4.3 Logging
    5. 5.5 Conclusion
  11. Chapter 6. Password self-services implementation
    1. 6.1 Business requirements
    2. 6.2 Password self-service architecture
    3. 6.3 Implementing password self-service
      1. 6.3.1 Setting up the self-service questions
      2. 6.3.2 Enabling the password self-service function
      3. 6.3.3 User enrollment interview
      4. 6.3.4 Executing a password reset
    4. 6.4 Conclusion
  12. Chapter 7. Strong authentication using RFID
    1. 7.1 Configuring machine and user policy templates
      1. 7.1.1 Basic configuration by using the Setup assistant
      2. 7.1.2 Configuring the personal workstation and RFID
      3. 7.1.3 Configuring shared workstations, shared desktops, and RFID
      4. 7.1.4 Configuring details for the user policy template
    2. 7.2 Using RFID
  13. Chapter 8. Roaming desktop implementation
    1. 8.1 Cardio healthcare requirements
    2. 8.2 Overview of the roaming desktop features
      1. 8.2.1 Component architecture overview
      2. 8.2.2 Logging on manually to the VMware virtual desktop
    3. 8.3 Cardio healthcare implementation
      1. 8.3.1 Usage scenarios
    4. 8.4 Conclusion
  14. Chapter 9. Implementing operational requirements
    1. 9.1 Fixes
      1. 9.1.1 Finding fix levels
      2. 9.1.2 Obtaining fixes
      3. 9.1.3 Receiving fix notifications
    2. 9.2 Audit log maintenance
    3. 9.3 Database maintenance
    4. 9.4 Cached Wallet maintenance
    5. 9.5 Backup and restore procedures
      1. 9.5.1 WebSphere Application Server profile
      2. 9.5.2 IMS database
      3. 9.5.3 IMS Server configuration
    6. 9.6 Tivoli Common Reporting
    7. 9.7 Conclusion
  15. Part 3 Appendixes
  16. Appendix A. Renewing the Secure Sockets Layer certificate used by the IBM HTTP Server
    1. Procedure to renew a certificate
  17. Appendix B. Advanced profiling
    1. Background
    2. Document complete event and the Observer
    3. Signatures
    4. Auto-learn AccessProfile
    5. Handling basic authentication
    6. Frames and the web browser document object
    7. Differences between Firefox and Internet Explorer AccessProfiles
    8. Common issues
    9. Use case
    10. Conclusion
  18. Appendix C. Configuring strong authentication
    1. Configuring authentication to use smart cards
    2. Configuring authentication to use radio frequency identification cards
    3. Strong authentication by using biometrics
    4. Configuring authentication for Mobile ActiveCode as a one-time password
    5. Conclusion
  19. Related publications
    1. IBM Redbooks
    2. Other publications
    3. Online resources
    4. How to get Redbooks
    5. Help from IBM
  20. Back cover