Tackle the Data, not the Application
How does Identiprise achieve its Span, Speed, and Scale?
Simply put, SecuredUser uses an "in-line" topology in which the SecuredUser elements sit between the user, the application, and the directory stores. Identiprise performs all of its work by transparently intercepting and transforming the data stream between these entities. Consequently, once deployed, neither the user nor the applications know that SecuredUser is acting as an intermediary and governor of identity and access events between them.
Thanks to this unique architectural approach, Identiprise achieves a level of deployment transparency that makes it the most effective solution for inserting identity, access, and audit management infrastructure within a complex IT environment.
Architectural Components
SecuredUser consists of a number of elements, generally grouped into two types: server and agent.
Server Elements
The SecuredUser Policy Server is the heart of the solution. It can be deployed in a variety of topologies to ensure optimum enterprise scalability and support for a broad range of IT platforms. The Policy Server drives a common architectural construct for all of SecuredUser's identity life cycle management services.
The Policy Server is a robust, highly scalable authentication and authorization engine. It is used to:
- Define and manage permissions and policies for individuals, groups, and applications.
- Implement rule- and role-based memberships, dynamic entitlements, security policies such as password composition, and policy objects that define account, password, and session characteristics.
- Configure identity-centric strong authentication. In contrast to typical solutions that make strong authentication a global setting per application, SecuredUser can define, on a per-user basis, the strong authentication method to be used for any or all applications which that user accesses.
The Virtual Directory is a fully compliant LDAP server, supporting full replication, chaining, and multi-mastering. In a SecuredUser implementation, it acts as a directory aggregation mechanism, enabling SecuredUser to be deployed over a wide range of directory and database repositories, without requiring schema changes to or consolidation of existing directory and ODBC-based database repositories.
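As an added illustration of the aggregation described above (not SecuredUser code, which this page does not show), the Python below presents a single LDAP-style view over two constructed back ends: a dictionary standing in for an existing LDAP directory and an in-memory SQLite database standing in for an ODBC-reachable HR system. The suffix, attribute names, column names and sample entries are all assumptions made for the example. The point it demonstrates is that query routing and attribute renaming happen in the virtual layer, so neither store's schema changes and a user known to only one store is still returned.

```python
from __future__ import annotations

import re
import sqlite3

# Constructed stand-in for an existing LDAP directory: DN -> attributes.
# Carol is deliberately absent here; she exists only in the HR database.
LDAP_STORE = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "cn": "Alice Adams", "mail": "alice@example.com"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "cn": "Bob Brown", "mail": "bob@example.com"},
}


def build_hr_db() -> sqlite3.Connection:
    """Constructed stand-in for an ODBC-reachable HR database with its own column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (login TEXT PRIMARY KEY, dept TEXT, badge TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [("alice", "engineering", "E-1042"), ("carol", "finance", "E-2210")])
    return conn


class VirtualDirectory:
    """One LDAP-style view over both repositories. The mapping lives here;
    neither back end changes its schema."""

    SUFFIX = "ou=people,dc=example,dc=com"  # assumed naming context
    # virtual attribute -> (owning store, native attribute or column name)
    ATTRIBUTE_MAP = {
        "cn": ("ldap", "cn"),
        "mail": ("ldap", "mail"),
        "departmentNumber": ("hr", "dept"),
        "employeeNumber": ("hr", "badge"),
    }

    def __init__(self, ldap_store: dict, hr_conn: sqlite3.Connection) -> None:
        self.ldap = ldap_store
        self.hr = hr_conn

    def search(self, ldap_filter: str) -> list[dict]:
        """Accept one LDAP equality filter, e.g. '(uid=alice)' or
        '(departmentNumber=finance)', route it to the store that owns the
        attribute, then assemble each hit from both stores."""
        m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
        if not m:
            raise ValueError(f"unsupported filter: {ldap_filter!r}")
        attr, value = m.groups()
        if attr == "uid":
            # uid is the join key and may come from either store.
            uids = {e["uid"] for e in self.ldap.values()}
            uids |= {row[0] for row in self.hr.execute("SELECT login FROM employees")}
            uids = {u for u in uids if u == value}
        else:
            source, native = self.ATTRIBUTE_MAP[attr]  # KeyError for unknown attributes
            if source == "ldap":
                uids = {e["uid"] for e in self.ldap.values() if e.get(native) == value}
            else:
                # 'native' comes from the fixed map above, never from the caller;
                # the caller-supplied value is always bound as a parameter.
                uids = {row[0] for row in self.hr.execute(
                    f"SELECT login FROM employees WHERE {native} = ?", (value,))}
        return [self._entry(uid) for uid in sorted(uids)]

    def _entry(self, uid: str) -> dict:
        """Join the two stores into one entry, renaming attributes on the way out."""
        dn = f"uid={uid},{self.SUFFIX}"
        ldap_attrs = self.ldap.get(dn, {})
        row = self.hr.execute("SELECT dept, badge FROM employees WHERE login = ?", (uid,)).fetchone()
        hr_attrs = dict(zip(("dept", "badge"), row)) if row else {}
        entry = {"dn": dn, "uid": uid}
        for attr, (source, native) in self.ATTRIBUTE_MAP.items():
            native_attrs = ldap_attrs if source == "ldap" else hr_attrs
            if native in native_attrs:
                entry[attr] = native_attrs[native]
        return entry


if __name__ == "__main__":
    vd = VirtualDirectory(LDAP_STORE, build_hr_db())
    for f in ("(uid=alice)", "(departmentNumber=finance)", "(mail=bob@example.com)"):
        print(f, "->", vd.search(f))
```

A filter on an HR-owned attribute is answered by the HR store alone and then enriched from LDAP; a filter on an LDAP-owned attribute goes the other way. Adding a third repository means adding rows to the map, not columns to either existing store.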
Protocol Support Modules (PSMs) are used in cases where the native capabilities of the target application are not sufficient for such things as fine-grained access control, specific logging requirements, or other security functions (e.g. support for tokens). PSMs may be used to introduce such functionality without requiring any code changes to the existing application.
PSMs are dynamically loaded, finite state machines that describe a protocol's syntax and semantics. With this knowledge of the application protocol, SecuredUser is able to attach new security or logging operations to the individual protocol, at run-time and in real time.
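The following Python is added here as an illustration and is not taken from SecuredUser. It shows the two ideas in the preceding paragraphs together: an in-line intermediary that understands a protocol as a finite state machine, and a per-user strong-authentication policy enforced at the authentication event without the application being aware of it. The USER/PASS/OTP line protocol, the account table, the policy table and the one-time code are all constructed for the example; a real deployment would obtain policy from the Policy Server and verify the token against a token service.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum, auto

# Constructed stand-in for an existing application that only understands a
# USER/PASS login exchange (hypothetical protocol, not a SecuredUser format).
APP_ACCOUNTS = {"alice": "s3cret", "bob": "hunter2"}


class ToyApplication:
    """Back-end application. It is never modified and never sees the OTP step."""

    def __init__(self) -> None:
        self.user = ""

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        if verb == "USER":
            self.user = arg
            return "+OK send PASS"
        if verb == "PASS":
            if self.user and APP_ACCOUNTS.get(self.user) == arg:
                return "+OK authenticated"
            return "-ERR bad credentials"
        return "-ERR unknown command"


# Constructed per-user policy standing in for what a policy server would
# supply: bob must present a one-time code before his password is forwarded.
POLICY = {"alice": {"strong_auth": None}, "bob": {"strong_auth": "otp"}}
VALID_OTPS = {"bob": "246810"}  # constructed; a real token server would verify this


class State(Enum):
    EXPECT_USER = auto()
    EXPECT_OTP = auto()
    EXPECT_PASS = auto()
    DONE = auto()


@dataclass
class ProtocolSupportModule:
    """Finite state machine for the toy protocol, sitting in line between client
    and application. Each transition is a point where policy or logging can be
    attached without touching either end."""

    app: ToyApplication
    state: State = State.EXPECT_USER
    user: str = ""
    audit: list[str] = field(default_factory=list)

    def on_client_line(self, line: str) -> str:
        """Consume one client line and return the reply the client sees."""
        verb, _, arg = line.partition(" ")

        if self.state is State.EXPECT_USER:
            if verb != "USER":
                return self._reject("protocol violation: expected USER")
            self.user = arg
            reply = self.app.handle(line)  # forwarded unchanged
            if POLICY.get(arg, {}).get("strong_auth") == "otp":
                # Policy hook: inject a step the application does not know about.
                self.audit.append(f"user={arg} strong_auth=required")
                self.state = State.EXPECT_OTP
                return "+OK send OTP"
            self.state = State.EXPECT_PASS
            return reply

        if self.state is State.EXPECT_OTP:
            if verb != "OTP" or VALID_OTPS.get(self.user) != arg:
                return self._reject(f"user={self.user} strong_auth=failed")
            self.audit.append(f"user={self.user} strong_auth=ok")
            self.state = State.EXPECT_PASS
            return "+OK send PASS"

        if self.state is State.EXPECT_PASS:
            if verb != "PASS":
                return self._reject("protocol violation: expected PASS")
            reply = self.app.handle(line)  # the password only reaches the app here
            # Logging hook: record the outcome the application reported.
            outcome = "success" if reply.startswith("+OK") else "failure"
            self.audit.append(f"user={self.user} login={outcome}")
            self.state = State.DONE
            return reply

        return "-ERR session closed"

    def _reject(self, reason: str) -> str:
        self.audit.append(reason)
        self.state = State.DONE
        return "-ERR access denied"


def run_session(client_lines: list[str]) -> tuple[list[str], list[str]]:
    """Drive one client session through the interceptor; return replies and audit trail."""
    psm = ProtocolSupportModule(app=ToyApplication())
    replies = [psm.on_client_line(line) for line in client_lines]
    return replies, psm.audit


if __name__ == "__main__":
    for session in (["USER alice", "PASS s3cret"],
                    ["USER bob", "PASS hunter2"],
                    ["USER bob", "OTP 246810", "PASS hunter2"]):
        print(session, "->", run_session(session))
```

Because the interceptor owns the state machine, bob's password never reaches the application until the extra factor has been satisfied, and a client that skips the step or sends commands out of order is refused with an audit record, while alice, whose policy requires no extra factor, sees the application's own replies untouched.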
The Certificate Server provides the ability to generate public key certificates and to manage the authentication process across applications whether they have been certificate enabled or not.
SecuredUser simplifies user application registration by combining dynamic user registration with authentication management. The sophisticated registration engine is configured to authenticate the user and to validate access to applications. This, coupled with the ability to provide for password reset functions, removes the requirement for administrator involvement.
SecuredUser comes with a customizable Web interface that allows you to delegate administration rights to the managers already responsible for granting access to applications in your organization, including those in partner organizations such as suppliers.
The Identiprise Web Service contains three Web Services designed to let you extend SecuredUser to applications governed by your trusted partners. You can do this by developing Web Services based on SOAP and the Security Assertion Markup Language (SAML).
SecuredUser provides an account provisioning/de-provisioning facility complemented by a workflow engine. The SecuredUser workflow provides for approval and acceptance of requests for application access rights. The administrative controls will also seamlessly interface to third party provisioning tools.
Agents
SecuredUser offers a number of agents that enable the automation of application sign-on and credential expiration/refresh, as well as tight integration with existing authentication technologies.
The SecuredUser SmartClient is an agent that is installed on the user's Windows 2000 or XP desktop. Its function is to provide highly secure connection interception, and automate application sign-on and password reset. It is used when users need access to client-server and legacy applications, or a combination of client-server, legacy, and Web-based applications.
Additionally, the SmartClient can enforce strong authentication, such as RSA SecurID or fingerprint biometrics, on a per-application basis, independent of the application's ability to process such authentication.
The SecuredUser Smart Plug-in is an agent installed on a Web server or proxy. Its primary function is to automate application sign-on and password reset for Web-based applications.
SecuredUser includes a Microsoft Windows GINA module and a Unix PAM module which, when installed on the user's Windows desktop or Unix host, integrate SecuredUser with the operating system sign-on.