3.2 TAM Entreprise Single Sign On.ppt [Read-Only]

Page 1

Charles Hoffman

TAM Enterprise Single Sign-on

August 3 - 4, 2006

Tivoli Now!

Page 2

IBM Software Group | Tivoli software

Password Management Problems

Time & Money
• User frustration and complaints due to password and security complexity
• Employees locked out, interrupting work and revenue-producing activity
• High password-related user support costs

Security
• Weakened security due to poor password selection and management
• Difficulty in securing critical applications
• Difficulty of integrating advanced authentication for applications

Regulatory
• Need to prevent public access to private data (HIPAA, GLBA) and track and report on all access (SOX)

Page 3

IBM Tivoli Access Manager Enterprise Single Sign-On

Capabilities

• Logon and password change support for almost any Windows, Web, Java and Host-based application
• Single secure strong authentication for initial authentication, re-authentication and forced authentication
• Automatic password generation and policy support
• Tightly integrates with Tivoli Identity Manager to provision and remove credentials
• Signs on to Tivoli Access Manager to enable fine-grained authorization and entitlements to web applications

Business Value

• Simplify the end user experience by eliminating the need to remember and manage usernames and passwords
• Enhance security by eliminating poor end user password behavior
• Reduce help desk costs by lowering the number of password reset calls
• Extend audit and reporting capabilities to include user sign-on data

“We were looking for the ability to provide single or reduced sign-on across the enterprise from our identity management project, we chose Passlogix and IBM for our implementation.”

— Debbie Posey, Project Manager, Baker Hughes

Page 4

The Tivoli Enterprise Single Sign-on Suite

IBM Tivoli Access Manager for ESSO - our enterprise single sign-on solution, which serves as the base for the components below

Additional ESSO Components

• Desktop Password Reset Adapter - component that allows users to reset their Windows password from a locked workstation
• Authentication Adapter - component that allows flexible authentication for the base ESSO product using tokens, smart cards, biometrics and passwords
• Provisioning Adapter - module that allows provisioning systems to directly distribute user credentials (usernames and passwords) to TAM for ESSO
• Kiosk Adapter - component that terminates inactive sessions and applications in kiosks and shared workstations; essential for hospitals and similar environments

Page 5

Tivoli Access Mgr for Enterprise Single Sign-on

Page 6

Tivoli Access Mgr for Enterprise Single Sign-on

Simplify the end user experience by eliminating the need to remember and manage usernames and passwords

Logon and password change support for almost all Windows, Web, Java and Host-based applications

Enhance security by eliminating poor end user password behavior

Reduce help desk costs by lowering the number of password reset calls

Deployed without requiring modification to target systems, platforms or applications

Advance identity management, compliance and authentication initiatives

Page 7

IBM Tivoli Access Manager for ESSO Architecture

[Architecture diagram, TAM for Enterprise Single Sign-on: the User at the User's Desktop, the ESSO Console, and a Directory, Domain or Database store. User Auth options shown: Biometrics, Token/Smart card, PKI, Password. Application Sign-On targets shown: Windows, Custom Apps, Healthcare Apps, Mainframes (OS390, AS400), Java Apps.]

Page 8

TAMeb and TAM-ESSO Working Together

TAMeb (scope: internet, extranet, intranet): SSO and strong authentication to back-end Web applications protected behind WebSEAL

TAM-ESSO (scope: intranet): SSO and strong authentication to desktop-based applications (including TAMeb) via desktop / kiosk

So, you get SSO from desktop to TAMeb to back-end Web apps

TAMeb and TAM-ESSO share the same directory: the same user is defined one time to TAMeb and TAM-ESSO

[Deployment diagram with these elements: External User and Extranet User on the Internet; Internet (External) Firewall; Load Balancer; TAMeb Proxies; Enterprise (Internal) Firewall; Web Servers; TAM Policy Server; LDAP; Internal Users on the Trusted Network with TAM-ESSO enabled desktops; Load Balancer; TAMeb proxies and/or plug-ins.]

Page 9

TAM for ESSO: Adapters

Page 10

Desktop Password Reset

Customers that deploy ESSO either:
• Rely on the Windows password as the primary form of authentication
• Keep the Windows password as a backup when some form of strong authentication fails

What if a user forgets his/her Windows password? There are many scenarios that must be addressed:
• First login after a long vacation
• Changed password on Friday, first logon on Monday
• Smart card lost on a trip or left at home
• Biometric access from a remote workstation without a biometric reader

The Windows password is often the first password a user may need to reset.

Page 11

Desktop Password Reset Adapter

In-the-Flow: integrated where the Windows password is needed most and often forgotten
• Increases likelihood of access and use

Web Browser: providing access on kiosks or from other machines when needed
• Can be integrated with other Web self-serve mechanisms such as TAM

Resets the Windows/domain password only
– Does NOT require access to a separate logged-on computer

Page 12

Authentication Adapter

• Adds 3 capabilities to ESSO

– Can use strong authenticators for initial authentication, re-authentication and forced authentication

– “multi-authentication”: End-user can mix and match multiple authenticators on-the-fly

– “graded authentication”: Administrator can restrict access to particular applications based upon the authenticator used
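The three capabilities above (strong authenticators with re-authentication and forced authentication, multi-authentication, graded authentication) can be expressed as one small policy check. The following is an added illustration, not IBM's or Passlogix's code; the authenticator grades, application names, minimum grades and timing windows are constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample grades: a higher number is a stronger authenticator.
AUTHENTICATOR_GRADE = {"password": 1, "token": 2, "smart_card": 3, "biometric": 3}

# Constructed sample policy: the minimum authenticator grade an administrator
# allows for each application (graded authentication) and whether the
# application insists on a fresh authentication at every sign-on (forced
# authentication). Application names are illustrative only.
APP_POLICY = {
    "email":      {"min_grade": 1, "force_reauth": False},
    "hr_portal":  {"min_grade": 2, "force_reauth": False},
    "patient_db": {"min_grade": 3, "force_reauth": True},
}

REAUTH_AFTER_SECONDS = 900   # assumed re-authentication interval
FORCED_WINDOW_SECONDS = 30   # assumed "fresh enough" window for forced authentication


@dataclass
class Session:
    user: str
    # Multi-authentication: every authenticator the user has presented in this
    # session, keyed by method, with the time it was last used.
    authenticators: dict = field(default_factory=dict)

    def authenticate(self, method: str, now: float) -> None:
        """Record a successful authentication with the given method."""
        if method not in AUTHENTICATOR_GRADE:
            raise ValueError(f"unknown authenticator: {method}")
        self.authenticators[method] = now

    def effective_grade(self, now: float, max_age: float) -> int:
        """Highest grade among authenticators used within the last max_age seconds."""
        valid = [AUTHENTICATOR_GRADE[m] for m, t in self.authenticators.items()
                 if now - t <= max_age]
        return max(valid, default=0)


def check_sign_on(session: Session, app: str, now: float) -> tuple[bool, str]:
    """Decide whether the session may be signed on to app, and why."""
    policy = APP_POLICY[app]
    max_age = FORCED_WINDOW_SECONDS if policy["force_reauth"] else REAUTH_AFTER_SECONDS
    grade = session.effective_grade(now, max_age)
    if grade == 0:
        return False, "re-authentication required"
    if grade < policy["min_grade"]:
        return False, f"{app} requires grade {policy['min_grade']}, session grade is {grade}"
    return True, "ok"


if __name__ == "__main__":
    s = Session("alice")
    s.authenticate("password", 0)
    print(check_sign_on(s, "hr_portal", 10))   # password alone is too weak for hr_portal
    s.authenticate("smart_card", 20)           # added on the fly (multi-authentication)
    print(check_sign_on(s, "patient_db", 25))  # fresh smart card satisfies forced auth
    print(check_sign_on(s, "patient_db", 100)) # too old for the forced window
```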

Page 13

Provisioning Adapter

Goal: User never knows or touches a password

An administrator can inject a user’s credentials directly into TAM for ESSO

Application password reset is automatically sync’ed to TAM for ESSO

Whenever access to an application is terminated, credentials in TAM for ESSO automatically removed

When a user leaves the company, all credentials automatically deleted

Page 14

Provisioning Adapter

[Diagram: IBM Tivoli Identity Manager (bi-directional creation and management of identities) and TAM for ESSO (Single Sign On) connected to Windows, Directory, SAP, Database, Mainframe and Custom targets.]

TIM & TAM E-SSO Working Together

• Creation/mgmt of ESSO account
• Population of ESSO datastore with account credentials
• Password changes in TIM are picked up in ESSO datastore

Page 15

Kiosk Adapter

• Track user identity by user login/logout
• Fast login and fast user switching
• Enables TAM for ESSO to know which user’s credentials to use

TAM for ESSO automates password management

Kiosk Adapter auto-suspends and auto-terminates inactive sessions

Kiosk Adapter automatically closes open applications (keystroke sequence, closure request, process kill)

Page 16

The Tivoli Enterprise Single Sign-on Suite

[Suite diagram: TAM for ESSO Core with the TAM for ESSO Console, TAM for ESSO Desktop PW Reset Adapter, TAM for ESSO Provisioning Adapter (linked to Tivoli Identity Manager), TAM for ESSO Authentication Adapter and TAM for ESSO Kiosk Adapter, backed by a Directory/DB. User Auth at the User’s Desktop: SecurID, Password, PKI, Biometrics, Token/smart card. Application Sign-On targets: TAMeb, Windows, Web sites, Mainframes, with SignOn and SignOff.]

Page 17

Tivoli Enterprise Single Sign-On Platform

Provides proven enterprise single sign-on functionality

Supports all strong authenticators

Integrated with market leading user provisioning systems

Runs on desktops and kiosks

Provides complete API sets to all integration points

Page 18

Sample of supported applications…

Enterprise Applications: SAP GUI, SAP, MY SAP, Siebel Sales, Lotus Notes, Microsoft Outlook, Novell GroupWise, PeopleSoft, Lawson, Baan, JD Edwards, Oracle Financials, SAS, Salesforce, GoldMine

Windows and Client Applications: Act, Microsoft Office, Adobe Acrobat Reader, FrontRange, Goldmine, Interact!, PKZip, Microsoft SQL, Novell GroupWise, Oracle, Siebel Sales, and many more

Healthcare Applications: McKesson, Meditech, Cerner, Siemens, IDX, Epik, GE and many other off-the-shelf and customized clinical applications

Extranet Access Management Applications: Tivoli Access Manager, CA Netegrity SiteMinder, Entrust GetAccess, Oracle Oblix NetPoint, RSA ClearTrust

Host/Terminal Emulators: Attachmate Extra!, G&R Glink, Hummingbird HostExplorer, IBM Personal Communications, IBM Host On-Demand, NetManage (WallData) Rumba, ScanPak (Eicon) Aviva, WRQ Reflection, Zephyr Passport, and many more

Page 19

Deployed by Leading Customers

Financial: Prudential Insurance, Midwest brokerage firm, Fortune 100 bank

Government: USPS, FAA, NASA, DOD…

Healthcare: Baptist Health, Clarian Health, Blue Cross

Telecom/Tech: Southwestern Telco, Security Software firm, Czech Telecom …

Energy: Chevron, Hydro Quebec, Virginia-based power company

Other: Large toy manufacturer, Railway company, National Television station, Large Food Services company

Notable customer highlights
• Largest ESSO deployment in the world – United States Postal Service, which has >165,000 users accessing 7,000 applications
• Disconnected Prudential insurance brokers accessing more than 40 applications from laptops
• Chevron Texaco, which is deploying to more than 60,000 users with a smart card for user authentication

Page 20

Problem:
• Number one identified problem by USPS employees: too many passwords
• Very large scale environment: over 165,000 users
• Thousands of known applications, many beyond central IT reach
• Very limited IT staff to implement and maintain
• CTO wanted a solution that could be fully deployed in less than a year

Solution:
• Evaluated 7 different SSO vendors -- selected Passlogix
• 147,000 users deployed in less than 8 months
• Over 7,000 applications enabled
• Helpdesk password calls dropped from >1,000 per day to an average of 10 per day
• Saved over $4 million per year

“Passlogix was instrumental in helping the USPS solve its most critical end user problem – forgotten passwords – and solve it quickly.”

— Bob Otto, CTO

Page 21

Baptist Health

Problem:
• 5,000 medical professionals, including 2,200 community physicians
• Need to provide access to all critical medical applications from inside and outside the hospital
• Replace paper-based medical records with a fully computerized physician order entry system
• Opportunities for improving patient safety and physician referral to the hospital
• HIPAA authentication requirements

Solution:
• Implemented ESSO to sign on to all medical applications
• 2,200 physicians rolled out … planning balance of personnel and another Baptist facility

“v-GO SSO delivers a simple, fast experience for our medical staff ensuring adoption of our portal and improving patient safety and care.”

— Roland Garcia, CIO

Page 22

Tivoli Enterprise Single Sign-on Highlights

• Logon and password change support for almost all Windows, Web, Java and Host-based applications
• Single secure primary authentication based on Windows logon, smart card, biometric, proximity badge, PKI, etc.
• Automatic password generation and password policy support
• Supports all user work modes - connected, disconnected, multi-machine and kiosk
• Leverages any enterprise directory or database as a central repository
• Tightly integrates with Tivoli Identity Manager to provision and remove credentials
• Supports Tivoli Access Manager to provide fine-grained authorization and entitlements to web applications shared by internet/extranet users

Quick Value, Flexible, and Open

Page 23

Product Demonstration

Page 24

Question and Answer

Thank You

Page 25

Disclaimers and Trademarks

No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.

Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.

IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.

The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Linux is a trademark of Linus Torvalds in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.

IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.