Using Identity Virtualization and Integration to Enable Web Access Management
A CA SiteMinder and Virtual Directory Case Study
November 20, 2008
Agenda
• About CA
• Business Vision
• Issues and Business Drivers
• Project and Components
• Details
• Performance, Scalability, and High Availability
• Key Factors
• Results
• Architecture
• Solution Components
• Identity Virtualization and Integration
• The Problem
• What is Needed
• The Technical Details
• Inventory each source
• Build an identity hub
• Publish views
• Conclusion
• Recommendations
CA: At-a-Glance
Company Overview:
• 29 years successfully delivering software & services to optimize IT performance
• 30k+ customers; 1k+ where CA works with and/or supports an SAP landscape
• 5th largest independent software vendor
• 4.4bn LTM billings; 3.4bn LTM revenue
• 16bn market capitalization
• 700m annual R&D investment
• Global Business Transformation underway
Global Organization:
• Headquarters: Islandia, NY
• 150+ offices; 15k+ employees; 50% mobile
Technology:
• 27k+ PCs; 40k+ network devices
• 1300+ production servers
• Linux, UNIX, Windows
• 4 IBM mainframes, 20+ LPARs, 15k MIPS
• 1500+ voice/data circuits
• 150+ phone systems
• 300+ routers, 465+ switches
• 400 TB array storage
• Using bespoke & packaged applications
• Using outsourcing and SaaS solutions
Business Goals
• Efficiently roll in newly acquired companies
• Quickly provide additional services to the expanded customer base
• Expedite customer integration, reducing confusion and increasing satisfaction
• Repeatable framework allowing predictable timeframes and costs
Issues and Business Drivers
Issues:
• CA acquired several companies and needed to provide a seamless and integrated experience to our customers.
• Internal users use the integrated directory
• External users are stored in an external directory or in one of several databases
• Multiple support systems, varying platforms, no single architecture
Business Drivers:
• CA’s Support organization invested in a project to unify the CA customer support experience.
• Opportunity to establish a web authentication solution that could be extended to other applications at CA.
Project and Components
2005 Project Completed
• Seamless and integrated customer experience
• Customers no longer need to log in multiple times using different IDs and passwords
• Employees can access CA Support without an additional logon
• We now centrally track and administer entitlements
• Can change infrastructure without impacting users
Systems Integrated
• Existing CA (SupportConnect)
• Netegrity (Onyx)
• Niku (Vantive)
• Concord/Prisma (Remedy)
Details
Leverage existing investments:
• Active Directory
• CA Directory, formerly eTrust Directory (LDAP)
Platforms:
• Windows 2000/2003
• Solaris
• AIX
• SuSE
• Red Hat Enterprise
User Directories:
• SQL
• Oracle
• Sybase
Performance, Scalability and High Availability
Requirements:
• High usage and throughput: 100 million user project
• A scalable, highly available enterprise environment
• Cluster-to-cluster failover
• Policy Server to Policy Server failover
• Agent-to-Policy Server failover
• Traffic load balancing
Performance, Scalability and High Availability
Architecture: [diagram not reproduced]
Note: These values are based on the SiteMinder Hundred Million User (HMU) project, in which a series of tests were conducted to demonstrate the performance and scalability of SiteMinder in large-scale deployments.
Key Factors
Did this…
• …without having to make changes to existing systems
• …by abstracting what already existed
• …across multiple platforms and architectures
Outcomes:
• Saved hundreds of thousands of hours of work
• Streamlined applications
• Mitigated the risk associated with changing legacy apps
• Improved time to delivery
• Established a platform for growth
Solution Components
• Radiant Logic RadiantOne Virtual Directory: correlates and caches authentication and user information from all other user directories
• CA SiteMinder: access control and single sign-on across technical support applications
• Legacy Technical Support systems
• SAP Portal: unified front-end presentation layer
• Future opportunity to federate application directories
ssohelp.com
Identity Virtualization
“Virtualization is occurring at all layers across the IT "stack" — hardware, operating systems, applications, services, processes, presentation layer — even identities. At its core, virtualization is simply a layer of abstraction between a layer of consumers and an underlying layer of providers. However, this simple notion causes powerful shifts in the way that security must be managed and will accelerate the move to externalized identity services.”
• Neil MacDonald, Gartner Fellow, “Everything You Know About Identity Management Is Wrong”
Identity Integration
The Problem: No common identifier across technical support sites
[Diagram: the same user is known by three different identifiers, btaub@co.com, Williamt and 1470233, across Site 1, Site 2 and Site 3]
No Single Sign-On
[Diagram: Application 1, Application 2 and Application 3; the user holds ID btaub@co.com / Pwd 1234]
1. Authenticate to App 1
2. User granted access
3. User clicks link for App 3, presenting ID btaub@co.com
Unable to achieve SSO since App 3 expects ID “williamt”
What is Needed
Correlated view of a user (William Taub) across all applications:
• Application 1 knows the user as btaub@co.com (linked by Email)
• Application 2 knows the user as 1470233 (linked by Name + Company ID)
• Application 3 knows the user as williamt (linked by Email + Company Name)
Technical Requirements
• Create a mash-up of technical support sites across four systems and 300,000 identities
• Define a correlated identity for all users
• Make it easy and enticing for customers to help themselves
• Replace legacy security infrastructure
• Establish a platform for future expansion
Identity Integration
• Foundation for successful single sign-on (SSO)
• Unified view of users across systems
• Requires the ability to construct a correlated identifier (CID)
• Security framework leveraging the correlated identity store
• Leverage identity transformation to create reusable user metadata
Step 1: Correlated User
Correlated identity mapped to each application
[Diagram: CID btaub@co.com mapped to the application identities btaub@co.com, williamt and 1470233]
Step 2: Centralized Security
Single sign-on across technical support sites
1. User authenticates (CID: btaub@co.com)
2. Credentials validated against the correlated identity store
3. Application-specific identity (williamt or 1470233) passed to the acquired application
Step 3: Unified Portal
One view of technical support across systems
[Diagram: CID btaub@co.com linked to the application identities 1470233 and toddclay]
Inventory and Translate Each Source into a Common Model and Virtual Namespace
Create an Identity Hub
• Store in the hub only the core identity required by the correlation process and the global ID that uniquely references the matching identities
• Retrieve the rest of the attributes on the fly by keeping reference pointers to the underlying identities
• Benefits of this approach:
• Less information to synchronize
• The central repository does not grow exponentially as more data sources are integrated
• Selective approach to which attributes to store, helping with data ownership issues and sizing considerations
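The three steps above (correlate users, validate credentials against the correlated store, hand the application-specific identity to each acquired system) and the identity-hub design (store only the CID, the core correlation attributes and pointers; fetch everything else on the fly) are shown together in the following added example. It is illustrative code written for this page, not CA's, Radiant Logic's or SiteMinder's implementation. The three source dictionaries are constructed sample data modelled on the deck's user (the e-mail, login and company ID are the slide's values; the other attribute names, the second and third users, and the rule that App 1 holds the credential are assumptions). The correlation rules follow the "What is Needed" slide: match on e-mail where a source has one, otherwise on name + company; the CID is the e-mail when known.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000

# Constructed sample sources (not real CA systems). Each keeps its own native
# key, as on the slides: App 1 is keyed by e-mail, App 2 by a company ID,
# App 3 by a login name. Only App 1 holds a credential (assumption).
_SALT = os.urandom(16)
_HASH_1234 = hashlib.pbkdf2_hmac("sha256", b"1234", _SALT, PBKDF2_ROUNDS)
APP1_USERS = {
    "btaub@co.com": {"email": "btaub@co.com", "name": "William Taub",
                     "company": "CO", "salt": _SALT, "pwd_hash": _HASH_1234},
    "jdoe@other.com": {"email": "jdoe@other.com", "name": "Jane Doe",
                       "company": "Other", "salt": _SALT, "pwd_hash": _HASH_1234},
}
APP2_USERS = {
    "1470233": {"full_name": "William Taub", "org": "CO", "tier": "gold"},
    "1470999": {"full_name": "Jane Doe", "org": "Other", "tier": "silver"},
}
APP3_USERS = {
    "williamt": {"login": "williamt", "mail": "BTaub@co.com", "role": "admin"},
    "toddclay": {"login": "toddclay", "mail": "tclay@co.com", "role": "user"},
}
SOURCES = {"app1": APP1_USERS, "app2": APP2_USERS, "app3": APP3_USERS}


def to_common(source, rec):
    """Inventory step: translate one native record into the common model.
    Only the attributes the correlation rules need are extracted."""
    if source == "app1":
        return {"email": rec["email"], "name": rec["name"], "company": rec["company"]}
    if source == "app2":
        return {"email": None, "name": rec["full_name"], "company": rec["org"]}
    if source == "app3":
        return {"email": rec["mail"], "name": None, "company": None}
    raise KeyError(source)


def build_hub(sources=SOURCES):
    """Build the identity hub: per user it stores only the CID, the core
    attributes used for correlation, and pointers to the native records."""
    hub, by_email, by_name_company = {}, {}, {}
    # App 1 first, as the source carrying the most correlation attributes.
    for source in ("app1", "app3", "app2"):
        for key, rec in sources[source].items():
            c = to_common(source, rec)
            email = c["email"].lower() if c["email"] else None
            nc = ((c["name"].casefold(), c["company"].casefold())
                  if c["name"] and c["company"] else None)
            cid = by_email.get(email) if email else None
            if cid is None and nc:
                cid = by_name_company.get(nc)
            if cid is None:
                # New correlated identity. The CID is the e-mail where known,
                # otherwise a source-qualified key (demo assumption).
                cid = email or f"{source}:{key}"
                hub[cid] = {"cid": cid, "email": email, "name": c["name"],
                            "company": c["company"], "pointers": {}}
            entry = hub[cid]
            entry["pointers"][source] = key  # reference pointer, not a copy
            for attr, val in (("email", email), ("name", c["name"]), ("company", c["company"])):
                if entry[attr] is None and val:
                    entry[attr] = val
            if email:
                by_email[email] = cid
            if nc:
                by_name_company[nc] = cid
    return hub


def publish_view(hub, cid, sources=SOURCES):
    """Publish step: resolve the full profile on the fly by following the
    pointers; attributes are read from the owning source, never replicated."""
    view = {"cid": cid}
    for source, key in hub[cid]["pointers"].items():
        for attr, val in sources[source][key].items():
            if attr in ("salt", "pwd_hash"):
                continue  # credential material never leaves its source
            view[f"{source}.{attr}"] = val
    return view


def authenticate(hub, cid, password, sources=SOURCES):
    """Step 2: validate credentials against the correlated identity store.
    The hub locates the authoritative credential (App 1 here) via its pointer."""
    entry = hub.get(cid)
    if entry is None or "app1" not in entry["pointers"]:
        return False
    rec = sources["app1"][entry["pointers"]["app1"]]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["pwd_hash"])


def app_identity(hub, cid, app):
    """Step 3: the application-specific identity handed to the acquired app."""
    return hub[cid]["pointers"].get(app)


if __name__ == "__main__":
    hub = build_hub()
    if authenticate(hub, "btaub@co.com", "1234"):
        print("App 3 identity:", app_identity(hub, "btaub@co.com", "app3"))
        print(publish_view(hub, "btaub@co.com"))
```

A user who exists in only one source (toddclay in App 3) still gets a hub entry, but with a single pointer and no credential, so authentication against the hub fails for that CID rather than falling back to a weaker source; that is the case a deployment has to decide on explicitly before the correlated store becomes the authentication authority.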
Conclusion
• Technical support systems available through a common login and single sign-on
• Unified entitlements and system access for customers owning multiple products
• Ability to access content regardless of system, improving self-service
• Reduced costs and increased security
Recommendations
• Start with an “identity centric” core designed to scale
• Leverage and abstract existing systems
• Externalize user correlation logic to maximize configuration versus development
• Incrementally layer services to systematically build out capabilities