iPlanet Directory Server Access Management Edition Installation and Configuration Guide



Chapter 1   Introducing iPlanet Directory Server Access Management Edition


iPlanet Directory Server Access Management Edition (DSAME) is an enterprise infrastructure solution. It's the key to all your business relationships, all your services, all your data, and who has access to what. DSAME enables you to get your customers, your employees, your partners and suppliers into one online directory. It also provides a means for establishing policies and permissions regarding who has access to which information in your enterprise. DSAME is designed to meet the challenges of rapidly expanding extranets or hosting services. This chapter provides an introduction to the DSAME solution.

Topics in this chapter include:

  • iPlanet Products Form the DSAME Solution

  • Key Features and Benefits

iPlanet Products Form the DSAME Solution

DSAME is an enterprise infrastructure solution composed of iPlanet servers, services, and agents. It extends the basic functionality of iPlanet Directory Server. DSAME consolidates user data, services data, and access policies so that all of these can be managed efficiently under one console. You can use DSAME to define and enforce role-based policies that control access to web resources in your enterprise. These DSAME roles and policies also provide the means for delegating user account management to administrators as well as non-administrators. The DSAME pluggable architecture makes it relatively easy to add new services and to customize their configuration for users and policies.

When you purchase DSAME, you receive a full complement of iPlanet servers and services which together form the DSAME solution. The product CD includes the following:

  • iPlanet Directory Server 5.1

  • DSAME Management Service

  • DSAME Policy Service

  • DSAME schema

  • Cross-Domain Single Sign-On component (CDSSO)

Web agents that work with DSAME are available as separate components. For more information about DSAME web agents, see "URL Policy Agent".


Directory Server

iPlanet Directory Server is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). In a DSAME deployment, Directory Server is the central repository for user data, services data, and access policies. This allows a variety of servers and applications to share a consistent set of data.


Policy Service

The Policy service is made up of four smaller, specialized services: Authentication, Single Sign-On, Logging, and Session. Together, these services provide the means for enforcing access rules. Access rules combine to form the policies that allow or deny a user access to an application.


Authentication

The Authentication service verifies the identities of users trying to access applications. Authentication is implemented through a number of pluggable modules that validate a user's credentials at login.


Single Sign-On

The Single Sign-On (SSO) service uses tokens for storing and transporting user information between applications. This makes it possible for users to log in to the enterprise once, and access multiple web-based applications without having to re-authenticate for each application. The service provides Java APIs for validating SSO tokens and agents for enforcing access rules and policies that are set on specific pages stored on the server.


Logging

The Logging service writes log information to log files or to a log database. The log data is used by Authentication modules and by the DSAME administration console.


Session

The Session service maintains user session information and validity periods. The session information is used to validate Single Sign-On tokens.

Figure 1-1    DSAME Architecture.



Management Service

The Management service is made up of three smaller services: Policy Management, Identity Management, and Service Management. These three services are consolidated in the DSAME administration console, providing a single point for enterprise management. When you use Management service to make changes, the changes are automatically made in Directory Server.


Policy Management

The Policy Management service provides a means for creating, modifying, and deleting access rules and policies for organizations and sub-organizations.


Identity Management

The Identity Management service is also referred to as User Management service. It provides the means for creating and managing users, roles, groups, people containers, organizations, organization units, and sub-organizations.


Service Management

The Service Management service provides the means for registering and de-registering services, and for managing service attributes assigned to objects in the directory.


Cross-Domain Single Sign-On

The Cross-Domain Single Sign-On feature makes it possible for users to authenticate once in one DNS domain in your enterprise and then access DSAME services running in other domains. This feature is implemented through the use of a controller plus any number of Cross-Domain Single Sign-On (CDSSO) components that you install in the participating domains.


Cross-Domain Controller

The Cross-Domain Controller (CDC) component is installed automatically when you install DSAME Services. The controller is responsible for directing authentication requests appropriately. If a request contains no Single Sign-On (SSO) information, the controller directs the request to the Authentication service. If a request contains SSO information, the request is directed to the appropriate CDSSO component with the SSO information appended to the query string.


Cross-Domain Single Sign-On Component

The Cross-Domain Single Sign-On (CDSSO) component is primarily responsible for handling cookie-setting for the domain in which cross-domain single sign-on is deployed. The CDSSO component is installed separately on all participating DNS domains.
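The following Python model of the Session, Single Sign-On, and cross-domain interactions described above is an added example written for this guide; it is not DSAME code. The class names, the `sso` cookie name, the `SSOToken` and `goto` query parameters, and the URLs are this example's own assumptions. It shows the Session service issuing an opaque token with a validity period, the controller routing a request either to the Authentication service or to the CDSSO component depending on whether that token still validates, and the CDSSO component setting the cookie for its own domain only after re-validating the token it was handed.

```python
"""Constructed model of session-backed SSO with a cross-domain controller.

Added example, not DSAME code: every name and URL below is an assumption
made for illustration.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Session:
    principal: str
    expires_at: float          # absolute time; the validity period the Session service tracks


class SessionService:
    """Issues opaque SSO tokens and answers validity queries about them."""

    def __init__(self, lifetime_seconds: float, clock: Callable[[], float] = time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock                      # injectable so expiry can be exercised offline
        self._sessions: Dict[str, Session] = {}

    def create(self, principal: str) -> str:
        token = secrets.token_urlsafe(32)       # random handle; user data stays server-side
        self._sessions[token] = Session(principal, self.clock() + self.lifetime)
        return token

    def validate(self, token: Optional[str]) -> Optional[str]:
        """Principal of a live session, or None for an unknown or expired token."""
        session = self._sessions.get(token) if token else None
        if session is None:
            return None
        if self.clock() >= session.expires_at:
            del self._sessions[token]           # expired sessions are discarded, never revived
            return None
        return session.principal


@dataclass
class Response:
    status: int
    location: Optional[str] = None              # redirect target
    cookie: Optional[dict] = None               # Set-Cookie attributes, if any


def cross_domain_controller(request_url: str, sso_token: Optional[str],
                            sessions: SessionService,
                            login_url: str, cdsso_url: str) -> Response:
    """Routing rule from the controller description: a request without valid
    SSO information goes to the Authentication service; one with it goes to the
    target domain's CDSSO component with the token appended to the query string."""
    if sessions.validate(sso_token) is None:
        return Response(302, login_url + "?" + urlencode({"goto": request_url}))
    return Response(302, cdsso_url + "?" + urlencode({"goto": request_url, "SSOToken": sso_token}))


def cdsso_component(redirect_url: str, cookie_domain: str,
                    sessions: SessionService) -> Response:
    """Runs in the second domain: re-validates the token it received and, only
    if it is live, sets the SSO cookie for its own domain and sends the user on
    to the page originally requested."""
    query = parse_qs(urlsplit(redirect_url).query)
    token = query.get("SSOToken", [None])[0]
    goto = query.get("goto", [None])[0]
    if goto is None or sessions.validate(token) is None:
        return Response(403)                    # never set a cookie for a rejected token
    cookie = {"name": "sso", "value": token, "domain": cookie_domain,
              "secure": True, "httponly": True}
    return Response(302, goto, cookie)


if __name__ == "__main__":
    svc = SessionService(lifetime_seconds=300)
    tok = svc.create("uid=alice,ou=People,o=example.com")   # constructed principal
    hop = cross_domain_controller("https://portal.example.net/home", tok, svc,
                                  "https://sso.example.com/login",
                                  "https://portal.example.net/cdsso")
    print(hop.location)
    print(cdsso_component(hop.location, ".example.net", svc))
```

Because the token travels in a query string on the hop from the controller to the CDSSO component, it is visible in web server access logs and Referer headers along that hop; that is one reason to run this traffic over SSL, and why the component above validates the token against the Session service before honoring it instead of trusting the redirect.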


Web Server

iPlanet Web Server, although not included in the product CD as a stand-alone product, is an integral part of the DSAME solution. It is automatically installed and configured when you install the Policy and Management services. Working behind the scenes, this dedicated instance of Web Server provides the engine for policy enforcement, identity management, and service management. It also serves the graphical user interface.



Key Features and Benefits



As a business grows, its networking needs change. Efficiency, extensibility, rapid deployment of services, and maintained security become key factors in keeping its enterprise running smoothly and with minimum down-time. DSAME offers the following features to meet the challenges of growing enterprises.


Administration Console

A graphical interface that consolidates Identity, Service, and Policy management. Allows users, administrators as well as non-administrators, to create and manage user accounts, service attributes, and access rules in Directory Server using one interface and without having to know LDAP.


Policy Management

A means for creating and enforcing access rules. Grants or denies users' access to resources based on their credentials and based on the rules and policies you create.


Service Management

A means for registering services and service attributes. Allows you to assign service attributes to organizations, groups, or individual users from the same console that you use to perform user management.


Identity Management

A framework that supports several pre-defined administrator roles. Provides a means for creating, modifying, or deleting organizations, groups, and users. Automatically creates appropriate administrator entries, roles, and access control instructions (ACIs) each time you create a new organization or managed group.


Authentication

A framework and a number of modules for verifying user identities. Provides security by requiring users to present credentials in order to log in to applications in the enterprise. The plug-in architecture makes it possible for iPlanet customers to write and use their own modules with DSAME. The following Authentication modules come with DSAME:

  • LDAP

  • RADIUS

  • Membership

  • Anonymous

  • Certificate-based

  • Unix

  • SafeWord



Note: The Unix authentication module is available only in the Solaris version.
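The following Python sketch of a pluggable authentication framework is an added example, not DSAME code: the `AuthModule` interface, the `PasswordModule` and `AnonymousModule` classes, and the credential dictionary layout are this example's own. It shows what the plug-in contract amounts to (a module turns submitted credentials into a principal or a failure) and how the login dispatcher selects a module by name. The password module stands in for a directory-backed module such as LDAP or Membership and verifies against salted PBKDF2 records in constant time, running the key derivation even for an unknown user so that a wrong password and a nonexistent account take the same time.

```python
"""Constructed model of a pluggable authentication framework.

Added example, not DSAME code: interfaces and names are assumptions
made for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Protocol, Tuple


class AuthModule(Protocol):
    """Plug-in contract: turn submitted credentials into a principal, or None."""
    name: str

    def authenticate(self, credentials: dict) -> Optional[str]: ...


class PasswordModule:
    """Stands in for a directory-backed module (LDAP, Membership): verifies a
    password against a salted PBKDF2 record kept per user."""
    name = "Password"
    ITERATIONS = 100_000

    def __init__(self, records: Dict[str, Tuple[bytes, bytes]]):
        self._records = records          # uid -> (salt, digest); constructed sample store

    @classmethod
    def hash_password(cls, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)
        return salt, digest

    def authenticate(self, credentials: dict) -> Optional[str]:
        uid = credentials.get("uid")
        password = credentials.get("password")
        if not uid or password is None:
            return None
        record = self._records.get(uid)
        # Run the KDF even for an unknown user so timing does not reveal which uids exist.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, actual = self.hash_password(password, salt)
        if record is not None and hmac.compare_digest(actual, expected):
            return uid
        return None


class AnonymousModule:
    """Admits any caller under a fixed principal; no credentials are checked."""
    name = "Anonymous"

    def authenticate(self, credentials: dict) -> Optional[str]:
        return "anonymous"


class AuthenticationService:
    """Keeps the registered modules and dispatches a login to the one named in the request."""

    def __init__(self, modules):
        self._modules: Dict[str, AuthModule] = {}
        for module in modules:
            self.register(module)

    def register(self, module: AuthModule) -> None:
        self._modules[module.name] = module

    def login(self, module_name: str, credentials: dict) -> Optional[str]:
        module = self._modules.get(module_name)
        if module is None:
            return None                  # unknown module: fail closed, no fallback to another one
        return module.authenticate(credentials)


if __name__ == "__main__":
    salt, digest = PasswordModule.hash_password("correct horse battery staple")
    service = AuthenticationService([PasswordModule({"alice": (salt, digest)}), AnonymousModule()])
    print(service.login("Password", {"uid": "alice", "password": "correct horse battery staple"}))
    print(service.login("Password", {"uid": "alice", "password": "guess"}))
    print(service.login("Anonymous", {}))
```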




Web-based Single Sign-On

A mechanism that uses tokens to store and transport user information between applications. Enables a user to access multiple web-based applications during a single session without having to re-authenticate for each application.


URL Policy Agent

A mechanism that enforces access rules and policies that protect web resources. Provides security by requiring additional identification from users who attempt to access protected files or pages in a web server.
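Policy evaluation of the kind the Policy Management feature defines and the URL Policy Agent enforces, as an added Python example that is not DSAME's agent or policy code: the `Rule` layout, the pattern syntax, the first-applicable-rule semantics, and the sample policy are this example's own assumptions. It shows role-scoped allow and deny rules matched against a normalized URL, which is what stops percent-encoded or dot-segment paths from slipping past a rule written for a protected directory.

```python
"""Constructed model of role-based URL policy evaluation.

Added example, not DSAME code: rule format and semantics are assumptions
made for illustration.
"""
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, Iterable
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Rule:
    resource: str              # URL pattern; '*' matches any run of characters
    actions: FrozenSet[str]    # HTTP methods the rule covers
    roles: FrozenSet[str]      # roles the rule applies to; empty means every user
    allow: bool


def normalize(url: str) -> str:
    """Canonical form compared against patterns: lower-cased scheme and host,
    percent-decoded and dot-segment-collapsed path, query and fragment dropped.
    Without this, /hr/%2e%2e/admin/ would slip past a rule written for /admin/*."""
    parts = urlsplit(url)
    path = posixpath.normpath(unquote(parts.path) or "/")
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def evaluate(rules: Iterable[Rule], url: str, method: str, roles: FrozenSet[str]) -> bool:
    """First applicable rule decides; no applicable rule means deny (fail closed).
    Rules are listed from most to least specific, which is the administrator's job."""
    target = normalize(url)
    for rule in rules:
        if method not in rule.actions:
            continue
        if rule.roles and not (rule.roles & roles):
            continue
        if fnmatchcase(target, rule.resource):
            return rule.allow
    return False


# Constructed sample policy for one web server: admins may use /admin, everyone
# else is refused there, and any user may read the rest of the site.
POLICY = [
    Rule("http://www.example.com/admin/*", frozenset({"GET", "POST"}), frozenset({"Org Admin"}), True),
    Rule("http://www.example.com/admin/*", frozenset({"GET", "POST"}), frozenset(), False),
    Rule("http://www.example.com/*", frozenset({"GET"}), frozenset(), True),
]


if __name__ == "__main__":
    employee = frozenset({"Employee"})
    print(evaluate(POLICY, "http://www.example.com/hr/benefits?id=7", "GET", employee))
    print(evaluate(POLICY, "http://www.example.com/hr/%2e%2e/admin/users", "GET", employee))
    print(evaluate(POLICY, "http://www.example.com/admin/users", "GET", frozenset({"Org Admin"})))
```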


Secure Sockets Layer (SSL)

A transport-layer security protocol that encrypts communications over a network. Ensures that communications over the network cannot be read by unauthorized individuals.


Directory Replication Support

DSAME works with multi-master replication of Directory Server to provide a highly available directory service for both read and write operations.


Roles and Class of Service Support

DSAME works with Directory Server to provide a flexible mechanism for grouping and sharing attributes among entries. Allows you to dynamically change a large number of user, group, or organization entries by making a single change to a role or attribute.


Load-Balancer Support

DSAME works with load-balancers such as iPlanet Directory Access Router, to provide high availability and firewall-like security.


Copyright 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 13, 2002