
Page 1: November 20, 2008

Using Identity Virtualization and Integration to Enable Web Access Management A CA SiteMinder and Virtual Directory Case Study

November 20, 2008

Page 2

Agenda

> About CA
> Business Vision
  – Issues and Business Drivers
  – Project and Components
  – Details
  – Performance, Scalability, and High Availability
  – Key Factors
  – Results
  – Architecture
  – Solution Components
> Identity Virtualization and Integration
  – The Problem
  – What is Needed
  – The Technical Details: inventory each source, build an identity hub, publish views
> Conclusion
> Recommendations

Page 3

CA: At-a-Glance

Global Organization:
– Headquarters: Islandia, NY
– 150+ offices; 15k+ employees; 50% mobile

Technology:
– 27k+ PCs; 40k+ network devices
– 1300+ production servers (Linux, UNIX, Windows)
– 4 IBM Mainframes, 20+ LPARs, 15k MIPs
– 1500+ voice/data circuits; 150+ phone systems
– 300+ routers, 465+ switches
– 400 TB array storage
– Using bespoke & packaged applications
– Using Outsourcing and SAAS solutions

Company Overview:
– 29 years successfully delivering software & services to optimize IT performance
– 30k+ customers; 1k+ where CA works with and/or supports SAP landscape
– 5th largest independent software vendor
– 4.4bn LTM billings; 3.4bn LTM revenue
– 16bn market capitalization
– 700m annual R&D investment
– Global Business Transformation underway

Page 4

Business Goals

> Efficiently roll-in newly acquired companies
> Quickly provide additional services to expanded customer base
> Expedite customer integration, reducing confusion and increasing satisfaction
> Repeatable framework allowing predictable timeframes and costs

Page 5

Issues and Business Drivers

Issues:
– CA acquired several companies and needed to provide a seamless and integrated experience to our customers.
– Internal users use an integrated directory.
– External users are stored in an external directory or in one of several DBs.
– Multiple support systems, varying platforms, no single architecture.

Business Drivers:
– CA’s Support organization invested in a project to unify the CA Customer Support experience.
– Opportunity to establish a Web Auth solution that could be extended to other applications at CA.

Page 6

Project and Components

2005 Project Completed

Seamless and integrated customer experience:
– Customers no longer need to log in multiple times using different IDs and passwords
– Employees can access CA Support without additional logon
– We now centrally track and administer entitlements
– Can change infrastructure without impacting users

Systems Integrated:
– Existing CA (SupportConnect)
– Netegrity (Onyx)
– Niku (Vantive)
– Concord/Prisma (Remedy)

Page 7

Details

Leverage existing investments:

> Active Directory
> CA Directory, formerly eTrust Directory (LDAP)
> Platforms: Windows 2000/2003, Solaris, AIX, SuSE, Red Hat Enterprise
> User Directories: SQL, Oracle, Sybase

Page 8

Performance, Scalability and High Availability Requirements

> High usage and throughput - 100 million user project
> A scalable, highly available enterprise environment
  – Cluster to cluster failover
  – Policy Server to Policy Server failover
  – Agent-to-Policy Server failover
  – Traffic load balancing

Page 9

Performance, Scalability and High Availability

Architecture:

[Diagram: RadiantOne Virtual Directory (Server 1, Server 2) serving a primary SiteMinder block of SiteMinder Policy Servers and CA Web Agents, backed by a redundant SiteMinder Policy Store]

Logins per second: 100
Authorizations per second: up to 400
Transactions per second: up to 600
Agents per Policy Server (optimal): up to 30
Policy Server CPU utilization (average): up to 50%
Authentication latency, seconds (average): 0.20
Authorization latency, seconds (average): 0.10

Note: These values are based on the SiteMinder Hundred Million User (HMU) project, in which a series of tests were conducted to demonstrate the performance and scalability of SiteMinder in large-scale deployments.

Page 10

Key Factors

> Did this…
  …without having to make changes to existing systems
  …by abstracting what already existed
  …across multiple platforms and architectures
> Saved hundreds of thousands of hours of work
> Streamlined applications
> Mitigated risk associated with changing legacy apps
> Improved time to delivery
> Established a platform for growth

Page 12

Solution Components

> Radiant Logic RadiantOne Virtual Directory: correlates and caches authentication and user information from all other user directories
> CA SiteMinder: access control and single sign-on across technical support applications
> Legacy Technical Support systems
> SAP Portal: unified front-end presentation layer
> Future opportunity to federate application directories

ssohelp.com

Page 13

Architecture:

[Diagram: a RadiantOne Virtual User Directory sits in front of the user directories used by the applications (SupportConnect, Onyx, Remedy, Vantive). Each application is fronted by an iPhrase / SiteMinder layer with primary and failover SiteMinder Policy Servers, all sharing a redundant SiteMinder Policy Store. Sites shown: Islandia, NY; San Mateo, CA; Framingham, MA; Watertown, MA.]

Page 14

Identity Virtualization and Integration Core

Page 15

Identity Virtualization

> “Virtualization is occurring at all layers across the IT "stack" — hardware, operating systems, applications, services, processes, presentation layer — even identities. At its core, virtualization is simply a layer of abstraction between a layer of consumers and an underlying layer of providers. However, this simple notion causes powerful shifts in the way that security must be managed and will accelerate the move to externalized identity services”

Neil MacDonald – Gartner Fellow – “Everything You Know About Identity Management Is Wrong”

Page 16

Identity Integration

The Problem: No common identifier across technical support sites

[Figure: the same user appears as [email protected] at Site 1, as 1470233 at Site 2 and as williamt at Site 3]

Page 17

No Single Sign-On

[Figure: a user with ID [email protected] / Pwd: 1234 and three separate applications]

1. Authenticate to App 1
2. User granted access
3. User clicks link for App 3 (ID: [email protected])
?? Unable to achieve SSO since App 3 expects ID “williamt”

Page 18

What is Needed

Correlated view of a user across all applications

[Figure: William Taub is known as [email protected] in Application 1, 1470233 in Application 2 and williamt in Application 3; the correlation keys shown are Email, Name + Company ID, and Email + Company Name]

Page 19

Technical Requirements

> Create a mash-up of technical support sites across four systems and 300,000 identities

> Define correlated identity for all users

> Make it easy and enticing for customers to help themselves

> Replace legacy security infrastructure

> Establish platform for future expansion

Page 20

Identity Integration

> Foundation for successful single sign-on (SSO)

> Unified view of users across systems

> Requires ability to construct correlated identifier (CID)

> Security framework leveraging correlated identity store

> Leverage identity transformation to create reusable user metadata

Page 21

Step 1: Correlated User

Correlated identity mapped to each application

[Figure: CID [email protected] mapped to the application identities [email protected], 1470233 and williamt]

Page 22

Step 2: Centralized Security

Single sign-on across technical support sites

[Figure: CID [email protected] mapped to the application identities [email protected], 1470233 and williamt]

1. User authenticates
2. Credentials validated against correlated identity store
3. Application-specific identity passed to acquired application

Page 23

Step 3: Unified Portal

One view of technical support across systems

[Figure: CID [email protected] mapped to the application identities [email protected], 1470233 and toddclay]

Page 24

Inventory and Translate Each Source into a Common Model and Virtual Namespace

Page 25

Create an Identity Hub

> Store in the hub only the core identity required by the correlation process, plus the global ID that uniquely references the matching identities
> Retrieve the rest of the attributes on the fly by keeping reference pointers to the underlying identities

Benefits of this approach:
– Less information to synchronize
– The central repository does not grow exponentially as more data sources are integrated
– A selective approach to which attributes to store helps with data ownership issues and sizing considerations
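The correlation keys from page 18 (Email, Name + Company ID, Email + Company Name), the three SSO steps from pages 21 to 23 and the identity-hub rule above (core identity plus pointers, everything else fetched on the fly) can be shown together in one small program. This is an added example written for this transcript, not code from CA, Radiant Logic or the case-study project: the three application stores, the company table, the `IdentityHub` class with its methods, and the sample users are constructed assumptions. It goes slightly beyond the slides in one respect: a record ingested later that bridges two existing hub entries merges them into a single CID.

```python
# Added example (not CA or Radiant Logic code): an identity hub that stores only correlated
# identifiers and pointers. The stores, company table, names and sample users are constructed.
import hashlib
import hmac
import os

COMPANIES = {"C-42": "Acme Corp", "C-7": "Globex"}  # constructed; bridges the two company-based keys
COMPANY_IDS = {name: cid for cid, name in COMPANIES.items()}

SOURCES = {  # constructed application stores, each keyed by its own native identifier
    "app1": {  # keyed by e-mail
        "wtaub@example.com": {"email": "wtaub@example.com", "name": "William Taub", "company_name": "Acme Corp"},
        "jdoe@example.com": {"email": "jdoe@example.com", "name": "Jane Doe", "company_name": "Globex"},
    },
    "app2": {  # keyed by numeric customer id
        "1470233": {"name": "William Taub", "company_id": "C-42", "tier": "gold"},
        "1470300": {"name": "Jane Doe", "company_id": "C-99", "tier": "silver"},  # other company: no match
    },
    "app3": {  # keyed by username
        "williamt": {"email": "wtaub@example.com", "company_name": "Acme Corp", "role": "admin"},
    },
}


def match_keys(rec):
    """Correlation keys from the deck: Email, Name + Company ID, Email + Company Name."""
    keys = set()
    email = rec.get("email", "").lower()
    company_id = rec.get("company_id") or COMPANY_IDS.get(rec.get("company_name", ""))
    company_name = rec.get("company_name") or COMPANIES.get(rec.get("company_id", ""))
    if email:
        keys.add(("email", email))
        if company_name:
            keys.add(("email+company_name", email, company_name.lower()))
    if rec.get("name") and company_id:
        keys.add(("name+company_id", rec["name"].lower(), company_id))
    return keys


class IdentityHub:
    """Holds core identity only: per CID the match keys and pointers; attributes stay at the sources."""
    def __init__(self):
        self.entries = {}      # cid -> {"keys": set(), "pointers": {source: native_id}}
        self.index = {}        # match key -> cid
        self.credentials = {}  # cid -> (salt, PBKDF2 digest)
        self._seq = 0

    def ingest(self, source, native_id, rec):
        """Step 1: attach a source record to its CID, merging CIDs if the record bridges two."""
        keys = match_keys(rec)
        hits = {self.index[k] for k in keys if k in self.index}
        if hits:
            cid = min(hits, key=lambda c: ("@" not in c, c))  # keep an e-mail style CID
            for other in hits - {cid}:
                dropped = self.entries.pop(other)
                self.entries[cid]["keys"] |= dropped["keys"]
                self.entries[cid]["pointers"].update(dropped["pointers"])
        else:
            self._seq += 1
            cid = rec.get("email", "").lower() or f"cid-{self._seq}"
            self.entries[cid] = {"keys": set(), "pointers": {}}
        entry = self.entries[cid]
        entry["keys"] |= keys
        entry["pointers"][source] = native_id
        for k in entry["keys"]:
            self.index[k] = cid
        return cid

    def get_attribute(self, cid, attr):
        """Fetch a non-core attribute on the fly by following the pointers to the sources."""
        for source, native_id in self.entries[cid]["pointers"].items():
            rec = SOURCES[source].get(native_id, {})
            if attr in rec:
                return rec[attr]
        return None

    def app_identity(self, cid, source):  # step 3: identity passed to the acquired application
        return self.entries[cid]["pointers"].get(source)

    def set_password(self, cid, password):
        salt = os.urandom(16)
        self.credentials[cid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def authenticate(self, email, password):
        """Step 2: validate credentials against the correlated store; returns the CID or None."""
        cid = self.index.get(("email", email.lower()))
        if cid not in self.credentials:
            return None
        salt, digest = self.credentials[cid]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return cid if hmac.compare_digest(probe, digest) else None


def build_hub():  # inventory every source and correlate it into the hub
    hub = IdentityHub()
    for source, store in SOURCES.items():
        for native_id, rec in store.items():
            hub.ingest(source, native_id, rec)
    return hub
```

Only the CID, its match keys, the pointers and a password hash live in the hub; `get_attribute` walks the pointers to whichever source holds the attribute, which is why adding a fourth source adds pointers rather than a copy of its attribute set. `authenticate` looks the user up by the e-mail key and returns the CID, which `app_identity` then translates into whatever identifier the target application expects, so the acquired application never sees the user's login credential.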

Page 26

Use RadiantOne VDS to Publish Virtual Views

Page 27

Conclusion

> Technical support systems available through common login and single sign-on

> Unified entitlements and system access for customers owning multiple products

> Ability to access content regardless of system, improving self-service

> Reduced costs and increased security


Page 28

Recommendations

> Start with an “identity centric” core designed to scale

> Leverage and abstract existing systems

> Externalize user correlation logic to maximize configuration versus development

> Incrementally layer services to systematically build out capabilities
