Charles Hoffman
TAM Enterprise Single Sign-on
August 3 - 4, 2006
TivoliNow!
IBM Software Group | Tivoli software
Password Management Problems
Time & Money
• User frustration and complaints due to password and security complexity
• Employees locked out, interrupting work and revenue-producing activity
• High password-related user support costs
Security
• Weakened security due to poor password selection and management
• Difficulty in securing critical applications
• Difficulty of integrating advanced authentication for applications
Regulatory
• Need to prevent public access to private data (HIPAA, GLBA) and to track and report on all access (SOX)
IBM Tivoli Access Manager Enterprise Single Sign-On
Capabilities
• Logon and password change support for almost any Windows, Web, Java and Host-based application
• Single secure strong authentication for initial authentication, re-authentication and forced authentication
• Automatic password generation and policy support
• Tightly integrates with Tivoli Identity Manager to provision and remove credentials
• Signs on to Tivoli Access Manager to enable fine-grained authorization and entitlements to web applications
Business Value
• Simplify the end user experience by eliminating the need to remember and manage usernames and passwords
• Enhance security by eliminating poor end user password behavior
• Reduce help desk costs by lowering the number of password reset calls
• Extend audit and reporting capabilities to include user sign-on data
“We were looking for the ability to provide single or reduced sign-on across the enterprise from our identity management project; we chose Passlogix and IBM for our implementation.”
—Debbie Posey, Project Manager, Baker Hughes
The Tivoli Enterprise Single Sign-on Suite
IBM Tivoli Access Manager for ESSO - our enterprise single sign-on solution, which serves as the base for the components below
Additional ESSO Components
• Desktop Password Reset Adapter - component that allows users to reset their Windows password from a locked workstation
• Authentication Adapter - component that allows flexible authentication for the base ESSO product using tokens, smart cards, biometrics and passwords
• Provisioning Adapter - module that allows provisioning systems to directly distribute user credentials (usernames and passwords) to TAM for ESSO
• Kiosk Adapter - component that terminates inactive sessions and applications in kiosks and shared workstations; essential for hospitals and similar environments
Tivoli Access Mgr for Enterprise Single Sign-on
Tivoli Access Mgr for Enterprise Single Sign-on
Simplify the end user experience by eliminating the need to remember and manage usernames and passwords
Logon and password change support for almost all Windows, Web, Java and Host-based applications
Enhance security by eliminating poor end user password behavior
Reduce help desk costs by lowering the number of password reset calls
Deployed without requiring modification to target systems, platforms or applications
Advance identity management, compliance and authentication initiatives
IBM Tivoli Access Manager for ESSO Architecture
[Architecture diagram. Elements shown: User; User’s Desktop running TAM for Enterprise Single Sign-on; ESSO Console; Directory, Domain, Database. User Auth options: Biometrics, Token/Smart card, PKI, Password. Application Sign-On targets: Windows, Custom Apps, Healthcare Apps, Mainframes (OS390, AS400), Java Apps.]
TAMeb and TAM-ESSO Working Together
TAMeb (scope: internet, extranet, intranet)
• SSO and strong authentication to back-end Web applications protected behind WebSEAL
TAM-ESSO (scope: intranet)
• SSO and strong authentication to desktop-based applications (including TAMeb) via desktop / kiosk
So, you get SSO from desktop to TAMeb to back-end Web apps
TAMeb and TAM-ESSO share the same directory
• The same user is defined one time to TAMeb and TAM-ESSO
[Deployment diagram. Elements shown: External User, Internet, Internet (External) Firewall, Load Balancer, TAMeb Proxies; Extranet User, Load Balancer, TAMeb proxies and/or plug-ins; Enterprise (Internal) Firewall, Web Servers, TAM Policy Server, LDAP; Internal Users on the Trusted Network with TAM-ESSO-enabled desktops.]
TAM for ESSO: Adapters
Desktop Password Reset
Customers that deploy ESSO either:
• Rely on the Windows password as the primary form of authentication
• Keep the Windows password as a backup when some form of strong authentication fails
What if a user forgets his/her Windows password? There are many scenarios that must be addressed:
• First login after a long vacation
• Changed password on Friday, first logon on Monday
• Smart card lost on a trip or left at home
• Biometric access from a remote workstation without a biometric reader
The Windows password is often the first password a user needs to reset
Desktop Password Reset Adapter
In-the-Flow
• Integrated where the Windows password is needed most and most often forgotten
• Increases likelihood of access and use
Web Browser
• Provides access on kiosks or from other machines when needed
• Can be integrated with other Web self-service mechanisms such as TAM
Resets the Windows/domain password only
– Does NOT require access to a separate logged-on computer
Authentication Adapter
• Adds 3 capabilities to ESSO
– Can use strong authenticators for initial authentication, re-authentication and forced authentication
– “multi-authentication”: End-user can mix and match multiple authenticators on-the-fly
– “graded authentication”: Administrator can restrict access to particular applications based upon the authenticator used
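The two adapter behaviours above, "multi-authentication" (the session is as strong as the strongest authenticator the user has presented) and "graded authentication" (each application needs a minimum authenticator before its credential is released), can be modelled as a small policy check. The block below is an added illustration, not code from IBM, Passlogix or the Authentication Adapter; the authenticator ranks, the application names and their minimum ranks are constructed assumptions, and the rule that applications without a policy are denied is the author's choice of a safe default.

```python
"""Graded and multi-authentication policy model.

Added illustration only; it is not TAM for ESSO or Authentication Adapter
code. Assumptions (constructed for the example):
- each authenticator type has an assurance rank, stronger = higher;
- each application carries a minimum rank set by the administrator;
- applications without a policy are denied by default;
- a session keeps every authenticator the user has presented, so
  mixing authenticators raises the session to its strongest one.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

NONE = 0  # rank of a session that has not authenticated yet

# Constructed ranking of the authenticator types the deck lists.
AUTHENTICATOR_RANK: Dict[str, int] = {
    "password": 1,
    "token": 2,
    "smart_card": 3,
    "biometric": 3,
}

# Constructed per-application minimum rank: the administrator's graded policy.
APP_MIN_RANK: Dict[str, int] = {
    "groupware": 1,
    "payroll": 2,
    "clinical_records": 3,
}


@dataclass
class Session:
    """Authentication state for one desktop user."""
    user: str
    presented: Set[str] = field(default_factory=set)

    def authenticate(self, method: str) -> int:
        """Record an authenticator the user just used; return the new session rank."""
        if method not in AUTHENTICATOR_RANK:
            raise ValueError(f"unknown authenticator: {method}")
        self.presented.add(method)
        return self.rank()

    def rank(self) -> int:
        """Strongest authenticator presented so far (multi-authentication)."""
        return max((AUTHENTICATOR_RANK[m] for m in self.presented), default=NONE)


def decide(session: Session, app: str) -> str:
    """Graded authentication: 'allow', 'step_up' or 'deny' for a sign-on request.

    'step_up' means the session must be (re-)authenticated with a stronger
    authenticator before the application credential would be released.
    """
    required = APP_MIN_RANK.get(app)
    if required is None:
        return "deny"                      # default-deny for unknown applications
    if session.rank() >= required:
        return "allow"
    return "step_up"


def step_up_options(session: Session, app: str) -> List[str]:
    """Authenticators not yet presented that would satisfy the application's policy."""
    required = APP_MIN_RANK.get(app)
    if required is None:
        return []
    return sorted(m for m, r in AUTHENTICATOR_RANK.items()
                  if r >= required and m not in session.presented)


if __name__ == "__main__":
    s = Session("alice")
    s.authenticate("password")             # initial authentication
    for app in APP_MIN_RANK:
        print(f"{app:17} {decide(s, app):8} step-up via {step_up_options(s, app)}")
    s.authenticate("smart_card")           # user adds a stronger authenticator on the fly
    print("clinical_records after smart card:", decide(s, "clinical_records"))
```

Running the block shows the graded effect: after a password-only logon, groupware is allowed, payroll and clinical records demand a step-up, and presenting a smart card later in the same session unlocks the clinical application without a fresh logon. The default-deny branch is the detail worth keeping in any real policy: an application nobody has classified should not fall through to the weakest authenticator.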
Provisioning Adapter
Goal: the user never knows or touches a password
An administrator can inject a user’s credentials directly into TAM for ESSO
Application password resets are automatically synchronized to TAM for ESSO
Whenever access to an application is terminated, the credentials in TAM for ESSO are automatically removed
When a user leaves the company, all credentials are automatically deleted
Provisioning Adapter
[Diagram. Elements shown: IBM Tivoli Identity Manager; TAM for ESSO; Single Sign On targets Windows, Directory, SAP, Database, Mainframe, Custom.]
TIM & TAM E-SSO Working Together
• Bi-directional creation and management of identities
• Creation/management of ESSO account
• Population of ESSO datastore with account credentials
• Password changes in TIM are picked up in ESSO datastore
Kiosk Adapter
Track user identity by user login/logout
• Fast login and fast user switching
• Enables TAM for ESSO to know which user’s credentials to use
TAM for ESSO automates password management
Kiosk Adapter auto-suspends and auto-terminates inactive sessions
Kiosk Adapter automatically closes open applications
• Keystroke sequence, closure request, process kill
The Tivoli Enterprise Single Sign-on Suite
[Suite diagram. Elements shown: TAM for ESSO Core; TAM for ESSO Desktop PW Reset Adapter; TAM for ESSO Console; TAM for ESSO Provisioning Adapter with Tivoli Identity Manager; TAM for ESSO Authentication Adapter; TAM for ESSO Kiosk Adapter; Directory/DB. User Auth at the User’s Desktop: SecurID, Password, PKI, Biometrics, Token/smart card. Application Sign-On / SignOn / SignOff targets: TAMeb, Windows, Web sites, Mainframes. Legend: “= Powered by”.]
Tivoli Enterprise Single Sign-On Platform
Provides proven enterprise single sign-on functionality
Supports all strong authenticators
Integrated with market leading user provisioning systems
Runs on desktops and kiosks
Provides complete API sets to all integration points
Sample of supported applications…
Enterprise Applications
SAP GUI, SAP, MY SAP, Siebel Sales, Lotus Notes, Microsoft Outlook, Novell GroupWise, PeopleSoft, Lawson, Baan, JD Edwards, Oracle Financials, SAS, Salesforce, GoldMine
Windows and Client Applications
Act, Microsoft Office, Adobe Acrobat Reader, FrontRange, Goldmine, Interact!, PKZip, Microsoft SQL, Novell GroupWise, Oracle, Siebel Sales, and many more
Healthcare Applications
McKesson, Meditech, Cerner, Siemens, IDX, Epik, GE and many other off-the-shelf and customized clinical applications
Extranet Access Management Applications
Tivoli Access Manager, CA Netegrity SiteMinder, Entrust GetAccess, Oracle Oblix NetPoint, RSA ClearTrust
Host/Terminal Emulators
Attachmate Extra!, G&R Glink, Hummingbird HostExplorer, IBM Personal Communications, IBM Host On-Demand, NetManage (WallData) Rumba, ScanPak (Eicon) Aviva, WRQ Reflection, Zephyr Passport, and many more
Deployed by Leading Customers
Financial: Prudential Insurance, Midwest brokerage firm, Fortune 100 bank
Government: USPS, FAA, NASA, DOD…
Healthcare: Baptist Health, Clarian Health, Blue Cross
Telecom/Tech: Southwestern Telco, Security Software firm, Czech Telecom …
Energy: Chevron, Hydro Quebec, Virginia-based power company
Other: Large toy manufacturer, Railway company, National Television station, Large Food Services company
Notable customer highlights
• Largest ESSO deployment in the world – United States Postal Service, which has >165,000 users accessing 7,000 applications
• Disconnected Prudential insurance brokers accessing more than 40 applications from laptops
• Chevron Texaco, which is deploying to more than 60,000 users with a smart card for user authentication
Problem:
• Number one identified problem by USPS employees: too many passwords
• Very large scale environment: over 165,000 users
• Thousands of known applications, many beyond central IT reach
• Very limited IT staff to implement and maintain
• CTO wanted a solution that could be fully deployed in less than a year
Solution:
• Evaluated 7 different SSO vendors -- selected Passlogix
• 147,000 users deployed in less than 8 months
• Over 7,000 applications enabled
• Helpdesk password calls dropped from >1,000 per day to an average of 10 per day
• Saved over $4 million per year
“Passlogix was instrumental in helping the USPS solve its most critical end user problem – forgotten passwords – and solve it quickly.”
—Bob Otto, CTO
Baptist Health
Problem:
• 5,000 medical professionals, including 2,200 community physicians
• Need to provide access to all critical medical applications from inside and outside the hospital
• Replace paper-based medical records with a fully computerized physician order entry system
• Opportunities for improving patient safety and physician referral to the hospital
• HIPAA authentication requirements
Solution:
• Implemented ESSO to sign on to all medical applications
• 2,200 physicians rolled out … planning balance of personnel and another Baptist facility
“v-GO SSO delivers a simple, fast experience for our medical staff ensuring adoption of our portal and improving patient safety and care.”
—Roland Garcia, CIO
Tivoli Enterprise Single Sign-on Highlights
Logon and password change support for almost all Windows, Web, Java and Host-based applications
Single secure primary authentication based on Windows logon, smart card, biometric, proximity badge, PKI, etc.
Automatic password generation and password policy support
Supports all user work modes - connected, disconnected, multi-machine and kiosk
Leverages any enterprise directory or database as a central repository
Tightly integrates with Tivoli Identity Manager to provision and remove credentials
Supports Tivoli Access Manager to provide fine grained authorization and entitlements to web applications shared by internet/extranet users
Quick Value, Flexible, and Open
Product Demonstration
Question and Answer
Thank You
Disclaimers and Trademarks
No part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.
Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.
THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided.
IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws.
The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States and/or other countries.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States and other countries.
Other company, product, or service names may be trademarks or service marks of others.
ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.
IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.