Using Identity Virtualization and Integration to Enable Web Access Management A CA SiteMinder and Virtual Directory Case Study
November 20, 2008
Agenda
> About CA
> Business Vision
– Issues and Business Drivers
– Project and Components
– Details
– Performance, Scalability, and High Availability
– Key Factors
– Results
– Architecture
– Solution Components
> Identity Virtualization and Integration
– The Problem
– What is Needed
– The Technical Details
– Inventory each source
– Build an identity hub
– Publish views
> Conclusion
> Recommendations
CA: At-a-Glance
Global Organization:
– Headquarters: Islandia, NY
– 150+ offices; 15k+ employees; 50% mobile
Technology:
– 27k+ PCs; 40k+ network devices
– 1300+ production servers (Linux, UNIX, Windows)
– 4 IBM Mainframes, 20+ LPARs, 15k MIPs
– 1500+ voice/data circuits; 150+ phone systems
– 300+ routers, 465+ switches
– 400 TB array storage
– Using bespoke & packaged applications
– Using outsourcing and SaaS solutions
Company Overview:
– 29 years successfully delivering software & services to optimize IT performance
– 30k+ customers; 1k+ where CA works with and/or supports SAP landscape
– 5th largest independent software vendor
– 4.4bn LTM billings; 3.4bn LTM revenue
– 16bn market capitalization
– 700m annual R&D investment
– Global Business Transformation underway
Business Goals
> Efficiently roll-in newly acquired companies
> Quickly provide additional services to expanded customer base
> Expedite customer integration reducing confusion and increasing satisfaction
> Repeatable framework allowing predictable timeframes and costs
Issues and Business Drivers
Issues:
– CA acquired several companies and needed to provide a seamless and integrated experience to our customers.
– Internal users use an integrated directory
– External users are stored in an external directory or in one of several DBs
– Multiple support systems, varying platforms, no single architecture
Business Drivers:
– CA’s Support organization invested in a project to unify the CA Customer Support experience.
– Opportunity to establish a Web Auth solution that could be extended to other applications at CA.
Project and Components
2005: Project completed; seamless and integrated customer experience
– Customers no longer need to log in multiple times using different IDs and passwords
– Employees can access CA Support without additional logon
– We now centrally track and administer entitlements
– Can change infrastructure without impacting users
Systems Integrated:
– Existing CA (SupportConnect)
– Netegrity (Onyx)
– Niku (Vantive)
– Concord/Prisma (Remedy)
Details
Leverage existing investments:
> Active Directory
> CA Directory, formerly eTrust Directory (LDAP)
> Platforms: Windows 2000/2003, Solaris, AIX, SuSE, Red Hat Enterprise
> User Directories: SQL, Oracle, Sybase
Performance, Scalability and High Availability Requirements
> High usage and throughput - 100 million user project
> A scalable, highly available enterprise environment
– Cluster-to-cluster failover
– Policy Server-to-Policy Server failover
– Agent-to-Policy Server failover
– Traffic load balancing
Performance, Scalability and High Availability
Architecture: [diagram labels: RadiantOne Virtual Directory; SiteMinder Policy Server (Server 1, Server 2); CA Web Agents; Primary SiteMinder Block; Redundant SiteMinder Policy Store]
Logins per second: 100
Authorizations per second: up to 400
Transactions per second: up to 600
Agents per Policy Server (optimal): up to 30
Policy Server CPU utilization (average): up to 50%
Authentication latency, seconds (average): 0.20
Authorization latency, seconds (average): 0.10
Note: These values are based on the SiteMinder Hundred Million User (HMU) project, in which a series of tests were conducted to demonstrate the performance and scalability of SiteMinder in large-scale deployments.
Key Factors
> Did this…
– …without having to make changes to existing systems
– …by abstracting what already existed
– …across multiple platforms and architectures
> Saved hundreds of thousands of hours of work
> Streamlined applications
> Mitigated risk associated with changing legacy apps
> Improved time to delivery
> Established a platform for growth
Solution Components
> Radiant Logic RadiantOne Virtual Directory: correlates and caches authentication and user information from all other user directories
> CA SiteMinder: access control and single sign-on across technical support applications
> Legacy Technical Support systems
> SAP Portal: unified front-end presentation layer
> Future opportunity to federate application directories
ssohelp.com
Architecture: [diagram labels: RadiantOne Virtual User Directory; user directories used by applications (SupportConnect, Onyx, Remedy, Vantive); iPhrase and SiteMinder paired with each application (SupportConnect, Vantive, Remedy, Onyx); primary and failover Policy Servers at Islandia, NY; San Mateo, CA; Framingham, MA; Watertown, MA; Redundant SiteMinder Policy Store]
Identity Virtualization
> “Virtualization is occurring at all layers across the IT "stack" — hardware, operating systems, applications, services, processes, presentation layer — even identities. At its core, virtualization is simply a layer of abstraction between a layer of consumers and an underlying layer of providers. However, this simple notion causes powerful shifts in the way that security must be managed and will accelerate the move to externalized identity services”
Neil MacDonald – Gartner Fellow – “Everything You Know About Identity Management Is Wrong”
Identity Integration
The Problem: No common identifier across technical support sites
– Site 1: [email protected]
– Site 2: 1470233
– Site 3: Williamt
No Single Sign-On
ID: [email protected] / Pwd: 1234
Applications shown: Application 1, Application 2, Application 3
1. Authenticate to App 1
2. User granted access
3. User clicks link for App 3 (ID: [email protected])
?? Unable to achieve SSO since App 3 expects ID “williamt”
What is Needed
Correlated view of a user across all applications:
– Application 1: William Taub
– Application 2: 1470233
– Application 3: williamt
Linking attributes: Name + Company ID; Email + Company Name
Technical Requirements
> Create a mash-up of technical support sites across four systems and 300,000 identities
> Define correlated identity for all users
> Make it easy and enticing for customers to help themselves
> Replace legacy security infrastructure
> Establish platform for future expansion
Identity Integration
> Foundation for successful single sign-on (SSO)
> Unified view of users across systems
> Requires ability to construct correlated identifier (CID)
> Security framework leveraging correlated identity store
> Leverage identity transformation to create reusable user metadata
Step 1: Correlated User
Correlated identity mapped to each application: [email protected] / 1470233 / williamt
CID: [email protected]
Step 2: Centralized Security
Single sign-on across technical support sites: [email protected] / 1470233 / williamt
CID: [email protected]
1. User authenticates
2. Credentials validated against correlated identity store
3. Application-specific identity passed to acquired application
Step 3: Unified Portal
One view of technical support across systems: [email protected] / 1470233 / toddclay
CID: [email protected]
Inventory and Translate Each Source into a Common Model and Virtual Namespace
Create an Identity Hub
– Store in the hub only the core identity required by the correlation process, plus the global ID that uniquely references the matching identities
– Retrieve the rest of the attributes on the fly by keeping reference pointers to the underlying identities
Benefits of this approach:
– Less information to synchronize
– The central repository does not grow exponentially as more data sources are integrated
– Selective approach to which attributes to store, which helps with data ownership issues and sizing considerations
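The correlation steps (Step 1 to Step 3) and the identity-hub design above, as an added Python example that is not CA's or Radiant Logic's code: the site records, company identifiers and the two matching rules (Name + Company ID, Email + Company Name) are constructed here, and the CID follows the slides' convention of using the e-mail address. The hub keeps only pointers to each site's local ID; everything else is read from the sources on demand.

```python
"""Identity hub: store only correlation attributes plus pointers to each site's ID."""
from collections import defaultdict

SOURCES = {  # constructed records from support sites that share no common identifier
    "site1": {"user@example.com": {"email": "user@example.com", "company": "Example Corp",
                                   "name": "William Taub", "tier": "gold"}},
    "site2": {"1470233": {"name": "William Taub", "company_id": "C-42", "phone": "555-0100"}},
    "site3": {"williamt": {"name": "William Taub", "company_id": "C-42", "role": "admin",
                           "email": "user@example.com", "company": "Example Corp"}},
    "site4": {"7001": {"name": "Todd Clay", "company_id": "C-99"}},  # matches nobody
}

def match_keys(rec):
    """Correlation rules named on the slide: Name + Company ID, Email + Company Name."""
    keys = set()
    if rec.get("name") and rec.get("company_id"):
        keys.add(("name+cid", rec["name"].lower(), rec["company_id"]))
    if rec.get("email") and rec.get("company"):
        keys.add(("email+co", rec["email"].lower(), rec["company"].lower()))
    return keys

def build_hub(sources):
    """Return {cid: {site: local_id}}; the hub holds pointers, not the full records."""
    parent = {}
    def find(x):                       # union-find over (site, local_id) pairs
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    by_key = defaultdict(list)
    for site, recs in sources.items():
        for lid, rec in recs.items():
            for k in match_keys(rec):
                by_key[k].append((site, lid))
    for group in by_key.values():      # records sharing a key are one person
        for member in group[1:]:
            parent[find(member)] = find(group[0])
    groups = defaultdict(dict)
    for site, recs in sources.items():
        for lid in recs:
            groups[find((site, lid))][site] = lid
    hub = {}
    for root, ptrs in groups.items():  # CID is the e-mail when any source has one
        emails = [sources[s][l]["email"] for s, l in ptrs.items() if "email" in sources[s][l]]
        hub[emails[0].lower() if emails else f"cid:{root[0]}:{root[1]}"] = ptrs
    return hub

def app_identity(hub, cid, site):      # Step 3 on the slides: ID handed to `site`, or None
    return hub.get(cid, {}).get(site)

def attributes(hub, sources, cid):     # non-core attributes are fetched via the pointers
    return {k: v for s, l in hub.get(cid, {}).items() for k, v in sources[s][l].items()}
```

The unmatched `site4` record shows the fallback: a user with no linking attributes still gets a synthetic CID rather than being silently merged into someone else's identity.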
Conclusion
> Technical support systems available through common login and single sign-on
> Unified entitlements and system access for customers owning multiple products
> Ability to access content regardless of system, improving self-service
> Reduced costs and increased security
Recommendations
> Start with an “identity centric” core designed to scale
> Leverage and abstract existing systems
> Externalize user correlation logic to maximize configuration versus development
> Incrementally layer services to systematically build out capabilities