For an enterprise, a key decision factor in selecting a good Cloud Identity Management service, is the ability of the service to connect to on-premise & cloud endpoints. Enterprises normally have User data stored in their endpoints. User data would range from the groups (segregation of users into a classification needed for the endpoint) the user belongs to, to the roles(a classification that allows the user to perform a particular function in that endpoint when the user is part of that classification) of the user and access privileges(permission levels to access resources) for that particular endpoint.
The same user in an enterprise, can have different types of access, can perform different roles and can be part of different groups in different endpoints. We normally witness the fact that, once the number of endpoints grows in an enterprise this User data & the related objects like groups and roles become unmanageable and untraceable. Enterprise want to have this problem fixed.
Any enterprise would love to know what types of access each user has in each of the endpoints at a given point in time. It would be key for them to have this information in one central place. Having this data in a single location, would help enterprise managers to look out for improper access, redundant roles in each of the endpoints on a periodic basis.
EzIAMTM (a Cloud Identity Management Service from SecureKloud Inc.) offers something called a provisioning directory, where relevant data (User, groups, roles) from the endpoints can be stored and accessed by the enterprise administrator. (Please refer to my previous blog – EzIAM FAQ – to know about the origins and capabilities of EzIAMTM). This data can then be imported to an Identity Access Governance Service, that would then analyze the roles, groups & access permissions during periodic certification campaigns conducted by the business managers. That can be a topic for a future blog. Now, let us dwelve into the various facets of endpoint connectivity options available within EzIAMTM.
EndPoints:
Endpoints are Directories, databases, LDAPs, applications, OS user stores etc. Almost any endpoint in an enterprise would have a data store where the users of that particular endpoint would be stored. Sometimes the endpoint themselves could be applications, in which case there would be an application database where the user information would be stored. Almost any system that contains user information could act as an endpoint for EzIAMTM. The endpoints could reside either on-premise or in a cloud.
Typically, an endpoint is a specific installation of a platform or application, such as Active Directory or Microsoft Exchange, which communicates with Identity Management to synchronize information (primarily attributes of a user stored in the endpoint). An endpoint can be:
■ An operating system (such as Windows)
■ A security product that protects an operating system (such as CA Top Secret and CA ACF2)
■ An authentication server that creates, supplies, and manages user credentials (such as CA Arcot)
■ A business application (such as SAP, Oracle Applications, and PeopleSoft)
■ A cloud application (such as Salesforce and Google Apps)
Connectors:
A connector is the software that enables communication between EzIAMTM and an endpoint system. A connector server (an EzIAMTM Server Component) uses a connector to manage an endpoint. One can generate a dynamic connector using Connector Xpress (an EzIAM Tool), or one can develop a custom static connector in Java. For each endpoint that you want to manage, you must have a connector. Connectors are responsible for representing each of the managed objects in the endpoint in a consistent manner. Connectors translate add, modify, delete, rename, and search LDAP operations on those objects into corresponding actions against the endpoint system. A connector acts as a gateway to a native endpoint type system technology. For example, to manage computers running Active Directory Services (ADS) install the ADS connector on a connector server.
Three Types of Connectors:
EzIAMTM has a rich set of On-premise connectivity options. There are 3 primary ways of connecting to endpoints;
C++ Connectors (managed by C++ Connector Server (CCS))
Java Connectors (managed by CA IAM Connector Server (CA IAM CS)).
Provisioning Server Plugins
The endpoints (in the diagram, courtesy: CA) the Connectors connect to range primarily from PeopleSoft, SalesForce (IAM CS) to AD, DB2 (C++ Connector), RACF(Prov. Server Plugin). These are just examples of connectors. A list of out-of-the-box connectors is given in “Connecting to endpoints” sub-section below.
One cannot use both CA IAM CS and CCS to manage the same endpoint type.
What Connectors Can Do:
EzIAMTM has a number of out-of-the-box Connectors that help to connect to popular endpoints. Each connector lets Identity Management within EzIAMTM, perform the following operations on managed objects on the endpoint:
■ Add
■ Modify—Changes the value of attributes, including modifying associations between them (for example, changing which accounts belong to a group).
■ Delete
■ Rename
■ Search—Queries the values of the attributes that are stored for an endpoint system or the managed objects that it contains.
For most endpoint types, all of these operations can be performed on accounts. These operations can also be performed on other managed objects if the endpoint permits it.
Connecting to Endpoints:
Popular out-of-the-box Connectors in EzIAMTM:
CA Access Control Connector
CA ACF2 v2 Connector
CA Arcot Connector
CA DLP Connector
CA SSO Connector for Advanced Policy Server
CA Top Secret Connector
IBM DB2 UDB for z/OS Connector
Google Apps Connector
IBM DB2 UDB Connector
IBM RACF v2 Connector
Kerberos Connector
Lotus Domino Connector
Microsoft Active Directory Services Connector
Microsoft Exchange Connector
Microsoft Office 365 Connector
Microsoft SQL Server Connector
Microsoft Windows Connector
Oracle Applications Connector
Oracle Connector
IBM i5/OS (OS/400) Connector
PeopleSoft Connector
RSA ACE (SecurID) Connector
RSA Authentication Manager SecurID 7 Connector
Salesforce.com Connector
SAP R/3 Connector
SAP UME Connector
Siebel Connector
UNIX ETC and NIS Connector
Ways to Create a New Connector:
One can connect to an endpoint that is not supported out-of-the-box in EzIAMTM, also. To do this, an enterprise needs to create its own connector in one of these ways:
■ Use Connector Xpress to create the connector.
■ Use the CA IAM CS SDK to create the connector.
■ Ask SecureKloud to create a connector.
Set Up Identity Management Provisioning with Active Directory:
One can use Active Directory Server (ADS) to synchronize attribute data to supported endpoints. This could be done by configuring CA IAM CS to propagate local changes in Active Directory to a cloud-based identity store using a connector. For example, assume that you have a GoogleApps installation in the cloud. You could create an ADS group named “GoogleApps” and then configure the CA IAM CS to monitor that group. CA IAM CS synchronizes any changes to the GoogleApps environment in the cloud. If you add a user to the ADS GoogleApps group, CA IAM CS uses the GoogleApps connector to trigger a “Create User” action in the GoogleApps environment proper.
To set up directory synchronization:
1. Install CA IAM CS in your environment.
2. Acquire the endpoints that you want to synchronize with. You must acquire endpoints in order to create templates in step 4.
3. Create one or more directory monitors. Monitors capture changes that you make in your local Active Directory, and report them for the synchronization.
4. Create one or more synchronization templates. Templates control settings for the directory synchronization.
Custom Connectors:
Custom Connectors are connectors that can be programmed (mostly from pre-available template structures) that enables an enterprise to connect to custom endpoints (i.e endpoints that are not supported out-of-the-box in EzIAMTM).
Custom Connector Implementation Guidelines:
It would help the developers to consider the following guidelines when designing and implementing a connector:
■ Drive as much of the connector implementation logic as possible using metadata.
■ Write code that takes advantage of the service provided by the CA IAM CS framework, like pluggable validators and converters, and connection pooling support classes.
■ Write custom connector code to address any additional specific coding requirements.
In summary, connection to endpoints is a critical aspect of modern Cloud Identity Management systems. The crucial Connector properties to look for from your Cloud Identity Management system would be,
- the efficiency of the connectors that would dictate the speed of data transfer between the endpoint and the Corporate user store
- the synchronization of attributes between the endpoint and the store (strong synchronization vs weak synchronization)
- the customization aspects of the connector (connector pool size, reverse synchronization from the endpoint to the Corporate Store etc.)
- the Validators and Convertors of datatypes (from endpoint to Directory) that the connectors offer
- the range of endpoints that the connectors could connect to ranging from AD, LDAP, DBs, Web Services (SOAP and REST-based) to custom endpoints with custom schema & metadata
EzIAMTM is an ideal candidate in this regard as it has a rich set of on-premise and cloud connectivity options. It has all the ideal connector properties that an enterprise would need to connect to their favourite endpoints.
