MicroStrategy ONE

Identity Management Applications

Enterprise systems often include a separate, third-party mechanism for user authentication that can be applied to all applications. In this configuration, an external user repository is in place for storing user information, as well as information about whether a given user has access to a given application. This type of authentication mechanism is known as an identity management application. Examples include CA Siteminder, IBM Tivoli, Oracle Oblix, and RSA Security, among others.

Identity management software generally has a policy server that defines whether or not a user has access to a target application. The policy server saves this information as part of an external user repository. Identity management software typically has a plug-in that sits in front of a Web server or application server and monitors all traffic, so every request to an application on that server passes through the plug-in. To access an application, users must first authenticate themselves with the identity management software and its plug-in and then get authorization from the policy server, which determines whether a given user can access the target application.

For example, before a user can access MicroStrategy Web, the policy server must be told that this user can have access to MicroStrategy Web. Subsequently, when the user makes a request to MicroStrategy Web, the request is intercepted by the identity management application's plug-in, which sits in front of the Web server or application server. The plug-in checks to see whether the user is an authentic user; if not, the plug-in provides a dialog box for the user to provide log-in credentials to the identity management application. The identity management application verifies these credentials, and the policy server is checked to see whether the user is authorized to use (has access to) the target MicroStrategy application. If so, the identity management application's plug-in forwards the user's original request to MicroStrategy Web along with additional information about the user. For the user to be able to access MicroStrategy Web without logging in again, a custom External Security Module must be created that uses the information provided (and verifies it, if necessary) to handle the user's request.

To create a single sign-on environment with an identity management system, you must create a custom External Security Module (ESM) to perform the necessary work. You also need to use a custom ESM if you want to perform other actions during authentication, such as user mapping, usage monitoring, or applying additional authorization criteria.
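The verification and user-mapping steps described above, as an added example that is not MicroStrategy or vendor code: it shows the logic a custom module could apply to the information forwarded by the plug-in before creating a session. The header names, shared key, plug-in address and user map are all assumptions made for this sketch; real products forward user information in their own formats.

```python
import hashlib
import hmac
import time

# Everything below is assumed for illustration: header names, key, address, mapping.
SHARED_KEY = b"constructed-demo-key"        # secret shared by plug-in and module
TRUSTED_PLUGIN_ADDRS = {"192.0.2.10"}       # constructed address of the plug-in host
MAX_AGE_SECONDS = 300                       # reject stale assertions (replay window)
USER_MAP = {"jdoe": "MSTR_jdoe"}            # identity-management user -> application user


def sign(user, issued, key=SHARED_KEY):
    """HMAC-SHA256 over user and issue time, as the hypothetical plug-in would compute it."""
    return hmac.new(key, f"{user}\n{issued}".encode(), hashlib.sha256).hexdigest()


def resolve_user(peer_addr, headers, now=None):
    """Return the mapped application user, or None to force a normal login."""
    now = time.time() if now is None else now
    if peer_addr not in TRUSTED_PLUGIN_ADDRS:
        return None                          # request bypassed the plug-in
    user = headers.get("X-IdM-User", "")
    issued = headers.get("X-IdM-Issued", "")
    sig = headers.get("X-IdM-Signature", "")
    if not user or not (issued.isascii() and issued.isdigit()):
        return None                          # missing or malformed fields
    if not hmac.compare_digest(sign(user, issued).encode(), sig.encode()):
        return None                          # header was altered or forged
    if abs(now - int(issued)) > MAX_AGE_SECONDS:
        return None                          # assertion too old
    return USER_MAP.get(user)                # unmapped users get no session


def demo():
    """Run constructed requests through the check."""
    now = 1_700_000_000
    good = {"X-IdM-User": "jdoe", "X-IdM-Issued": str(now),
            "X-IdM-Signature": sign("jdoe", str(now))}
    forged = dict(good, **{"X-IdM-User": "admin"})
    return {
        "via plug-in": resolve_user("192.0.2.10", good, now),
        "direct to server": resolve_user("203.0.113.9", good, now),
        "edited header": resolve_user("192.0.2.10", forged, now),
        "replayed later": resolve_user("192.0.2.10", good, now + 3600),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the request that arrives from the plug-in with an intact, fresh signature resolves to a user; every other case returns `None`, so the application falls back to its own login instead of trusting the forwarded identity.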

For complete details on your identity management software, including setting up the plug-in on the Web server or application server and defining any policies within the policy server, see the vendor's documentation.