Solution Overview

For customers using on-premise Active Directory and have single sign-on, password reset, and other self service requirements, OnCloud has capabilities to provide seamless integration. In this technote, we’ll discuss how OnCloud leverages the IBM Security suite to provide multiple solutions to this common use case. First, let’s outline the basics.  We’ll take a hypothetical customer who has an on-premise Active Directory that contains their user repository.  This Active Directory server is the domain controller for their Windows workstations and intranet applications, and is the central point of authority for accounts within the company.

The desire is to have a centralized portal, in the cloud, which will offer their employees access to third-party SaaS applications from any location.  The requirements are two-fold:

      1. The account used on the cloud portal must be the same as the account stored in Active Directory – Passwords must be synchronized
      2. The portal must provide Single Sign-On capabilities so that users only need to login once

To achieve this, the OnCloud Portal has implemented the newest version of IBM Security Access Manager (ISAM), which provides seamless integration with Active Directory through a capability called Federated Directories. What makes this solution unique is that, unlike competing solutions, it does not require an adapter to be installed on the customer’s local network. Let’s take a closer look at how IBM Security Access Manager and the OnCloud Portal work together, and integrate with an on-premise Active Directory server.


Scenario 1: OnCloud, VPN, and Active Directory

Minimal DeploymentEvery customer in OnCloud gets a private instance of the ISAM virtual appliance.  During the initial setup a secure and persistent VPN will be established between the customer’s network and the customer’s private enclave within OnCloud’s network.  This will enable ISAM to securely bind to the on-premise Active Directory using purpose-made credentials.

When a user logs in to the OnCloud Portal, ISAM will first check the supplied username and password against it’s Federated Repositories; in this case Active Directory.  Assuming the user is valid, ISAM then retrieves any attributes that are vital to the session and builds a credential in memory.  This credential is stored in the credential cache and used for all authorization and access decisions for the duration of the session.

In this way, OnCloud is able to limit the number of queries to Active Directory, thus reducing access times as well as network traffic on the customer’s directories.  However, at no time is the user’s password ever copied from the Active Directory server or stored within OnCloud.

When a user elects to access one of the partnered SaaS providers, ISAM will pass the cached credential to another IBM Security component within OnCloud called Federated Identity Manager (FIM).  The FIM component is responsible for converting the cached credential into a SAML assertion, which will then be passed to the SaaS provider.  This will allow the SaaS provider to build another credential within their own system and grant the user another session seamlessly.

With that, Single Sign-On has been achieved from Active Directory, through OnCloud, to a third-party service provider. Now let’s extend the use case by adding an extra set of requirements.  In addition to the requirements described above, the customer also desires:

      1. Enforcement of compliance restrictions
      2. Enforcement of internal policies
      3. Automatic correction or notification of non-compliant accounts
      4. Account provisioning from the OnCloud Admin Portal

To accomplish this, OnCloud integrates another component from the IBM Security suite called IBM Security Identity Manager (ISIM).  Although this component does require an adapter to be installed within the Active Directory domain, it provides significant value by facilitating synchronization with the ISIM component.


Scenario 2: ISIM Included

ISIMIn this use case, the customer is able to utilize the OnCloud Portal to easily develop internal account policies.  With these policies in place, whenever a change is made to an account, ISIM will automatically verify the updated account to ensure that it is compliant.  When an account is detected that is non-compliant, several actions can be taken depending on the customer’s desire.

For example, an account can be automatically corrected.  Let’s say a user has an attribute indicating that they are in a customer service role, but permissions have been added to this account that allows them to view confidential accounting data.  If that were to occur, ISIM can automatically deny the change and correct the errant permissions.

There are also options for designating an approver for such a change.  This person will be notified when an account requires a change or becomes non-compliance.  For example, every account in the customer service role could have the customer service manager designated as the account approver.  Additionally, the accounting group permissions could have the accounting manager designated as an approver.  Therefore, to add an accounting permission to a customer service person’s account, both the customer service manager and accounting manager would need to grant approval.

The OnCloud Portal handles all of the notification, recordkeeping, and workflow organization necessary to facilitate these complex approval chains.  Once all of the necessary approvals have been issued, ISIM will automatically update the account and complete the workflow.

By incorporating the ISIM component, OnCloud is also able to offer administrative personnel the ability to provision new accounts to their integrated Active Directory using the OnCloud Portal.  Indeed, the OnCloud Portal gives administrators the flexibility to manage all aspects of the account lifecycle from the cloud.  These actions are synchronized to the on-premise Active Directory immediately via the adapter.


Solution Summary

To summarize, OnCloud Portal easily and efficiently offers Single Sign-On to 3rd party service providers from a centralized portal utilizing accounts stored in an on-premise Active Directory; without the need for an adapter within the domain. With the inclusion of the lightweight adapter, the full value of OnCloud portal can be realized by offering compliance and policy enforcement, and account lifecycle management from any location, to be synchronized with an on-premise Active Directory in real-time.