Integration between IBM Security Access Manager (ISAM), now IBM Security Verify Access, and IBM Cloud Identity (CI), now IBM Security Verify Workforce, for IAM
Introduction
One of the biggest problems for organizations moving to the cloud or adopting digitalization is how to manage identities. Organizations have Active Directory, users, groups and entitlements set up on-premise, and during the new phase, taking on the load of migrating all of this seems to be a big challenge, especially when older enterprise applications are running on many different infrastructures.
Some of the questions organizations have while integrating cloud applications, and how to solve them:
- Is there a way I can move all my users to the cloud applications without changing anything in the current AD?
- How can employees access SaaS applications using the same authentication they use for access to on-premise applications?
- How can users, groups and entitlements be replicated seamlessly for the cloud-based applications?
In this paper, we would like to highlight some of the benefits of integrating the on-premise IAM solution, i.e. ISAM, with Cloud Identity, which is a cloud-based IAM solution.
Context Setting
IBM Security Access Manager helps you simplify your users' access while more securely adopting web, mobile, IoT and cloud technologies. It can be deployed on-premises, in a virtual or hardware appliance or containerized with Docker. ISAM helps strike a balance between usability and security through the use of risk-based access, single sign-on, integrated access management control, identity federation and mobile multi-factor authentication.
IBM Cloud Identity helps secure user productivity with cloud-delivered Single Sign-On (SSO), multifactor authentication, and lifecycle management. It comes with thousands of pre-built connectors to help you quickly provide access to popular SaaS apps and pre-built templates to help integrate in-house apps.
IBM has come up with an integration between the on-premise IBM Security Access Manager and the cloud-based IAM solution IBM Cloud Identity.
The integration can be leveraged by any organization that:
- wishes to use cloud-based or custom applications;
- already has ISAM implemented on-premise in its current environment.
The two products, ISAM and Cloud Identity, can now co-exist and speak to each other. The integration takes identity management to the next level by providing a hybrid identity across the on-premise and cloud IAM solutions. The integration can be leveraged with IBM Security Access Manager V9.0.3.1 and above; ISAM version 9.0.3.1 and above has the "Connect to Cloud Identity" mega menu.
Use Case
- Jessica Jones is a member of the sales department and has access to the order management application.
- Jacob Jackson is the ISAM administrator; he also has access to the order management application and is a member of the administrator group.
- Scott Smith is a Cloud Identity Connect (CIC) administrator; he expects his administrator privileges to be present when he logs in to Cloud Identity Connect.
- The organization is planning to onboard a new order management application that is hosted in the cloud and supports newer technologies.
- Jacob reaches out to Scott's team to check whether any integration is available between ISAM and Cloud Identity.
- Scott mentions that a connector is available between ISAM, which they currently use for identity and access management, and Cloud Identity, which supports newer technologies such as OIDC and SAML 2.0.
- Scott reaches out to Jacob to share this information.
- Jacob (the ISAM administrator) wants seamless access to the application for all users.
- Jacob has two main requirements:
  - ISAM (Active Directory) group membership that Cloud Identity can leverage to authorize users
  - all entitlement information to be maintained in ISAM
  - corporate users have seamless access to both the older enterprise applications and the newer SaaS applications
  - all applications are protected with a single set of authentication factors and policies
- Scott explains to Jacob that by using ISAM with the Reverse Proxy (WebSEAL), seamless integration is possible with IBM Cloud Identity Connect. Also, any changes made within Active Directory or ISAM are automatically reflected in CIC. All enterprise users' access to cloud applications
- Jacob uses the integration capability between ISAM and CIC, and all users are seamlessly lifted and shifted to CIC with access to all the enterprise applications and the relevant entitlements.
- Jacob can use the single-click option to establish a connection from on-premises ISAM to IBM's Cloud Identity platform.
Architecture
The architecture includes three major components: IBM ISAM, IBM Cloud Identity and the Reverse Proxy (WebSEAL). IBM ISAM is used for identity management of the organization's users and for providing the entitlement and group details associated with each user. Cloud Identity is used as the Service Provider through which users access all the applications with seamless Single Sign-On (SSO), and the Reverse Proxy/WebSEAL acts as the communication channel between these two components.
Access Manager has strong integrations with Cloud Identity to support hybrid Access Management patterns.
Implementation Steps
The below diagram represents the flow of the execution of the use-case. The steps involved are explained below.
For the Administrators
- All enterprise accounts, users and entitlements are managed by ISAM, which manages the corporate directories.
- In ISAM, configure the Federation runtime environment for the Reverse Proxy/WebSEAL.
- Once the reverse proxy is set up, enable IBM Cloud Identity Connect from the management pane.
- The integration asserts identity information from the corporate directories to Cloud Identity.
- Complete authentication as an admin user in the Cloud Identity tenant (abc.ice.ibmcloud.com).
- Access Manager then contacts the Cloud Identity tenant and sets up an API Access (OAuth) client, which is then used to create new Authentication and Authentication Policies.
- We can configure the mapping-rule attributes so that the current users are mapped and can log in to CIC.
- The following attributes should be configured in ISAM for the mapping rules:
  - saas_userid = <ISAM userID>@<tenantid>.ice.ibmcloud.ibm.com
  - email (extracted from the ISAM user description)
  - mobile_number (extracted from the ISAM user description)
  - given_name (CN from the ISAM user)
  - family_name (SN from the ISAM user)
  - displayName = <given_name> <family_name>
- The mapping rules configured in ISAM map the identities to the Cloud Identity tenant.
- Now we can use ISAM Connect to initiate SSO from the Access Manager system.
- Once users from the different ISAM groups log in to CIC, their access and entitlements are recognised automatically.
- The Cloud Identity administrator can access the configuration and make further changes based on the organisation's needs.
- As an advanced step, Cloud Identity Adaptive Access can be enabled for the hybrid integration (ISAM + CI + CAA), which performs context-based risk analysis for access management decisions.
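As an added example, not code from the original article or from ISAM itself (ISAM federation mapping rules are written in JavaScript, but the STSUU API they use is not reproduced here), the function below builds the attribute set listed in the mapping-rule step from an ISAM user record. It assumes a constructed convention that the ISAM user description holds `email=<addr>; mobile=<number>`, and uses the tenant host `abc.ice.ibmcloud.com` from the steps above; the sample user record is constructed.

```javascript
// Added illustration of the attribute mapping described on the page; not ISAM's
// own mapping-rule code. The "email=...; mobile=..." layout of the ISAM
// description field is an assumed convention for this example.

// Parse "key=value; key=value" pairs out of the ISAM description field.
function parseDescription(description) {
  const fields = {};
  if (typeof description !== "string") return fields;
  for (const part of description.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const key = part.slice(0, idx).trim().toLowerCase();
    const value = part.slice(idx + 1).trim();
    if (key && value) fields[key] = value;
  }
  return fields;
}

// Map one ISAM user record to the Cloud Identity attributes listed on the page:
// saas_userid, email, mobile_number, given_name, family_name, displayName.
// tenantHost is the tenant's host name, e.g. "abc.ice.ibmcloud.com".
function mapIsamUser(isamUser, tenantHost) {
  if (!isamUser || !isamUser.userId) {
    throw new Error("ISAM user id is required to build saas_userid");
  }
  const desc = parseDescription(isamUser.description);
  const givenName = (isamUser.cn || "").trim(); // page: given_name = CN
  const familyName = (isamUser.sn || "").trim(); // page: family_name = SN
  const attrs = {
    saas_userid: `${isamUser.userId}@${tenantHost}`,
    given_name: givenName,
    family_name: familyName,
    displayName: `${givenName} ${familyName}`.trim(),
  };
  // Optional attributes are only emitted when the directory actually holds
  // them, so the tenant never receives an empty string as an e-mail address.
  if (desc.email) attrs.email = desc.email.toLowerCase();
  if (desc.mobile) attrs.mobile_number = desc.mobile.replace(/[\s-]/g, "");
  return attrs;
}

// Constructed sample record for the page's user Jessica Jones.
const SAMPLE_ISAM_USER = {
  userId: "jjones",
  cn: "Jessica",
  sn: "Jones",
  description: "email=Jessica.Jones@example.com; mobile=+1 555-0100",
};
```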
For the Users
- Users just need to navigate to the tenant URL https://<yourtenantid>.ice.ibmcloud.com and provide their credentials; they are then logged in to both the internal applications and the cloud-based applications through CI.
- Users can access all the applications from one dashboard.
- All the access policies and entitlements for the applications are applied through Single Sign-On.
Demo Video:
Conclusion
With this integration in place, we can enable Access Manager as the Identity Provider and Cloud Identity as the Service Provider. All enterprise users can authenticate to Access Manager to access cloud applications. It can also be used to protect enterprise applications, giving a single point of control.
Resources
Knowledge Centre URL for the Integration and configuration:
https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.6/com.ibm.isam.doc/landing/configuring_ici_connect_landing.html
https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/concepts/c_isam_identity_provider.html
Vandana Verma Sehgal, Security Solutions Architect