Chapter 1 Introduction
Entegrity AssureAccess® provides policy-based access to data and applications. The access restriction is fully configurable using administrator-created policies that determine the precise circumstances under which access to resources is allowed and whether access attempts and other events should be documented.
AssureAccess includes a set of services and Application Program Interfaces (APIs) that allow administrators to implement, view, and control access to Web, J2EE, CORBA®, and custom (application-defined) resources.
Scalability
AssureAccess readily scales to expanding demand without performance degradation. The primary processes of access management, authentication, administration, and audit can be placed on separate servers to minimize user wait time. Authentication and Audit servers can be replicated and clustered to support increasing traffic. Fail-over of servers is configurable and automatic.
Single Sign-On
Users gain secure access to resources based on a single authentication. Single sign-on is provided in both single-domain and cross-domain environments.
Java-based
AssureAccess is written in Java and is fully J2EE-compliant. It supports any LDAP-enabled directory server compliant with LDAP Version 3 and explicitly supports iPlanet Directory Server, Active Directory, OpenLDAP, Oracle Internet Directory (OID), and OctetString.
Application-centric
AssureAccess secures objects at the application server level. Security is not hard-coded into applications and changes to business rules on the server do not require re-coding security policies.
Policy-based
AssureAccess features fully dynamic policies that allow customized business rules to govern authentication, authorization, audit, and administration. A hierarchical framework is employed for maintaining relationships between and among policies.
AssureAccess supports Microsoft Windows® 2000, Windows NT Server, Sun Solaris, and Red Hat Linux® operating systems. For more information, see Chapter 1 of the AssureAccess Installation Guide.
Policy-based authorization control ensures that only authorized access to resources is allowed. Authorization policies provide a great deal of flexibility in setting access requirements.
For example, an Authorization policy can:
AssureAccess allows you to employ one or more of the following authentication methods:
LDAP
AssureAccess can access user and group data from any LDAP V3 directory and has been tested against iPlanet Directory Server 4.1 and 5.0, OctetString, OpenLDAP 2.0.23, Oracle Internet Directory, Siemens DirX 6.0 Meta Directory, and Microsoft Active Directory.
JDBC-Compliant Databases
AssureAccess can retrieve user authentication and authorization information from any JDBC-accessible database.
Forms-Based Login
Adapters can serve forms-based login pages customized by authentication provider and other configurations. AssureAccess provides templates that can be modified for local environments.
PKI
AssureAccess supports PKI client-side certificates for authenticating users in Web, J2EE, and CORBA environments.
Windows
AssureAccess integrates with the standard login features of Windows to provide username and password login within a Windows domain. After a user is authenticated, AssureAccess provides standard user and group attributes for Windows.
Custom
Developers can use the AssureAccess API to implement custom authentication methods or integrate with those not natively supported by AssureAccess.
DCE
The DCE User Repository Connector (URC) is a separately orderable software component that allows AssureAccess to retrieve user authentication and authorization information from the DCE Security Server.
Policy-based auditing controls log state and operational information about any authentication and authorization action performed on behalf of a user. The location and number of audit logs is configurable.
AssureAccess includes the following administration-related features:
Policy-based Delegated Administration
A hierarchical domain structure within the LDAP directory is used to manage policies, authentication providers, and configurations. Administration policies are used to delegate administrative rights to domains. Administrators see only the domains they are allowed to administer.
Central Policy Store
AssureAccess policies are stored in a central LDAP directory. Authorized administrators can view policies for the entire system (within the constraints of the administrative domains) and easily update policies (even for running servers).
Graphical Management Console
Administrators can remotely access the LDAP policy store using the Management Console. The Management Console uses the Management Console Server for a secured connection to LDAP and other services. Because the Management Console is a Java Swing-based client, it is portable, running on any platform that has the appropriate version of the Java runtime installed.
Central Configurations
Server bindings and other central configuration information required by local AssureAccess components provide a single consistent security infrastructure across all applications and environments.
Replication
All AssureAccess servers can be replicated for backup or failover.
AssureAccess supports development environments with the following features:
Full-featured APIs
The AssureAccess Application Program Interface (API) is the collective name for the APIs that provide full programmatic access to all the features of the AssureAccess product.
Developers Guide
AssureAccess comes with the Developers Guide to the AssureAccess API that illustrates how to use the AssureAccess APIs.
Forms-based Logon and User Self-Registration
Using a Web scripting language and a standard HTML form, you can use the AssureAccess API to authenticate users or allow them to self-register.
Support for Web, J2EE, and CORBA applications
AssureAccess provides packaged support for Web, J2EE, and CORBA applications. Developers can create custom adapters using the AssureAccess API.
COM Adapter
AssureAccess provides a Component Object Model (COM) adapter that allows ASP developers access to AssureAccess functionality from scripts.
AssureAccess supports single sign-on (SSO) such that each user authenticates with an AssureAccess-secured application server only once. The user is not challenged again during the same user session. Single sign-on is supported in either single-DNS domain or cross-domain (CDSSO) environments.
Single DNS Domain SSO
Once a user authenticates, the user is not challenged again when requesting access to resources in the same DNS domain.
Cross-Domain SSO
Users receive access to secured resources in different DNS domains based on a single authentication. This is accomplished by communicating proof of the user's authentication using an implementation of the Browser/Artifact Profile of SAML.
SAML-Based CDSSO is supported on web-based applications running on J2EE application servers and Apache 2.0.x web servers. See the AssureAccess Administration and Configuration Guide for more information.
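The cross-domain exchange described above, modeled as an added example (this is not AssureAccess or Entegrity code): a source site in one DNS domain issues a short-lived, single-use artifact that the browser carries to a destination site in another domain, and the destination resolves the artifact into an assertion over a direct back channel between the two sites, so the assertion itself never passes through the browser. Domain names, lifetimes and the assertion fields are assumptions made for illustration.

```python
"""Simulation of the SAML Browser/Artifact profile used for CDSSO.

Added example, not AssureAccess code. Two sites in different DNS domains:
the user authenticates at SOURCE, then follows a link to DESTINATION.
Proof of authentication travels as an opaque artifact in the browser
redirect (the profile's SAMLart query parameter); the assertion is
fetched over a direct back channel and is never exposed to the browser.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ARTIFACT_TTL_SECONDS = 60     # assumption: unresolved artifacts die quickly
ASSERTION_LIFETIME_SECONDS = 300  # assumption: validity window of the assertion


@dataclass
class Assertion:
    subject: str
    issuer: str
    audience: str        # the destination this assertion was minted for
    auth_method: str
    issued_at: float
    valid_until: float


@dataclass
class SourceSite:
    """Site where the user originally authenticated (artifact issuer)."""
    domain: str
    # pending artifacts: artifact handle -> (assertion, creation time)
    _pending: Dict[str, Tuple[Assertion, float]] = field(default_factory=dict)

    def issue_artifact(self, subject: str, auth_method: str, destination: str) -> str:
        now = time.time()
        assertion = Assertion(subject=subject, issuer=self.domain, audience=destination,
                              auth_method=auth_method, issued_at=now,
                              valid_until=now + ASSERTION_LIFETIME_SECONDS)
        artifact = secrets.token_urlsafe(20)   # 160-bit unguessable handle
        self._pending[artifact] = (assertion, now)
        return artifact

    def resolve_artifact(self, artifact: str, requester: str) -> Optional[Assertion]:
        """Back-channel resolution: single use, expiring, bound to the requester.

        In a deployment the requester identity comes from the back-channel
        connection (assumption: mutual TLS or an authenticated request)."""
        entry = self._pending.pop(artifact, None)   # pop => one-shot
        if entry is None:
            return None
        assertion, created = entry
        if time.time() - created > ARTIFACT_TTL_SECONDS:
            return None
        if assertion.audience != requester:
            return None
        return assertion


@dataclass
class DestinationSite:
    domain: str
    trusted_issuers: Set[str]
    sessions: Dict[str, str] = field(default_factory=dict)   # session id -> subject

    def consume_redirect(self, source: SourceSite, artifact: str) -> Optional[str]:
        """Handle the browser arriving with the artifact; returns a local session id."""
        if source.domain not in self.trusted_issuers:
            return None
        assertion = source.resolve_artifact(artifact, requester=self.domain)
        if assertion is None:
            return None
        now = time.time()
        # The destination re-checks issuer, audience and validity window itself
        # rather than relying on the resolver alone.
        if not (assertion.issued_at <= now <= assertion.valid_until):
            return None
        if assertion.audience != self.domain or assertion.issuer not in self.trusted_issuers:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = assertion.subject
        return session_id


def demo():
    """Constructed run: one successful hand-off, then a replay of the same artifact."""
    source = SourceSite(domain="intranet.example.com")
    dest = DestinationSite(domain="partner.example.net",
                           trusted_issuers={"intranet.example.com"})
    artifact = source.issue_artifact("alice", "forms-login", destination=dest.domain)
    first = dest.consume_redirect(source, artifact)
    replay = dest.consume_redirect(source, artifact)   # same artifact presented again
    return first, replay, dest.sessions.get(first)


if __name__ == "__main__":
    print(demo())
```

The replay returns None because the resolver pops the artifact on first use; an artifact minted for a different audience, or presented to a destination that does not trust the issuer, is likewise rejected.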
AssureAccess includes the Universal Java Plug-in for rapid implementation of security on fully-deployed J2EE applications running on WebLogic™ Server 6.0, 6.1 and WebSphere 4.0.
Using Tangosol™ technology, AssureAccess security calls are inserted directly into application resources without requiring modification and recompilation of the code. Once the security calls are inserted, policies can be directly assigned to EJB methods, servlets, and JSPs. The process can be managed entirely through the Management Console.
AssureAccess implements the Authentication, Authorization, Audit, and Role Mapper security service provider interfaces (SSPIs) on BEA WebLogic Server 7.0. This allows you to "plug in" AssureAccess as the WLS security provider for applications hosted on the server.
AssureAccess supports other important features:
AssureAccess Servlet Filter
The Servlet filter provides 'bolt-on' access control of web-based resources in the servlet container of J2EE application servers.
JSP Tag Library
Allows developers to integrate AssureAccess authentication, authorization, and user attribute tests into JSP applications using a simple tag syntax.
Web Personalization
Based on authentication and authorization policies, you can present Web pages with content tailored to the user. For example, you might exclude certain sections of a common page if the user does not have authorization to see those sections.
Virtual Web Servers
AssureAccess supports virtual servers on Microsoft Internet Information System (IIS) and iPlanet 6.0.
J2EE Application Servers
AssureAccess provides secure authentication, access, and audit on BEA WebLogic Server and other J2EE application servers.
Policy Push
Policy Push allows administrators to immediately update the policy caches on local machines without a shutdown/restart of adapters.
Authentication Strength
Within AssureAccess, authentication providers can be assigned an authentication strength level. Access to resources can then be set to require the user to be authenticated with an authentication provider that meets or exceeds a specified authentication strength.
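An added example (not AssureAccess code) that ties together the hierarchical policy framework described earlier, policy-based authorization, policy-based auditing, and the authentication strength requirement above: resource policies are arranged by path so that a resource without its own policy inherits the nearest ancestor's, each authentication provider carries a strength level, and a policy can demand a minimum strength on top of group membership. Every decision is recorded. The provider names, strength values, path layout and group names are assumptions made for illustration.

```python
"""Hierarchical authorization policy with an authentication-strength requirement.

Added example, not AssureAccess code. Provider strengths, group names and
the resource paths below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Assumed strength assignments for authentication providers: higher is stronger.
PROVIDER_STRENGTH: Dict[str, int] = {
    "forms-password": 1,
    "windows-domain": 2,
    "pki-certificate": 3,
}


@dataclass(frozen=True)
class Policy:
    allowed_groups: FrozenSet[str]
    min_auth_strength: int = 1


@dataclass
class User:
    name: str
    groups: FrozenSet[str]
    auth_provider: str

    @property
    def auth_strength(self) -> int:
        # An unknown provider counts as the weakest possible authentication.
        return PROVIDER_STRENGTH.get(self.auth_provider, 0)


@dataclass
class PolicyStore:
    """Policies keyed by resource path; lookup walks from the resource toward the root."""
    policies: Dict[str, Policy] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def effective_policy(self, resource: str) -> Optional[Policy]:
        node = resource.rstrip("/") or "/"
        while True:
            if node in self.policies:
                return self.policies[node]       # nearest ancestor policy applies
            if node == "/":
                return None
            node = node.rsplit("/", 1)[0] or "/"

    def authorize(self, user: User, resource: str) -> bool:
        policy = self.effective_policy(resource)
        if policy is None:
            allowed, reason = False, "deny: no policy"   # default deny
        elif not (user.groups & policy.allowed_groups):
            allowed, reason = False, "deny: group"
        elif user.auth_strength < policy.min_auth_strength:
            allowed, reason = False, (
                f"deny: strength {user.auth_strength} < {policy.min_auth_strength}")
        else:
            allowed, reason = True, "allow"
        # Policy-based audit: one record per decision, allow or deny.
        self.audit_log.append(
            f"{user.name} {resource} via {user.auth_provider}: {reason}")
        return allowed


def demo():
    """Constructed policy tree: /app open to staff; /app/admin needs admins + certificate."""
    store = PolicyStore(policies={
        "/app": Policy(allowed_groups=frozenset({"staff", "admins"}), min_auth_strength=1),
        "/app/admin": Policy(allowed_groups=frozenset({"admins"}), min_auth_strength=3),
    })
    alice = User("alice", frozenset({"staff"}), "forms-password")
    bob_pw = User("bob", frozenset({"admins"}), "windows-domain")
    bob_cert = User("bob", frozenset({"admins"}), "pki-certificate")
    results = {
        "alice_reports": store.authorize(alice, "/app/reports/q1"),      # inherits /app
        "alice_admin": store.authorize(alice, "/app/admin/users"),       # wrong group
        "bob_pw_admin": store.authorize(bob_pw, "/app/admin/users"),     # strength 2 < 3
        "bob_cert_admin": store.authorize(bob_cert, "/app/admin/users"), # meets strength
        "alice_elsewhere": store.authorize(alice, "/other"),             # no policy
    }
    return store, results


if __name__ == "__main__":
    store, results = demo()
    print(results)
    print("\n".join(store.audit_log))
```

Bob's Windows-domain login is refused on the admin subtree even though his group matches, because the subtree's policy requires a provider of strength 3; his certificate login satisfies it. The default-deny branch for an unconfigured subtree is a deliberate choice for the example.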
Forced User Logout
Forced User Logout allows an administrator to forcibly log out specific users via the Management Console. When the administrator performs Forced User Logout, the system purges all Attribute Certificates for specified users from all Adapters' local caches and from the global cache.
Custom HTTP Headers
Custom request headers can be used to transfer user attributes over HTTP. The local Web adapter configuration is set to obtain specific information and add it to the incoming HTTP request as a custom header.
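An added example (not AssureAccess code) of the header population described above, written from the adapter's side. The header names and the attribute-to-header mapping are assumptions. The check a practitioner wants to see is that any inbound header in the adapter's reserved namespace is discarded before the adapter adds its own, so that attribute headers reaching the application always originate from the adapter and not from the caller.

```python
"""Populating custom request headers from authenticated user attributes.

Added example, not AssureAccess code. The "X-User-" namespace and the
HEADER_MAPPING below are assumptions standing in for a local adapter
configuration.
"""
from typing import Dict, List, Tuple

TRUSTED_PREFIX = "x-user-"   # assumed reserved namespace, compared case-insensitively

# Assumed adapter configuration: which session attribute goes into which header.
HEADER_MAPPING = {
    "uid": "X-User-Id",
    "groups": "X-User-Groups",
    "auth_provider": "X-User-Auth-Provider",
}

Header = Tuple[str, str]


def strip_reserved_headers(headers: List[Header]) -> List[Header]:
    """Drop every inbound header that lives in the adapter's reserved namespace."""
    return [(n, v) for n, v in headers if not n.lower().startswith(TRUSTED_PREFIX)]


def add_user_headers(headers: List[Header], attributes: Dict[str, object]) -> List[Header]:
    """Return the request headers with attribute headers derived from the session.

    Inbound reserved headers are removed first so the application only ever
    sees values the adapter itself set."""
    out = strip_reserved_headers(headers)
    for attr, header_name in HEADER_MAPPING.items():
        if attr not in attributes:
            continue
        value = attributes[attr]
        if isinstance(value, (list, tuple, set, frozenset)):
            value = ",".join(sorted(str(v) for v in value))
        # Never let CR/LF from an attribute value break the header block.
        value = str(value).replace("\r", "").replace("\n", "")
        out.append((header_name, value))
    return out


def headers_as_dict(headers: List[Header]) -> Dict[str, str]:
    """Lower-cased name -> value view, convenient for assertions and lookups."""
    return {n.lower(): v for n, v in headers}


def demo() -> Dict[str, str]:
    """Constructed inbound request in which the caller tries to claim admin attributes."""
    inbound = [
        ("Host", "app.example.com"),
        ("X-User-Id", "root"),          # forged by the caller
        ("x-user-groups", "admins"),    # forged, different letter case
        ("Accept", "text/html"),
    ]
    session_attributes = {
        "uid": "alice",
        "groups": {"staff", "sales"},
        "auth_provider": "forms-password",
    }
    return headers_as_dict(add_user_headers(inbound, session_attributes))


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On the application side the same rule applies in reverse: the attribute headers are only meaningful when the request is known to have passed through the adapter, which is why the adapter sits in front of the server rather than beside it.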
Logout URI
The Logout URI provides a logout function on secured servers and allows administrators to implement a user-initiated logout function.
Copyright © 2000-2003 Entegrity Solutions Corporation