
1 Understanding the Architecture of Identity Manager 2 (formerly DirXML)
Dave Horne, Engineering Manager, dhorne@novell.com
Steve Weitzeil, Identity Solutions Director, sweitzeil@novell.com

2 © March 9, 2004 Novell Inc. The one Net vision
one Net: Information without boundaries... where the right people are connected with the right information at the right time to make the right decisions.
Novell exteNd (TM), Novell Nsure (TM), Novell Nterprise (TM), Novell Ngage (SM)

3 The one Net vision: Novell Nsure
Novell Nsure solutions take identity management to a whole new level. Novell Nsure gives you the power to control access so you can confidently deliver the right resources to the right people — securely, efficiently, and best of all, affordably.
Novell exteNd (TM), Novell Nsure (TM), Novell Nterprise (TM), Novell Ngage (SM)

4 What is Novell Nsure Identity Manager?
Novell Nsure Identity Manager is a key component of Novell Nsure secure identity management solutions, which enable enterprises to efficiently and securely deliver the right resources to the right people, anytime, anywhere. Novell Nsure Identity Manager 2.0 was formerly known as Novell DirXML (R). Identity Manager is an integrated identity management solution offering combined identity management, provisioning, self-service, password management and auditing capabilities. General Availability: January 2004.

5 Features
Identity Manager offers you the following capabilities:
- User provisioning
- Password management
- User self-service
- Point-and-click customization with Policy Builder
- Role-based Entitlements
- Auditing and reporting
- Corporate address book

6 What are the analysts saying?
Burton Group analyst Gerry Gebel said, "Novell has provided additional capabilities to its existing DirXML product and has positioned itself as a leader in metadirectory-based provisioning solutions. Novell Nsure Identity Manager 2 offers a logical migration path for existing eDirectory (TM) and DirXML customers, and its features and capabilities will also benefit non-Novell customers."

7 What are the analysts saying? (continued; slide content not included in the transcript)

8 Islands of isolated data
(Diagram: unconnected systems, each holding its own copy of identity data: HR, ERP, PBX, Directory, Mail, Operating System, Database.)

9 Sharing data through an identity vault
(Diagram: the same systems, HR, ERP, PBX, Directory, Mail, Operating System and Database, now connected through Identity Manager as the hub.)

10 Authoritative Data Source
Organizations must be given the ability to control the flow of data between applications. Data integrity and security must be maintained. Identity Manager provides a robust solution to customers through the combination of policies, filters and secure connections for controlling and securing data. With Identity Manager, customers can define which application owns which data and which applications that data may be shared with.

11 User Provisioning & Authoritative Data Sources
(Diagram: an HR system acting as the authoritative source publishes EmpId 003456, Name Bobby Doe, Dept Sales and DOB 2/15/1965 into the Identity Vault, where they are stored as Workforce ID, CN, Department and Date of birth. Identity Manager then provisions the same user to the directory (AD) and E-mail systems; the E-mail system in turn owns the address bdoe@ab.com, which is published back to the vault. Each connection is marked "Publisher only" or "Subscriber only" according to which side is authoritative for the data; date formats differ per system, e.g. 2/15/65 and 15.2.1965.)

12 User Provisioning Continued...
(Diagram: the same user; the Dept value in the authoritative HR system changes from Sales to Marketing, the change is published to the Identity Vault's Department attribute and from there subscribed by the connected systems, so Dept becomes Marketing everywhere.)

13 Associations
Associations are used to link an object in a connected system to an object in Identity Manager. The connected system provides a unique object identification scheme, and that identifier is stored on the object within the Identity Vault in Identity Manager. This is referred to as an association. Identity Manager becomes the hub and process that links the object to one or many connected systems. Associations eliminate the need for a single unique ID shared across multiple systems: users can be associated (mapped) regardless of their naming or hierarchical placement.

14 Architectural Overview
(Diagram: an Identity Manager Server hosting the Identity Vault and the DirXML Engine; a DirXML Driver consisting of an App Shim with Policies on a Subscriber Channel and a Publisher Channel; and an Identity Manager Web Server providing the Admin UI, Password Management and Self Service.)

15 Architectural Overview: Single Server Instance
(Diagram: Identity Manager Server with the Identity Vault, the DirXML Engine and the DirXML Driver (App Shim, Subscriber Channel and Publisher Channel policies); the Application runs on the same server.)

16 Architectural Overview: Remote Access
(Diagram: the Identity Manager Server hosts the Identity Vault, the DirXML Engine and the DirXML Driver with its App Shim and channel policies; the Application runs on a separate Application Server and is reached remotely by the shim.)

17 Architectural Overview: Multi Server Remote
(Diagram: as in the previous slide, the Identity Manager Server hosts the Identity Vault, the DirXML Engine and the DirXML Driver with its App Shim and channel policies, while the Application lives on an Application Server.)

18 Architectural Overview: Multi Server Remote (with Remote Loader)
(Diagram: the Identity Manager Server hosts the Identity Vault, the DirXML Engine and the DirXML Driver; on the Application Server, the DirXML Remote Service hosts the DirXML Driver Remote Shim, and the Subscriber Channel and Publisher Channel policies run in the engine.)

19 Identity Vault
The Identity Vault (eDirectory):
- Hosts the meta data
- Is where policy definitions are stored for a particular driver
- Maintains relationships between users and their respective applications
- Is where password policies are defined
- Is where events are generated and propagated to subscribing applications

20 DirXML Engine
- Interface to the identity vault
- Supports the loading of multiple DirXML driver shims
- Guaranteed delivery of events within the identity vault
- Event loop-back detection
- Join engine
- Handles data transformations
- Processes based on filtering
- Policy and XSLT processor

21 DirXML Driver Shim
- XML interface: issues and receives XML documents (Document Object Model)
- Application's native interface: does not require the application to change
- Can be accessed by the engine either locally or remotely

22 Remote Loader
Remote Loader Service:
- Does not have to be running on the same machine as Identity Manager
- Allows for remote communication between the DirXML Engine and Driver Shim
- Engine and Driver Shim may run on different platforms
Remote Loader Console:
- Tool for configuring and maintaining the Remote Loader Service
(Diagram: DirXML Remote Service hosting the DirXML Driver Remote Shim.)

23 Publication and Subscription Channels
Identity Manager is a publish and subscribe technology. Publication and Subscription Channels are viewed from the application's perspective:
- The application publishes data to the identity vault (Publisher Channel)
- The application subscribes to data from the identity vault (Subscriber Channel)

24 Identity Manager Policies
The term "policy" replaces the term "rule" that was used in DirXML 1.x. The following terms are used in conjunction with policies in Novell Nsure Identity Manager 2:
- A policy set is a collection of policies with one control point (for example, the Placement policy set)
- A policy consists of an ordered set of rules
- A rule consists of a set of conditions to be tested and an ordered set of actions to be performed when the conditions are met

25 DirXML Script
- Primary method used to implement policies in Identity Manager
- Replaces the Matching, Create, and Placement Rules found within DirXML 1.x
- Prior non-XSLT rules are converted to DirXML Script at the time the driver is imported
- May be used to define any policy
- Reduces dependence on XSLT style sheets

26 Policy Builder
- Policy Builder is a graphical interface for administering DirXML Script (accessed through an iManager task)
- DirXML Script syntax was designed for use primarily with Policy Builder rather than a traditional XML editor
- Policy Builder enforces valid DirXML scripting, reducing policy/syntax errors
- Policies are created from the items you choose in drop-down menus, which present only the valid options for each circumstance

27 Policy Builder Example: Policy (screen image not included in the transcript)

28 Policy Builder Example: Rule (screen image not included in the transcript)

29 Policy Sets
- Transformation Policies: Input, Output, Event, Command
- Schema Mapping
- Matching
- Creation
- Placement

30 Policy Order
The order in which the engine applies policies is pre-defined. An understanding of the order is critical in ensuring that business logic is implemented appropriately. The policy order can be viewed by opening the driver overview in iManager.

31 Transformation Policies
Used to transform data or events as the information is shared between Identity Manager and the application:
- [Data] Output Transformation: Subscriber Channel
- [Data] Input Transformation: Publisher Channel
- Event Transformation: both channels
- Command Transformation: both channels

32 Schema Mapping Policies
- The Schema Mapping Policy defines the attribute mapping between Identity Manager and the application
- The DirXML driver reads the schema of the connected system
- Attributes must exist in the driver filter in order to be mapped
- The Schema Mapping Policy is linked to the driver object

33 Matching Policies
- Matching policies define the minimum criteria that two objects must meet to be considered the same
- Used to determine if an object in Identity Manager is the same as an object in the application, and to associate (link) those objects with one another
- A combination of attributes can be used to define a matching policy

34 Creation Policies
- The creation policy is responsible for defining the minimum set of attributes that must be present to create an object
- The creation policy can be different for the publication and subscription channels
- Sometimes other business-type policies exist as part of the creation policies, such as group assignment, naming policy, ACL assignments, etc.

35 Placement Policies
- Placement policies determine where new objects are created in the identity vault of Identity Manager and/or the connected application
- If a driver is set up to be bi-directional, a Placement policy is required on both the publication and subscription channels

36 Filter
The filter is used to define and control the object classes and attributes to be synchronized between an application and the identity vault of Identity Manager. In DirXML 1.x the filter was represented in a binary format and was stored separately for each channel. It was only capable of representing an on/off state for each class and attribute.

37 Updates to Filter in 2.0
- Changed from a binary format to XML
- Filter is linked to the driver object, which eliminates the need for a filter on both the publication and subscription channels
- Notify capability: the driver is notified of an attribute but does not synchronize the attribute to the target system. This allows the driver to use the attribute in policies up to the command transformation policy, where the attribute is then filtered out
- Additional controls for: automatic home directory creation, tracking of template members, attribute merge, optimize modify
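The notify behaviour described above, as an added illustration (not Novell's code): a per-attribute filter with sync/notify/ignore flags is applied to a constructed subscriber-channel event, a placement policy reads the notify-only attribute, and the attribute is stripped at the command transformation boundary so it never reaches the driver shim. Class names, attribute names and the sample event are assumptions.

```python
# Added example (not Novell's code): how a 2.0-style per-attribute filter with
# "sync" and "notify" flags shapes a subscriber-channel event. Class names,
# attribute names and the sample event are constructed for illustration.

SYNC, NOTIFY, IGNORE = "sync", "notify", "ignore"

# One filter object per driver, keyed by class then attribute (constructed).
FILTER = {
    "User": {
        "Surname": SYNC,        # synchronized to the connected system
        "Department": NOTIFY,   # visible to policies, never sent to the app
        "Telephone": IGNORE,    # dropped at the filter
    }
}


def apply_filter(event, flt):
    """Filter stage: keep sync and notify attributes, drop everything else.
    Returns None when the event's class is not in the filter at all."""
    rules = flt.get(event["class"])
    if rules is None:
        return None
    kept = {a: v for a, v in event["attrs"].items()
            if rules.get(a, IGNORE) != IGNORE}
    return {**event, "attrs": kept}


def placement_policy(event):
    """A policy that runs before the command transformation may read a
    notify attribute (Department) to decide where the app object goes."""
    dept = event["attrs"].get("Department")
    dest = f"ou={dept},o=app" if dept else "ou=users,o=app"
    return {**event, "dest_dn": dest}


def strip_notify(event, flt):
    """Command transformation boundary: notify attributes are filtered out,
    so only sync attributes reach the driver shim."""
    rules = flt[event["class"]]
    attrs = {a: v for a, v in event["attrs"].items() if rules.get(a) == SYNC}
    return {**event, "attrs": attrs}


def subscriber_channel(event, flt=FILTER):
    """Run one event through filter -> policy -> notify stripping."""
    ev = apply_filter(event, flt)
    if ev is None:
        return None
    return strip_notify(placement_policy(ev), flt)


# Constructed sample event coming out of the Identity Vault.
SAMPLE_EVENT = {
    "class": "User",
    "src_dn": "cn=bdoe,ou=users,o=vault",
    "attrs": {"Surname": "Doe", "Department": "Sales", "Telephone": "555-0100"},
}

if __name__ == "__main__":
    print(subscriber_channel(SAMPLE_EVENT))
```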

38 Filter: Attribute Example (screen image not included in the transcript)

39 Filter: Class Example (screen image not included in the transcript)

40 Novell Nsure Identity Manager 2: New Features
- Simplified Installation
- Password Management
- eGuide White Pages and Self-Service
- Reporting, Logging and Notification
- Role Based Entitlements
- Miscellaneous New Features

41 Simplified Installation
Identity Manager is a distributed product with pieces installed on various systems throughout your network.
- DirXML Server: DirXML Engine, DirXML Service Drivers, Driver Shims, NMAS Components, Nsure Audit Agent
- DirXML Connected Systems Server: DirXML Remote Loader, Remote Loader Configuration Tool, DirXML Driver Shims
- Web-Based Administration Server: DirXML and Password Management plug-ins, eGuide, Driver Configuration Files, end-user password self-service, DirXML Utilities

42 Password Management
Using Identity Manager's Password Management:
- Users can have a common password securely distributed to all of the supported systems in the enterprise
- This common password will conform to enterprise policies for a "well-formed" password
- Users have a way to recover from forgotten passwords without having to call the help desk
Password Management involves the following tasks:
- Password Policy: establishing password policies for your enterprise
- Password Self-service: enabling password self-service so users can recover from forgotten passwords
- Password Distribution: specifying which connected systems will receive the common password
- Password Publication to Identity Manager: identifying the ways the common password can be set

43 Password Management: Password Policies
Administrators specify the properties of a well-formed password, i.e. the password policy. Examples of password properties include:
- Minimum number of characters
- Maximum number of characters
- Required number of lower case characters
- Required number of upper case characters
- Required number of numerals
- May not be a password that was used previously by this user
- May not be a word found in the password exclusion list
- etc.
Conformance to the set of properties is checked before setting the password in the Identity Vault of Identity Manager.
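The conformance check described on this slide, as an added example (not Novell's code): a policy carrying the listed properties is evaluated against a candidate password before the vault record is updated, with the password history kept as salted hashes rather than clear text. The policy values, the exclusion words and the vault record layout are assumptions.

```python
# Added example (not Novell's code): a conformance check for a well-formed
# password, modelled on the property list above, run before the password
# would be set in the Identity Vault. Policy values, exclusion words and the
# vault record layout are constructed for illustration.
import hashlib
import secrets

POLICY = {
    "min_length": 8,
    "max_length": 32,
    "min_lower": 1,
    "min_upper": 1,
    "min_digits": 1,
    "history_size": 3,                         # previous passwords remembered
    "exclusions": {"password", "novell", "welcome"},
}


def pw_digest(password, salt):
    """Salted hash kept in the history list so old passwords are not stored."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def check_password(candidate, policy, history=(), salt=""):
    """Return the names of violated properties; an empty list means conformant."""
    failures = []
    if len(candidate) < policy["min_length"]:
        failures.append("min_length")
    if len(candidate) > policy["max_length"]:
        failures.append("max_length")
    if sum(c.islower() for c in candidate) < policy["min_lower"]:
        failures.append("min_lower")
    if sum(c.isupper() for c in candidate) < policy["min_upper"]:
        failures.append("min_upper")
    if sum(c.isdigit() for c in candidate) < policy["min_digits"]:
        failures.append("min_digits")
    lowered = candidate.lower()
    if any(word in lowered for word in policy["exclusions"]):
        failures.append("exclusion_list")    # excluded word appears anywhere
    recent = list(history)[-policy["history_size"]:]
    if pw_digest(candidate, salt) in recent:
        failures.append("history")
    return failures


def set_vault_password(vault, user, candidate, policy=POLICY):
    """Set the password only if it conforms; returns the failure list."""
    record = vault.setdefault(
        user, {"salt": secrets.token_hex(8), "history": [], "current": None})
    failures = check_password(candidate, policy, record["history"], record["salt"])
    if not failures:
        digest = pw_digest(candidate, record["salt"])
        record["current"] = digest
        record["history"].append(digest)
        record["history"] = record["history"][-policy["history_size"]:]
    return failures


def demo_sequence(user="bdoe"):
    """Set a password, then try to reuse it: the second attempt fails on history."""
    vault = {}
    return (set_vault_password(vault, user, "Sales2004x"),
            set_vault_password(vault, user, "Sales2004x"))
```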

44 Password Management: Password Self-Service
- Administrators configure self-service policies for each user through an iManager task
- Challenge/Response mode: the administrator may turn it on or off, and chooses the challenge questions and related settings
- Possible actions (the first two require Challenge/Response): allow the user to change their password; email the password to the user; email the hint to the user; display the hint on the page
- Users configure their own password hint and responses to the challenge questions using Password Self-service
- The hint is not allowed to contain the password

45 Password Management: Password Distribution
(Diagram: Identity Manager Server with its associated Identity Vault, Identity Manager Web Server, and Connected Systems.)
1. The self-service gadget is used to enter a new password.
2. The password is checked for conformance to policies.
3. The password is set on the user object in the Identity Vault.
4. The password is distributed to associated user objects on connected systems that support subscription to the password attribute.
Connected systems shown: eDirectory, Legacy NDS, Active Directory/Exchange 2000, Windows NT Domains, SAP User Management, Network Information Service (NIS) on Linux, Solaris and other UNIX, GroupWise, Lotus Notes, SunOne, relational databases (Oracle, DB2, Sybase).

46 Password Management: Password Publication to Identity Manager
(Flow recovered from the slide diagram:)
- A user sets a password on a participating system.
- The password is captured and sent securely to the Identity Manager Server.
- Does it conform to the policy?
  - Yes: the password is set on the user object in the Identity Vault and distributed to associated user objects on connected systems that support subscription to the password attribute.
  - No: the password on the participating system is reset to the last "good" password and a failure notice is sent via email.
Participating systems: Active Directory, NT Domains, NIS (Unix), eDirectory.

47 eGuide White Pages and Self Service
eGuide is used to administer the corporate address book and user self-service:
- Look up information on objects in eDirectory or another LDAP repository
- Anonymous mode, or authenticated
- Allows users to modify designated attributes of their user object; modified attributes may be distributed to connected systems
- Quick setup wizard facilitates eGuide configuration
- Organizational chart view with navigation
- Supports photos, etc.
(Diagram: Identity Manager Server with identity vault, Identity Manager Web Server, Connected Systems.)

48 Reporting, Logging and Notification
Identity Manager includes Nsure Audit 1.0.x Lite, the next generation of Reporting and Notification Service (RNS). You can continue to use RNS with Identity Manager until you are ready to upgrade to Nsure Audit.
Reporting:
- Filters may be defined to report on specific events
- Integrates with Crystal Reports
- Export data to Microsoft Excel or a text file
Logging: you can configure which DirXML events are logged:
- Engine events: start/stop driver, engine errors, engine warnings
- Status events: success, error, retry, warning, ...
- Operation events: search, add, modify, remove, etc.
- Transformation events: initial doc, placement, create, etc.
- Events stored in flat file, Syslog, MySQL, Oracle, etc.
Notification:
- Set up conditions
- Specify the notification channel (SMTP, flat file, etc.)

49 Role Based Entitlements
Provides entitlements to users based on their membership in a role.
- Membership determined dynamically or statically: dynamic membership is based on combinations of user attributes; static membership is based on a list of user IDs
- Entitlements include: having an account on a connected system; inclusion in a NOS group; inclusion in an email distribution list
- Entitlements are determined when: a user is added to the Identity Vault either directly or through an authoritative source; attributes related to membership in the role are changed
- Allows automatic discovery of NOS groups and email distribution lists

50 Miscellaneous New Features
- Global Configuration Values
- Resync
- Enhanced Tracing

51 Miscellaneous New Features: Global Configuration Values (GCV)
- Provide a method for adding parameters to a driver
- Can be defined at a driver or driver set level; a driver inherits the driver set GCVs if none are defined at the driver level
- Used with password synchronization, heartbeat, Role Based Entitlements, etc.
- Some default GCVs are delivered with driver configurations
- Created, customized and maintained in one location

52 Miscellaneous New Features: Resync
Identity Manager introduces two new driver resynchronization functions:
- Suppression of the automatic resync when re-enabling a disabled driver
- Specification of a starting time for the search window of a manual resync

53 Miscellaneous New Features: Enhanced Tracing
- Per-driver tracing level can be set individually; trace to a separate file if desired; short nicknames; if no driver-level trace is set, the driver set trace level is used
- Each message is prefixed with an identifier (or create your own):
  - EV: Event Caching System Message
  - ET: Non-driver Specific Engine Message
  - ST: Driver-Specific Subscriber Thread Message
  - PT: Driver-Specific Publisher Thread Message

54 Recommended Deployment
- Establish an Identity Manager Server with its own tree. This tree becomes the Identity Vault for your enterprise. Your NOS tree is distinct and independent of the Identity Vault, and may be supported by an older version of eDirectory. Authoritative source data feeds into the Identity Vault and is distributed to other connected systems as specified in the business policies.
- Use eDirectory 8.7.3 for the Identity Manager Identity Vault. 8.7.3 supports the password management features of Identity Manager; previous versions do not fully support all of the features.
- Establish an Identity Manager Web Server for administration and User Self Service. It can be the same machine that hosts the Identity Manager server, but this is not required. All Identity Manager web-based components (iManager, eGuide, Password self-service) will run on the Web Server. Strongly encourage users to use the Password self-service gadget on this server to manage their own passwords.
- iManager is required to administer Novell Nsure Identity Manager 2.

55 Upgrading Existing DirXML Implementations
A graceful upgrade process:
- New version is backward compatible: drivers can be a mix of old/new; XSLT configuration does not change
- Automatic conversion of XML rules and filters to the new format
- Drivers updated separately from the engine: continue administration of previous versions with existing iManager

56 Upgrading existing DirXML customers
The upgrade consists of...
Laying down new code:
- eDirectory (optional)
- DirXML engine
- iManager
- iManager plugins
- Drivers
Converting into the new format:
- XML rules (now all policy gates can be done via XML, not just convert, placement, matching)
- Filters (all one object, filter for notify vs. sync, merge authority)

57 Question and Answer

58 Appendix
The following slides represent additional technical notes on the product.

59 Building Associations: Subscriber
(Flowchart recovered from the slide:)
- A desired eDirectory event occurs.
- Does this object have an association?
  - YES: modify the app object.
  - NO: apply the matching rule (query the app).
- Number of matches:
  - One: write the association, merge attributes (query eDirectory), modify the app object and modify the eDirectory object.
  - Multiple: error.
  - Zero: apply the create rule.
- Do we have all required attributes?
  - YES: apply the placement rule, mark the association pending, create the app object and write the association.
  - NO: the object is not created.
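The subscriber-side flow above, together with the matching and creation policies from slides 33 and 34, as an added example (not Novell's code): one vault event is processed against a constructed in-memory connected system, exercising the modify, associate, pending and create outcomes and raising an error on multiple matches. The attribute names, matching criteria, required attributes and placement rule are assumptions.

```python
# Added example (not Novell's code): the subscriber-side "building
# associations" flow from the chart, applied to a constructed in-memory
# connected system. Attribute names, the matching criteria, the create rule's
# required attributes and the placement rule are all assumptions.


class MatchError(Exception):
    """Matching rule found more than one candidate object in the application."""


MATCH_ATTRS = ("Email",)                 # matching rule criteria (assumed)
REQUIRED_ATTRS = ("Surname", "Email")    # create rule minimum set (assumed)


def find_matches(attrs, app):
    """Matching rule: query the app for objects equal on every match attribute."""
    return [aid for aid, a in app.items()
            if all(a.get(k) == attrs.get(k) for k in MATCH_ATTRS)]


def placement(attrs):
    """Placement rule: put the new app object under its department."""
    return f"ou={attrs.get('Dept', 'users')},o=app"


def subscribe(dn, attrs, app, assoc):
    """Handle one Identity Vault event for the object `dn`.

    app:   app-id -> attribute dict (the connected system)
    assoc: vault dn -> app-id (the association stored on the vault object)
    Returns the action taken: modify, associate, pending or create.
    """
    if dn in assoc:                                # association exists
        app[assoc[dn]].update(attrs)
        return "modify"
    matches = find_matches(attrs, app)
    if len(matches) > 1:
        raise MatchError(f"{dn}: {len(matches)} matches on {MATCH_ATTRS}")
    if len(matches) == 1:                          # one match: link objects
        aid = matches[0]
        assoc[dn] = aid                            # write association
        app[aid].update(attrs)                     # merge attributes
        return "associate"
    if not all(attrs.get(k) for k in REQUIRED_ATTRS):
        return "pending"                           # create rule not satisfied
    aid = f"A{len(app) + 100}"                     # the app assigns its own id
    app[aid] = {**attrs, "dn": placement(attrs)}   # placement rule, create
    assoc[dn] = aid                                # write association
    return "create"


def is_match_error(dn, attrs, app):
    """True when the matching rule finds more than one candidate."""
    try:
        subscribe(dn, attrs, app, {})
    except MatchError:
        return True
    return False


def demo():
    """Walk the four outcomes on constructed data; returns (steps, app, assoc)."""
    app = {"A100": {"Email": "bdoe@ab.com", "Surname": "Doe", "Dept": "Sales"}}
    assoc = {}
    steps = [
        subscribe("cn=bdoe,o=vault", {"Email": "bdoe@ab.com", "Surname": "Doe"}, app, assoc),
        subscribe("cn=bdoe,o=vault", {"Dept": "Marketing"}, app, assoc),
        subscribe("cn=jroe,o=vault", {"Surname": "Roe"}, app, assoc),
        subscribe("cn=jroe,o=vault", {"Surname": "Roe", "Email": "jroe@ab.com", "Dept": "HR"}, app, assoc),
    ]
    return steps, app, assoc
```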

60 Building Associations: Publisher
(Flowchart recovered from the slide:)
- A desired application event occurs.
- Does this object have an association?
  - YES: modify the eDirectory object.
  - NO: apply the matching rule (query eDirectory).
- Number of matches:
  - One: write the association, merge attributes (query the app), modify the eDirectory object and modify the app object.
  - Multiple: error.
  - Zero: apply the create rule.
- Do we have all required attributes?
  - YES: apply the placement rule, create the eDirectory object and write the association.
  - NO: the object is not created.

61 Policy Processing Order: Subscriber
(Flow through the DirXML Engine, recovered from the slide:)
- Event Cache
- Subscriber Filter
- Convert Event to XML
- Event Transformation
- Does an association exist? NO: Subscriber Add Processor (Matching Rule, Create Rule, Placement Rule); YES: skip to the next step
- Command Transformation
- Schema Mapping
- Output Transformation

62 Policy Processing Order: Publisher
(Flow through the DirXML Engine, recovered from the slide:)
- Input Transformation
- Schema Mapping
- Event Transformation
- Does an association exist? NO: Publisher Add Processor (Matching Rule, Create Rule, Placement Rule); YES: skip to the next step
- Command Transformation
- Publisher Filter
- Convert Event to eDirectory

63 Platform Support for Identity Manager
Novell Nsure Identity Manager 2 Server components and Web-based components are supported on the following platforms:

| Platform                             | Support packs       | eDirectory | iManager |
|--------------------------------------|---------------------|------------|----------|
| Novell NetWare (R) 6                 | SP3                 | 8.7.3      | 2.0.2    |
| Novell NetWare 6.5                   |                     | 8.7.3      | 2.0.2    |
| Microsoft Windows NT 4               | SP6a                | 8.7.3      |          |
| Microsoft Windows 2000               | SP4                 | 8.7.3      | 2.0.2    |
| Red Hat Enterprise Linux AS or ES    | Recommended patches | 8.7.3      | 2.0.2    |
| SuSE Linux Enterprise Server 8       | Recommended patches | 8.7.3      | 2.0.2    |
| Sun Solaris 8                        | Recommended patches | 8.7.3      | 2.0.2    |
| Sun Solaris 9                        | Recommended patches | 8.7.3      | 2.0.2    |

64 Connected Systems

| Connected System Drivers               | NW | Win | Unix |
|----------------------------------------|----|-----|------|
| DirXML Driver 3.0 for Active Directory | N  | Y   | N    |
| DirXML Driver 1.1 for Delimited Text   | Y  | Y   | Y    |
| DirXML Driver 2.0 for eDirectory       | Y  | Y   | Y    |
| DirXML Driver 1.6 for Exchange 5.5     | N  | Y   | N    |
| DirXML Driver 2.1 for GroupWise        | Y  | Y   | N    |
| DirXML Driver 1.6 for JDBC             | Y  | Y   | Y    |
| DirXML Driver 1.6 for LDAP             | Y  | Y   | Y    |
| DirXML Driver 2.0 for Lotus Notes      | N  | Y   | Y    |
| DirXML Driver 2.0 for NIS              | N  | N   | Y    |
| DirXML Driver 3.6 for PeopleSoft       | N  | Y   | N    |
| DirXML Driver 4.0 for PeopleSoft       | N  | Y   | N    |
| DirXML Driver 1.0 for SAP HR           | N  | Y   | Y    |
| DirXML Driver 1.0 for SAP User         | N  | Y   | Y    |
| DirXML Driver 1.0 for SIF              | Y  | Y   | N    |
| DirXML Driver 1.4 for Windows NT 4     | N  | Y   | N    |

| Service Drivers             | NW | Win | Unix |
|-----------------------------|----|-----|------|
| Move Proxy Service Driver   | Y  | Y   | Y    |
| Entitlements Service Driver | Y  | Y   | Y    |
| Manual Task Service Driver  | Y  | Y   | Y    |


66 Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
