White paper
December 2008
IBM Tivoli Access Manager
for Enterprise Single Sign-On:
An overview
IBM Tivoli Access Manager for Enterprise Single Sign-On: An overview
Contents
Executive summary
The enterprise access challenge
Seamless access to applications
Key features
Comprehensive coverage of enterprise end points
User-centric access tracking
Centralized push deployment with no change to the existing infrastructure
Web-based administration and integration with provisioning solutions
Choice of authentication factors
Customizable end-point IAM framework
Combined physical-logical access
Enterprise single sign-on and access automation
Complete session management
Integrated self-help with loss management
Single sign-on across a variety of user groups
A unified strategy from IBM
For more information
About Tivoli software from IBM
Executive summary
With an increasing number of enterprise applications and access points,
organizations face the challenge of providing convenient access while
ensuring strong security. Enterprises need software to help ensure that the
right users have access to the right information in a timely manner.
IBM Tivoli® Access Manager for Enterprise Single Sign-On is an identity and
access management solution that provides:
● Visibility into user activities.
● Control over business processes and risks.
● Automation of logins, access and security workflows.
This white paper describes Tivoli Access Manager for Enterprise Single
Sign-On, including its key features and benefits.
The enterprise access challenge
As the number of enterprise applications and access points increases,
organizations must manage the trade-off of providing convenient access while
at the same time ensuring strong security. Organizations are looking for a
balance between easy access to information and strong, compliant security.
A secure system raises identity assurance through strong authentication and
provides integrated tracking of user access. It is not sufficient to know that
users are who they say they are; organizations must also know which
applications the users are attempting to access. Enterprises need identity and access management (IAM)
software to help ensure that the right users have access to the right
information in a timely manner.
Figure 1: Tivoli Access Manager for Enterprise Single Sign-On combines single sign-on, strong authentication, session management, access workflow
automation, and audit tracking, with no change to the existing infrastructure.
Tivoli Access Manager for
Enterprise Single Sign-On delivers
a simple and flexible identity and
access management solution,
combining enterprise single sign-on with strong authentication.
Seamless access to applications
Tivoli Access Manager for Enterprise Single Sign-On delivers a simple,
flexible and complete identity and access management solution at the
enterprise end points. It combines enterprise single sign-on with strong
authentication, and audit and compliance services, while integrating
seamlessly with provisioning and directory services, with no change to your
existing infrastructure. Figure 1 provides an overview of the system
architecture.
The central components of Tivoli Access Manager for Enterprise Single
Sign-On are:
● Identity Wallet
● Authentication Factors
● AccessAgent and Plug-ins
● IMS™ Server
AccessAgent implements single sign-on and end-point automation with
extensible Plug-ins, while the IMS Server provides server-managed controls.
Each user has an Identity Wallet, which enables roaming and consolidation of
user identities.
Key features
Tivoli Access Manager for Enterprise Single Sign-On provides the
convenience of securely signing on once and immediately getting access to the
information you need. Tivoli Access Manager for Enterprise Single Sign-On
also provides the following key features.
Visibility into user activities
● Comprehensive coverage of enterprise end points helps ensure a consistent
user experience and end-to-end tracking.
● User-centric access tracking provides a meta-log for compliance reporting.
Control over business processes and risks
● Centralized push deployment with no change to the existing infrastructure
provides easy deployment and helps reduce risk.
● Web-based administration and integration with provisioning solutions
provides centralized identity and access management.
● Choice of authentication factors helps reduce the risk of identity fraud.
● Customizable end-point identity and access automation enables end-point
control without changing the existing IT infrastructure.
Automation of access and security workflows
● Leverage a single badge for both physical and logical access.
● Enterprise single sign-on and access automation help improve user
convenience and productivity.
● Complete session management helps ensure that user workflows are
supported by the right session capabilities.
● Integrated self-help with loss management enables user self-service.
Comprehensive coverage of enterprise end points
Tivoli Access Manager for Enterprise Single Sign-On provides comprehensive
coverage of enterprise end points such as personal and shared workstations,
virtualized remote access terminals (Citrix and Microsoft® Windows®
Terminal Services), Web portals, and extranets. Users can access the corporate
network across all end points more securely and easily. IT managers can
centrally manage and synchronize security policies across end points and
track access events for compliance reporting.
In addition to support for applications running on Windows platforms,
Tivoli Access Manager for Enterprise Single Sign-On supports access to
applications on Citrix MetaFrame servers. AccessAgent provides single sign-on
and sign-off for applications through Citrix ICA Client or Citrix Web Interface.
It can also enable two-factor authentication to applications on Citrix
MetaFrame servers or Windows Terminal Services.
Support for single sign-on to applications on portals and extranets is
provided through Web Workplace. Users need just one password and no
desktop software to remotely log in to applications. Access to Web Workplace