
Cloud Access Manager 8.1.2 - Security and Best Practice Guide

Unproxied form-fill

For certain applications where credentials are captured using a login form, you can configure Dell™ One Identity Cloud Access Manager to automate sign-on to the application without proxying it. In this case Cloud Access Manager sends the login request directly to the application with your username and password inserted.

The advantages of this compared to proxied form-fill are:

The potential disadvantages are:

Using a reverse proxy or load balancer with Cloud Access Manager

If you use a reverse proxy server or load balancer in front of Dell One Identity Cloud Access Manager, you must ensure that all headers required by Cloud Access Manager are preserved at all times. Cloud Access Manager injects JavaScript into application pages to manage session idle timeout and, at the same time, sets no-cache headers on the response. It is essential that these no-cache headers reach the browser unchanged for Cloud Access Manager to function as designed. Removing or rewriting the no-cache headers may cause session management issues, for example when a user uses the Back button in their browser.
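To verify that a proxy or load balancer is not stripping or rewriting the cache headers, the following check (added here as an example, not part of the product or this guide) inspects a response's headers and reports any missing no-cache directives, and lists which headers differ between the backend's response and the proxied one. The required directive set and the sample headers are constructed assumptions; compare against what your Cloud Access Manager backend actually emits.

```python
import sys
import urllib.request
from typing import Dict, List

# Cache directives assumed, for this example, to be the ones that must survive
# the proxy. Compare with the headers your backend really returns.
REQUIRED_CACHE_DIRECTIVES = ("no-cache", "no-store")


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'no-cache, max-age=0' into {'no-cache': '', 'max-age': '0'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip()
    return directives


def check_no_cache_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the response is acceptable."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems: List[str] = []
    cc = lower.get("cache-control")
    if cc is None:
        problems.append("Cache-Control header missing")
    else:
        directives = parse_cache_control(cc)
        for required in REQUIRED_CACHE_DIRECTIVES:
            if required not in directives:
                problems.append(f"Cache-Control lacks '{required}'")
        # A positive max-age or 'public' lets a browser or intermediary serve a stale page,
        # which is exactly the Back-button problem the guide describes.
        if directives.get("max-age", "0") != "0":
            problems.append(f"Cache-Control allows caching: max-age={directives['max-age']}")
        if "public" in directives:
            problems.append("Cache-Control marks the response 'public'")
    if lower.get("pragma", "").strip().lower() != "no-cache":
        problems.append("Pragma: no-cache missing (HTTP/1.0 caches ignore Cache-Control)")
    return problems


def dropped_or_changed(upstream: Dict[str, str], proxied: Dict[str, str]) -> List[str]:
    """Names (lower-cased) of headers the proxy removed or rewrote."""
    up = {k.lower(): v.strip() for k, v in upstream.items()}
    pr = {k.lower(): v.strip() for k, v in proxied.items()}
    return sorted(name for name, value in up.items() if pr.get(name) != value)


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch a URL and return its response headers (network access; only used from main)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample headers, not captured from a real deployment.
UPSTREAM_SAMPLE = {
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "-1",
    "Content-Type": "text/html; charset=utf-8",
}
# What a proxy that overrides the backend's cache policy might return.
PROXIED_SAMPLE = {
    "Cache-Control": "public, max-age=3600",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    # Pass two URLs (backend, then proxy) to compare live responses; otherwise use the samples.
    if len(sys.argv) == 3:
        upstream, proxied = fetch_headers(sys.argv[1]), fetch_headers(sys.argv[2])
    else:
        upstream, proxied = UPSTREAM_SAMPLE, PROXIED_SAMPLE
    for label, hdrs in (("backend", upstream), ("via proxy", proxied)):
        print(f"{label}: {check_no_cache_headers(hdrs) or 'OK'}")
    print("dropped or changed by proxy:", dropped_or_changed(upstream, proxied))
```

Run it against a page served straight from the backend and the same page through the proxy; any name in the "dropped or changed" list is a header the proxy configuration needs to pass through untouched.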

Security

To support Single Sign-On (SSO) to non-federated web applications, Dell™ One Identity Cloud Access Manager saves your application passwords, encrypted, in a table within the configuration database. The passwords are encrypted with AES-128-CBC, using a key derived from a combination of the user ID and the shared secret that you specify during Cloud Access Manager installation.

For SSO to federated SAML and WS-Federation applications, Cloud Access Manager stores signing certificates in its configuration database along with their associated private keys. The private key associated with each signing certificate is encrypted with AES-128-CBC using a key derived from the shared secret.

To allow you to authenticate to Cloud Access Manager with your existing corporate credentials through Cloud Access Manager's built-in Security Token Service (STS), Cloud Access Manager must make an authenticated connection to an Active Directory® or Lightweight Directory Access Protocol (LDAP) compliant directory. The credentials used to establish this authenticated connection are also stored in the configuration database and are encrypted with AES-128-CBC using a key derived from the shared secret.
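The three paragraphs above describe one key hierarchy: everything in the configuration database is wrapped under AES-128 keys that come from the installation shared secret, with the user ID mixed in for application passwords. The guide does not say which key derivation function the product uses, so the following illustration (added here; it is not product code) uses PBKDF2-HMAC-SHA256 from the Python standard library as an assumed construction, with a purpose label per store so that the three key types cannot collide. It also shows a key check value, an assumed operational aid, that lets an operator detect a wrong shared secret at startup without attempting to decrypt stored data. The AES-CBC step itself is left to a library such as `cryptography` and is not performed here.

```python
import hashlib
import hmac
import os
from typing import Iterable

AES128_KEY_BYTES = 16          # AES-128-CBC key length named in the guide
CBC_IV_BYTES = 16              # AES block size; CBC needs a fresh random IV per encryption
PBKDF2_ITERATIONS = 100_000    # assumed parameter; the product's KDF is not documented on this page


def derive_key(shared_secret: str, purpose: str, user_id: str = "") -> bytes:
    """Derive a 16-byte AES-128 key from the shared secret (assumed construction).

    `purpose` separates the three stores the guide lists; `user_id` is mixed in
    only for the per-user application-password key. Both go into the salt so
    that changing either yields an unrelated key.
    """
    salt = purpose.encode("utf-8") + b"\x00" + user_id.encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha256", shared_secret.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=AES128_KEY_BYTES
    )


def user_password_key(shared_secret: str, user_id: str) -> bytes:
    """Key wrapping one user's stored application passwords (shared secret + user ID)."""
    return derive_key(shared_secret, "cam/user-password", user_id)


def signing_key_wrap_key(shared_secret: str) -> bytes:
    """Key wrapping the SAML / WS-Federation signing-certificate private keys."""
    return derive_key(shared_secret, "cam/signing-private-key")


def directory_bind_key(shared_secret: str) -> bytes:
    """Key wrapping the Active Directory / LDAP bind credentials used by the STS."""
    return derive_key(shared_secret, "cam/directory-bind")


def new_cbc_iv() -> bytes:
    """A fresh random IV; with CBC an IV must never be reused under the same key."""
    return os.urandom(CBC_IV_BYTES)


def key_check_value(key: bytes) -> bytes:
    """Short HMAC of a fixed label, safe to store next to the ciphertext (assumed aid)."""
    return hmac.new(key, b"cam-key-check", hashlib.sha256).digest()[:8]


def shared_secret_matches(shared_secret: str, stored_kcv: bytes) -> bool:
    """Detect a wrong shared secret before any decryption is attempted."""
    candidate = key_check_value(signing_key_wrap_key(shared_secret))
    return hmac.compare_digest(candidate, stored_kcv)


def keys_are_distinct(keys: Iterable[bytes]) -> bool:
    """True when no two derived keys are identical."""
    seen = list(keys)
    return len(seen) == len(set(seen))


if __name__ == "__main__":
    secret = "constructed-install-secret"           # constructed value, not a real secret
    keys = [
        user_password_key(secret, "alice"),
        user_password_key(secret, "bob"),
        signing_key_wrap_key(secret),
        directory_bind_key(secret),
    ]
    print("all keys distinct:", keys_are_distinct(keys))
    kcv = key_check_value(signing_key_wrap_key(secret))
    print("right secret accepted:", shared_secret_matches(secret, kcv))
    print("wrong secret rejected:", not shared_secret_matches("something-else", kcv))
    print("IV length:", len(new_cbc_iv()))
```

The practical consequence for a deployment is visible in the last two lines: with a different shared secret, none of the derived keys match, so every stored password, private key and bind credential is unrecoverable. Protect and back up the shared secret with the same care as the database itself.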

Inter-service communication

Dell™ One Identity Cloud Access Manager transmits information between its services over Secure HTTP (HTTPS). Each connection is authenticated using the shared secret chosen during Cloud Access Manager installation.

Dell™ One Identity Cloud Access Manager allows you to access multiple systems without having to supply multiple sets of credentials. However, the convenience of Single Sign-On (SSO) comes at a cost to security, because an attacker who hijacks your Cloud Access Manager login account has the keys to the kingdom.

User authentication settings should therefore be reviewed thoroughly according to corporate security policy, with attention to:

Where you are using a federated identity provider from a third-party organization, we recommend you seek assurances from that organization that their user authentication settings are in agreement with your security policy.
