
Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide


EAM Services

Overview

When an EAM Controller is installed, several services dedicated to specific features are installed at the same time. The set of functions provided by EAM is gathered in the following services:

  • Administration.
  • Audit collection.
  • Access point registration.
  • User enrollment.
  • Reporting.
  • Web Service.
  • Cloud E-SSO.

Each EAM Controller may offer the set of services or only a part of these services.

Managing EAM Services

EAM Controllers are not specialized at installation time: all the above listed services are available on all EAM Controllers.

EAM Console allows you to dedicate an EAM Controller to a subset of services. Once specialized, each controller continues to run all the services but only a part of them is used by the workstations.

You can change the EAM Controller configuration at any time from EAM Console (as explained in Section Managing EAM controller services), without having to install anything on the controller.

Connection of the workstations to EAM Controllers

All the controllers and their services are registered in the directory.

The first time a workstation needs to connect to an EAM Controller, it obtains the list of existing controllers from the directory and builds in a cache the list of the available services classified by sites. Then the workstation tries to connect to an EAM Controller located in the same site that explicitly provides the required service. If no such controller is available, then the workstation tries to connect to an EAM Controller located in the same site that provides all services. If no such controller is available, the workstation tries to connect to a controller located in another site.

The list of the controllers is rebuilt each time the cache expires. So when you change the services configuration from EAM Console, it takes time before all the workstations use the new services. For this reason, and for backward compatibility with the previous versions of EAM (called Enterprise SSO), the EAM Controllers provide all the services.
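The selection order described above, modelled as an added example (this is not One Identity's code). The controller names, sites and service assignments are constructed sample data; the order in which other sites are tried is not specified by the guide, so this model assumes they are tried in the same order as the local site (dedicated controller first, then a controller providing all services).

```python
# Added example, not part of the EAM product: models how a workstation picks an
# EAM Controller from its site-classified cache of services.
from dataclasses import dataclass

# The seven EAM services listed in the guide (service identifiers are constructed).
ALL_SERVICES = frozenset({
    "administration", "audit", "access_point_registration",
    "user_enrollment", "reporting", "web_service", "cloud_esso",
})

@dataclass(frozen=True)
class Controller:
    name: str
    site: str
    services: frozenset  # services the controller is dedicated to in EAM Console

# Constructed sample controllers: two dedicated and one unspecialized in Paris,
# one unspecialized in Lyon.
SAMPLE_CONTROLLERS = [
    Controller("ctrl-paris-audit", "Paris", frozenset({"audit"})),
    Controller("ctrl-paris-admin", "Paris", frozenset({"administration"})),
    Controller("ctrl-paris-all", "Paris", ALL_SERVICES),
    Controller("ctrl-lyon-all", "Lyon", ALL_SERVICES),
]

def build_cache(controllers):
    """Group controllers by site, as the workstation does on first connection."""
    by_site = {}
    for c in controllers:
        by_site.setdefault(c.site, []).append(c)
    return by_site

def _pick(controllers, service):
    """Dedicated controller explicitly providing `service` first, then any
    controller that provides all services; None if neither exists."""
    dedicated = [c for c in controllers
                 if service in c.services and c.services != ALL_SERVICES]
    generic = [c for c in controllers if c.services == ALL_SERVICES]
    candidates = dedicated + generic
    return candidates[0] if candidates else None

def select_controller(cache, workstation_site, service):
    """Same site (dedicated, then all-services), then other sites (assumption:
    same order within each remote site)."""
    chosen = _pick(cache.get(workstation_site, []), service)
    if chosen is not None:
        return chosen
    for site, controllers in cache.items():
        if site != workstation_site:
            chosen = _pick(controllers, service)
            if chosen is not None:
                return chosen
    return None  # no controller anywhere provides the service
```

Changing a controller's service assignment in EAM Console only changes the result once the workstation's cache is rebuilt, which is why the guide notes the delay.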

Example

To ensure high availability and good performance, it is worth installing EAM on several servers and dedicating each of them to specific services. The following figure shows an example of service distribution: one controller is dedicated to the audit and another one to the administration.

Domain Controller Selection

Windows Reminders

In Active Directory (AD), a Site is a physical group of computers represented by one or more IP subnets.

On Windows server systems, a Domain Controller (DC) is a server that manages all security-related aspects between user and domain interactions (authentication, permissions and so on) within the Windows server domain.

Each domain controller has a copy of the Active Directory (synchronized by multi-master replication) and is associated with a site. Within the same site, replication is fast (given adequate data transmission), but it can take a long time between different sites, depending on the data type and the configuration of the replication.

Modifying the Controller

EAM introduces a way to select a specific domain controller to work on. There are two situations where the current domain controller can be changed:

A Multi-Domain Architecture


Active Directory Case

In a multi-domain forest, the Active Directory database is partitioned: each domain maintains only the list of the objects belonging to the domain.

So, for example, a user created in Domain A would be listed only in Domain A's domain controllers. With this architecture, the storage of the EAM data can be done in two ways:

  • EAM data is stored in the Active Directory directories and is thus distributed in the forest: see the following figure showing a multi-domain architecture with EAM data stored in AD.

When the EAM data is stored in an AD multi-domain forest, the propagation of the data to the other directories of the forest is done by AD, but you have to declare the EAM administrators in the other domains if they have to manage data stored in those domains. You also have to declare representatives of users and access points if they have to connect on the workstations of the other domains.

  • EAM data is stored at only one place in an ADAM directory and the administration console makes it possible to see at the same time the data in AD and in ADAM: see the following figure showing a multi-domain architecture with EAM data stored in ADAM.

When the EAM data is stored in ADAM, the EAM administration is greatly simplified and identical to single-domain administration.

Architecture Components

The above illustration shows an EAM software architecture that allows administrators to manage users that reside in different LDAP domains.

NOTE: The software architecture depends on the way the EAM module is installed. For more details on the possible architectures depending on the LDAP directories infrastructures, see One Identity EAM Installation Guide.

The architecture consists of the following modules:

  • The corporate LDAP directory, which was the user database of the company before the implementation of the EAM architecture. During the installation of the software suite, the schema of this directory is extended with EAM specific classes and attributes.
  • The EAM Controllers (primary controller, secondary controllers, associated controllers), which provide administration and audit communications between client stations and the LDAP directory.
  • A centralized audit base (called the Master audit database), which contains all the log entries of every individual EAM Controller. This concerns both user action log entries and administration action log entries. In that case, the local SQL Server databases of individual servers are only used to store the audit events temporarily, before sending them to the Master base. This audit base can be hosted on databases other than SQL Server. For more details on the supported databases, see One Identity EAM Release Notes.
  • The EAM client workstations, which communicate directly with the corporate LDAP directory and the EAM Controllers (for administration and audit data). They are the user's access points to applications.
  • The applications of the EAM module, which are based on the EAM Security Services:
    • EAM Console: centralized administration and audit consultation tool. This administration console can be installed on any client workstation and allows you to manage users that reside in different LDAP domains.
    • Enterprise SSO and SSO Studio: Single Sign On tools (SSO).
    • Authentication Manager: tool for user authentication by password, smart card, RFID, biometrics or mobile phone, and workstation security protection.

Interface general design

In this section:

Home Window

Directory Panel Overview