IBM® Security Access Manager for Enterprise Single Sign-On supports the configuration of multiple Active Directory domains. You can add a new Active Directory domain or edit the details of an existing Active Directory domain.
Additionally, the IMS Server can look up the directory for attributes of Windows workstations joined to the domain, and can use these attributes to select the machine group policy template to apply to the computer.
Active Directory password synchronization
Users log on to their Wallets with their Active Directory password, and single sign-on then logs them on to their applications. When this policy is enabled, the ISAM ESSO password is synchronized with the Active Directory password, so users can always log on to AccessAgent with their latest Active Directory credentials.
Password synchronization is applicable only to Active Directory deployments.
Password synchronization is required for any of the following scenarios:
- Automatic sign-up
- Self-service reset of the Active Directory password through AccessAgent or AccessAssistant
- GINA-less AccessAgent deployments to workstations
- Virtual Desktop Infrastructure (VDI) deployments
- Web Workplace deployments involving integration with SSL VPN
Password synchronization is recommended for the following scenarios:
- Private desktop deployments
- Citrix/Terminal Server deployments involving thin clients
- Deployments without the Citrix SDK integration
IBM Security Access Manager for Enterprise Single Sign-On keeps its password in sync with Active Directory whenever either password is changed or reset. Users must remember only their Active Directory password, and can always use their latest Active Directory password to log on to AccessAgent, AccessAssistant, or Web Workplace.
- When the user changes the ISAM ESSO password through the AccessAgent change password feature
  - AccessAgent changes the Active Directory password in Active Directory first, and then changes the ISAM ESSO password.
  - If the Active Directory password change request fails, AccessAgent does not change the ISAM ESSO password and rejects the request with an error message.
- When the user resets the ISAM ESSO password through the AccessAgent reset password feature
  - AccessAgent changes the Active Directory password in Active Directory first, and then changes the ISAM ESSO password.
  - If the Active Directory password change request fails, AccessAgent does not reset the ISAM ESSO password and rejects the request with an error message.
  - The reset password feature runs an Active Directory change password operation (rather than an administrative reset), supplying the old password stored in the user Wallet as the current password.
- When the user resets the ISAM ESSO password through AccessAssistant or Web Workplace
  - AccessAssistant or Web Workplace relies on either the WebSphere® Application Server virtual member manager or the Tivoli® Identity Manager Active Directory Adapter to perform an administrative reset of the Active Directory password. The ISAM ESSO password is then updated to the same value.
  - If AccessAssistant or Web Workplace cannot reset the user's Active Directory password, the reset password request fails and the ISAM ESSO password remains unchanged.
- If the user changes the Active Directory password through the Microsoft GINA
  - AccessAgent captures the new password and attempts to update the ISAM ESSO password immediately.
  - If AccessAgent cannot update the ISAM ESSO password immediately (for example, while the workstation is offline), the two passwords are momentarily out of sync; they are resynchronized on the next online logon.
- If the Administrator resets the Active Directory password of the user
  - AccessAgent resynchronizes the ISAM ESSO password upon the next logon of the user to AccessAgent, AccessAssistant, or Web Workplace with the new Active Directory password.
  - During this logon, the IMS Server verifies the new Active Directory password against Active Directory, and then changes the ISAM ESSO password to match.
- If the IBM Security Access Manager for Enterprise Single Sign-On and Identity Manager integration is in place
  - Resetting the ISAM ESSO password through Identity Manager resets the ISAM ESSO password, resets the Active Directory password, and updates the Active Directory password in the user Wallet. This feature can be enabled only if the "system-defined secret" feature is also enabled.
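The ordering rules in the list above (Active Directory first, ESSO second; a failed AD change leaves the ESSO password untouched; an out-of-sync Wallet is repaired on the next online logon) are easier to reason about as a small model. The following is an added example written for this page, not product code: `FakeDirectory` stands in for an Active Directory domain with a constructed minimum-length policy, `Wallet` for a user's ESSO Wallet, and the three functions for the AccessAgent and IMS Server behaviour. All class and function names are illustrative.

```python
"""Model of the ISAM ESSO / Active Directory password synchronization ordering.

Constructed example, not product code: FakeDirectory stands in for an Active
Directory domain, Wallet for a user's ESSO Wallet, and the functions below for
the AccessAgent / IMS Server behaviour. All names are illustrative."""


class FakeDirectory:
    """Stand-in for Active Directory: verifies the old password on a user change
    and enforces a minimum-length policy (constructed, not a real domain policy)."""

    MIN_LENGTH = 8

    def __init__(self, users):
        self.passwords = dict(users)

    def verify(self, user, password):
        return self.passwords.get(user) == password

    def change_password(self, user, old, new):
        """User-initiated change: the current password must be correct."""
        if not self.verify(user, old):
            raise PermissionError("current password rejected")
        if len(new) < self.MIN_LENGTH:
            raise ValueError("new password violates domain policy")
        self.passwords[user] = new

    def admin_reset(self, user, new):
        """Administrative reset: no old password is required."""
        if len(new) < self.MIN_LENGTH:
            raise ValueError("new password violates domain policy")
        self.passwords[user] = new


class Wallet:
    """The ESSO password opens the Wallet; the AD password stored inside it is the
    credential AccessAgent supplies as the old password in the reset flow."""

    def __init__(self, user, password):
        self.user = user
        self.esso_password = password
        self.ad_password = password
        self.out_of_sync = False


def accessagent_change_or_reset(wallet, directory, new):
    """AccessAgent change/reset: change the AD password first, using the AD
    password held in the Wallet as the current one; only then change the ESSO
    password. If AD rejects the change, the ESSO password is left untouched and
    the request is rejected (returns False)."""
    try:
        directory.change_password(wallet.user, wallet.ad_password, new)
    except (PermissionError, ValueError):
        return False
    wallet.esso_password = new
    wallet.ad_password = new
    wallet.out_of_sync = False
    return True


def gina_change_captured(wallet, directory, old, new, ims_online):
    """The user changed the AD password through the Windows GINA. Windows performs
    the AD change; AccessAgent captures the new password and updates the ESSO
    password at once if the IMS Server is reachable, otherwise the Wallet is
    marked out of sync until the next online logon."""
    directory.change_password(wallet.user, old, new)
    wallet.ad_password = new
    if ims_online:
        wallet.esso_password = new
        wallet.out_of_sync = False
    else:
        wallet.out_of_sync = True


def online_logon(wallet, directory, supplied):
    """Online logon to AccessAgent, AccessAssistant or Web Workplace. The IMS
    Server verifies the supplied password against AD; if AD accepts it but it
    differs from the ESSO password (GINA change while offline, or an administrator
    reset), the ESSO password is resynchronized to it. Returns True on success."""
    if not directory.verify(wallet.user, supplied):
        return False
    if supplied != wallet.esso_password:
        wallet.esso_password = supplied
        wallet.ad_password = supplied
    wallet.out_of_sync = False
    return True


def demo():
    """Walk through the flows; returns the outcome of each step for inspection."""
    ad = FakeDirectory({"alice": "Winter2024!"})          # constructed sample user
    w = Wallet("alice", "Winter2024!")
    rejected = accessagent_change_or_reset(w, ad, "short")  # AD policy fails: ESSO unchanged
    ok = accessagent_change_or_reset(w, ad, "Spring2025!")  # both passwords updated
    gina_change_captured(w, ad, "Spring2025!", "Summer2025!", ims_online=False)
    resynced = online_logon(w, ad, "Summer2025!")           # resync on next online logon
    ad.admin_reset("alice", "Autumn2025!")                  # helpdesk reset
    stale = online_logon(w, ad, "Summer2025!")              # old password no longer valid
    fresh = online_logon(w, ad, "Autumn2025!")              # new password resyncs ESSO
    return rejected, ok, resynced, stale, fresh, w.esso_password == ad.passwords["alice"]


if __name__ == "__main__":
    print(demo())
```

The invariant worth checking in any real deployment is the one `accessagent_change_or_reset` encodes: the ESSO password is never changed unless Active Directory has already accepted the new value, so a rejected AD change can never leave the user with a Wallet password that no longer matches the domain.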
Using the Tivoli Identity Manager Active Directory (AD) adapter
The Tivoli Identity Manager AD adapter is required only if all of the following conditions exist:
- Active Directory password synchronization is enabled
- The Active Directory domain controller does not support LDAPS
- AccessAssistant and Web Workplace self-service password reset is used
If any of these conditions is not met, the Tivoli Identity Manager AD adapter is not needed.
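The LDAPS condition above and the distinction between a user password change (AccessAgent, old password from the Wallet) and an administrative reset (virtual member manager or the Identity Manager AD adapter) both come down to how Active Directory handles writes to its `unicodePwd` attribute. The following is an added example written for this page, not product code or any IBM API: it builds the two kinds of `unicodePwd` modification and checks that the transport is one a domain controller will accept. It contacts no domain controller; the function names, the sample DN and the host name are illustrative.

```python
"""Active Directory password change versus administrative reset at the LDAP level.

Constructed example, not product code: builds the unicodePwd modify operations
behind the two flows on this page and checks the transport. Nothing here
contacts a domain controller; names are illustrative."""

from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts a unicodePwd write only as the password wrapped in double
    quotes and encoded as UTF-16LE; any other encoding is rejected."""
    return f'"{password}"'.encode("utf-16-le")


def change_password_mods(old: str, new: str) -> list:
    """Self-service change: one modify with a delete of the old value and an add
    of the new one. AD checks the old password itself, so the caller needs no
    'Reset Password' right. This is the operation the AccessAgent change and
    reset features perform with the old password taken from the Wallet."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new)]),
    ]


def reset_password_mods(new: str) -> list:
    """Administrative reset: replace the value outright. No old password is
    needed, but the binding account must hold the 'Reset Password' right on the
    target, which is why AccessAssistant and Web Workplace delegate it to the
    virtual member manager or the Identity Manager AD adapter."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new)])]


def transport_is_acceptable(url: str, start_tls: bool = False) -> bool:
    """AD refuses unicodePwd writes over a cleartext LDAP connection (the modify
    fails with unwillingToPerform), so only ldaps:// or ldap:// upgraded with
    StartTLS qualify here. (SASL binds with a confidentiality layer also work but
    are not modelled.) A domain controller without LDAPS therefore cannot take a
    direct self-service reset, which is the case for the Identity Manager AD adapter."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "ldaps":
        return True
    return scheme == "ldap" and start_tls


def build_password_request(url, dn, new, old=None, start_tls=False):
    """Assemble a modify request for the given flow, refusing a cleartext
    transport. Returns a dict describing what an LDAP client would send."""
    if not transport_is_acceptable(url, start_tls):
        raise ValueError(f"refusing to send unicodePwd over {url!r} without TLS")
    operation = "change" if old is not None else "reset"
    mods = change_password_mods(old, new) if old is not None else reset_password_mods(new)
    return {"url": url, "dn": dn, "operation": operation, "modifications": mods}


if __name__ == "__main__":
    # Constructed sample values; dc01.example.test and the DN are not real.
    req = build_password_request("ldaps://dc01.example.test:636",
                                 "CN=alice,OU=Users,DC=example,DC=test",
                                 "Spring2025!", old="Winter2024!")
    print(req["operation"], [m[0] for m in req["modifications"]])
```

With the `ldap3` library the same delete/add or replace pair is produced by `Connection.extend.microsoft.modify_password(dn, new_password, old_password)`, where omitting the old password turns the call into an administrative reset. A production client should additionally verify the domain controller's certificate when it opens the LDAPS or StartTLS session; the transport check here only ensures encryption is requested, not that the peer is the expected one.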