IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.2

Basic concepts

There are three basic concepts you must understand before you use AccessStudio.

Figure 1. Relationship of entities associated with an AccessProfile

The diagram illustrates the relationship between all entities that are associated with an AccessProfile.

AccessProfile #1 and #2 represent two different versions of the same application. Both versions communicate with the same application authentication server. Each AccessProfile is in turn associated with an application object and an authentication service. The authentication service holds the reference to the actual authentication server of the application.

AccessProfile

An AccessProfile contains instructions on handling automation for an application. An application can be an executable file (.EXE) or a web page. An AccessProfile includes:
  • Information to identify the application.
  • Instructions for automatic operations, such as automatic logon or logoff for the application.
  • Authentication service, which is the reference to the entity that validates the logon information for the application.
  • Application Object, which is the reference to the entity that represents the group to which the AccessProfile belongs.

AccessProfiles are one of the following kinds:

  • Standard AccessProfiles

    Use AccessStudio AccessProfile Generator to create standard AccessProfiles through a series of wizard windows. Use standard AccessProfiles for automating most applications.

  • Advanced AccessProfiles

    For more complex applications, create advanced AccessProfiles. To understand the concepts that are used in advanced AccessProfiles, see Advanced concepts. Because advanced AccessProfiles consist of custom code, custom actions, and triggers, IBM® does not support advanced AccessProfiles.

Authentication service

Most applications validate logon information by using a verification entity that is known as an authentication service. All AccessProfiles are associated with an authentication service.

For example, you can associate multiple AccessProfiles with a single authentication service. If you associate a group of applications with the same authentication service, AccessStudio applies any change that is made to the logon information in one application to all applications that are associated with that authentication service.

Messaging Software, Email Software, and Chat Software are different applications that are represented by different AccessProfiles. However, the same user name and password are used to access all three applications, and the Company authentication service validates all of this logon information. Only one authentication service is created to represent all applications that are validated by the Company authentication service.

When you log on to Messaging Software, you do not have to log on again when you access Chat Software or Email Software. Your logon information for Messaging Software is captured for all other Company applications, because they are all associated with the same authentication service.

The same concept applies for any changes that are made to your logon information. For example, if you change your password by using Email Software, the new password is captured for all other Company applications.

Application

An application object in AccessStudio is a logical representation of a set of executable files (.EXE) or web pages. An application object can apply tighter control policies to a group of AccessProfiles.

In AccessStudio, you create one AccessProfile for an .EXE file or web page, and the software processes each .EXE file or web page as an application.

An application object handles the grouping of .EXE files and web pages as belonging to the same entity. Associate each AccessProfile with an application object.

Example: Company

The Company authentication service is used by the websites mail.example.com and chat.example.com, and by Messaging Software version 5 and version 6. Each .EXE file or web page requires its own AccessProfile. You can create up to four application objects, depending on how finely you want to control the automatic logon policy of the four AccessProfiles.

To have different automatic sign-on mechanisms for mail.example.com and chat.example.com than for the two Messaging Software versions, group them under two different application objects. If you require the same automatic sign-on mechanism for all four, group them all under one application object.

Note: You can associate an AccessProfile with only one application object, while one application object can be associated with several AccessProfiles.
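The following is an added illustration of the Company example and of the credential propagation described under "Authentication service"; it is a constructed Python model, not AccessStudio's own AccessProfile format or API. It assumes a hypothetical `auto_signon` policy field on the application object and a hypothetical `Wallet` class that stores credentials keyed by authentication service.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthenticationService:
    name: str  # e.g. "Company"

@dataclass(frozen=True)
class ApplicationObject:
    name: str
    auto_signon: str  # hypothetical per-group automatic sign-on policy

@dataclass(frozen=True)
class AccessProfile:
    target: str                       # the .EXE file or web page this profile automates
    auth_service: AuthenticationService
    application: ApplicationObject    # exactly one application object per AccessProfile

class Wallet:
    """Constructed model: credentials are stored per authentication service,
    not per AccessProfile, so a change captured in one application is seen by
    every AccessProfile that shares that authentication service."""
    def __init__(self, profiles):
        self.profiles = list(profiles)
        self._creds = {}  # authentication service name -> (user, password)

    def capture(self, target, user, password):
        # A logon (or password change) captured on one application is stored
        # under that application's authentication service
        self._creds[self._profile(target).auth_service.name] = (user, password)

    def credential_for(self, target):
        return self._creds.get(self._profile(target).auth_service.name)

    def signon_policy(self, target):
        # Policy comes from the application object the profile belongs to
        return self._profile(target).application.auto_signon

    def _profile(self, target):
        return next(p for p in self.profiles if p.target == target)

# The four AccessProfiles of the Company example, grouped into two application objects
company = AuthenticationService("Company")
web_apps = ApplicationObject("Company web", auto_signon="automatic")
messaging = ApplicationObject("Messaging Software", auto_signon="prompt")
PROFILES = [
    AccessProfile("mail.example.com", company, web_apps),
    AccessProfile("chat.example.com", company, web_apps),
    AccessProfile("Messaging Software 5", company, messaging),
    AccessProfile("Messaging Software 6", company, messaging),
]

def demo():
    wallet = Wallet(PROFILES)
    wallet.capture("mail.example.com", "alice", "winter-pass")   # constructed sample logon
    first = wallet.credential_for("Messaging Software 6")        # available to every Company app
    wallet.capture("chat.example.com", "alice", "spring-pass")   # password changed via another app
    return first, wallet.credential_for("Messaging Software 5"), wallet.signon_policy("Messaging Software 5")
```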
