Beruflich Dokumente
Kultur Dokumente
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
There is a standard integration provided between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-on by provisioning credentials through the IBM Tivoli Access Manager for Enterprise Single Sign-on Provisioning Adapter. A number of Tivoli Access Manager for Enterprise Single Sign-on product manuals cover the installation and configuration of the various components. However, there is no overview of all of the components in the integration and how they interact. This IBM Redpaper looks at the integration from end-to-end and details the components and their interaction.
ibm.com/redbooks
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Identity Manager
PROVISION
SY NC H
For end-to-end provisioning, user accounts are created in Tivoli Identity Manager and provisioned to the various targets (such as operating systems, databases and applications). For applications that are defined in Tivoli Access Manager for Enterprise Single Sign-on, Tivoli Identity Manager provisions the same account credentials (user ID and password) to the Tivoli Access Manager for Enterprise Single Sign-on Repository through the TAM E-SSO: Provisioning Adapter. The Tivoli Access Manager for Enterprise Single Sign-on Agents receive the updated credentials when they synchronize with the Tivoli Access Manager for Enterprise Single Sign-on Repository. Tivoli Identity Manager manages the synchronization of passwords between the target systems and the credentials held by Tivoli Access Manager for Enterprise Single Sign-on. The applications defined in the Tivoli Access Manager for Enterprise Single Sign-on Repository (and managed through the Tivoli Access Manager for Enterprise Single Sign-on Console) are duplicated in Tivoli Identity Manager. The following sections describe the Tivoli Access Manager for Enterprise Single Sign-on-only models and the Tivoli Access Manager for Enterprise Single Sign-on and Tivoli Identity Manager integration details.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
PROVISION
H NC SY
MANAGE SYNCH
Tivoli Access Manager for Enterprise Single Sign-on and the Tivoli Provisioning Manager
This section describes the Tivoli Access Manager for Enterprise Single Sign-on deployment models where Tivoli Identity Manager is not used.
Tivoli Access Manager for Enterprise Single Sign-on stand-alone deployment model
In the single-user deployment model, stand-alone Tivoli Access Manager for Enterprise Single Sign-on agents are deployed to users' desktops. All application definitions are created locally on the desktop. Software and application definitions could be distributed using a software distribution tool, but the definitions would need to be first created on a Tivoli Access Manager for Enterprise Single Sign-on agent. The agent contains the Tivoli Access Manager for Enterprise Single Sign-on core. This is the code that detects that the user is performing a login and either passes credentials (if the application is defined) or allows the user to define the application. It can also include: The Tivoli Access Manager for Enterprise Single Sign-on Authentication Adapter to support other forms of user authentication, such as certificates or biometrics. The Tivoli Access Manager for Enterprise Single Sign-on Kiosk Adapter to support multi-user workstations where automated logoff and other multi-user security functions are required. The agent saves its information in a set of encrypted files (not the registry). In Tivoli Access Manager for Enterprise Single Sign-on V6, these can be found in the c:\Documents and Settings\<username>\Application Data\passlogix\secrets with an .sso extension. Note that where the TAM E-SSO: Provisioning Adapter is being used (either by itself or with Tivoli Identity Manager) the Tivoli Access Manager for Enterprise Single Sign-on agent also includes the TAM E-SSO: Provisioning Adapter client to allow the synchronization of user credentials.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Tivoli Access Manager for Enterprise Single Sign-on networked deployment model
The networked deployment model is for customers where multiple agents are required and it makes sense to centrally manage the application profiles. In addition to the Tivoli Access Manager for Enterprise Single Sign-on Agents that are deployed to the users' desktops, there is a central repository and the Tivoli Access Manager for Enterprise Single Sign-on Administrative Console (as shown in Figure 2).
The console is used for managing many aspects of a Tivoli Access Manager for Enterprise Single Sign-on deployment, but from a provisioning perspective it is concerned with defining Applications (or application profiles) and mapping Applications to SSO users. The repository contains all of the application and user to application mapping. There are a variety of repositories supported (directories, databases and files) but most customers share the domain Active Directory. There are two key containers in the repository: The configuration container, OU=SSOConfig, holds all configuration information that is needed by the agent. This includes the application-supported list, mainframe/host application supported list, first-time use setup instructions, Password Policies, and Admin Overrides. All of these settings control agent behavior. The SSO user container holds the SSO user information, such as SSO credentials. This can be separate from the normal OS user container (as shown with the OU=People,OU=TAMES container in Figure 2). It can also be shared with the OS user container. Figure 3 shows the latter, with the SSO user information residing within each user object in the CN=Users container.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
For details about how to use the console and repository schema, see the Tivoli Access Manager for Enterprise Single Sign-on Administrative Console Help Files, which you can download from: http://publib.boulder.ibm.com/tividd/td/IBMTivoliAccessManagerforEnterpriseSingleS ign-On6.0.html
Tivoli Access Manager for Enterprise Single Sign-on networked deployment with TAM E-SSO: Provisioning Adapter model
This model is the networked deployment model that we described in the previous section with centralized credential provisioning added. The additional components are: The TAM E-SSO: Provisioning Adapter Server, which is an ASP.NET application that runs on Microsoft Internet Information Services. The TAM E-SSO: Provisioning Adapter Client CLI, which allows other applications (such as Tivoli Identity Manager) to communicate with the Provisioning Adapter. The TAM E-SSO: Provisioning Adapter Client that allows the Tivoli Access Manager for Enterprise Single Sign-on Agent to synchronize the user credentials. We describe the components in the following sections.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Figure 4 TAM E-SSO: Provisioning Adapter Web modules in Internet Information Services Manager
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
You can use the administrative console, shown in Figure 5, to configure the TAM E-SSO: Provisioning Adapter.
Two key configuration items are: 1. The user base. You configure the TAM E-SSO: Provisioning Adapter with the repository type, server, root DN, and user path to define all the users that can be provisioned with SSO credentials. 2. The application list. You configure the TAM E-SSO: Provisioning Adapter with the repository container that includes the application list for which the users can have SSO credentials. This is the OU=SSOConfig container listed previously.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
The main function of the console is to manage users and their credentials. Figure 6 shows the user management panel.
In Figure 6, there are three users defined with SSO credentials: Administrator, mstevens, and ttimson1. The Administrator has SSO credentials for the Basic Auth application. The other two users have credentials for both the Adobe Acrobat Reader application and the Basic Auth application. The Users page of the console is displaying (and managing) the user and credential entries held in the person container (such as OU=People) in the Tivoli Access Manager for Enterprise Single Sign-on branch (such as OU=TAMES) in the user repository. The SSO users and their credentials are stored in the Tivoli Access Manager for Enterprise Single Sign-on Repository, as with the basic networked model, but now they can be managed centrally through the console.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
IIS
Config Data
Data
SSO Creds
Workstation
10
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Central to the entire provisioning model is the Tivoli Access Manager for Enterprise Single Sign-on Repository that includes, among other things, the configuration data (such as the application profiles) and the SSO credentials for the SSO users. The Tivoli Access Manager for Enterprise Single Sign-on Console manages the configuration information. The TAM E-SSO: Provisioning Adapter console manages the SSO users and their SSO credentials. This is the UI aspect of the TAM E-SSO: Provisioning Adapter Server that is the ASP.NET application running on Microsoft Internet Information Services (IIS). It has two interfaces: the console interface (/vGO PM Console/) and the Web services interface (/vGO PM Service/) that is used by the TAM E-SSO: Provisioning Adapter CLI interface. The other component is the TAM E-SSO: Provisioning Adapter Client that resides on the user workstation with the Tivoli Access Manager for Enterprise Single Sign-on Agent and securely synchronizes the SSO credentials with the Tivoli Access Manager for Enterprise Single Sign-on Repository. The next section looks at how Tivoli Identity Manager fits into this architecture.
Tivoli Identity Manager and Tivoli Access Manager for Enterprise Single Sign-on provisioning
The previous section discussed how the TAM E-SSO: Provisioning Adapter components can perform provisioning of SSO credentials from a central point to the users' workstations. The missing piece to this puzzle is how to manage and synchronize the target system passwords with the SSO credentials for that target system. For example, if you configure an SAP system within Tivoli Access Manager for Enterprise Single Sign-on so that when a user connects to that SAP system, Tivoli Access Manager for Enterprise Single Sign-on supplies the login information to SAP on the user's behalf, what happens when a user needs to change their password for SAP? You can change the password through Tivoli Access Manager for Enterprise Single Sign-on, where Tivoli Access Manager for Enterprise Single Sign-on changes the password at SAP and holds the new one. What happens when an administrator needs to change the user's password? Then, it has to be changed in SAP and in Tivoli Access Manager for Enterprise Single Sign-on. It could be changed in SAP and given to the user so when the user logs in, the password can be changed in Tivoli Access Manager for Enterprise Single Sign-on. A better solution is to use a tool that synchronizes passwords. So an administrative action to change the SAP password also cascades that new password into Tivoli Access Manager for Enterprise Single Sign-on. This synchronization is where Tivoli Identity Manager comes into the picture. The TAM E-SSO: Provisioning Adapter cannot manage passwords outside Tivoli Access Manager for Enterprise Single Sign-on (such as the SAP target), nor does it have the strength of features (role-based provisioning or business process integration through workflow) that Tivoli Identity Manager does. So, it makes sense to deploy both Tivoli Access Manager for Enterprise Single Sign-on and Tivoli Identity Manager for enterprise identity management.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
11
This is the networked deployment with IBM Tivoli Identity Manager provisioning model that we mentioned previously. Figure 8 illustrates how the products work together.
Identity Manager DB
Provisioning
Basically, Tivoli Identity Manager pushes credentials to Tivoli Access Manager for Enterprise Single Sign-on through the TAM E-SSO: Provisioning Adapter CLI. We discuss the details of this process in the next section.
Configuration in Tivoli Identity Manager for Tivoli Access Manager for Enterprise Single Sign-on provisioning
The challenge with the integration is to ensure that changes made to account IDs and passwords are synchronized to Tivoli Access Manager for Enterprise Single Sign-on where that account is defined in Tivoli Access Manager for Enterprise Single Sign-on. The integration involves changes to both the data held in Identity Manager and the plumbing to get this data to Tivoli Access Manager for Enterprise Single Sign-on. This section looks at the data objects that are involved in the integration and the operational changes to distribute Tivoli Access Manager for Enterprise Single Sign-on credentials.
12
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Service
Organizational role A grouping of people objects based on some role definition (for example, programmer, clerk, or helpdesk). A person object can belong to zero or more roles, and a role can be attached to zero or more people. Provisioning policy This object defines the entitlement for people to have accounts on target systems. A provisioning policy defines that Role A can have an account on Service Z, possibly with some restrictions on attribute values. So if you have a person object defined in Tivoli Identity Manager, and you have a provisioning policy that entitles you to an account on a specific service (perhaps through an organizational role), then Tivoli Identity Manager can create an account for you on the target defined by the service (including provisioning the account down to that target system).
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
13
defined in Tivoli Access Manager for Enterprise Single Sign-on that is mapped to the Tivoli Identity Manager account. Figure 9 shows the user and account object relationships (assuming AD is the domain user registry and the Tivoli Access Manager for Enterprise Single Sign-on repository).
MAPS TO
MAPS TO
Notes Account
Notes
MAPS TO
SAP Account
SAP
Figure 9 TAM E-SSO and Tivoli Identity Manager user and account data objects
In this figure there are four objects in Tivoli Identity Manager; the person object and three associated accounts (AD, Notes, and SAP). Each of these account objects are provisioned to their targets: AD, Notes, and SAP. There is also a relationship between the AD account (in AD), the AD account in Tivoli Identity Manager and the SSO user entry. If the normal user container in AD is shared by Tivoli Access Manager for Enterprise Single Sign-on, then the SSO user entry is under the AD user entry. If there is a separate container used to hold the SSO users (for example, OU=People,OU=TAMES,), then there is a unique SSO user entry under this container (but with the same user ID as the AD entry). The Notes and SAP SSO credentials are under the SSO user entry (for example, associated with) in the same way that the Notes and SAP accounts in Tivoli Identity Manager are related to the person object. We have not described how the Tivoli Access Manager for Enterprise Single Sign-on data objects and Tivoli Identity Manager data objects are physically mapped. The Maps To link in Figure 9 indicates the logical mapping. The next section discusses this topic.
14
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
vgoapplicationuseridmeta
vgossouseridmeta
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
15
The service form is modified to include these vgo* attributes for each service that is defined as an application in Tivoli Access Manager for Enterprise Single Sign-on. So, continuing our previous example, there would be vgo* attributes defined on both the SAP service and the Notes service. Notice that the vgoapplicationmeta attribute seems to map to the application name as shown in Figure 2 on page 5 and Figure 6 on page 9. However the one defined in Tivoli Identity Manager has a leading asterisk (*Basic Auth). This naming convention is done to flag this service as the root service. This is so the workflow operations can differentiate between the creation or deletion of the SSO user entry and the SSO credentials. The root service is the one where the Tivoli Access Manager for Enterprise Single Sign-on entries are held (in this example it is Active Directory). We describe the operational workflow components in the next section.
16
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
The standard Add Account operational workflow only has one node: the CREATEACCOUNT Extension node. The custom nodes that are added are: add_ssoid This Script node checks the relevant data to ensure a valid application ID and SSO user ID have been passed (metadata mapping defined in the service definition). If the data is present and can be parsed, then set a true flag for the rest of the processing. It also sets the owner for rootservice accounts. This Script node runs on a successful CREATEACCOUNT operation. It retrieves and checks (parse) all of the SSO data before setting the values on the current account (in relevant data). This Extension node runs the AddPasslogixCredential operation with an argument of Account and the account object (from relevant data). If the outcome of this modification is that the RootService has been set, then the owner's Person object is updated. This node modifies the person object if this is a root service. It sets/updates the uid attribute as set in the checkSSO Script node. It uses the standard modifyPerson extension.
checkSSO
setSSO
modPerson
In essence this workflow first creates the account (provisioned to the target system), then it creates the SSO user object (if this is a root service), and finally it creates the SSO credentials that match this account.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
17
The standard workflow only has the CHANGEPASSWORD Extension node. The custom nodes added are: CheckSSO This Script node is run on the successful completion of the CHANGEPASSWORD operation. It retrieves the relevant data and checks the application ID, SSO user ID and application user ID. If the data passes the parsing, it is set on the current account object and a flag set to continue the processing. This Extension node runs the ChangePasslogixPassword operation with an argument of Account and the account object (from relevant data).
setSSO
This workflow first updates the password on the target system, and then it updates the password in the SSO credentials in Tivoli Access Manager for Enterprise Single Sign-on.
The standard workflow only has the DELETEACCOUNT Extension node. The custom nodes added are: CheckRootService This Script node checks to ensure that user ID, SSO application ID and SSO admin ID/password are set before deleting the SSO user. The link out of the node checks for Root Service and if it is a root service it runs the DeleteSSOUser node. DeleteSSOUser This Extension node runs the DeletePasslogixUser operation with an argument of Account and the account object (from relevant data). Even if this step fails, the workflow continues to delete the account on the target.
18
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
CheckSSO
This Script node runs if the delete was successful and the application is not a Root Service and there is an SSO account to process. It retrieves, validates and sets (on the current account object) the application ID, the user ID and the admin ID/password. It also sets a flag to drive the last step. This Extension node runs the DeletePasslogixCredential operation with an argument of Account and the account object (from relevant data).
setSSO
If a Root Service account is being deleted, the Tivoli Access Manager for Enterprise Single Sign-on user and credentials will be deleted prior to the target account being deprovisioned (incase the SSO data is being held under the target user object). Otherwise, it will delete the SSO credentials after the target account is de-provisioned.
The standard workflow only has the MODIFYACCOUNT Extension node. The custom nodes added are: checkSSO setSSO This Script node retrieves, checks (Parse) and sets the SSO attributes on the current account object (relevant data). This Extension node runs the ModifyPasslogixCredential operation with an argument of Account and the account object (from relevant data) if there is an SSO credential defined for this user on this service.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
19
The custom nodes added are: checkPWDChg This Script node checks to see if the password has been changed as part of the restore operation. If so it sets a flag (isSSO); true means the password has been changed. checkSSO This Script node retrieves, checks (Parse) and sets the SSO attributes on the current account object (relevant data). It is only run if the isSSO flag is true (for example, password has been changed). This Extension node runs the ChangePasslogixPassword operation with an argument of Account and the account object (from relevant data). It is only run if the isSSO flag is true (for example, password has been changed).
setSSO
The SSO aspects of this workflow are only concerned with password changes as a result of reactivating an account.
These Extensions are located in the PMAPIInvoker-6.0.jar file (for Tivoli Access Manager for Enterprise Single Sign-on V6.0) which is installed into the WebSphere Application Server enRole.ear directory (for example, the Tivoli Identity Manager application code tree). This is also called the Tivoli Identity Manager Provisioning Workflow Interface Connector. This .jar file includes a configuration file: PMClientConfiguration.properties. Among the settings in this file are three related entries to how the TAM E-SSO: Provisioning Adapter client contacts the TAM E-SSO: Provisioning Adapter server: javaCLI.serviceurl javaCLI.serviceuser javaCLI.serviceuserpassword This is the URL to which the server service is listening (for example, http://adserver/v-GO PM Service/UP.asmx). The administrative user that is used to access the service (for example, odi\tamespa). The password for the administrative user that is used to access the service.
Each of the Java modules are built on the TAM E-SSO: Provisioning Adapter Client CLI calls. These are in the pmcli.jar file that is defined into a shared library in WebSphere Application Server. The next section summarizes how the components work together.
20
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Provisioning from Tivoli Identity Manager to Tivoli Access Manager for Enterprise Single Sign-on
Figure 16 summarizes the calls from Tivoli Identity Manager into the Tivoli Access Manager for Enterprise Single Sign-on Client CLI.
AddPasslogixCredential
ChangePasslogixPassword
/vGO PM Service/
DeletePasslogixUser
call
DeletePasslogixCredential ModifyPasslogixCredential
call
PMClientConfiguration .properties
PMAPIInvoker-6.0.jar
Figure 16 Tivoli Identity Manager calls into the TAM E-SSO: Provisioning Adapter Client CLI
The additional SSO data is held on the account and service objects in the Tivoli Identity Manager directory. Changes to accounts trigger operational workflows that have been customized to make calls out to the Tivoli Identity Manager Provisioning Workflow Interface Connector (for example, custom Java extensions for the SSO function). These extensions use the definitions in the configuration file and the TAM E-SSO: Provisioning Adapter Client CLI libraries to make API calls to the TAM E-SSO: Provisioning Adapter Server.
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
21
AddPasslogixCredential
/vGO PM Service/ PMAPI.jar (and assoicated TAM ESSO PA Client CLI libraries)
ChangePasslogixPassword
DeletePasslogixUser
call
DeletePasslogixCredential ModifyPasslogixCredential
call
PMClientConfiguration .properties
PMAPIInvoker-6.0.jar
We can use a use case of Create Account to describe the flow through the integration: An administrator logs into Tivoli Identity Manager and creates a new account for a person. This account is for a service that has SSO defined. The Add Account operational workflow is invoked. This workflow provisions the new account to the target system but also calls the relevant Extension nodes to create the SSO user (if it is a root service) and the SSO credentials (such as user ID and password). The Java extensions use the TAM E-SSO: Provisioning Adapter Client CLI libraries and the server definitions in the PMClientConfiguration.properties file to send a Web services call to the TAM E-SSO: Provisioning Adapter Server. The server adds the credentials (and optionally adds the SSO user entry) to the SSO Repository. The Tivoli Access Manager for Enterprise Single Sign-on Agent synchronizes with the SSO Repository and retrieves the SSO credentials. The user can be SSO'd to the target system. An administrator can use the TAM E-SSO: Provisioning Adapter console to see whether the credentials have been successfully sent from Tivoli Identity Manager to the SSO Repository. The outcome of the client calls are recorded with the Tivoli Identity Manager transactions and are viewable through the View Completed Requests panel in the Tivoli Identity Manager UI. If there have been problems with the extensions, the API calls or the TAM E-SSO: Provisioning Adapter Server, and the error messages are recorded in the transaction history. This completes the discussion of the Tivoli Identity Manager and Tivoli Access Manager for Enterprise Single Sign-on provisioning integration.
22
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785 U.S.A. The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you. This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental. COPYRIGHT LICENSE: This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs.
Copyright International Business Machines Corporation 2007. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
23
This document REDP-4325-00 was created or updated on June 18, 2007. Send us your comments in one of the following ways: Use the online Contact us review Redbooks form found at: ibm.com/redbooks Send your comments in an e-mail to: redbooks@us.ibm.com Mail your comments to: IBM Corporation, International Technical Support Organization Dept. HYTD Mail Station P099 2455 South Road Poughkeepsie, NY 12601-5400 U.S.A.
Redpaper
Trademarks
The following terms are trademarks of the International Business Machines Corporation in the United States, other countries, or both:
Redbooks (logo) IBM Lotus Notes Lotus Notes Tivoli WebSphere
The following terms are trademarks of other companies: SAP, and SAP logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries. Adobe, Acrobat, and Portable Document Format (PDF) are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both. Java, and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Active Directory, Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
24
Exploring the Integration between IBM Tivoli Identity Manager and IBM Tivoli Access Manager for Enterprise Single Sign-On