Thursday May 08, 2008

Access Manager Windows Desktop SSO

Configuring Windows Desktop SSO in Access Manager is simple, and the underlying technology is simple too: the user's browser presents a Kerberos token to Access Manager through the SPNEGO protocol, and Access Manager uses it to perform Kerberos-based SSO. Even so, configuring Windows Desktop SSO often takes more time than expected. So, here are a few things to remember or be aware of when configuring it.

- Make sure Active Directory is set up properly, because sometimes I have seen Active Directory not letting users bind unless the user is part of the administrators group. So, first, make sure end users can authenticate to AD without any problems. Making sure AD is configured properly is very important.

- The Access Manager and Active Directory system clocks should be synchronized; Kerberos rejects tickets whose timestamps fall outside the allowed clock skew.

- Most Active Directory environments have multiple domain controllers, so make sure ktpass is run on the Primary Domain Controller, and double-check the command for typos.

- Access Manager and the Domain Controller must have correct DNS entries; both forward and reverse DNS lookups should work.

- Make sure the browser supports the SPNEGO protocol, and that the user has authenticated against the domain controller when logging in to their desktop.

- Restart Access Manager after configuring the Windows Desktop SSO authentication module.

- Enable Access Manager debug logs to troubleshoot problems by checking the amAuth and amAuthWindowsDesktopSSO log files.
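As an added example (not from the original post or from Access Manager itself), here is a small Python check for the browser item above: it decodes the token in an `Authorization: Negotiate` header and reports whether the browser actually sent a SPNEGO or Kerberos token, or fell back to NTLM, which Access Manager's Windows Desktop SSO module cannot use. The sample headers are constructed, minimal tokens, not captures.

```python
import base64

# DER-encoded GSS-API mechanism OIDs that a Negotiate token may start with.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2


def _der_length(buf, pos):
    """Decode a DER length (short or long form) at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def classify_negotiate_token(header_value):
    """Return 'spnego', 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "unknown"
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"            # browser fell back to NTLM: no usable Kerberos ticket
    # GSS-API initial context token: [APPLICATION 0] { mechanism OID, inner token }
    if len(raw) < 2 or raw[0] != 0x60:
        return "unknown"
    _, pos = _der_length(raw, 1)
    if raw.startswith(SPNEGO_OID, pos):
        return "spnego"
    if raw.startswith(KRB5_OID, pos):
        return "kerberos"        # raw Kerberos AP-REQ without the SPNEGO wrapper
    return "unknown"


# Constructed sample headers (minimal tokens, not real captures).
SAMPLE_HEADERS = {
    "spnego": "Negotiate " + base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode(),
    "kerberos": "Negotiate " + base64.b64encode(bytes.fromhex("600d06092a864886f7120102020100")).decode(),
    "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "basic": "Basic dXNlcjpwYXNz",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:9s} -> {classify_negotiate_token(header)}")
```

An `ntlm` result points at the client side (no Kerberos ticket for the Access Manager service principal), while a `spnego` or `kerberos` token that still fails points at the server side: keytab, clock skew, or DNS.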

Thursday Mar 13, 2008

Three things to remember for successful Identity Manager deployment

Deploying Identity Manager in any organization is a bit complex and involves many things; very often customers struggle to have a successful IdM (Identity Manager) deployment for various reasons. To me, an identity manager deployment is like eating a big elephant: do not try to eat the whole thing at once. As an experienced IdM senior architect, here are the top three things to remember for a successful IdM deployment.

1. Beat your own politics: We all know Identity Management deployment is not as simple as most people think; it gets more complex because of legacy applications, business needs, complexity in the current process, and the number of applications that users need to be provisioned in and managed by. As you all know, it is more political than technical. As soon as the project starts, every application owner and team member starts thinking about how it is going to affect their own application, current process, ownership, job, etc. That is where the deployment team starts facing political difficulties. You can reduce these difficulties by having the project sponsor/owner explain the following benefits to application owners.

- The necessity and importance of the project.
- The need for an automated identity management system, by explaining the problems in the current process.
- More productivity from employees.
- Compliance with government audit policies, and the ability to find out who has access to what.
- Fewer helpdesk calls for password resets/management and other user management issues.
- Why this is the right time to do it.

2. Phased deployment: Deploying IdM in phases is the most important thing for the success of the project. As soon as the project starts, every application owner wants their application's provisioning automated and integrated with IdM as soon as possible. It is not recommended to integrate all applications/resources with IdM in a single phase, but at the same time each phase's scope should justify the IdM deployment by showing benefits to the business. So, here are the key things to remember when defining the scope of each phase.

- Authoritative resources for both employees and contractors should be in Phase 1.
- Password management should be in Phase 1; it is a good business justification for the project, since it saves a lot of money by reducing help-desk calls.
- Key applications/resources (e.g. Active Directory or Sun LDAP) should be in Phase.
- The scope of each next phase should be an extension or addition to the previous phase.
- Do not integrate more than 3 applications in each phase.
- Admin or end-user interface customization should be handled in a separate phase.

3. Deploy IdM the right way and the smart way: Follow all possible best practices to do it right. Often application owners or administrators want the IdM interface customized to mirror the current process even though the IdM interface provides a better way of doing things; do not try to implement a complex current process in the new IdM deployment. And try not to do a huge amount of customization to solve a very small problem, or to support applications that are going to be deprecated or go away soon. These are just samples; many more things like this will come up in an IdM deployment, so be careful when designing any end-user or admin interface customization.


Ashok Anumandla

