Hitachi ID Management Suite Architecture
ID-Certify® is a component of Hitachi ID Management Suite®. The following architectural description applies to the entire Hitachi ID Management Suite:
Hitachi ID Management Suite is designed for:
- Security:
Hitachi ID Management Suite is installed on hardened servers. All sensitive data is encrypted in storage and transit. Strong authentication and access controls protect business processes.
- Scalability:
Multiple Hitachi ID Management Suite servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.).
- Openness:
Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
- Flexibility:
Both the Hitachi ID Management Suite user interface and all functionality can be customized to meet enterprise requirements.
- Low TCO:
Hitachi ID Management Suite is easy to set up and requires minimal ongoing administration.
Network architecture diagram (1)
Figure (_label_fig:combined-net-arch) illustrates the Hitachi ID Management Suite network architecture:
- Users normally access Hitachi ID Management Suite using HTTPS from a web browser.
- Multiple Hitachi ID Management Suite servers may be load balanced using either
an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or
simply using DNS round-robin distribution.
- Native user password changes on some systems
([link]) may trigger transparent password
synchronization. A password change interceptor DLL, library or
exit may capture such changes and initiate transparent password
synchronization.
- Users may call an
IVR (interactive voice response) system with a telephone and be authenticated
either using touch-tone input of personal information or using a
voice print. Authenticated users may initiate a password reset.
- Hitachi ID Management Suite
connects to most target systems using their native
APIs (application programming interfaces)
and protocols and thus requires no software to be installed locally on
those systems.
- Local agents are provided and recommended for Unix servers and OS/390
mainframes. Use of these agents improves transaction security,
speed and concurrency.
- A local agent is mandatory on RSA SecurID servers.
- Where target systems are remote and communication to them is
slow, insecure or both, an Hitachi ID Management Suite proxy server may be co-located
with the target system in the remote location. In this case, servers
in the main Hitachi ID Management Suite server cluster initiate fast, secure
connections to the remote proxies, which decode these
transactions and forward them to target systems locally, using
native, slow and/or insecure protocols.
- Hitachi ID Management Suite can look up and update user profile data in an existing
system, including HR databases (ODBC), directories (LDAP) and
meta-directories (e.g., WMI to Microsoft ILM).
- Hitachi ID Management Suite can send e-mails to users asking them to register or to
notify them of events impacting their profiles. Over
163
events can trigger e-mail notification.
- Hitachi ID Management Suite can send write tickets to most common help desk systems,
either recording completed activity or requesting assistance
(security events, user service follow-up, etc.). Over
163 can trigger ticket integration. Binary integrations
are available for 15 and open integration is
possible using mail, ODBC, SQL and web services.