Lot of thanks Tim, now I have very clear the terms.

Best Regards.

Hi, I am optima with other user, I have some questions and doubts about your comments:

Eric Labiner you say: "It is possible to use the Virtual Directory product as a central login service which will act as the first access point for all users."

I have two doubts and questions about it:

1. How do you do the Virtual directory will be the central login service? What is happen with the initial windows authentication? Or you think in a scenario with two authentication level, one for enter to the pc and the second in the virtual directory.

2. In a customer we have a scenario with a central active directory for the global company and multiple distributed active directory for centers that are in differents location.

The authentication in the centers (hotels) are with individual active directory that are inside. There are a process periodically of distribution of idenities from the central active directory to the local. My question is, is possible to replicate that scenario if we used identity as login central service? That I understand we would have to have a central identity management and multiple local identity management like now with active directory.

Tim,about your question "you are interested in using Initial Windows Authentication for SSO purposes, e.g. using the Active Directory domain authentication which already occurs when user logs onto their desktop ?"

Yes that is our purpose. But my doubt if we used that, idm is able to authenticate the user with NTLM or something like that?

Erich Vogel, you say idm cover: "authentication services, single sign-on" Could you explain more about it?

Thanks to all I think that discussion is very much productive to clarify ideas.

Best Regards.

Thanks Erich,

You are correct that HR should be the AS but is not in some cases, exactly my point as contractors or Temp staff in my comments above.

Interestingly I would like to share this with all of you in one scenario my clients told me that they would love to consider SAP Identity and Access management "IDM" system to be Authoritative for some Temp staff that are not handled by any source (HR or otherwise). The Temp staff is handled by Helpdesk and is created in LDAP by manual process, these identities are not known by any system other than the swipe card system.( I could use the ID system as the source but the clients did not prefer that)

So i created a web workflow in SAP that created the user and used the same business rules to populate the IDstore which then provisioned into all the systems connected. This scenario will always keep track of the temp identity, there were tremendous amount of benefits (bidirectional flow) that could be reaped by HR , Financials or any other system that would like to use these identities.

Cheers

Dev

Hello everybody,

I think it is important to clarify some terms. In general Identity Management covers various topics, e.g. user provisioning, role management, access management, authentication serivces, single sign-on, etc. Burton and Gartner list some 15 topics under the "IdM umbrella". Howerver most suppliers use "Identity and Access Management" as a synonym for their user provisioning solutions.

It is also important to distinguish between user provisioning and single sign-on. User Provisioning gives the IT control over user identities in various systems and the related personel data. It synchronizes data changes, automates account and access management processes and provides for compoliance reporting.

Single Sign-On only covers the authentication process and therefore it has only one small interface to user provisioning, and that is the fact that one NEEDS an account to log on (automatically through sso or manually!).

One last comment: It is absolutely correct that HR should be the source for user provisioning processes. However in our various projects we have always used a second authoritative source for all the non-employees who needs accounts and access to xyz systems. In very rare cases, HR also takes over responsibility for Externals.

I hope this helps

best regards

Erich Vogel

Hi Gurus,

I would like the ADD some thing here. The Authoritative Source for IDM should always be the HR system. (in special cases it might not) ideally it should.

IDM system just takes care of consistency if Identities in all the systems and Applications. There are SSO applications which are not part of the Domain and are third party. IDM can maintain the sync identities there as well which in essence becomes a "One User" "One password" scenario.

Its all about what you want to do and how you want to CUSTOMIZE IDM connectors according to the business rules. I have seen scenarios where all identities are not coming from HR, like contractors or Temp staff; you can have source repositories which can then be amalgamated with the existing identities in the IDM store.

So in conclusion Idm repository is not used for Authentication but is used to keep a consistent non-redundant environment for identities through out the organization.

Cheers!

Dev

Hello,

For SSO implementation, you need 2 factors:

1. A single trustworthy authentication authority.

2. Correlation between the user's identity in all involved systems.

IDM is mostly usefull for the second requirement. It helps to ensure synchronization between the user's data in different systems.

But IDM can answer the 1st requirement too. It is possible to use the Virtual Directory product as a central login service which will act as the first access point for all users.

This is really on the tip of the needle.

Eric