2.0 Novell Credential Provisioning Policies with Novell SecureLogin

Novell® Credential Provisioning policies allow you to automatically provision application credentials that Novell SecureLogin® supports. This section documents the steps required to configure objects and policies in Identity Manager. It does not contain deployment and configuration information for any SecureLogin components. For SecureLogin documentation, see the Novell SecureLogin 6.0 Documentation Web Site.

Implementing Credential Provisioning with SecureLogin requires a repository object, an application object, and policies. The repository and application objects store the SecureLogin information so that Identity Manager can use it. The policies enable a driver to use Credential Provisioning. See Section 3.0, Implementing Novell Credential Provisioning Policies with Novell SecureLogin, for more information.

You can also configure the following options:

You can use random password generation to set the passwords for user accounts on connected systems, which further secures your Identity Management environment. For more information on random password generation, see the Novell Identity Manager 3.5.1 Administration Guide.

Figure 2-1 shows a typical, yet simple, scenario involving the provisioning of the SecureLogin credentials for a new User of a SAP Finance application in a Finance department. SAP User provisioning is used for this example because SAP requires more login parameters than the username and password that most applications use.

This department provisions new users into the Identity Vault via a SAP HR system and Identity Manager. Depending on organizational information, the User object is then provisioned into a department authentication tree implemented on Active Directory. This is where new users authenticate to the network and is therefore the location of the SecureLogin credential repository. As users are subsequently provisioned by Identity Manager to the various finance applications, their credentials for those systems are synchronized to the SecureLogin store in Active Directory.

Figure 2-1 shows user Glen’s authentication credentials being provisioned. When Glen authenticates to his department’s Active Directory authentication domain and launches the SecureLogin client, he has single sign-on to his SAP Finance account without ever needing to enter, or even know, his password on that system.

Figure 2-1 Credential Provisioning with SecureLogin

Figure 2-1 illustrates the following steps:

  1. A SAP HR system publishes the data for a newly hired user named Glen Canyon. The Identity Manager SAP HR driver processes this data.

  2. A new User object is created in the Identity Vault with a CN value of GCANYON and a workforceID value of 50024222. Because this user is assigned to the Finance organization of his company, he needs to authenticate to the Finance department Active Directory server in the finance.prod.testco.com domain. The Identity Manager Active Directory driver that synchronizes that domain now uses the Identity Vault information.

  3. Glen is provisioned to the Finance department Active Directory server.

  4. The driver is configured to obtain Glen’s fully distinguished LDAP name: CN=GLCanyon,OU=finance,dc=prod,dc=testco,dc=com.

  5. The driver places the name into the DirXML-ADContext attribute of the GCANYON user in the Identity Vault.

    Now that the required attributes are available in the Identity Vault, the SAP User Management driver processes the attributes of the GCANYON object.

  6. Because Glen is in the Finance organization, the driver provisions a SAP user account GCANYON on the SAP Finance server.

  7. After the account creation is successful, the SAP User Management driver policies provision Glen’s SAP authentication credentials to his AD user account. Because the command is an Add operation, the policies also provision his SecureLogin passphrase question and answer.
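As an added illustration of steps 4 and 5 (not a policy from this guide; Section 3.0 documents the actual configuration), the following DirXML Script rule writes the destination DN the Active Directory driver computes for a new User back to the DirXML-ADContext attribute in the Identity Vault. It assumes the rule is placed in the Active Directory driver's Subscriber Command Transformation policy set and that the driver's destination DN is already in LDAP form.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<policy>
  <rule>
    <description>Store the AD LDAP DN of a new User in DirXML-ADContext</description>
    <conditions>
      <and>
        <!-- Only act on the Add command for User objects -->
        <if-operation op="equal">add</if-operation>
        <if-class-name op="equal">User</if-class-name>
        <!-- Skip the write if placement has not produced a destination DN;
             an empty DirXML-ADContext would later break credential
             provisioning that depends on it -->
        <if-dest-dn op="available"/>
      </and>
    </conditions>
    <actions>
      <!-- Write the computed AD DN (e.g. the constructed sample
           CN=GLCanyon,OU=finance,dc=prod,dc=testco,dc=com) back to the
           source (Identity Vault) object so that other drivers, such as
           the SAP User Management driver, can locate the AD account that
           holds the SecureLogin credential store -->
      <do-set-src-attr-value name="DirXML-ADContext">
        <arg-value type="string">
          <token-dest-dn/>
        </arg-value>
      </do-set-src-attr-value>
    </actions>
  </rule>
</policy>
```

The rule runs on the Subscriber channel, so the Add command has already passed placement by the time the destination DN is read, which is why the example takes the value from `<token-dest-dn/>` rather than from an attribute.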