4.0 Novell Credential Provisioning Policies with Novell SecretStore

Novell® Credential Provisioning policies allow you to provision application credentials to User objects in a Novell SecretStore® repository. The capability to provision the Application Server and the User credentials as part of a standard Identity Manager provisioning scenario provides a much more secure and synchronized Web Single Sign-On experience for users.

This section contains the steps required to configure objects and policies in Identity Manager. It does not contain deployment and configuration information for any SecretStore components. For SecretStore documentation, see Novell SecretStore 3.3.3 documentation.

Implementing Credential Provisioning with SecretStore requires a repository object, an application object, and policies. The repository and application objects store the SecretStore information so that Identity Manager can use it. The policies are what allow any driver to be enabled for Credential Provisioning. It is also possible to configure the following options:

You can use random password generation to set the passwords for user accounts on connected systems to further secure your Identity Management environment. For more information, see the Novell Identity Manager 3.5.1 Administration Guide for using random password generation.

Figure 4-1 shows a typical, yet simple, scenario involving the provisioning of the Single Sign-On credentials for a new user in GroupWise®. This department provisions new users into the Identity Vault via a SAP HR system and Identity Manager. Depending on organizational information, the user is then provisioned into a department authentication tree implemented on eDirectory™. This is where new users authenticate to the network, and is also the repository of GroupWise security credentials that Novell iChain® or Novell Access Manager™ utilizes to provide secure Single Sign-On functionality from outside the company firewall. As users are subsequently provisioned by Identity Manager to GroupWise, the credentials for those systems are synchronized to their SecretStore attributes in the authentication tree.

Figure 4-1 Credential Provisioning with SecretStore

Figure 4-1 illustrates the following provisioning steps:

  1. The SAP HR system publishes the data for a newly hired user named Glen Canyon. The Identity Manager SAP HR driver processes this data.

  2. A new User object is created in the Identity Vault with a CN value of GCANYON and a workforceID value of 50024222. Because this user is assigned to the Finance organization of his company, he needs to authenticate to the Finance Department eDirectory server. The Identity Manager eDirectory driver that synchronizes that domain now uses the Identity Vault information.

  3. Glen is provisioned to the Finance department eDirectory server.

  4. The driver is configured to obtain Glen’s fully distinguished LDAP name: CN=GLCanyon,OU=finance,O=Testco Financials.

  5. The LDAP name is placed into the DirXML-AuthContext (extension of User object, copy of DirXML-ADContext) attribute of the GCANYON user in the Identity Vault.

    Now that the required attributes are available in the Identity Vault, the GroupWise driver processes the attributes of the GCANYON object.

  6. Because Glen is in the Finance organization, the driver provisions a GroupWise account for GCANYON on the Finance Department's GroupWise domain server.

  7. After the account creation is successful, the GroupWise driver policies provision Glen's GroupWise authentication credentials to the secret store of his eDirectory user account.

When Glen authenticates to his company's Web site from the Internet, an iChain server can use the SecretStore credentials to form-fill his authentication to his secure GroupWise e-mail account, eliminating the need for him to enter his GroupWise credentials and also providing additional security for the company's resources.