1.7 Sample Identity Manager Deployments

Identity Manager allows you to control user identities and their access to applications and accounts on connected systems. Based on the functionality you need, select which Identity Manager Edition to install, which in turn determines the components to install. The following table lists the features provided by Identity Manager Advanced Edition and Identity Manager Standard Edition.

| Feature | Advanced Edition | Standard Edition | Components to Install |
|---|---|---|---|
| Rule-based automated user provisioning | | | Identity Manager Engine and Designer |
| Real-time identity synchronization | | | Identity Manager Engine and Designer |
| Password management and password self-service | | | Identity Manager Engine and SSPR |
| Uniform identity information tool (Analyzer) | | | Analyzer |
| REST APIs and single sign-on support | | (limited support only) | Identity Manager Engine, OSP, and Identity Reporting |
| Current state reporting | | | Identity Manager Engine and Identity Reporting |
| Role-based enterprise-level provisioning | | | Identity Manager Engine and Identity Applications |
| Automated approval workflows for business policy enforcement | | | Identity Manager Engine, Designer, and Identity Applications |
| Advanced self-service in the identity applications | | | Identity Manager Engine and Identity Applications |
| Resource model and catalog for easy resource provisioning | | | Identity Manager Engine and Identity Applications |
| Historical state reporting | | | Identity Manager Engine and Identity Reporting |
| Connected systems reporting | | | Identity Manager Engine and Identity Reporting |
| Role and resource administration | | | Identity Manager Engine and Identity Applications |

NOTE: In all Identity Manager installations, Identity Manager Server is the central component. Depending on the Identity Manager edition, either Identity Reporting alone or both Identity Reporting and Identity Applications are installed on a Tomcat application server. Use the component-specific Identity Manager installer to install other components as needed, for example Designer, Analyzer, or Sentinel Log Management for Identity Governance and Administration.

In addition, review the goals for your implementation and pay attention to the physical topology options, such as high availability and scalability, before installing Identity Manager. This helps you identify the configuration that matches your organization's requirements.

High availability ensures efficient manageability of critical network resources, including data, applications, and services. You can implement high availability by reducing single points of failure and by using redundant components. Similarly, connecting multiple instances of identity management components through a load balancer can provide a highly available environment.

This section describes two examples to illustrate Advanced Edition and Standard Edition implementations at a high level. You can use them as a reference to come up with a deployment diagram for your implementation.

1.7.1 Sample Advanced Edition Deployment

Figure 1-4 shows a high-level deployment topology of an Identity Manager Advanced Edition installation.

Figure 1-4 Sample Advanced Edition Deployment

  • The Identity Manager Server components, their underlying repository (Identity Vault), and the Web-enabled components (Identity Applications and Identity Reporting) are installed in the intranet zone. The load balancer then routes the traffic to the Identity Applications components. This deployment provides enhanced security because these components are separated from Internet traffic by firewalls.

  • The Identity Manager Server components are configured to use a two-server (primary/secondary) configuration. A virtual logical IP address is active on the primary server, which acts as the primary (active) node, while another server acts as the secondary node. If the primary server fails, the logical IP address is moved to the secondary server and all processes are then started there. Application processes accessing the secondary server may experience a temporary loss of service while the logical IP address is moved over and the other processes are started. All components use the same Identity Vault server at any point in time.

  • SSPR services are available inside and outside the firewall to address the password management needs of local and mobile users of the organization. The services installed inside the firewall address the local password management needs. Mobile users who have forgotten their password cannot connect to the VPN, which prevents them from reaching the internally placed SSPR services; they can instead directly access the SSPR services placed outside the firewall to manage their passwords.

  • The User Application and the authentication service (OSP) are deployed in a cluster to handle the load and support the failover process for Identity Applications. The cluster nodes are attached to the same Identity Applications database, which is installed on a separate computer. This deployment provides increased scalability by allowing you to add more nodes to the cluster; the cluster configuration is immediately sent to newly added nodes. The load balancer is typically part of the cluster and understands the cluster configuration as well as the failover policies. In this configuration, all cluster nodes are active at any point in time. The load balancer distributes the load across the nodes so that the nodes have roughly the same workload. If a node fails, it diverts the requests made to that node to the surviving nodes in the cluster. Because this installation is an intrasite, high availability solution, it provides protection from local hardware and software failures, using a two-node hardware-based cluster to achieve high availability for the Identity Applications components.

NetIQ has tested and recommends this configuration.

NOTE: Identity Manager does not support clustering the Identity Reporting components.

1.7.2 Sample Standard Edition Deployment

In production deployments, security policies might require that the authentication service, which provides advanced authentication and protection for your environment, not be exposed to the public network. Figure 1-5 shows a high-level deployment topology of an Identity Manager Standard Edition installation.

Figure 1-5 Sample Standard Edition Deployment

  • The Identity Manager Server components, their underlying repository (Identity Vault), and the Identity Reporting components are installed in the intranet zone. Internet Web traffic is routed to the Identity Reporting components through Web servers that are installed behind the firewall for added protection. This deployment provides enhanced security because these components are separated from Internet traffic by firewalls.

  • The Identity Manager Server components are configured to use a two-server (primary/secondary) configuration. A virtual logical IP address is active on the primary server, which acts as the active node, while another server acts as the secondary node. If the primary server fails, the logical IP address is moved to the secondary server and all processes are then started there. Application processes accessing the secondary server may experience a temporary loss of service while the logical IP address is moved over and the other processes are started. All components use the same Identity Vault server at any point in time.

  • SSPR services are available inside and outside the firewall to address the password management needs of local and mobile users of the organization. The services installed inside the firewall address the local password management needs. Mobile users who have forgotten their password cannot connect to the VPN, which prevents them from reaching the internally placed SSPR services; they can instead directly access the SSPR services placed outside the firewall to manage their passwords.

NetIQ has tested and recommends this configuration.

NOTE: Identity Manager does not support clustering the Identity Reporting components.
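The feature-to-component table and the topology rules from both sample deployments (a primary/secondary engine pair behind a virtual IP, Identity Applications clustered, Identity Reporting never clustered, intranet-only placement of the server and Web components, SSPR allowed in the DMZ) can be checked mechanically before an install. The following plan checker is an added example, not NetIQ code; the shortened feature keys, the `Node` model and the zone names are assumptions of the example.

```python
from dataclasses import dataclass

# Feature -> components to install, taken from the edition table above
# (feature keys shortened; an assumption of this example).
FEATURE_COMPONENTS = {
    "rule-based provisioning": {"Identity Manager Engine", "Designer"},
    "password self-service": {"Identity Manager Engine", "SSPR"},
    "current state reporting": {"Identity Manager Engine", "Identity Reporting"},
    "approval workflows": {"Identity Manager Engine", "Designer", "Identity Applications"},
    "role and resource administration": {"Identity Manager Engine", "Identity Applications"},
}
# Components both sample topologies keep in the intranet zone, behind the firewall.
INTRANET_ONLY = {"Identity Manager Engine", "Identity Vault", "Identity Reporting",
                 "Identity Applications", "OSP"}

@dataclass
class Node:
    component: str
    zone: str        # "intranet" or "dmz" (assumed zone names)
    count: int = 1   # instances of this component in that zone

def check_plan(edition, features, nodes):
    """Return findings; an empty list means the plan follows the sample topologies."""
    findings = []
    installed = {n.component for n in nodes}
    for feature in features:
        needed = FEATURE_COMPONENTS[feature]
        missing = sorted(needed - installed)
        if missing:
            findings.append(f"{feature}: install {', '.join(missing)}")
        # Identity Applications is installed only with Advanced Edition (see the NOTE above).
        if "Identity Applications" in needed and edition != "Advanced":
            findings.append(f"{feature}: requires Identity Applications (Advanced Edition)")
    for n in nodes:
        if n.component in INTRANET_ONLY and n.zone != "intranet":
            findings.append(f"{n.component}: keep in the intranet zone, not {n.zone}")
        if n.component == "Identity Reporting" and n.count > 1:
            findings.append("Identity Reporting: clustering is not supported")
        if n.component == "Identity Manager Engine" and n.count < 2:
            findings.append("Identity Manager Engine: no secondary node for virtual-IP failover")
        if n.component == "Identity Applications" and n.count < 2:
            findings.append("Identity Applications: cluster at least two nodes behind the load balancer")
    return findings

def sample_advanced_plan():
    """Constructed plan mirroring Figure 1-4: engine pair, clustered applications, SSPR inside and outside."""
    nodes = [Node("Identity Manager Engine", "intranet", 2), Node("Designer", "intranet"),
             Node("Identity Reporting", "intranet"), Node("Identity Applications", "intranet", 2),
             Node("OSP", "intranet", 2), Node("SSPR", "intranet"), Node("SSPR", "dmz")]
    return check_plan("Advanced", ["approval workflows", "password self-service",
                                   "current state reporting"], nodes)
```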