Hitachi ID Identity Manager network architecture
Hitachi ID Identity Manager is designed for:
- Identity Manager is installed on hardened servers. All sensitive data is
encrypted in storage and transit. Strong authentication and access controls
protect business processes.
- Multiple Identity Manager servers can be installed, using a built-in data
replication facility. Workload can be distributed using any load-balancing
technology (IP, DNS, etc.). The end result is a multi-master, distributed
architecture that is very easy to set up, as replication is handled at the
application
- Identity Manager uses a normalized, relational and indexed database back
end. All access to the database is via stored procedures, which help to
minimize communication overhead between the application and database. All
Identity Manager code is native code, which provides a 2x to 10x performance
advantage as compared to Java or .NET.
- Open standards are used for inbound integration (SOAP) and outbound
communications (SOAP, SMTP, HTTP, etc.).
- Both the Identity Manager user interface and all functionality can be
customized to meet enterprise requirements.
- Low TCO:
Identity Manager is easy to set up and requires minimal
Figure [link] illustrates the Identity Manager network
[Figure: Network architecture diagram]
- Users normally access Identity Manager using HTTPS from a web browser.
- Multiple Identity Manager servers may be load balanced using either
an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or
simply using DNS round-robin distribution.
- Native password changes on some systems may trigger transparent
password synchronization. A password change interceptor DLL,
library or exit may capture such changes and initiate transparent
- Users may interact with Identity Manager via an app on their phone.
Where this is allowed by the Hitachi ID Systems customer, the app on the phone
connects via HTTPS to a Linux/Tomcat proxy server in the cloud or in the
Hitachi ID Systems customer's DMZ. Simultaneously, each Identity Manager
server keeps open a pool of HTTPS connections to the same proxy system(s).
The proxies broker communication from user phones to the on-premise
Identity Manager server(s) after authenticating both connections.
The app is authenticated by offering up a key, which was deployed
earlier at phone activation time and which may be revoked at
- Users may make a voice phone call to an IVR system
and be authenticated either using touch-tone input of personal
information or using a voice print. Authenticated users may initiate
a password reset.
- Identity Manager
connects to most target systems using their native APIs
and protocols and thus requires no software to be installed locally on
- Local agents are provided for Unix/Linux servers and z/OS
mainframes. A local agent is recommended for z/OS; on Unix/Linux
it is only included in case there is no SSHD. Use of these agents
improves transaction security, speed and concurrency.
- A local agent is mandatory on older RSA SecurID servers (version
7.x and later exposes a remote API).
- Where target systems are remote and communication with them is
slow, insecure or blocked by a firewall or NAT, an Identity Manager proxy
server may be co-located with the target system in the remote
location. In this case, servers in the main Identity Manager server
cluster initiate fast, secure connections to the remote proxies,
which decode these transactions and forward them to target systems
locally, using native, slow and/or insecure protocols.
- Identity Manager can look up and update user profile data in an existing
system, including HR databases (ODBC), directories (LDAP) and
meta-directories (e.g., WMI to Microsoft ILM).
- Identity Manager can send e-mails to users asking them to complete
enrollment, participate in workflow processes or to notify them of
events impacting their profiles. Over 300 events can trigger e-mail
notification.
- Identity Manager can create tickets on many types of incident management
systems, either recording completed activity or requesting
assistance (security events, user service follow-up, etc.).
300 events can trigger ticket generation.
Binary integrations are available for 20 help
desk applications and open integration is possible using mail,
ODBC, SQL and web services.
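The phone-app bullet above describes a relay pattern: the app authenticates to a proxy with a key issued at activation (revocable later), each on-premise server holds a pool of outbound HTTPS connections to that proxy, and the proxy brokers a request only after both sides are authenticated. The following is an added illustration of that brokering rule, not Hitachi ID code: it models the pairing in memory with an HMAC challenge/response and a single-use nonce, standing in for the product's real key format and HTTPS transport, which the page does not describe. The shared server secret, device identifiers and server names are all constructed for the example.

```python
"""Constructed illustration of the phone-app relay pattern described above.

Not Hitachi ID code. Models the brokering rule in memory: a per-device key
issued at activation (revocable), a pool of authenticated server-side
connections, and relaying only once both sides have authenticated.
HMAC-SHA256 challenge/response stands in for the product's actual scheme.
"""
import hashlib
import hmac
import secrets
from collections import deque


class AuthError(Exception):
    """Raised when a phone or server connection fails authentication."""


class RelayProxy:
    def __init__(self, server_secret):
        # Assumption: the on-premise servers share one secret with the proxy.
        self.server_secret = server_secret
        self.device_keys = {}        # device_id -> key issued at activation
        self.revoked = set()         # device_ids whose key has been revoked
        self.pending = set()         # challenges issued but not yet answered
        self.server_pool = deque()   # idle, authenticated server connections
        self.log = []

    # Device lifecycle: key issued at activation, revocable afterwards.
    def activate_device(self, device_id):
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def revoke_device(self, device_id):
        self.revoked.add(device_id)

    # Challenge/response: the proxy issues a fresh nonce, the peer returns
    # HMAC-SHA256(key, nonce). Each nonce is accepted once, so a captured
    # response cannot be replayed.
    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    @staticmethod
    def respond(key, nonce):
        return hmac.new(key, nonce, hashlib.sha256).digest()

    def _verify(self, key, nonce, response):
        if nonce not in self.pending:
            return False
        self.pending.discard(nonce)   # single use, even when the answer is wrong
        return hmac.compare_digest(self.respond(key, nonce), response)

    # Server side: on-premise servers open outbound connections and must
    # authenticate them before they join the idle pool.
    def register_server_connection(self, server_name, nonce, response):
        if not self._verify(self.server_secret, nonce, response):
            self.log.append("server auth failed: %s" % server_name)
            raise AuthError("server connection rejected")
        self.server_pool.append(server_name)
        self.log.append("server connection pooled: %s" % server_name)

    # Phone side: the app must present a known, unrevoked key before any
    # request is handed to a pooled server connection.
    def handle_app_request(self, device_id, nonce, response, request):
        key = self.device_keys.get(device_id)
        if key is None or device_id in self.revoked:
            self.pending.discard(nonce)
            self.log.append("device rejected: %s" % device_id)
            raise AuthError("unknown or revoked device")
        if not self._verify(key, nonce, response):
            self.log.append("device auth failed: %s" % device_id)
            raise AuthError("bad device response")
        if not self.server_pool:
            raise RuntimeError("no authenticated server connection available")
        server = self.server_pool.popleft()
        self.log.append("relayed %r from %s to %s" % (request, device_id, server))
        return server   # a real proxy would now forward over the held connection


def run_demo():
    """Happy path, then a replayed response, then a request after revocation."""
    secret = secrets.token_bytes(32)
    proxy = RelayProxy(secret)
    n = proxy.challenge()
    proxy.register_server_connection("idm-server-1", n, RelayProxy.respond(secret, n))
    key = proxy.activate_device("phone-42")
    n = proxy.challenge()
    resp = RelayProxy.respond(key, n)
    served_by = proxy.handle_app_request("phone-42", n, resp, "reset-password")
    replay_refused = False
    try:
        proxy.handle_app_request("phone-42", n, resp, "reset-password")  # same nonce
    except AuthError:
        replay_refused = True
    proxy.revoke_device("phone-42")
    n = proxy.challenge()
    revoked_refused = False
    try:
        proxy.handle_app_request("phone-42", n, RelayProxy.respond(key, n), "reset-password")
    except AuthError:
        revoked_refused = True
    return {"served_by": served_by, "replay_refused": replay_refused,
            "revoked_refused": revoked_refused, "log": proxy.log}


if __name__ == "__main__":
    for line in run_demo()["log"]:
        print(line)
```

The point the model makes is ordering: a server connection enters the pool only after it has authenticated, and a phone request is never paired with one until the device's key has been checked against the revocation set, so revoking a key at the proxy cuts the phone off without touching the on-premise servers.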
- Network architecture:
Identity Manager network architecture.
- Replicated, High Performance Database Architecture:
Identity Manager includes built-in data replication and uses stored procedures to ensure optimized transaction processing.
- Included Connectors:
Connectors included in Identity Manager and their capabilities.
- Auto-Discovery System:
How the Identity Manager automatically discovers new, deleted and changed users on integrated systems and applications.
- Reconciling User IDs:
How Identity Manager maps user IDs on different systems back to their human users, both automatically and with human assistance.
Integrations between Identity Manager and other parts of an IT infrastructure.
- Custom Business Logic:
How organizations can implement their own business logic without modifying the core Identity Manager product or impairing system reliability or upgradeability.
- Dynamic Workflow:
How Identity Manager invites business users to review and approve changes to user profiles.
- Reliable Authorization:
Using parallel invitations, reminders, escalation and delegation to get reliable results from human authorizers.
- Roles & Rules:
Using roles and rules to simplify the management of user provisioning policies.
- Self-service Group Management:
Using the included Group Manager module to move AD group management to a self-service model.
- Event Notification:
Identity Manager can alert people and other systems of changes that it detects on target systems and of events that took place within identity management and access governance business processes.
- Server Requirements:
How to configure Identity Manager servers and how many are required.
- Customizable User Interface:
How the Identity Manager user interface can be branded, rearranged and adapted to specific customer requirements.
- Language Support:
Languages in which Identity Manager can display its user interface.