Hitachi ID Identity Manager network architecture
Hitachi ID Identity Manager is designed for:
Identity Manager is installed on hardened servers.
All sensitive data is encrypted in storage and transit. Strong
authentication and access controls protect business processes.
Multiple Identity Manager servers can be
installed, using a built-in data replication facility. Workload
can be distributed using any load-balancing technology (IP, DNS, etc.).
The end result is a multi-master, distributed architecture that
is very easy to setup, as replication is handled at the application
Identity Manager uses a normalized, relational and indexed
database back end. All access to the database is via
stored procedures, which help to minimize communication
overhead between the application and database. All
Identity Manager code is native code, which provides a 2x to 10x
performance advantage as compared to Java or .NET
Open standards are used for inbound integration (SOAP)
and outbound communications (SOAP, SMTP, HTTP, etc.).
Both the Identity Manager user interface and all
functionality can be customized to meet enterprise requirements.
- Low TCO:
Identity Manager is easy to set up and requires minimal
Figure [link] illustrates the Identity Manager network
Network architecture diagram
- Users normally access Identity Manager using HTTPS from a web browser.
- Multiple Identity Manager servers may be load balanced using either
an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or
simply using DNS round-robin distribution.
- Native password changes on some systems may trigger transparent
password synchronization. A password change interceptor DLL,
library or exit may capture such changes and initiate transparent
- Users may call an IVR system with a telephone and be authenticated
either using touch-tone input of personal information or using a
voice print. Authenticated users may initiate a password reset.
- Identity Manager
connects to most target systems using their native APIs
and protocols and thus requires no software to be installed locally on
- Local agents are provided and recommended for Unix servers and z/OS
mainframes. Use of these agents improves transaction security,
speed and concurrency.
- A local agent is mandatory on older RSA SecurID servers (version
7.x and later exposes a remote API).
- Where target systems are remote and communication with them is
slow, insecure or both, a Identity Manager proxy server may be co-located
with the target system in the remote location. In this case, servers
in the main Identity Manager server cluster initiate fast, secure
connections to the remote proxies, which decode these
transactions and forward them to target systems locally, using
native, slow and/or insecure protocols.
- Identity Manager can look up and update user profile data in an existing
system, including HR databases (ODBC), directories (LDAP) and
meta-directories (e.g., WMI to Microsoft ILM).
- Identity Manager can send e-mails to users asking them to register or to
notify them of events impacting their profiles. Over
events can trigger e-mail notification.
- Identity Manager can create tickets on most common incident management systems,
either recording completed activity or requesting assistance
(security events, user service follow-up, etc.). Over
189 events can trigger ticket generation. Binary integrations
are available for 17 help desk applications
and open integration is
possible using mail, ODBC, SQL and web services.