Before you start
This tutorial provides an implementation solution for provisioning users to a company's intranet platforms. The solution uses the Tivoli Security products to provide an integrated solution for doing so. Specifically, it highlights an integration scenario common to many customer environments, where an HR repository controls the lifecycle of a user within an organization, and the Tivoli security portfolio provides the provisioning framework for accounts on internal systems.
In many internal customer environments, a single HR repository holds the master definition of a user. The advantage of deploying the Tivoli Identity Manager (TIM) architecture is that it provides this repository. However, in many situations the HR repository is not controlled directly by the organization's identity management team (IMT). The IMT therefore requires a feed of user data from this repository when a user is registered or de-registered. This tutorial presents a practical solution to such a scenario using the following IBM products:
- Tivoli Identity Manager (TIM) - responsible for provisioning of user accounts for a newly created user.
- IBM Directory Integrator (IDI) - provides a feed of the data from the HR database to the Identity Manager solution.
- Tivoli Access Manager (TAM) - the end point for provisioning of accounts for a particular user.
- IBM Directory Server (IDS) - used as the LDAP repository for TIM and TAM, and also to simulate an HR feed to the TIM server through IDI.
Although this tutorial presents a solution for a single scenario, it introduces concepts that can be applied to varying customer problems around user provisioning. By the end of the tutorial, you should have a good understanding of the value of the Tivoli Security portfolio for solving varying customer requirements for user provisioning.
Anyone interested in the integration capabilities of the Tivoli Security products (using TIM and IDI specifically) may be interested in taking this tutorial. It provides you with an overview of many of the concepts surrounding identity management and user provisioning, and provides an example implementation that makes use of the Tivoli Security portfolio.
You should have the following skills before you start this tutorial:
- Tivoli Access Manager installation and configuration: This will allow you to implement a simple agent that provisions user accounts within TAM.
- Tivoli Identity Manager installation: This tutorial requires you to install and configure the TIM product.
- TIM agent installation and configuration: You should have some knowledge of installing and configuring TIM agent software.
In order to successfully complete the steps as demonstrated in this tutorial, you will need the following:
- A client machine hosting the software for providing the HR data feed to the TIM infrastructure, which includes the following components:
  - IBM Directory Server: This is IBM's LDAP Directory product. Within the solution two instances of the IBM Directory Server are deployed: one for simulating the HR feed for TIM, and the other for the directory to be used by the TIM and TAM products.
  - IBM Directory Integrator: To obtain this software, please consult your Tivoli sales specialist.
- IBM Tivoli Identity Manager infrastructure. To obtain this software, contact your local Tivoli sales representative. This infrastructure includes the following software:
  - IBM Directory Server is the user data store for TIM and TAM.
  - IBM WebSphere MQ is for the user provisioning workflow within TIM.
  - IBM WebSphere hosts the TIM application.
- Tivoli Access Manager 4.1 Agent is also required within this tutorial for showing the provisioning capabilities of the TIM product. Agent software can be obtained from your Tivoli sales team.
- You'll also need the Access Manager infrastructure, which includes the following:
  - IBM Tivoli Access Manager Base and Policy Server
  - IBM Tivoli Access Manager WebSEAL
Note that the TIM and TAM infrastructure will share the IBM Directory for user and group storage.
In order to limit the scope of the solution while demonstrating as many concepts as possible, we've made a number of assumptions about our hypothetical environment:
- The customer uses an HR database store that can alert other components when updates occur. In this tutorial, we'll use the IDS for the HR store, and use the changelog functionality provided by IDS to notify the Identity Manager solution when an update occurs.
- Many customers will have their own solution for data feeds out of their HR systems. In this tutorial we use IDS and IDI to simulate the creation of an account and subsequent HR feed to the TIM product.