IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Provisioning Agent features

This topic describes the high-level specifications of the IBM® Security Access Manager for Enterprise Single Sign-On provisioning Active Directory agent, as well as the various deployment options.

No administrative costs for Active Directory-based user de-provisioning
The solution does not add administrative costs for user de-provisioning through the Active Directory management console.
No modification to existing Active Directory and provisioning infrastructure
The solution does not require modification to existing Active Directory and provisioning infrastructure. This feature eliminates the need to obtain approvals for infrastructure modifications, which are typically tedious and might take too long.
Complete de-provisioning of accounts
When users are de-provisioned on Active Directory, the solution performs a complete de-provisioning of the corresponding IMS Server users. Complete de-provisioning includes revoking the authentication factors of users, disabling user Wallets, and creating audit logs. It ensures that de-provisioning complies with relevant legislation, such as SOX.

IMS Server users can be either revoked or deleted.
Note: To retain audit log information for compliance initiatives, when de-provisioning, you can revoke an account instead of deleting it. IBM Security Access Manager for Enterprise Single Sign-On accounts that you revoke cannot be reactivated.

If a customer has an ADAM server, install the Provisioning Agent on the same machine as the ADAM server. Search and directory lookup operations can complete faster because the ADAM host has its own cached copy of the user directory. However, the Provisioning Agent can also be configured to communicate directly with Active Directory.

An enterprise might have one or more ADAMs. If there are multiple ADAMs supporting multiple domains, each ADAM machine hosts one Provisioning Agent.

Prerequisites for Provisioning Agent

In the Provisioning Agent solution:

How provisioning agent works

Provisioning Agent with IBM Security Access Manager for Enterprise Single Sign-On supports only de-provisioning of the IMS Server user when the corresponding Active Directory account is de-provisioned.

When the administrator or help desk employee de-provisions a user in the Active Directory management console, the following process occurs:
  1. In the Active Directory management console, the user is de-provisioned.
  2. The Provisioning Agent detects (through periodic polling) that a user has been de-provisioned on Active Directory.
  3. The Provisioning Agent invokes the provisioning API of the IMS Server to de-provision the IMS Server user.
  4. The authentication factors of the user are automatically revoked.
  5. When the user attempts to log on with AccessAgent, the user is informed that the account has been revoked.
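The polling cycle described in steps 2 through 4, as an added example that is not part of this topic or of the product's own code. It simulates one Provisioning Agent poll: an Active Directory snapshot is compared against the active IMS Server users, and every user whose account is missing or carries the ACCOUNTDISABLE bit in userAccountControl is de-provisioned (authentication factors revoked, Wallet disabled, audit record written), in either revoke or delete mode. The `FakeImsServer` class, the `deprovision` method, and the assumption that the IMS username equals the AD sAMAccountName are constructed for this example, not the real IMS Server provisioning API. The sample user data is constructed as well.

```python
"""Simulated Provisioning Agent poll cycle (constructed example, not product code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Bit set in the AD userAccountControl attribute when an account is disabled.
ACCOUNTDISABLE = 0x0002


@dataclass
class AdUser:
    """One entry from an Active Directory (or ADAM) snapshot."""
    sam_account_name: str
    user_account_control: int


@dataclass
class ImsUser:
    """One IMS Server user as seen by the (hypothetical) provisioning API."""
    username: str
    status: str = "active"            # active | revoked | deleted
    wallet_enabled: bool = True
    auth_factors: List[str] = field(default_factory=list)


class FakeImsServer:
    """Stand-in for the IMS Server provisioning API (hypothetical interface)."""

    def __init__(self, users: List[ImsUser]) -> None:
        self.users: Dict[str, ImsUser] = {u.username: u for u in users}
        self.audit_log: List[dict] = []

    def deprovision(self, username: str, mode: str = "revoke") -> bool:
        """Revoke or delete one user. Returns False if already handled (idempotent)."""
        user = self.users[username]
        if user.status != "active":
            return False
        revoked = list(user.auth_factors)
        user.auth_factors.clear()          # revoke every authentication factor
        user.wallet_enabled = False        # disable the user Wallet
        user.status = "revoked" if mode == "revoke" else "deleted"
        # Audit record kept on the IMS side; with "revoke" the account stays for compliance review.
        self.audit_log.append({"user": username, "action": mode, "revoked_factors": revoked})
        return True


def is_deprovisioned(ad_users: Dict[str, AdUser], username: str) -> bool:
    """An AD account counts as de-provisioned when it no longer exists or is disabled."""
    user: Optional[AdUser] = ad_users.get(username)
    return user is None or bool(user.user_account_control & ACCOUNTDISABLE)


def poll_once(ad_snapshot: List[AdUser], ims: FakeImsServer, mode: str = "revoke") -> List[str]:
    """One polling cycle. Returns the IMS usernames de-provisioned in this cycle."""
    # Guard: an empty snapshot almost certainly means the directory query failed.
    # Revocation cannot be undone, so never treat "no results" as "everyone is gone".
    if not ad_snapshot:
        return []
    ad_users = {u.sam_account_name.lower(): u for u in ad_snapshot}
    handled: List[str] = []
    for username, ims_user in ims.users.items():
        if ims_user.status != "active":
            continue                       # already revoked or deleted in an earlier cycle
        if is_deprovisioned(ad_users, username.lower()):
            if ims.deprovision(username, mode):
                handled.append(username)
    return handled


if __name__ == "__main__":
    # Constructed data: alice is a normal enabled account (0x200), bob is disabled
    # (0x200 | ACCOUNTDISABLE), carol has been deleted from AD, dave was revoked earlier.
    ad = [AdUser("alice", 0x200), AdUser("bob", 0x202)]
    ims = FakeImsServer([
        ImsUser("alice", auth_factors=["password"]),
        ImsUser("bob", auth_factors=["password", "rfid"]),
        ImsUser("carol", auth_factors=["password"]),
        ImsUser("dave", status="revoked"),
    ])
    print("cycle 1:", poll_once(ad, ims))   # bob and carol are de-provisioned
    print("cycle 2:", poll_once(ad, ims))   # nothing left to do
    print("audit:", ims.audit_log)
```

In a real deployment the snapshot would come from an LDAP query against ADAM or Active Directory rather than a list; the empty-snapshot guard matters there because a revoked account cannot be reactivated, so a transient directory outage must not be mistaken for mass de-provisioning.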
