Planning for IAG authentication and authorization
Updated: February 10, 2010
Applies To: Intelligent Application Gateway (IAG)
Whale Communications Intelligent Application Gateway (IAG) 2007 allows you to do the following:
Require an HTTPS channel between client endpoints and the IAG server.
Apply session authentication. You can require client endpoints to authenticate in order to connect to a portal or an individually published Web application.
Configure application authorization. You can configure authorization settings that control how users and groups access specific applications published in a portal.
Planning for client endpoint access over HTTPS
When you create a trunk to publish a portal or specific Web application, you can specify that client endpoints communicate with the IAG server over an HTTPS connection. In this case, you must select a server certificate when you configure the trunk. This certificate authenticates the IAG server to the client endpoint, so it must chain to a certification authority that the client endpoints trust and must match the host name that clients use to reach the trunk.
Planning for session authentication
IAG enables you to control access to internal resources by checking users against an authentication database. A portal or application session is opened only for users who authenticate successfully. Users who cannot authenticate successfully do not gain access. Access is granted per user, and each authentication instance is valid for only one connection. IAG can integrate with numerous authentication schemes, acting as a client of the authentication server on the user's behalf, so the scheme you choose does not have to be supported by the application being protected. In addition, IAG enables non-intrusive, forced, periodic re-authentication by applying a logoff scheme. After a pre-determined time, users must re-enter credentials to continue working. If they do, they resume working where they left off; if they do not, their sessions are terminated.
To configure session authentication do the following:
Set up an authentication server against which users requesting access should authenticate. For information about supported authentication schemes and configuring authentication servers, see Configuring authentication and authorization servers in IAG.
Configure the portal or Web application trunk to require authentication. For more information, see Authenticating IAG sessions.
In addition to authenticating users in order to verify their identity before allowing them to access a published application, IAG provides single sign-on that enables a user with a domain account to log on to the network once by using a password or smart card and to gain access to any published application. For more information about single sign-on options provided by IAG, see Preparing for authentication to application servers in IAG.
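The following Python is an added illustration of the session behaviour described above; it is not IAG code and does not describe IAG's internal implementation. The re-authentication interval, the grace period for re-entering credentials, the class and method names, and the credential store are all assumptions made for the example. It shows the distinction that matters when planning: a session whose re-authentication timer expires keeps its state while the user is prompted, a wrong credential leaves the session waiting, and only a missed prompt terminates the session.

```python
"""Model of session authentication with forced periodic re-authentication.
Added example, not IAG code; timings, names and the credential check are assumptions."""
import secrets
import time
from dataclasses import dataclass, field

REAUTH_INTERVAL = 3600   # assumed: seconds after which credentials must be re-entered
REAUTH_GRACE = 300       # assumed: seconds allowed to re-enter them before logoff


@dataclass
class Session:
    user: str
    authenticated_at: float
    state: dict = field(default_factory=dict)   # work in progress, kept across re-authentication
    terminated: bool = False


class SessionStore:
    def __init__(self, verify_credentials, clock=time.time):
        self._verify = verify_credentials   # callable(user, secret) -> bool, backed by the authentication server
        self._clock = clock
        self._sessions = {}

    def login(self, user, secret):
        # Access is per user: a failed check opens no session at all.
        if not self._verify(user, secret):
            return None
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session(user, self._clock())
        return sid

    def status(self, sid):
        s = self._sessions.get(sid)
        if s is None or s.terminated:
            return "terminated"
        age = self._clock() - s.authenticated_at
        if age < REAUTH_INTERVAL:
            return "active"
        if age < REAUTH_INTERVAL + REAUTH_GRACE:
            return "reauth_required"   # prompt for credentials; state is preserved
        s.terminated = True            # no re-authentication within the grace period: logoff
        return "terminated"

    def request(self, sid, update=None):
        """A request from the client: work is accepted only while the session is active."""
        st = self.status(sid)
        if st == "active" and update:
            self._sessions[sid].state.update(update)
        return st

    def reauthenticate(self, sid, secret):
        st = self.status(sid)
        if st == "terminated":
            return "terminated"
        s = self._sessions[sid]
        if not self._verify(s.user, secret):
            return st                       # still waiting for correct credentials
        s.authenticated_at = self._clock()  # resume where the user left off
        return "active"

    def session_state(self, sid):
        return dict(self._sessions[sid].state)


class _Clock:
    """Controllable clock so the walk-through is deterministic."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def simulate():
    """Constructed walk-through; returns the outcomes observed at each step."""
    clock = _Clock()
    creds = {"alice": "correct horse"}   # constructed sample credential store
    store = SessionStore(lambda u, s: creds.get(u) == s, clock)
    out = {}
    out["bad_login"] = store.login("alice", "wrong")
    sid = store.login("alice", "correct horse")
    out["work"] = store.request(sid, {"doc": "draft-3"})
    clock.t += REAUTH_INTERVAL + 1
    out["after_interval"] = store.request(sid, {"doc": "draft-4"})   # not applied
    out["wrong_reauth"] = store.reauthenticate(sid, "wrong")
    out["good_reauth"] = store.reauthenticate(sid, "correct horse")
    out["state_kept"] = store.session_state(sid)
    clock.t += REAUTH_INTERVAL + REAUTH_GRACE + 1
    out["expired"] = store.request(sid)
    out["late_reauth"] = store.reauthenticate(sid, "correct horse")
    return out


if __name__ == "__main__":
    for step, result in simulate().items():
        print(f"{step}: {result}")
```

The re-authentication timer is measured from the last successful credential check, not from the last request, which is what makes the scheme forced rather than an idle timeout.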
About client certificate authentication
You can specify that client endpoints must use a client certificate for authentication. User identities are mapped to user objects in a Lightweight Directory Access Protocol (LDAP) repository such as an Active Directory server. Certificates can be deployed to clients from a remote certification authority (CA) or from a CA running locally on the IAG server. For more information, see Deploying client certificates for IAG certified endpoints and client authentication.
Client certificates are also used to configure certified client endpoints. For more information, see About IAG certified client endpoints. You cannot combine client certificate authentication and certified client endpoint compliance on the same portal.
Planning for application authorization
By default, all users are allowed to view and access an application published in a portal. You can disable the All Users Are Authorized default setting for an application, and configure application authorization. Application authorization allows you to control which users are authorized to view and access each of the applications published in a portal. This provides a personalized experience for different users, depending on their authorization permissions.
In order to use application authorization, you configure user or group authorization repositories against which users requesting access to portal applications can be evaluated. You can use repositories defined on existing authentication servers, or configure alternative authorization repositories. For more information, see Configuring users and groups for application authorization in IAG.
Note that application personalization (showing each user only the applications that the user is authorized to access) works only when you use the default portal home page supplied with IAG. Authorization itself can be configured with either the default or a custom portal home page; a custom home page that merely omits an application from the list does not replace an authorization setting for that application.
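The following Python is an added illustration of application authorization and personalization as described in this section; it is not IAG code, and the repository layout, the names, and the transitive resolution of nested groups are assumptions. It shows the two points a planner should keep apart: disabling All Users Are Authorized without configuring any users or groups leaves an application that nobody can reach, and the personalized home page is a view over the authorization decision, not the enforcement of it.

```python
"""Model of per-application authorization and portal personalization.
Added example, not IAG code; names, repository shape and nested-group handling are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Application:
    name: str
    all_users_authorized: bool = True          # the default for a published application
    authorized_users: set = field(default_factory=set)
    authorized_groups: set = field(default_factory=set)


class AuthorizationRepository:
    """Constructed user/group repository standing in for the groups an authorization
    server would return. Membership is resolved transitively here; this is an
    assumption, so check whether your repository expands nested groups."""

    def __init__(self, direct_membership):
        self._direct = direct_membership   # principal -> set of groups it belongs to directly

    def groups_of(self, user):
        seen, todo = set(), list(self._direct.get(user, ()))
        while todo:
            g = todo.pop()
            if g not in seen:
                seen.add(g)
                todo.extend(self._direct.get(g, ()))
        return seen


def is_authorized(app, user, repo):
    if app.all_users_authorized:
        return True
    if user in app.authorized_users:
        return True
    # Deny unless a configured group matches: no rule configured means no access.
    return bool(app.authorized_groups & repo.groups_of(user))


def personalized_portal(apps, user, repo):
    """Default portal home page behaviour: list only applications the user may access."""
    return [a.name for a in apps if is_authorized(a, user, repo)]


def enforce(apps, user, repo, app_name):
    """Check on an actual request, independent of what the home page showed:
    a user who types the URL of a hidden application is still refused."""
    app = next((a for a in apps if a.name == app_name), None)
    return app is not None and is_authorized(app, user, repo)


def sample():
    """Constructed repository and portal used by the walk-through."""
    repo = AuthorizationRepository({
        "alice": {"Finance"},
        "bob": {"Helpdesk"},
        "Finance": {"AllStaff"},
        "Helpdesk": {"AllStaff"},
    })
    apps = [
        Application("Intranet"),                                    # default: every authenticated user
        Application("Payroll", all_users_authorized=False,
                    authorized_groups={"Finance"}),
        Application("Ticketing", all_users_authorized=False,
                    authorized_users={"carol"}, authorized_groups={"Helpdesk"}),
        Application("Staging", all_users_authorized=False),         # flag disabled, nothing configured: nobody
    ]
    return repo, apps


if __name__ == "__main__":
    repo, apps = sample()
    for user in ("alice", "bob", "carol"):
        print(user, personalized_portal(apps, user, repo))
    print("bob -> Payroll:", enforce(apps, "bob", repo, "Payroll"))
```

When you disable the default for an application, add the intended users or groups in the same change; an application with the flag cleared and an empty list is unreachable rather than open, which is the safe failure but still an outage.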