WebSEAL is a reverse proxy web server that performs authentication and authorizations. It is similar to CA SiteMinder Secure Proxy Server. The advantage of WebSEAL is that WebSEAL supports SPNEGO protocol and Kerberos authentication to support Windows desktop single sign-on. Actually, Apache HTTP server supports SPNEGO protocol, as well. However, TAM can map a user account in a domain controller to a web application's user account that has a different ID, in collaboration with IBM Tivoli Identity Manager (TIM).
Improvements to My Organization
The combination of TAM with IDM in IBM Tivoli Identity Manager helped us to realize robust and secure authentication infrastructure in accordance with industry regulations and laws.
- Providing centralized authentication authority and enforce consistent authorization policies to users.
- Realizing ease of user accesses using enterprise level single sign-on.
- Improving traceability of application uses.
On the other hand, Tivoli Identity Manager known as TIM provides centralized ID lifecycle management as an IDM solution.
By using TIM together with TAM, the following benefits are served:
Many actual accounts in several LDAPs including TAM LDAP are managed by TIM LDAP. (LDAP directory tree supports a nest structure known as “Person has many accounts” model). In addition, person can have many attributes like; department code, Job grade, hiring date, resignation date in the future, etc.
By using these attributes, all accounts which belong to the person automatically are able to be activate/or inactivate. Specifically, account creation/deletion/update can execute automatically by using HR information. If someone reaches his/her retirement date, the account is inactivated by automate workflow process, without raising the account deletion request.
In addition, a process called “Reconciliation” checks several LDAPs (e.g. Active Directory), and can harmonize account information and its attributes between TIM and the LDAP. For example, if an improper account is directly created into Active Directory, scheduled Reconciliation process detects the account, and revoke the account based on pre-setting rules.
This is the reason I recommend to use TAM together with TIM.
Room for Improvement
Due to a constraint of the built-in browser in a Handy phone (called NTT i-Mode), the former version of TAM could not be used in the Japan market. The issue was resolved by the decline of Japan-specific Handy phones.
Cookies were not supported in i-Mode browser ver.1, which had the highest market share in Japan. Hence, sessions between that browser and WebSEAL could not maintain the session state using a cookie. The constraint had widespread implications. Some examples: re-authentication, session affinity, cookie-based failover mechanisms. Besides, IBM Japan declared that all browsers built in Handy phones were not supported officially in that version.
Rather than a weakness of the WebSEAL specification, that constraint was caused by the insufficient i-Mode browser specification, which was developed by NTT Docomo. Considering the negatives, we could not use WebSEAL for Handy-phone facing applications. (A workaround might exist, but the industry-standardized manner of using cookies was in our favor.)
Use of Solution
An insurance company I left three years ago has been using TAM for 10 years.
I did not encounter any stability issues.
I did not encounter any special scalability issues, because Access Manager Policy Server offloads the access traffic to the Master authorization policy store to a replica on WebSEAL Server. Likewise, PD.Acld on a back-end web application acts as a proxy of Policy Server.
Customer Service and Technical Support
Technical support is 6/10.
Initial setup was complicated because TAM was implemented as a part of the IDM solution. It took me a long time to set up the directory integration among many user stores, e.g., Tivoli Identity Manager, Active Directory, Lotus Domino Directory, application user store using database.
Pricing, Setup Cost and Licensing
The user-based licensing is relatively expensive in a large-scale enterprise. Therefore, proper understanding of the AAA solution by executive management is strongly needed to obtain the budget, in addition to discount negotiation.
Other Solutions Considered
I evaluated the following solutions:
After the results, the company decided to use TAM, following my recommendation at that time.
It is essential to hire an SME who has the appropriate skills with the products, in order to avoid vendor lock-in.
Which version of this solution are you currently using?