Administration Guide › Overview › CA CloudMinder Components › CA Directory

CA Directory

CA Directory is an LDAP-based directory server that hosts multiple CA CloudMinder data stores.

CA Directory provides the following functionality in CA CloudMinder:

• User Store

  Contains information about all of the managed users in CA CloudMinder.

  CA Directory can contain millions of users.

• Provisioning Directory

  Contains a representation of users who have accounts on endpoints such as Microsoft Exchange, Active Directory, and SAP. Users in the provisioning directory are called global users.

CA Directory securely stores the data of one tenant separately from the data of any other tenant. A tenant can never view or access the data of another tenant. User data and provisioning data is physically segregated into separate server instances, or DSAs, for each tenant. Any request that requires user or provisioning data contains information that identifies the request with a specific tenant. A router directs the request to the appropriate DSA.

CA SiteMinder Policy Server

The Policy Server provides the following functionality in CA CloudMinder:

• Authentication—The Policy Server supports a range of authentication methods. It can authenticate users based on user names and passwords, forms based authentication, and through public-key certificates.

  In deployments that include Advanced Authentication, the Policy Server integrates with CA AuthMinder to support strong authentication methods, such as One Time Password (OTP), and Arcot PKI.

• Authorization—The Policy Server is responsible for managing and enforcing access control rules established by the Policy Server administrator. These rules define the operations that are allowed for each protected resource.
• Password policy enforcement—The Policy Server enforces rules and restrictions that govern the following:
  • password expiration
  • composition
  • usage
• Partnership federation—Offers secure single sign-on and single logout across a network of trusted business partners.Partnership federation supports the following profiles:
  • SAML 1.1
  • SAML 2.0
  • WS-Federation Passive Requester

CA SiteMinder Secure Proxy Server

The CA SiteMinder Secure Proxy Server (SPS) is a stand-alone server that provides a proxy-based solution for access control.

The CA SiteMinder Secure Proxy Server uses a proxy engine that provides a network gateway for the enterprise. The SPS provides the following functionality in CA CloudMinder:

• An embedded and fully supported web server, including SSL accelerator card support and a GUI tool for managing keys and certificates
• Support for multiple session schemes (cookie-based, and cookie-less)
• Support for flexible proxy rules, such as the following:
  • Support for rules that are based on HTTP headers and CA SiteMinder responses, in addition to URLs.
  • Ease of use for complex rules.

CA IdentityMinder Server

CA IdentityMinder provides the core functionality of CA CloudMinder, including profile and entitlement management, policies to support business rules, user self-service, and reports. You also perform most provisioning tasks in CA IdentityMinder.

Provisioning Server

The Provisioning Server allows administrators to provision accounts on endpoints such as email servers, databases, and other applications to end users. To communicate with the endpoint systems, you also install connector servers for endpoint-specific connectors, such as an SAP connector.

CA IAM Connector Server

The CA IAM Connector Server manages connectors, software that enables communication between CA CloudMinder and an endpoint system. An endpoint can be any system that uses identities.

A typical deployment includes the following types of connector servers:

• Cloud CA IAM Connector Server

  Directly manages cloud endpoints, such as Google Apps or Salesforce. The cloud CA IAM Connector Server is installed in the host data center.

• On-premise CA IAM Connector Server

  Manages local endpoints in an internal network at the tenant site.

  The tenant administrator can install a local version of the CA IAM Connector Server in their internal network and enable routing from the cloud.

  Note the following requirements for the on-premise CA IAM Connector Server:

  • The on-premise CA IAM Connector Server must access the Cloud CA IAM Connector Server using HTTP/S.
  • The on-premise CA IAM Connector Server must be able to access the on-premise endpoints using traditional communication methods, such as LDAP, CAM/CAFT, and others.

You can add support for new connectors on-premise or in the cloud without restarting any servers.

The following example shows a deployment that includes two cloud endpoints and four on-premise endpoints.