

Architecture

The following high-level diagram illustrates the functional role of CA CloudMinder components and their interaction. The diagram does not illustrate precise data flow; rather, it shows how components relate to one another and how they connect to external components. This illustration shows one example of CA CloudMinder. In this case, it includes all three services: Advanced Authentication, Single Sign-on, and Identity Management.

[Figure: The components of a CloudMinder installation.]

The components of this architecture are defined as follows:

User Console

Is the main user interface for managing CA CloudMinder users and services, and for performing other functions for a specific tenant.

Advanced Authentication Service

Delivers authentication or credential management, unique two-factor credentials, and real-time risk-based authentication.

Single Sign-on (SSO) Service

Provides a cloud-based federation hub that lets customers connect to cloud-based applications, partner-hosted applications, or other on-premise applications in an organization. The SSO service is standards-based: it uses SAML, WS-Federation, and WS-Trust to securely share user identity information across business partners.

Identity Management Service

Communicates with applications called managed endpoints, such as SAP, Salesforce, Webex, Oracle, or Microsoft Exchange. You use this service to assign accounts in these applications to CA CloudMinder users.

Cloud Applications

Represents cloud-based applications, such as Salesforce.com or Google. Partner-hosted applications and other on-premise applications within your own organization are also supported.

CA IAM Connector Server

Communicates with applications on other systems, called managed endpoints. The CA IAM Connector Server is required to create accounts on applications that exist in your on-premise environment, such as an email system. If you only want to create accounts on cloud-based applications, such as Salesforce.com, you do not need to install this component.

CA SiteMinder

Provides user authentication, policy-based authorization, single sign-on, and auditing for web applications. This component is optional because the SSO service provides the key features of CA SiteMinder with Federation Manager.

Identity Provider

Generates assertions or claims for users who request access to applications. Three possible choices exist; however, only the first choice appears in this illustration.