Chapter 2. Planning 47
2.4.4 Access Manager for Microsoft .NET Applications
Tivoli Access Manager exposes the aznAPIs at the .NET Common Language
Runtime (CLR) level. This allows Access Manager functionality to be available to
all .NET languages such as Managed C++, C#, and Visual Basic® .NET.
Access Manager for Microsoft .NET provides single sign-on from Tivoli Access
Manager Web security servers (WebSEAL and Plug-In for Web servers) to ASP
.NET applications. Put simply, the .NET application can accept an Access
Manager user ID or credential and authenticate traffic origin.
Figure 2-9 illustrates how Access Manager provides single sign-on in a Microsoft
.NET environment.
Figure 2-9 Access Manager for .NET single sign-on
In addition, role membership is evaluated using Tivoli Access Manager policy in
one of two ways:
• Declarative role security, where the ASP .NET container enforces roles
declared by the application
• Programmatic role security, where the application makes an API call to
determine whether a user possesses a particular role
No code changes are required to use Access Manager authorization provided
that the application is using either the declarative security model or the
programmatic security model. Access Manager uses one of two approaches to
determine if the user possesses a given role:
• User-to-role mapping via the user’s group membership
[Figure 2-9 diagram labels: User; Access Manager Web Security Server (WebSEAL or Web Plug-In); Windows Server OS; IIS; ASP.NET 1.1; TAM Authentication Module; ASP.NET App; User ID or Credential; Tivoli Access Manager Authentication Module; Access Manager IPrincipal (in context); Tivoli Access Manager Authorization Assembly; Access Manager Policy Server; Access Manager Directory. Legend: IBM Tivoli, Microsoft, Customer.]
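The declarative and programmatic role checks described above, together with user-to-role mapping through group membership, as an added C# example that is not from the guide or from IBM's product code. `GroupMappedPrincipal`, its role-to-group table and the `Demo` class are hypothetical stand-ins for the principal that the Access Manager module places in context, and the example assumes the .NET Framework, where the runtime enforces declarative `PrincipalPermission` demands.

```csharp
// Added example, not IBM code; assumes the .NET Framework runtime.
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical stand-in for the IPrincipal placed in context by the
// authentication module: a role is held through group membership.
class GroupMappedPrincipal : IPrincipal
{
    // Constructed role-to-group mapping (an assumption of this example).
    static readonly Dictionary<string, string> RoleToGroup =
        new Dictionary<string, string> { { "Approver", "finance-managers" } };
    readonly IIdentity identity;
    readonly List<string> groups;
    public GroupMappedPrincipal(string user, params string[] memberOf)
    {
        identity = new GenericIdentity(user, "Example");
        groups = new List<string>(memberOf);
    }
    public IIdentity Identity { get { return identity; } }
    public bool IsInRole(string role)
    {
        string group;
        return RoleToGroup.TryGetValue(role, out group) && groups.Contains(group);
    }
}

static class Demo
{
    // Declarative: the runtime demands the role before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Approver")]
    static string Approve(int id) { return "approved " + id; }

    // Programmatic: the application asks the principal directly.
    static string View(int id)
    {
        bool approver = Thread.CurrentPrincipal.IsInRole("Approver");
        return approver ? "full record " + id : "summary " + id;
    }
    static void Main()
    {
        Thread.CurrentPrincipal = new GroupMappedPrincipal("alice", "finance-managers");
        Console.WriteLine(Approve(7) + ", " + View(7));
        Thread.CurrentPrincipal = new GroupMappedPrincipal("bob", "staff");
        Console.WriteLine(View(7));
        try { Approve(7); }
        catch (SecurityException) { Console.WriteLine("bob: role demand failed"); }
    }
}
```

Neither `Approve` nor `View` names a group or a policy store, so the role decision can move to a different principal implementation without touching application code.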
