UnifiedLogon

Summary 

Arnica UnifiedLogon is an identity management system which provides access control, personalization and configuration services, and allows you to implement single-point user log-on for access to multiple applications. It is a powerful tool for efficient control of granular user access to applications, application resources and functionalities, all managed through a web browser. Arnica UnifiedLogon was designed as a highly scalable system and is suited for managing any number of users, from a dozen local users at a small organization to thousands of users in a large enterprise, to millions of users at a public web site.

Rich and Highly Extensible User Profile 

Arnica UnifiedLogon provides several ways of maintaining and extending user profile data to a virtually unlimited level of complexity. User profile data may be maintained using the following complementary features of Arnica UnifiedLogon: standard user properties, global custom user properties, application custom user properties, user configuration directory, and user-centric data stores.

Standard user properties (such as UserName, FirstName, LastName, etc.) come predefined. Administrators may extend this set of properties by defining additional custom user properties available globally to any application integrated with Arnica UnifiedLogon, or by creating a set of custom properties per application. An unlimited number of applications may be defined within Arnica UnifiedLogon, effectively creating custom user property categories. Hierarchical user properties may be saved in the configuration directory, where each user may have a different set of properties.  Furthermore, application-independent data stores may be created to store more data associated with users. User data is available in realtime via Arnica UnifiedLogon web services or database APIs. An audit trail function may be enabled for most of user profile data, which helps analyze when a particular part of user data was changed, who changed it and its previous value.

Applications and Resources 

Arnica UnifiedLogon manages resources belonging to applications. A resource may be a report, a form, a page, a collection of pages, or an element within a page (such as a button, a link, a particular area, etc.). Resources may be created automatically by the activity collection services or predefined by administrators. Once a resource is defined within an application, the resource features become available for it, e.g. managing permissions, tracking activity statistics, collecting system events, etc.

Configuration Directory and Configuration Services 

Arnica UnifiedLogon provides a hierarchical configuration data store, which allows maintaining and serving configuration metadata in real time, usually represented as 'key + value'. Administrators create a hierarchy of configuration keys, sub-keys, sub-sub-keys, etc., to serve the needs of a particular application. Within an application's data space in Arnica UnifiedLogon, keys may be global or user-specific. For example, global keys may describe the initial set of configuration properties on a specific page; when a user customizes this set, the resulting data is created in the user-specific data space of the application, so that the user's own values are served in place of the global defaults.
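The following is an added illustration of the global/user-specific layering described above; it is example code, not UnifiedLogon's own implementation or API. The application name ("crm"), the key paths and the values are constructed for the example, and the resolution rule (a user's key shadows the global key of the same path) is an assumption about how such a store behaves.

```python
# Added example (not UnifiedLogon's own code): a hierarchical "key + value"
# configuration directory with a global data space per application and a
# user-specific data space layered on top of it. Application name, key paths
# and values are constructed for illustration.
from collections import defaultdict


class ConfigDirectory:
    """Hierarchical keys ("pages/dashboard/pagesize") resolved per application,
    with a user's own keys shadowing the application's global keys."""

    def __init__(self):
        self._global = defaultdict(dict)   # app -> nested key tree
        self._user = defaultdict(dict)     # (app, user) -> nested key tree

    @staticmethod
    def _put(tree, path, value):
        *parents, leaf = path.strip("/").split("/")
        node = tree
        for part in parents:
            node = node.setdefault(part, {})   # create sub-keys on demand
        node[leaf] = value

    @staticmethod
    def _find(tree, path):
        node = tree
        for part in path.strip("/").split("/"):
            if not isinstance(node, dict) or part not in node:
                return None
            node = node[part]
        return node

    def set_global(self, app, path, value):
        self._put(self._global[app], path, value)

    def set_user(self, app, user, path, value):
        self._put(self._user[(app, user)], path, value)

    def reset_user(self, app, user, path):
        """Drop a user's customization so the global value applies again."""
        *parents, leaf = path.strip("/").split("/")
        tree = self._user[(app, user)]
        node = self._find(tree, "/".join(parents)) if parents else tree
        if isinstance(node, dict):
            node.pop(leaf, None)

    def get(self, app, user, path):
        """User-specific value if the user customized the key, else the global value."""
        value = self._find(self._user[(app, user)], path)
        if value is None:
            value = self._find(self._global[app], path)
        return value

    def effective(self, app, user, prefix=""):
        """Flattened view of every leaf under prefix, as this user sees it."""
        merged = {}
        # global first, then user keys overwrite entries with the same path
        for tree in (self._global[app], self._user[(app, user)]):
            sub = self._find(tree, prefix) if prefix else tree
            merged.update(self._flatten(sub, prefix.strip("/")))
        return merged

    @classmethod
    def _flatten(cls, node, prefix):
        if not isinstance(node, dict):
            return {prefix: node} if node is not None else {}
        out = {}
        for key, child in node.items():
            out.update(cls._flatten(child, f"{prefix}/{key}" if prefix else key))
        return out


if __name__ == "__main__":
    cfg = ConfigDirectory()
    cfg.set_global("crm", "pages/dashboard/columns", "id,name,status")
    cfg.set_global("crm", "pages/dashboard/pagesize", 25)
    cfg.set_user("crm", "alice", "pages/dashboard/pagesize", 50)   # alice customizes
    print(cfg.get("crm", "alice", "pages/dashboard/pagesize"))      # user value wins
    print(cfg.get("crm", "bob", "pages/dashboard/pagesize"))        # bob keeps the default
    print(cfg.effective("crm", "alice", "pages/dashboard"))
```

The point to notice is that the two data spaces stay separate: resetting a user's key does not touch the global default, and a global change is immediately visible to every user who has not customized that key.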

User Groups and Application Roles 

Arnica UnifiedLogon allows user accounts to be members of user groups and application roles. User groups are created independently from applications, while application roles are created within the data space of a particular application. This powerful concept provides a foundation for managing both simple and complex access control tasks. User membership in user groups and roles may be configured to leave an audit trail, which captures the date and time of membership change, who made the change, and previous membership status.

Resource-Based and Function-Based Access Control 

Resource-based and function-based access control are complementary to each other and may be used either together or independently, depending on the type of access control required.

Resource-based access control is managed by giving users access to a particular resource (for example, "Financial Statement Report", "Customer Information Form", etc.). Alternatively, access may be granted by making a user a member of a user group or role, or by making a resource a member of a resource group. Associating users, user groups, roles, resources and resource groups in any combination provides a flexible and easy-to-maintain resource-based access control solution.

Function-based access control is managed by giving users access to a particular functionality (for example, "Create New Customer", "Delete Order", "Start Mass-Mailing", etc.). Functionalities are set up per application and are called application methods. Associating roles and user groups with methods and giving users membership in roles and user groups implements a function-based access control solution.
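The following added example models the resolution rules of the two preceding paragraphs in working code: a user may act as itself, as a member of application-independent user groups, or as a member of roles scoped to one application; a resource may be targeted directly or through a resource group; application methods are associated with groups and roles. It is illustration only, not UnifiedLogon's code or API, and the "finance" application, its users, groups, resources and methods are constructed. Because the page describes no explicit deny rules, the model is allow-only and deny-by-default, which is an assumption.

```python
# Added example (not UnifiedLogon's own code): how resource-based and
# function-based access control resolve when users, user groups, application
# roles, resources, resource groups and application methods are associated in
# any combination. All names are constructed for illustration.
from collections import defaultdict


class AccessControl:
    """Allow-only model: access is granted if any principal the user acts as
    (itself, a user group, an application role) is associated with any target
    the resource belongs to (the resource itself or a resource group).
    Deny-by-default; no explicit deny rules are modeled."""

    def __init__(self):
        self.group_members = defaultdict(set)     # user group -> users (application-independent)
        self.role_members = defaultdict(set)      # (app, role) -> users (role lives inside one app)
        self.resource_groups = defaultdict(set)   # (app, resource group) -> resources
        self.resource_grants = set()              # (principal, target) associations
        self.method_grants = defaultdict(set)     # (app, method) -> principals

    # --- membership and association management -----------------------------
    def add_to_group(self, user, group):
        self.group_members[group].add(user)

    def add_to_role(self, app, role, user):
        self.role_members[(app, role)].add(user)

    def add_to_resource_group(self, app, group, resource):
        self.resource_groups[(app, group)].add(resource)

    def grant_resource(self, principal, target):
        self.resource_grants.add((principal, target))

    def grant_method(self, app, method, principal):
        self.method_grants[(app, method)].add(principal)

    # --- resolution --------------------------------------------------------
    def principals_of(self, user, app):
        """Everything the user acts as within the given application."""
        principals = {("user", user)}
        principals |= {("group", g) for g, members in self.group_members.items()
                       if user in members}
        principals |= {("role", a, r) for (a, r), members in self.role_members.items()
                       if a == app and user in members}
        return principals

    def targets_of(self, app, resource):
        """The resource itself plus every resource group it belongs to."""
        targets = {("resource", app, resource)}
        targets |= {("resource_group", app, g) for (a, g), members in self.resource_groups.items()
                    if a == app and resource in members}
        return targets

    def can_access(self, user, app, resource):
        """Resource-based check: any principal x target association suffices."""
        return any((p, t) in self.resource_grants
                   for p in self.principals_of(user, app)
                   for t in self.targets_of(app, resource))

    def can_call(self, user, app, method):
        """Function-based check against the application method."""
        allowed = self.method_grants.get((app, method), set())
        return not allowed.isdisjoint(self.principals_of(user, app))


def build_sample():
    """Constructed sample directory for a hypothetical 'finance' application."""
    ac = AccessControl()
    ac.add_to_group("alice", "Accounting")
    ac.add_to_role("finance", "Auditor", "bob")
    ac.add_to_resource_group("finance", "Reports", "Financial Statement Report")
    # resource-based: the Accounting group may open everything in the Reports group
    ac.grant_resource(("group", "Accounting"), ("resource_group", "finance", "Reports"))
    # resource-based: carol individually gets one form
    ac.grant_resource(("user", "carol"), ("resource", "finance", "Customer Information Form"))
    # function-based: methods are associated with groups and roles
    ac.grant_method("finance", "Create New Customer", ("group", "Accounting"))
    ac.grant_method("finance", "Delete Order", ("role", "finance", "Auditor"))
    return ac


if __name__ == "__main__":
    ac = build_sample()
    print(ac.can_access("alice", "finance", "Financial Statement Report"))  # via group -> resource group
    print(ac.can_access("bob", "finance", "Financial Statement Report"))    # no association: denied
    print(ac.can_call("bob", "finance", "Delete Order"))                    # via application role
    print(ac.can_call("bob", "crm", "Delete Order"))                        # role is scoped to finance
```

Two properties worth checking in any real deployment follow directly from the model: a role grants nothing outside the application it was created in, and a user with no association of any kind is denied everything rather than falling through to a default.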

True Thin Client 

Arnica UnifiedLogon is a true thin client solution: administration, user and configuration management, log-on page design, statistical reporting and other tasks are all done through a web browser. To ensure broad compatibility and responsive interaction, Arnica UnifiedLogon uses plain HTML/XML/CSS content on its web pages and does not use client-side ActiveX components, DLLs, or heavy-duty JavaScript libraries. Remote management through a web browser gives flexibility for both internal and outsourced administration; since the administrative interface is itself reachable over the network, it should be served only over HTTPS and restricted to administrative accounts.

Application Programming Interface (API) and Integration 

Various functionalities of Arnica UnifiedLogon are provided either via the Administrator module interface or via an application programming interface (API). Arnica UnifiedLogon includes a rich set of web services (REST) and database APIs (views and stored procedures), which may be used by administrators and programmers to integrate their applications with Arnica UnifiedLogon. Examples of APIs are: create user, get or update user properties, create resource, create or validate user session, validate user access rights, etc.

Applications developed using various languages and technologies may be easily integrated with Arnica UnifiedLogon by making web requests to Arnica UnifiedLogon services.

Applications developed with Microsoft .NET technology may use drop-in security for immediate integration with Arnica UnifiedLogon. This integration method requires no code changes and only a few deployment-level modifications, such as a global.asax file placed in the root of the application and keys added to the web.config file.

UnifiedLogon APIs may be used by custom membership providers to implement seamless integration with Microsoft SharePoint, as well as to support federated identity delegation scenarios using custom security token services.

Integration with External Directories 

Arnica UnifiedLogon provides authentication and authorization services for users created within its own system or imported from external directories or files, for example Microsoft Active Directory. The external directory integration provides user export and import, as well as pass-through authentication for users defined as requiring authentication against an external directory. Users integrated with different external directories may co-exist within the same user data space in Arnica UnifiedLogon.

Single Sign-on 

Arnica UnifiedLogon provides single log-on functionality for multiple applications. Applications integrated with Arnica UnifiedLogon may register their resources, roles and methods for participation in a centrally managed environment. Each application may have a dedicated or shared log-on page. Once a user logs into one application, there is no need to repeat the log-on process for other applications integrated with the Arnica UnifiedLogon system. For each session, UnifiedLogon generates a session token, which is maintained through cookies, query string parameters, form parameters, or other state management techniques. Because a token passed in a query string is recorded in server logs, browser history and Referer headers, cookies (marked Secure and HttpOnly) are the preferable transport wherever the application allows it. Sessions have configurable expiry, which may differ between applications sharing the same session: a more security-sensitive application may have a shorter session expiry interval, while a more open application may have a longer one. Administrators may analyze both active and expired sessions in real time, and may terminate selected sessions or force them to expire.
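The added example below shows the session behaviour just described in working code: one token issued at log-on, validated by several applications that each apply their own expiry interval, plus administrative termination, forced expiry and an active/expired view. It is illustration only, not UnifiedLogon's own session service; the application names and intervals are constructed, and modeling expiry as idle time tracked per application (so that activity in a lenient application does not revive an already-expired strict one) is an assumption the page does not specify.

```python
# Added example (not UnifiedLogon's own code): one session token shared by
# several applications, each with its own expiry interval, plus administrative
# termination and a view of active vs. expired sessions. Application names and
# intervals are constructed; expiry is modeled as idle time per application.
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    user: str
    created: float
    last_seen: dict = field(default_factory=dict)   # application -> last validated activity
    terminated: bool = False


class SessionService:
    def __init__(self, expiry_seconds):
        self.expiry = dict(expiry_seconds)   # application -> idle expiry interval (seconds)
        self.sessions = {}                    # token -> Session

    def create(self, user, now):
        # 256 bits from the OS CSPRNG: the token is the only proof of the session,
        # so it must be unguessable and never derived from user data.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user, now)
        return token

    def validate(self, token, app, now):
        """Return the user if the token is valid for this application, else None."""
        session = self.sessions.get(token)
        if session is None or session.terminated or app not in self.expiry:
            return None
        last = session.last_seen.get(app, session.created)
        if now - last > self.expiry[app]:
            return None                # expired for this application only
        session.last_seen[app] = now   # a successful use counts as activity
        return session.user

    def terminate(self, token):
        """Administrative kill: the token stops validating for every application."""
        if token in self.sessions:
            self.sessions[token].terminated = True

    def expire(self, token, now):
        """Force expiry: push every application's last activity past its interval."""
        session = self.sessions.get(token)
        if session is not None:
            for app, interval in self.expiry.items():
                session.last_seen[app] = now - interval - 1

    def _valid_for_any(self, session, now):
        return not session.terminated and any(
            now - session.last_seen.get(app, session.created) <= interval
            for app, interval in self.expiry.items())

    def active(self, now):
        return [s.token for s in self.sessions.values() if self._valid_for_any(s, now)]

    def expired(self, now):
        return [s.token for s in self.sessions.values() if not self._valid_for_any(s, now)]


if __name__ == "__main__":
    # "finance" is the sensitive application (15 min idle), "portal" the open one (60 min)
    svc = SessionService({"finance": 900, "portal": 3600})
    tok = svc.create("alice", now=0)
    print(svc.validate(tok, "finance", now=600))    # alice
    print(svc.validate(tok, "finance", now=1800))   # None: 1200 s idle exceeds 900 s
    print(svc.validate(tok, "portal", now=1800))    # alice: portal still within 3600 s
    print(svc.active(1800), svc.expired(1800))      # session is active while any app accepts it
    svc.terminate(tok)
    print(svc.validate(tok, "portal", now=1800))    # None after administrative termination
```

Note that termination is recorded rather than deleting the session object, so the administrative view of expired sessions still shows who held the token and when it was created.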

Activity Repository and Reporting 

Arnica UnifiedLogon provides a database repository for collecting user activity performed in the context of a particular application. The activity repository captures information such as user identifier, resource identifier, date and time, browser type, query parameters, posted data, etc. Because query parameters and posted data can carry passwords or other secrets, the fields captured for sensitive resources such as log-on forms should be reviewed before collection is enabled. All this information is then made available to activity reports, which may be analyzed by application, resource (page, report, form, etc.), user, date and other parameters. Arnica UnifiedLogon includes standard administrative reports and APIs for statistical analysis, and administrators may create custom reports via the documented database APIs.

Centralized System Events Repository and Reporting 

In addition to activity services, Arnica UnifiedLogon provides a database repository for collecting system events generated by any server that publishes to this repository via web services (for example, a web GET request) or database APIs, so that events may be centrally monitored and analyzed. The events repository captures the event description together with the date and time, user, resource and server name, and allows classifying events as "information", "warning" or "error".

Here is a typical scenario for use of the centralized system event repository: a call center operator updates a user profile; the system event captures the operator's identity, the identity of the user whose profile was updated, the date and time of the update, the application and form used to update the profile, and the identifier of the server which processed the request. Arnica UnifiedLogon makes the accumulated event information available to reports, where it may be searched and analyzed by various parameters. Arnica UnifiedLogon includes administrative reports and APIs which allow viewing and sorting of accumulated events, and administrators may create custom reports via the documented database APIs.

Foundation for Relationship Management 

As a standard feature, Arnica UnifiedLogon allows companies to be maintained in addition to users. A user may be related to multiple companies, and vice versa. Users may also be related to multiple other users, just as companies may be related to other companies. Various relation definitions may be maintained, such as "employer", "competitor", "partner", "assistant", etc., facilitating the collection of relationship data which may also serve as a foundation for a Customer Relationship Management system, an Employee Relationship Management system, etc.

Context (State) Services 

To address the needs of contemporary web applications, Arnica UnifiedLogon provides a context management subsystem which allows maintaining state between web pages or other parts of an application. It was specifically designed for web farm environments and is not bound to a specific web server. Context sessions may be analyzed in real time for troubleshooting and monitoring purposes.