Review: IAM Suites: Page 8 of 24

ClearTrust uses an agent model consisting of three components--the dispatcher, authorization and entitlements services--that all run on one server. The authorization service makes policy decisions, the entitlements service provides the interface to the identity store, and the dispatcher maintains session keys between the components. In a typical scenario, when a user tries to access a protected resource, the agent checks to see if the user is logged in; if not, a login form is displayed. Once the user is logged in, the agent connects to the authorization service to verify that the user is authorized to access the resource. If the authorization service has this information in its cache, it returns the appropriate permission to the agent directly. If not, the authorization service communicates with the entitlements service, which retrieves the information from the identity store.
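The request flow described above, as an added Python model that is not RSA's code or API. The class names, the cache time-to-live and the in-memory identity store are assumptions for illustration, and the dispatcher's session-key handling is left out. The demo shows one consequence of caching decisions in the authorization service: a revoked entitlement keeps being honored until the cached entry expires.

```python
class EntitlementsService:
    """Interface to the identity store (a constructed in-memory dict here)."""
    def __init__(self, identity_store):
        self.identity_store = identity_store
        self.lookups = 0  # counts trips to the identity store

    def is_entitled(self, user, resource):
        self.lookups += 1
        return resource in self.identity_store.get(user, set())

class AuthorizationService:
    """Makes policy decisions and caches them; the TTL is an assumption."""
    def __init__(self, entitlements, ttl, clock):
        self.entitlements, self.ttl, self.clock = entitlements, ttl, clock
        self.cache = {}  # (user, resource) -> (decision, expiry time)

    def authorize(self, user, resource):
        key = (user, resource)
        hit = self.cache.get(key)
        if hit and hit[1] > self.clock():
            return hit[0]  # answered from cache, identity store not consulted
        decision = self.entitlements.is_entitled(user, resource)
        self.cache[key] = (decision, self.clock() + self.ttl)
        return decision

class Agent:
    """Web-server agent: requires a login first, then asks for a decision."""
    def __init__(self, authz):
        self.authz, self.sessions = authz, set()

    def handle(self, user, resource):
        if user not in self.sessions:
            return "LOGIN_FORM"
        return "ALLOW" if self.authz.authorize(user, resource) else "DENY"

def demo():
    now = [0.0]                                # fake clock, in seconds
    store = {"alice": {"/payroll"}}            # constructed sample identities
    ent = EntitlementsService(store)
    agent = Agent(AuthorizationService(ent, ttl=300, clock=lambda: now[0]))
    results = [agent.handle("alice", "/payroll")]      # not logged in yet
    agent.sessions.add("alice")                        # login succeeded
    results.append(agent.handle("alice", "/payroll"))  # cache miss -> store
    store["alice"].discard("/payroll")                 # entitlement revoked
    results.append(agent.handle("alice", "/payroll"))  # stale cache hit
    now[0] = 301                                       # cached entry expired
    results.append(agent.handle("alice", "/payroll"))  # re-checked -> denied
    return results, ent.lookups

if __name__ == "__main__":
    print(demo())
```

When evaluating any product built this way, ask how long decisions are cached and whether a revocation can flush the cache immediately.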

We installed the RSA ClearTrust agent on each of our Web servers that needed restricted access. On IIS, the agent was implemented as an ISAPI filter, as was the case with most products we tested. RSA supports most common Web servers, and unsupported servers can be secured by providing access through RSA's ClearTrust Access Control Module (ACM), which is a reverse-proxy server.

Unlike Novell's iChain, ClearTrust doesn't support multiple identity stores out of the box. RSA recommends that an organization consolidate its identities in one location. This might be a best practice, but it's not within the realm of reality for many enterprises. RSA says ClearTrust doesn't aim to manage identities across several different directories; if this were an organizational requirement, RSA would team up with a third party to provide this component. RSA's identity application does provide self-service, self-registration and password reset, but this is also not part of its core technology. Rather, RSA gains these user-management features through a partnership with Thor Technologies.