Hitachi ID Suite 10.1

© 2017 Hitachi ID Systems, Inc. All rights reserved.

Contents

1 Introduction

2 Scope of the 10.1 release

3 Summary – what’s new

4 UI preview

4.1 Hitachi ID Identity Manager

4.2 Hitachi ID Password Manager

4.3 Hitachi ID Privileged Access Manager

4.4 Hitachi ID Identity Express: Partner Portal Edition

1 Introduction

This document outlines the new and improved features of the 10.1 release of Hitachi ID Identity and Access Management Suite. Version 10.1 was released to Hitachi ID Systems customers on 2017-06-12.

2 Scope of the 10.1 release

The Hitachi ID Identity and Access Management Suite 10.1 release includes all Hitachi ID Systems products:

1. Hitachi ID Identity Manager – Entitlement administration and governance: Automation, requests, approvals, recertification, SoD and RBAC.

2. Hitachi ID Password Manager – Integrated credential management: Passwords, security questions, certificates, tokens, smart cards and biometrics.

3. Hitachi ID Privileged Access Manager – Securing access to administrator, embedded and service accounts.

These products can be deployed separately or together, in the following combinations:

1. Identity Manager alone. Note: this includes Hitachi ID Group Manager and Hitachi ID Access Certifier.

2. Password Manager alone. Note: this includes Hitachi ID Login Manager and Hitachi ID Telephone Password Manager.

3. Identity Manager and Password Manager in a shared instance.

4. Privileged Access Manager alone.

5. Group Manager – a subset of Identity Manager strictly for group management.

Other combinations are technically possible but not actively tested.

3 Summary – what’s new

Hitachi ID Identity and Access Management Suite 10.1 is a major new release. It includes hundreds of minor improvements and bug fixes in addition to the following major capabilities:

• Enhancements across the entire Hitachi ID Identity and Access Management Suite:

– Policy is now available to determine whether successive logins into Hitachi ID Suite require re-authentication, or whether recent and successful logins are "remembered" to provide a single sign-on experience. A determination of whether and for how long to "remember" the user’s login status may be based on group memberships or attributes of the user, time of day or day of week, device type and IP address range.

– The system now properly detects and responds to changes in the names of accounts and groups on target systems, treating them as renames rather than pairs of delete/add operations.

– Audit tables capture configuration changes to the product within its own database and support reports on who changed what and when.

– The plug-in framework, in particular when submitting access requests, has been simplified and streamlined.

• Hitachi ID Identity Manager:

– Access certification has been expanded with many new features, including:

* Reviewing and correcting identity attributes from the certification UI.

* Specifying request forms to trigger for revocation actions, which may capture additional information, such as a deferred access revocation date.

* The ability to transfer selected items to a delegate, rather than the entire review.

* Collaboration between the original and delegated certifier, who can act on the same review simultaneously.

– The certification UI is entirely new, with a cleaner look and the ability to apply single actions to multiple selected items.

– The access request UI is entirely new, more mobile friendly and designed around a task-oriented, shopping-cart-like theme.

– A completely new reference implementation (Hitachi ID Identity Express) of IAM + password management, designed to automate the management of identities, entitlements and credentials for users affiliated with business partners (business to business / B2B).

• Hitachi ID Privileged Access Manager:

– The Hitachi ID Mobile Access mobile app and associated cloud-hosted mobile proxy can now launch SSH and RDP sessions. This allows authorized users to quickly diagnose problems regardless of their location and what device they have available.

– A new framework for discovering and mapping SSH trust relationship graphs is included. This informs Hitachi ID Privileged Access Manager business logic of what additional accounts a user would gain access to if he is signed into a given Unix/Linux account. Granting access via SSH trust injection is also greatly simplified.

– Better support for enriching information about managed systems and managed accounts with metadata, along with self-service request forms that enable system administrators to onboard systems and accounts.

• Hitachi ID Password Manager:

– An application launch-pad is introduced into the main landing page, allowing users to initiate login sessions into applications that have been linked to Hitachi ID Suite via federated trust relationships. Using this, users first sign into Hitachi ID Suite and then click on application icons to launch additional logins into linked applications.

– New analytics monitor use of different authentication methods to sign into Hitachi ID Suite and of logins to linked applications via SAML federation.

4 UI preview

The following screen shots offer an overview of new screens in the 10.1 release.

4.1 Identity Manager

The new request UI is mobile-friendly, with a multi-step, wizard-like theme modeled after an e-commerce shopping cart.

1. Hire a contractor: 1/4:

2. Hire a contractor: 2/4:

3. Hire a contractor: 3/4:

4. Hire a contractor: 4/4:

The same motif applies to all requests – for access and to update identity attributes.

5. Request membership in multiple groups (shopping cart):

6. Update contact information:

7. Request new account: 1/3:

8. Request new account: 2/3:

9. Request new account: 3/3:

A new access certification UI is highly interactive and supports fine-grained delegation.

10. Review and certify or revoke entitlements:

Using the new certification UI, stake-holders can be asked to review identity attributes as well as entitlements. This supports delegated directory cleanup, as well as entitlement revocation.

11. Review and correct identity attributes, not just entitlements:

Items can be selected and delegated to someone else to review. This creates a collaborative relationship between the original reviewer, who can continue to work on the selected items, and the new reviewer, who sees just those items and can help decide what to do with each one.

12. Send multiple line items to a delegate:

Revocation actions are no longer hard-coded, and instead are configured using request forms. These forms can call for additional user input, such as a deferred deactivation date.

13. Deferred access revocation:

4.2 Password Manager

Users can sign into Hitachi ID Password Manager first and launch logins into other applications, which are integrated using SAML 2.0 federation. In this context, the Password Manager portal is the first thing users launch and remains open all day.

14. Application launchpad:

4.3 Privileged Access Manager

15. Request access using a phone:

16. Manage an active check-out:

17. Launch an RDP session on a smart phone:

18. Launch an SSH session on a smart phone:

Access can be requested and sessions initiated using a smart phone. Notably, there is no public URL to Hitachi ID Privileged Access Manager nor are there TCP ports open on public IP addresses for RDP or SSH. This allows users to sign into systems and diagnose problems even when they have no computer nearby.

4.4 Identity Express: Partner Portal Edition

A completely redesigned reference implementation takes care of managing identities and credentials for people who work for partners. This allows organizations to delegate to each business partner the responsibility for managing their own users without seeing who the other partners are or who works for other partners.

19. B2B: Onboard a new partner:

20. B2B: Onboard a new user at a partner - 1/2:

21. B2B: Onboard a new user at a partner - 2/2:

hitachi-id.com

500, 1401 - 1 Street SE, Calgary AB Canada T2G 2J3 Tel: 1.403.233.0740 Fax: 1.403.233.0725 E-Mail: [email protected]

Date: 2017-06-12 | 2017-11-30 File: / pub/ wp/ documents/ whats-new-v10.1/ whats-new-v10.1.a.tex