The next release of the appliance should be happening towards the middle of this year - v220.127.116.11. The following features are currently targeted for the ISAM for Web component of this release (NB: this is a personal blog which states what we are hoping to deliver and is not a commitment by IBM):
Appliance clustering enhancements, namely:
- We want to remove the restriction that all appliances within the cluster have to be activated to the same level;
- We want to make the cluster configuration screen a little bit easier to understand;
- We want to introduce the concept of a DMZ/protected node within the cluster which will control whether:
  - The machine is capable of being promoted to master (i.e. in most environments you won't want the cluster master to be located in the DMZ);
  - The WPM application is available;
Kerberos single-sign-on to junctioned applications:
At the moment we provide SSO to Kerberos-enabled applications by obtaining a delegated Kerberos token from TFIM (aka TFIM/Kerberos junctions). We plan to remove our dependency on TFIM so that WebSEAL is able to natively generate this Kerberos token.
Federated directory support:
At the moment ISAM is only able to interact with a single user registry, and this user registry will contain the user suffix as well as the ISAM suffix (i.e. secAuthority=Default). We plan to add support to ISAM which will allow the user suffixes to be kept in separate user registries (i.e. federated user registries). If multiple user registries are configured into ISAM it will use the suffix to determine the correct destination for any registry operation. This support has two main benefits:
- We no longer need to store the ISAM suffix in the corporate user registry (i.e. we no longer need to modify an existing customer user registry);
- We will now be able to authenticate against Active Directory (the appliance doesn't currently support Active Directory for user authentication).
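
The suffix-based routing described above can be sketched as follows. This is an added example, not ISAM's implementation: the registry names, the sample suffixes (other than secAuthority=Default) and the function names are assumptions. It matches on whole RDN boundaries and prefers the longest configured suffix, so a DN that merely ends in the same characters as a suffix is not sent to that registry.

```python
# Added example: suffix-based routing across federated registries.
# Registry names and suffixes below are constructed sample values.
REGISTRIES = {
    "secAuthority=Default": "isam-registry",
    "dc=example,dc=com": "corporate-ldap",
    "ou=partners,dc=example,dc=com": "partner-ad",
}

def split_rdns(dn):
    """Split a DN into normalised (attr, value) RDNs, honouring escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Simplification: case-insensitive compare; multi-valued RDNs ('+') not split.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return tuple(rdns)

def route(dn, registries=REGISTRIES):
    """Return the registry whose suffix is the longest RDN-aligned suffix of dn."""
    target = split_rdns(dn)
    best = None
    for suffix, name in registries.items():
        s = split_rdns(suffix)
        if len(s) <= len(target) and target[-len(s):] == s:
            if best is None or len(s) > best[0]:
                best = (len(s), name)
    if best is None:
        raise LookupError(f"no configured registry owns {dn!r}")
    return best[1]

if __name__ == "__main__":
    print(route("cn=alice,ou=people,dc=example,dc=com"))
    print(route("CN=Bob, OU=Partners, DC=Example, DC=Com"))
```
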
Trusteer Pinpoint integration:
It can automatically monitor and download updates to the snippets from the Trusteer servers;
Embedded LDAP server:
The appliance currently provides an embedded LDAP server which can be used as the ISAM user registry for proof-of-concepts. We plan to enhance this embedded LDAP server so that it can also be used in customer environments. It might not be suitable for large environments (>1M users), but a final decision is yet to be made on this. In particular we are:
- exporting the LDAPS port so that external software can manage the data within the user registry;
- allowing the administrator password to be set;
- providing a mechanism to manage the suffixes within the user registry;
We plan to introduce the concept of roles into the LMI. Each role will have different authorization levels, controlling what the user can/cannot manage within the LMI. There will be some out-of-the-box roles created, and the LMI will allow you to customise these roles, and define new roles.