Identity Broker

Introduction

Identity Broker is an identity sharing mechanism between Identity Servers, the Policy Decision Points (PDP Gateways): it adds a Web-API based communication channel between PDPs and the ability to add, remove, and update identity sessions on another PDP. A PDP Gateway is a Check Point Identity Awareness Security Gateway that acquires identities from identity sources and shares them with other gateways. The Policy Decision Points can share identities across different management domains in a distributed environment with multiple Identity Awareness Security Gateways. (Identity Awareness, acronym IDA, is the Check Point Software Blade on a Security Gateway that enforces network access and audits data based on network location, the identity of the user, and the identity of the computer.)

In a distributed environment with multiple Identity Awareness Security Gateways, you can use Identity Broker to propagate any received identity from one PDP Gateway to another. This helps to create a more scalable and robust sharing of hierarchy and topologies.

Identity Broker is a Web-API based functional part of the PDP instance. Identity Broker adds a new communication channel between PDPs.

The Identity Broker Solution

Identity Broker propagates identities between PDP Gateways. A PDP Gateway learns the identities from the Identity Sources. This PDP Gateway performs the group membership query, calculates Access Roles, and then shares the identities with other PDP Gateways. This reduces the load on the PDP Gateways that receive the identities, on the identity sources, and on the User Directories.

The sharing can be performed between PDP Gateways managed by different Security Management Servers / Domain Management Servers.

Identity sharing between the Identity Brokers can be controlled through filters. You can:

  • Filter identities by network, user/machine name, domain, identity source, access roles, and distinguished name.

  • Share only local Identity sessions. When enabled, the PDP forwards only its own sessions, and not the sessions it learned from other PDPs.

The Identity Broker solution shares all the received identities by default. By applying filters, you can avoid sharing identities that are not required for other PDPs.

Terms and Description

Publisher

A Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) defined to share identities with one or more Subscribers.

Subscriber

A Security Gateway defined to receive identities from one or more Publishers.

Identity Broker Communication

Identity Broker uses Web-API to communicate. Security Gateways share information in JSON format over HTTP POST requests.

Each Identity Broker node verifies the other:

  • The Publisher identifies the Subscriber by verifying the presented SSL Certificate.

  • The Subscriber identifies the Publisher by verifying a pre-shared secret key.
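The filter criteria listed above and the JSON publish message, as an added example that is not Check Point's own code: a hypothetical filter model over constructed identity sessions, with the "share only local sessions" option, and a constructed JSON body of the shape a Publisher would POST. Field names, the filter class, and the message structure are this example's assumptions, not the product's schema.

```python
import ipaddress
import json
from dataclasses import dataclass
# Hypothetical session record; field names are this example's, not Check Point's schema.
@dataclass(frozen=True)
class IdentitySession:
    ip: str
    user: str
    domain: str
    source: str      # identity source the session was learned from
    roles: tuple     # Access Roles already calculated by the Publisher
    dn: str          # distinguished name from the user directory
    local: bool      # True if learned from an identity source, False if learned from another PDP
# Hypothetical filter mirroring the criteria listed on the page; an empty criterion means "any".
@dataclass(frozen=True)
class ShareFilter:
    networks: tuple = ()            # CIDR strings
    domains: frozenset = frozenset()
    sources: frozenset = frozenset()
    roles: frozenset = frozenset()
    dn_suffix: str = ""             # matched against the tail of the DN
    share_only_local: bool = False  # forward only the PDP's own sessions
    def allows(self, s: IdentitySession) -> bool:
        if self.share_only_local and not s.local:
            return False
        if self.networks and not any(ipaddress.ip_address(s.ip) in ipaddress.ip_network(n) for n in self.networks):
            return False
        if self.domains and s.domain not in self.domains:
            return False
        if self.sources and s.source not in self.sources:
            return False
        if self.roles and not self.roles.intersection(s.roles):
            return False
        if self.dn_suffix and not s.dn.endswith(self.dn_suffix):
            return False
        return True
def select_for_publish(sessions, flt):
    return [s for s in sessions if flt.allows(s)]
def build_publish_body(sessions, flt) -> str:
    # JSON body a Publisher would POST to a Subscriber; the structure is constructed for this example.
    return json.dumps({"action": "publish", "identities": [
        {"ip": s.ip, "user": s.user, "domain": s.domain, "roles": list(s.roles)}
        for s in select_for_publish(sessions, flt)]})
# Constructed sample sessions: two learned locally, one learned from another PDP.
SAMPLE_SESSIONS = (
    IdentitySession("10.1.1.5", "alice", "corp.example", "AD Query", ("Finance_Users",), "CN=alice,OU=Finance,DC=corp,DC=example", True),
    IdentitySession("10.1.2.9", "bob", "corp.example", "Identity Agent", ("Guests",), "CN=bob,OU=Guests,DC=corp,DC=example", True),
    IdentitySession("192.168.7.3", "carol", "lab.example", "AD Query", ("Finance_Users",), "CN=carol,OU=Finance,DC=lab,DC=example", False),
)
```

With no criteria set every session is shared, which matches the page's default; with `share_only_local=True` the session learned from another PDP is dropped before it is forwarded again.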

[Figure: a Publisher PDP Security Gateway uses the new Identity Sharing method to publish, delete, and update identities on a Subscriber PDP Security Gateway.]

For more information, see Identity Broker.