
Sun ONE Identity Server Deployment Guide

Chapter 1

Sun ONE Identity Server provides an infrastructure for an organization to administer the processes used to manage the digital identities of the customers, employees and partners who use its web-based services and non-web-based applications. Because these resources may be distributed across a wide range of internal and external networks, attributes, policies and controls are defined to manage access to them. This introductory chapter describes the basic principles behind a deployment of Identity Server. It contains the following sections:

What is Identity Management?

Modern enterprises maintain an advanced information technology infrastructure to facilitate the management of their daily operations. Integral parts of this infrastructure might include:

Because they are deployed individually, each of these systems separately tracks its users, controlling what they can and cannot see and do. This tracking generally includes the management of identity data such as a personal profile, authentication information and access controls. Identity management simplifies the administration of this duplicated, and often inconsistent, data.

The Identity Management Infrastructure

Implementing a single infrastructure to manage all users across an enterprise is the objective of an identity management system. One identity management system simplifies the administration of user profiles by eliminating repetition and therefore maintaining consistency. One system also streamlines, simplifies and automates the identity management processes. The building blocks of an identity management system include:

These building blocks are further illustrated by Figure 1-1.

Figure 1-1  Building Blocks Of An Identity Management Solution

The Life Cycle of an Identity Profile

The challenges of identity management can be summed up by considering the life cycle of a typical identity profile. The three stages of an identity within an organization are:

  1. Creating A Profile
     An identity profile is created when a user joins the organization. The profile might include personal information, employment data, password information and defined access privileges.

  2. Maintaining The Profile
     After setup, profiles must be managed. This might include modifying the profile data, maintaining policies for resource access, or updating access control instructions.

  3. Disabling The Profile
     When a user leaves, the profile must be flagged as such and the user's access to system resources disabled.

Sun ONE Identity Server

Sun ONE Identity Server is a package of integrated, standards-based middleware that provides web services to support access management, federation, and identity administration. This makes Identity Server a complete identity management solution, integrating the ability to create and maintain user profiles with security processes, access management tools and a directory for data storage. These capabilities enable an organization to deploy a comprehensive system that protects its resources and information and securely delivers its web-based applications.

Access Management

Access management provides a common authentication and authorization infrastructure to replace ad hoc and application-specific authentication and authorization methods. From a central point of administration, organizations can provide policy-based control of access to multiple services. The collection of access management services in Identity Server provides the following functionality.

Single Sign-On (SSO)

Single sign-on functionality enables a user to authenticate once yet gain access to multiple resources. Identity Server supports SSO for web-based applications, and provides programmatic interfaces to integrate the SSO functionality into applications that are not web-based.

Pluggable Authentication

The Java™ Authentication and Authorization Service (JAAS)-based authentication framework supports a variety of pluggable authentication modules, including LDAP, Remote Authentication Dial-In User Service (RADIUS), X.509 digital certificates, SecurID®, SafeWord®, UNIX® (PAM-based), Windows® NT, HTTP Basic Authentication, Anonymous, and Self-registration. The framework also allows custom authentication modules to be developed using the provided authentication service provider interfaces (SPI). Authentication can be configured to meet the needs of a variety of organizations, roles, or users simultaneously in the same system, and supports multi-factor chained configurations, in which several modules are run in sequence. Multi-level authentication allows each resource to be assigned a different required level of authentication based on the sensitivity of the data or service, so that a session authenticated by a weaker module is not accepted for a more sensitive resource. The Authentication Service can be accessed via web-based, Java, C, and XML interfaces.
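The chaining and multi-level behaviour described above, as an added example that is not Identity Server's own code: a small Python model of a JAAS-style chain in which each module carries one of the JAAS control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL), and each chain grants an authentication level that a resource can demand. The module names, credential stores, chain names and resource levels are constructed for the example.

```python
"""Added example (not Sun ONE Identity Server code): a JAAS-style authentication
chain with control flags and per-chain authentication levels. Module names,
credential stores, chain names and resource levels are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Flag(Enum):
    """JAAS control flags: how one module's result affects the whole chain."""
    REQUIRED = "required"      # must pass; on failure the chain still runs to the end, then fails
    REQUISITE = "requisite"    # must pass; on failure the chain stops at once
    SUFFICIENT = "sufficient"  # on success the chain stops and succeeds, unless an earlier mandatory module failed
    OPTIONAL = "optional"      # decisive only when the chain has no REQUIRED/REQUISITE modules


Module = Callable[[Dict[str, str]], bool]  # credentials in, pass/fail out

# Constructed stores standing in for an LDAP directory and a one-time-password service.
_LDAP_PASSWORDS = {"jdoe": "s3cret"}
_OTP_CODES = {"jdoe": "482913"}


def ldap_module(creds: Dict[str, str]) -> bool:
    return _LDAP_PASSWORDS.get(creds.get("user", "")) == creds.get("password")


def otp_module(creds: Dict[str, str]) -> bool:
    return _OTP_CODES.get(creds.get("user", "")) == creds.get("otp")


@dataclass
class Chain:
    name: str
    modules: List[Tuple[Module, Flag]]
    auth_level: int  # assurance level granted to the session when the chain succeeds


def run_chain(chain: Chain, creds: Dict[str, str]) -> Tuple[bool, int]:
    """Evaluate the chain with JAAS flag semantics; return (success, level granted)."""
    has_mandatory = any(f in (Flag.REQUIRED, Flag.REQUISITE) for _, f in chain.modules)
    mandatory_failed = False
    weak_success = False  # a SUFFICIENT or OPTIONAL module passed
    for module, flag in chain.modules:
        ok = module(creds)
        if flag is Flag.REQUISITE and not ok:
            return False, 0  # stopping early is cheaper but reveals which module failed
        if flag is Flag.REQUIRED and not ok:
            mandatory_failed = True  # keep running so the caller cannot tell which module failed
        if flag is Flag.SUFFICIENT and ok and not mandatory_failed:
            return True, chain.auth_level
        if flag in (Flag.SUFFICIENT, Flag.OPTIONAL) and ok:
            weak_success = True
    if mandatory_failed:
        return False, 0
    if has_mandatory or weak_success:
        return True, chain.auth_level
    return False, 0


# Two chains: password only (level 1) and password followed by OTP (level 2).
CHAINS = {
    "ldap": Chain("ldap", [(ldap_module, Flag.REQUIRED)], auth_level=1),
    "ldap-otp": Chain("ldap-otp", [(ldap_module, Flag.REQUISITE), (otp_module, Flag.REQUIRED)], auth_level=2),
}

# Multi-level authentication: the longest matching prefix sets the level a resource demands.
RESOURCE_LEVELS = {"/": 0, "/intranet/": 1, "/intranet/payroll/": 2}


def required_level(path: str) -> int:
    best = max((p for p in RESOURCE_LEVELS if path.startswith(p)), key=len)
    return RESOURCE_LEVELS[best]


def access_decision(path: str, session_level: int) -> str:
    """'allow', or 'step-up' when the session was authenticated too weakly for this resource."""
    return "allow" if session_level >= required_level(path) else "step-up"


if __name__ == "__main__":
    ok, level = run_chain(CHAINS["ldap"], {"user": "jdoe", "password": "s3cret"})
    print(ok, level, access_decision("/intranet/payroll/", level))  # True 1 step-up
    ok, level = run_chain(CHAINS["ldap-otp"], {"user": "jdoe", "password": "s3cret", "otp": "482913"})
    print(ok, level, access_decision("/intranet/payroll/", level))  # True 2 allow
```

The "step-up" result is the point of multi-level authentication: a password-only session is fine for the intranet but must re-authenticate through the stronger chain before reaching payroll, rather than being refused outright or silently accepted.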

Policy Evaluation

The Policy Service allows centralized configuration and evaluation of access management rules that can be mapped onto a variety of role and grouping mechanisms. Policy conditions such as client IP address, day and time, or custom conditions can be attached to a policy and are evaluated at runtime, when the request is made, rather than when the policy is defined.
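A small evaluator of the kind described above, as an added example (not Identity Server's Policy Service): policies bind URL patterns and actions to roles, and carry IP-range and day/time conditions that are checked against the request at evaluation time. The policy names, URLs, roles and address ranges are constructed, and the combining rule (an explicit deny beats any allow; no applicable policy means deny) is this example's convention.

```python
"""Added example (not Identity Server's Policy Service): a policy evaluator with
role subjects and IP-address / day-and-time conditions evaluated at request time.
Policy names, URLs, roles and address ranges are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatchcase
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    resources: List[str]                                 # URL patterns, '*' wildcard
    actions: Dict[str, bool]                             # action -> allow (True) or deny (False)
    roles: Set[str]                                      # subject: requester must hold one of these
    ip_ranges: List[str] = field(default_factory=list)   # CIDR condition; empty means unconstrained
    hours: Optional[Tuple[time, time]] = None            # time-of-day window [start, end)
    weekdays: Optional[Set[int]] = None                  # 0 = Monday ... 6 = Sunday


@dataclass
class Request:
    url: str
    action: str
    roles: Set[str]
    client_ip: str
    when: datetime


def conditions_hold(p: Policy, r: Request) -> bool:
    """Runtime conditions: client address, time of day, day of week."""
    if p.ip_ranges:
        addr = ipaddress.ip_address(r.client_ip)
        if not any(addr in ipaddress.ip_network(c) for c in p.ip_ranges):
            return False
    if p.hours and not (p.hours[0] <= r.when.time() < p.hours[1]):
        return False
    if p.weekdays is not None and r.when.weekday() not in p.weekdays:
        return False
    return True


def applies(p: Policy, r: Request) -> bool:
    return (any(fnmatchcase(r.url, pat) for pat in p.resources)
            and bool(p.roles & r.roles)
            and r.action in p.actions
            and conditions_hold(p, r))


def evaluate(policies: List[Policy], r: Request) -> str:
    """Combine every applicable policy: an explicit deny wins over any allow,
    and a request no policy covers is denied (default deny)."""
    decisions = [p.actions[r.action] for p in policies if applies(p, r)]
    if not decisions:
        return "deny"
    return "deny" if False in decisions else "allow"


# Constructed policies for an HR web application.
OFFICE_HOURS = (time(8, 0), time(18, 0))
WORKDAYS = {0, 1, 2, 3, 4}
POLICIES = [
    Policy("hr-staff", ["http://hr.example.com/*"], {"GET": True, "POST": True}, {"hr"},
           ip_ranges=["10.0.0.0/8"], hours=OFFICE_HOURS, weekdays=WORKDAYS),
    Policy("contractor-read", ["http://hr.example.com/public/*"], {"GET": True}, {"contractor"}),
    Policy("contractor-no-post", ["http://hr.example.com/*"], {"POST": False}, {"contractor"}),
]

# Constructed request times (10 June 2003 was a Tuesday, 14 June 2003 a Saturday).
TUESDAY_10AM = datetime(2003, 6, 10, 10, 0)
TUESDAY_10PM = datetime(2003, 6, 10, 22, 0)
SATURDAY_10AM = datetime(2003, 6, 14, 10, 0)


def decide(url: str, action: str, roles: Set[str], client_ip: str, when: datetime) -> str:
    return evaluate(POLICIES, Request(url, action, roles, client_ip, when))


if __name__ == "__main__":
    run = "http://hr.example.com/payroll/run"
    print(decide(run, "POST", {"hr"}, "10.1.2.3", TUESDAY_10AM))     # allow
    print(decide(run, "POST", {"hr"}, "203.0.113.5", TUESDAY_10AM))  # deny: outside the office range
    print(decide(run, "POST", {"hr"}, "10.1.2.3", TUESDAY_10PM))     # deny: outside office hours
```

A user holding both the hr and contractor roles who POSTs to the public area is denied under this combining rule, because contractor-no-post applies alongside hr-staff; which way such conflicts resolve is something to settle and document before policies are delegated to several administrators.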

Federation Management

Because the Internet has become the prime vehicle for business, community, and personal interactions, users need a way to aggregate their various account identities into one network identity. This system is identity federation. Identity federation allows a user to associate, connect, or bind the local identities held with multiple Internet service providers. One network identity allows users to log in at one service provider's site and then move to an affiliated site without having to reauthenticate or reestablish their identity. Identity Server provides full implementations of Liberty 1.1 and SAML 1.0, including complete profile implementations as well as SDK support for custom integration. Multi-hosting of Liberty identity providers and service providers is supported.

Liberty Alliance Project

Federation management provides a way to view, manage, and configure the metadata pertaining to authentication domains and providers. The Liberty Alliance Project, which was formed to make identity federation a reality, comprises 138 member companies representing a wide variety of industries and more than two billion customers. Its mission is to address the problem of fragmented identities by delivering and supporting a federated network identity solution that enables single sign-on for consumers and business users. Thus, a Liberty-enabled application can federate (or link) its user accounts with those of another Liberty-enabled application and accomplish single sign-on between the two. Identity Server implements the Liberty Alliance Project's specifications.

Security Assertion Markup Language (SAML)

SAML is a key enabler of business-to-business infrastructure. An application can use the SAML API integrated into Identity Server to exchange security information and execute business transactions with other trusted applications. An end user can authenticate to Identity Server with a web browser, then seamlessly access external URLs at trusted sites via an intersite transfer URL. Developers can use the SAML API in their applications to exchange authentication, authorization, and attribute information with trusted external applications.

Identity Management

Identity management itself provides an extensible browser-based interface for user provisioning, policy configuration, and service management. The Identity Server console allows centralized identity management from a single interface, but management can also be delegated to other administrators, such as local group managers and external partners, or even to end users.

User Profile Management

Simply, user profile management is the creation and deletion of identity profiles. But, it also entails delegating the management of those profiles to the administrators that know them as well as offering a self-service component where users can subscribe to a service or application, create a new user account and manage their own profiles (password changes, updating home addresses,

Policy Configuration

Policy configuration is the definition of the rules that are evaluated during access authorization. Delegation allows top-level administrators to distribute the configuration and management of policies to individuals at all levels of the organization ensuring that it is entrusted to people with authority over the resources.

Service Management

Service management allows the configuration, registration and administration of web services and their corresponding attributes. Identity Server also provides an interface for the services that it uses for its own administration.


Administrators can use highly configurable logging functions to generate detailed reports on user activity, traffic patterns, and authentication and authorization violations. These functions can also be used to perform security audits of resource access. Message Authentication Code (MAC) and digital-signature-based log security detects tampering with log or audit records. A debug function can also be enabled.
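The MAC-based tamper detection mentioned above, as an added example that is not Identity Server's logging service: each audit record is stored with an HMAC computed over the record and the previous record's MAC, so the records form a chain and any edit, deletion or reordering of an earlier record is detected at verification. The key and the audit lines are constructed for the example.

```python
"""Added example (not Identity Server's logging service): a tamper-evident audit
log in which every record carries an HMAC over itself and the previous record's
MAC. Editing, deleting or reordering an earlier record breaks the chain from
that point on. The key and the audit lines are constructed for the example."""
import hashlib
import hmac
from typing import List, Optional, Tuple

LOG_KEY = b"constructed-demo-key-do-not-reuse"  # in practice held away from the log writer
GENESIS = "0" * 64                               # stands in for the MAC "before" the first record


def mac_for(prev_mac: str, record: str) -> str:
    """HMAC-SHA256 over the previous MAC and this record, which links the two."""
    return hmac.new(LOG_KEY, f"{prev_mac}\n{record}".encode("utf-8"), hashlib.sha256).hexdigest()


def append(log: List[str], record: str) -> None:
    """Store a line as <record>\t<mac>."""
    prev = log[-1].rsplit("\t", 1)[1] if log else GENESIS
    log.append(f"{record}\t{mac_for(prev, record)}")


def verify(log: List[str]) -> Tuple[bool, Optional[int]]:
    """(True, None) if the chain is intact, otherwise (False, index of the first bad line)."""
    prev = GENESIS
    for i, line in enumerate(log):
        parts = line.rsplit("\t", 1)
        if len(parts) != 2 or not hmac.compare_digest(
                parts[1].encode("utf-8"), mac_for(prev, parts[0]).encode("utf-8")):
            return False, i
        prev = parts[1]
    return True, None


SAMPLE_RECORDS = [  # constructed audit records in the style of an access log
    "2003-06-10T10:00:01 amAuthentication LOGIN_SUCCESS user=jdoe ip=10.1.2.3",
    "2003-06-10T10:00:07 amPolicy ALLOW user=jdoe url=http://hr.example.com/payroll/run",
    "2003-06-10T10:02:44 amAuthentication LOGIN_FAILED user=admin ip=203.0.113.5",
]


def build_sample_log() -> List[str]:
    log: List[str] = []
    for rec in SAMPLE_RECORDS:
        append(log, rec)
    return log


def tampered_edit(log: List[str]) -> List[str]:
    """An intruder rewrites the failed admin login as a success, leaving the MAC column alone."""
    copy = list(log)
    record, mac = copy[2].rsplit("\t", 1)
    copy[2] = record.replace("LOGIN_FAILED", "LOGIN_SUCCESS") + "\t" + mac
    return copy


def tampered_delete(log: List[str]) -> List[str]:
    """An intruder removes the record of the policy decision."""
    return log[:1] + log[2:]


if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log))                   # (True, None)
    print(verify(tampered_edit(log)))    # (False, 2)
    print(verify(tampered_delete(log)))  # (False, 1)
    print(verify(log[:2]))               # (True, None): cutting off the tail is not detected
```

Two caveats a practitioner should keep in mind. First, a chain of MACs cannot detect truncation of the newest records, so the latest MAC (or a record count) must be kept somewhere the log writer cannot alter, or each log closed with a signed end-of-log record. Second, anyone holding the MAC key can recompute the whole chain after editing, which is why the key belongs outside the log writer's reach and why signature-based protection, where the verifier needs no secret, is preferred for records that must stand up as audit evidence.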

Policy Agents

Access control in Identity Server is enforced by policy agents, which protect content on the designated web servers, application servers, and proxy servers from unauthorized access. Identity Server supports both policy agents that protect web and proxy servers at the URL level and Java™ 2 Platform, Enterprise Edition (J2EE) policy agents that enforce access on Java technology-enabled application servers.
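The URL-level enforcement described here, together with the single sign-on flow described under "Single Sign-On (SSO)", as an added example that is not a Sun ONE policy agent: the agent inspects each request for the SSO cookie, resolves it to a session, redirects unauthenticated users to the login page with the original URL as the goto target, asks for a policy decision, and either passes the request through with the user's identity or refuses it. The cookie name, login URL, session store, not-enforced list and allow table are all constructed for the example; a real agent obtains sessions and decisions from Identity Server's session and policy services.

```python
"""Added example (not a Sun ONE policy agent): the request-interception logic a
URL-level web agent performs for single sign-on. The cookie name, login URL,
session store, not-enforced list and allow table are constructed for the example;
the SSO token is treated as an opaque session identifier."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase
from http.cookies import SimpleCookie
from typing import Dict, Optional, Set, Tuple
from urllib.parse import quote

SSO_COOKIE = "iPlanetDirectoryPro"                        # assumed cookie name
LOGIN_URL = "https://sso.example.com/amserver/UI/Login"   # assumed login page
# URLs the agent lets through without a session (public content, assets the login page needs).
NOT_ENFORCED = ["https://www.example.com/public/*", "https://www.example.com/favicon.ico"]

NOW = datetime(2003, 6, 10, 10, 0)  # constructed "current time" so the example is reproducible
# Constructed session store: token -> (user, roles, expiry). A real agent asks the session service.
SESSIONS: Dict[str, Tuple[str, Set[str], datetime]] = {
    "sess-jdoe": ("jdoe", {"hr"}, NOW + timedelta(hours=2)),
    "sess-stale": ("mlee", {"hr"}, NOW - timedelta(minutes=1)),
}
# Constructed allow table: URL pattern -> roles permitted. A real agent asks the Policy Service.
ALLOW = {
    "https://www.example.com/hr/*": {"hr"},
    "https://www.example.com/intranet/*": {"hr", "staff"},
}


def session_for(headers: Dict[str, str], now: datetime) -> Optional[Tuple[str, Set[str]]]:
    """Resolve the SSO cookie to (user, roles); None if absent, unknown or expired."""
    jar = SimpleCookie(headers.get("Cookie", ""))
    token = jar[SSO_COOKIE].value if SSO_COOKIE in jar else None
    entry = SESSIONS.get(token) if token else None
    if entry is None or entry[2] <= now:
        return None
    return entry[0], entry[1]


def policy_allows(url: str, roles: Set[str]) -> bool:
    return any(fnmatchcase(url, pat) and roles & allowed for pat, allowed in ALLOW.items())


def intercept(url: str, headers: Dict[str, str], now: datetime = NOW) -> Tuple[int, Dict[str, str]]:
    """Return the (status, headers) the agent answers with; 200 means pass the request on."""
    if any(fnmatchcase(url, pat) for pat in NOT_ENFORCED):
        return 200, {}
    session = session_for(headers, now)
    if session is None:
        # goto is built from the URL the agent itself received, never from a request
        # parameter, so the redirect to the login page cannot be abused as an open redirect.
        return 302, {"Location": f"{LOGIN_URL}?goto={quote(url, safe='')}"}
    user, roles = session
    if not policy_allows(url, roles):
        return 403, {}
    # Pass through, telling the protected application who the user is.
    return 200, {"X-Authenticated-User": user}


if __name__ == "__main__":
    print(intercept("https://www.example.com/hr/payroll", {}))                                      # 302 to login
    print(intercept("https://www.example.com/hr/payroll", {"Cookie": f"{SSO_COOKIE}=sess-jdoe"}))  # 200, jdoe
    print(intercept("https://www.example.com/finance/", {"Cookie": f"{SSO_COOKIE}=sess-jdoe"}))    # 403
```

Note the order of checks: the not-enforced list is consulted before anything else, so it must be kept as narrow as possible, and an expired or unknown token is treated exactly like a missing one rather than being passed through to the application to sort out.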

Identity Server Console

The Identity Server console is a browser-based interface for creating, managing, and monitoring the identities, services, and policies configured throughout an Identity Server deployment. It is built with Sun ONE Application Framework, a J2EE framework used to help developers build functional web applications. XML files, JavaServer Pages™ (JSP) and Cascading Style Sheets (CSS) are used to define the look of the HTML pages.

Programmatic Interfaces

Non-graphical interfaces include the APIs, SPIs, and command line tools used to extend and customize Identity Server and allow other applications to access its functionality. More information on the APIs and SPIs can be found in "Identity Server SDK" and in the Sun ONE Identity Server Customization And API Guide. Additional information on the command line tools can be found in the Sun ONE Identity Server Administration Guide.

Sun ONE Directory Server

Sun ONE Directory Server acts as the integrated data repository for storing identity, policy, configuration and service information.

Deploying Identity Server

Identity Server is designed with an open-standards platform that can be used to integrate its authentication, authorization, single sign-on, policy, identity and administration capabilities with existing infrastructures. Its functions are delivered as a collection of Java servlets, JavaBeans™ and JSP that run inside the Java Virtual Machine (JVM) of the web container and can access the API and various server frameworks. Integrating Identity Server into a corporate infrastructure can accomplish the following tasks:

Integrating Identity Server

Identity Server is a complete identity management system, but most organizations have already implemented aspects of one; for example, they might already have deployed a directory server or a web container. To allow Identity Server to protect such systems, a policy agent must be downloaded and installed on the protected server. New agents are developed and released concurrently with Identity Server. As of this release of Identity Server 6.1, the operating systems listed below have agents that can be downloaded from Sun Microsystems' Web, Portal & Directory Servers Download Center. The Download Center page itself contains a more complete and up-to-date listing of released policy agents.


Policy agents for Identity Server are released on their own schedule, separately from the product itself. This list of policy agents has most probably grown since the publication of this guide; see Sun Microsystems' Web, Portal & Directory Servers Download Center for a more up-to-date list of policy agents.

Solaris™ Operating System

Windows 2000 Server



Deployment Road Map

Mapping out your Identity Server integration is imperative to ensuring its success. This will include collecting information concerning hardware, currently deployed applications, identity data and access hierarchy. Identity Server deployment can be broken down into the following phases:

  1. Identify business objectives such as:
    • Increase operational efficiency
    • Assure data security
    • Assure continued productivity by:
      • Understanding the scope and relationships within the organization.
      • Analyzing the behavioral changes needed to support the business objectives.
  2. Develop a high-level technology analysis and map it to the business objectives by:
    • Listing technology services.
    • Listing tools needed to meet business objectives.
  3. Define initiatives for each technology service such as:
    • Storing employee history and data accumulated through personalization.
    • Accomplishing password synchronization and identity administration through identity management.
    • Realizing enterprise security through the development of role strategies.
  4. Prioritize initiatives based on:
    • Statistical accuracy
    • Predictability
    • Scope
    • Cost
    • Impact
    • Complexity
    • Behavior
    • Infrastructure
    • Benefit
    • Support
    • Dependencies

Deployment Guide Chapters

The following chapters in this guide follow the phases detailed in the Deployment Road Map:

Additional appendices have been added to the Deployment Guide for further edification. They include:

Related Identity Server Documentation

Additional information on Identity Server can be found in the following manuals:


Copyright 2003 Sun Microsystems, Inc. All rights reserved.