This chapter provides information that you need to know to administer the Service Provider functionality in Sun Identity Manager. To use this information, an understanding of Lightweight Directory Access Protocol (LDAP) directories and federation management is helpful. For a broader discussion of a Sun Identity Manager Service Provider (Service Provider) implementation, see the Sun Identity Manager Service Provider 8.1 Deployment.
This chapter contains the following topics:
In a service provider environment, you need the ability to manage user provisioning for all end-users, which includes extranet as well as intranet users. The Service Provider features enable company administrators to categorize identity accounts into two distinct types: Identity Manager users and Service Provider users. Service Provider users in Identity Manager are user accounts that have been configured as the Service Provider User type.
The Identity Manager user-provisioning and auditing capabilities extend to service provider implementations by providing the following features:
Enhanced end-user pages that are customizable for a Service Provider implementation are provided.
You can define account ID and password policies for Service Provider users and resource accounts, as with other Identity Manager users.
Policy checking code is activated for Service Provider users with the Service Provider System Account Policy, which has been added to the main Policies table.
Synchronization for Identity Manager and Service Provider accounts can be configured to run on any Identity Manager server, or restricted to selected servers.
Service Provider Synchronization, like Identity Manager synchronization, can be easily stopped and started from the Resource Actions options on the Resources page. See Start and Stop Synchronization.
The Input Forms for Identity Manager user synchronization and Service Provider user synchronization differ. See End-User Interface.
You can use Sun Access Manager 7 2005Q4 for authentication on Service Provider end-user pages. If integration with Access Manager is configured, Access Manager ensures that only authenticated users can access the end-user pages.
Service Provider requires the user name for auditing purposes. Update the AMAgent.properties file to add the user’s ID to the HTTP headers, for example:
com.sun.identity.agents.config.response.attribute.mapping[uid] = HEADER_speuid
The end-user-page authentication filter puts the HTTP header value into the HTTP session where the rest of the code expects it to be.
To configure the Service Provider features, use the following procedures to edit Identity Manager configuration objects to the directory server:
Edit Main Configuration
Edit User Search Configuration
Before continuing, ensure that you have:
Defined your LDAP resource. A sample resource named Service Provider End-User Directory is imported by default. You can configure multiple resources if user and configuration information is to be stored in different directories.
The schema must include mapping for an XML object.
If desired, configure your Service Provider Account Policy.
The Base context configured for the directory resource only applies to the users stored in the directory.
In the Administrator interface, click Service Provider in the menu.
Click Edit Main Configuration.
The Service Provider Configuration page opens.
Complete the Service Provider Configuration form.
Use the instructions provided in the following sections:
In the Directory Configuration section, provide information to configure the LDAP Directory and specify Identity Manager attributes for service provider users.
Figure 17–1 shows this area of the Service Provider Configuration page, as well as the User Forms and Policy area discussed in the next section.
Select the Service Provider End-User Directory from the list.
Select the LDAP directory resource where all Service Provider user data is stored.
Enter the Account ID Attribute Name.
This is the name of the LDAP account attribute that contains a unique short identifier for the account. This is considered the name of the user for authentication and account access through the API. The attribute name must be defined in the schema map.
Specify an IDM Organization Attribute Name.
This option specifies the name of the LDAP account attribute that contains the name or ID of an organization within Identity Manager to which the LDAP account belongs. It is used for delegated administration of LDAP accounts. The attribute name must exist in the LDAP resource schema map and is the Identity Manager system attribute name (the name on the left side of the schema map).
Specify the Identity Manager Organization Attribute Name (and IDM Organization Attribute Name Contains ID, if needed) if you want to enable delegated administration through organization authorization.
If needed, enable IDM Organization Attribute Name Contains ID.
Select this option if the LDAP resource attribute, that refers to the Identity Manager organization to which the LDAP account belongs, contains the ID of the Identity Manager organization, and not the name.
If needed, enable Compress User XML.
Select this option to compress the user XML stored in the directory.
Click Test Directory Configuration to verify your entries for the configuration.
You can test your Directory, Transaction, and Audit Configurations as appropriate to your needs. To fully test all three, click all three Test Configuration buttons.
In the User Forms and Policy area, shown in Figure 17–1 above, specify the forms and policies to use for service provider user administration.
Select the End User Form from the list.
This form is used everywhere except for the Delegated Administrator pages and during synchronization. If None is selected, no default user form is used.
Select the Administrator User Form from the list.
This is the default user form that is used in Administrator contexts. This includes the Service Provider Accounts edit pages. If None is selected, no default user form is used.
If you do not choose an Administrator User Form, then administrators will not be able to create or edit Service Provider users from Identity Manager.
Select a Synchronization User Form from the list.
The Synchronization User Form is the default form used if no form is specified for a resource running Service Provider synchronization. If an input form is specified on a resource’s synchronization policy, that form will be used instead. Resources usually require different synchronization input forms. In this case, you should set the synchronization user form on each resource instead of selecting a form from the list.
Select an Account Policy from the list.
The choices include any Identity Account Policy defined through Configure > Policies.
Select an Is Account Locked Rule from the list.
Select a rule to be run against the Service Provider User view that can determine if an account is locked.
Select a Lock Account Rule.
Select a rule to be run against the Service Provider User view that can set attributes in the view that cause the account to be locked.
Select an Unlock Account Rule.
Select a rule to be run against the Service Provider User view that can set attributes in the view that cause the account to be unlocked.
Use this section of the Service Provider Configuration page, shown in Figure 17–2, to configure a transaction database. These options are required only when using the JDBC Transaction Persistent Store. Changing any of these values requires that you restart the server to apply them.
The database table for transactions must be set up according to the schema shown in the create_spe_tables DDL scripts (located in the sample directory of your Identity Manager installation). The appropriate script may have to be customized for the target environment.
Enter the following database information:
Driver Class. Specify the JDBC Driver class name.
Driver Prefix. This field is optional. If specified, the JDBC DriverManager is queried before registering a new driver.
Connection URL Template. This field is optional. If specified, the JDBC DriverManager is queried before registering a new driver.
Host. Enter the name of the host where the database is running.
Port. Enter the port number the database server is listening on.
Database Name. Enter the name of the database to use.
User Name. Enter the ID of a database user with permission to read, update, and delete rows from the transaction and audit tables in the selected database.
Password. Enter the database user password.
Transaction Table. Enter the name of the table in the selected database to use for storing pending transactions.
If appropriate, click Test Transaction Configuration to verify your entries.
Continue to the next section of the Service Provider Configuration page to configure tracked events.
When event collection is enabled, it allows you to track statistics in real time thereby helping to maintain expected or agreed-upon levels of service. Event collection is enabled by default, as shown in Figure 17–3. Clearing the Enable event collection check box disables collection.
Select the Time zone from the list.
Select the time zone to use when recording tracked events, or select Set to Server Default to use the time zone set on the server.
Select the Time Scales to collect options.
Collection is aggregated over the following time intervals: every 10 seconds, every minute, every hour, daily, weekly, and monthly. Disable any of the intervals for which you do not want collection to occur.
When synchronizing resources in a Service Provider implementation, it may be necessary to define Account Indexes to properly correlate events sent by the resource to users in the Service Provider directory.
By default, resource events are required to contain a value for the attribute accountId which matches the accountId attribute in the directory. In some resources, accountId is not consistently sent. For example, delete events from ActiveDirectory contain only the ActiveDirectory generated account GUID.
Resources that do not include the accountId attribute must include a value for either of the following attributes.
guid. This attribute typically contains a system generated unique identifier.
identity. This attribute is normally the same as accountId for all resources except LDAP resources, where identity contains the full DN of the object.
If you need to correlate using either guid or identity you must define an account index for those attributes. An index is simply the selection of one or more directory user attributes that may be used to store resource specific identities. Once the identities are stored in the directory, they can be used in search filters to correlate synchronization events.
To define account indexes, first determine which resources will be used for synchronization, and which of those require an index. Then edit the Resource definition for the Service Provider directory and add attributes in the schema map for the GUID or identity attributes for each of the Active Sync resources. For example, if you were synchronizing from ActiveDirectory, you might define an attribute named AD-GUID mapped to an unused directory attribute such as manager.
After defining all of the index attributes in the Service Provider resource, perform the following steps:
In the Synchronization Account Indexes area of the configuration page, click the New Index button.
The form expands to contain a resource selection field, followed by two attribute selection fields. The attribute selection fields remain empty until a resource is selected.
Select a Resource from the list.
The attributes fields now contain values defined in the schema map for the selected resource.
Select the appropriate index attribute for either the Guid Attribute or the Full Identity Attribute.
It is not usually necessary to set both. If both are set, the software first attempts to correlate using the GUID, then the full identity.
You may click New Index again to define index attributes for other resources.
To delete an index, click the Delete button to the right of the Resource selection field.
Deleting an index only removes the index from the configuration, it does not modify all of the existing directory users that may currently have values stored in the index attributes.
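The correlation order described in this section (accountId first, then the GUID index attribute, then the full identity index attribute) is shown below as an added example; it is not code from Identity Manager or from this guide. The index configuration, the attribute names AD-GUID and ldapIdentity, the events, and the in-memory stand-in for the directory search are all constructed for illustration. Values taken from a resource event are escaped before they are placed in the LDAP filter, so that a value containing filter metacharacters is matched literally rather than widening the search.

```python
"""Correlating a synchronization event to a Service Provider directory user.

Added example, not Identity Manager code. Models the order the guide
describes: accountId, then the GUID index attribute, then the full
identity index attribute. All names and data below are constructed.
"""

# Constructed: resource name -> index attributes defined in the Service
# Provider directory schema map (None when no index is defined).
ACCOUNT_INDEXES = {
    "ActiveDirectory": {"guid": "AD-GUID", "identity": None},
    "CorpLDAP": {"guid": None, "identity": "ldapIdentity"},
}

# Constructed: the directory attribute configured as Account ID Attribute Name.
ACCOUNT_ID_ATTRIBUTE = "uid"

# Constructed stand-in for the directory contents (attribute -> value).
SAMPLE_DIRECTORY = [
    {"uid": "jdoe", "AD-GUID": "b7f3-0001",
     "ldapIdentity": "uid=jdoe,ou=people,dc=example,dc=com"},
    {"uid": "asmith", "AD-GUID": "b7f3-0002"},
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, an event value such as 'x)(uid=*' would change the
    structure of the correlation filter instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def correlation_filters(resource: str, event: dict) -> list:
    """Return (attribute, raw value, ldap filter) triples to try, in order.

    accountId is always tried first when present; GUID and full identity
    are tried only for resources that have an index defined for them.
    """
    candidates = [(ACCOUNT_ID_ATTRIBUTE, event.get("accountId"))]
    index = ACCOUNT_INDEXES.get(resource, {})
    candidates.append((index.get("guid"), event.get("guid")))
    candidates.append((index.get("identity"), event.get("identity")))

    filters = []
    for attr, value in candidates:
        if attr and value:
            filters.append((attr, value,
                            "(%s=%s)" % (attr, escape_filter_value(value))))
    return filters


def correlate(resource: str, event: dict, directory: list):
    """Return the first directory entry matched by any filter, or None.

    The in-memory match stands in for an LDAP search with the filter string;
    a real deployment would issue that filter against the directory.
    """
    for attr, value, _ldap_filter in correlation_filters(resource, event):
        for entry in directory:
            if entry.get(attr) == value:
                return entry
    return None


if __name__ == "__main__":
    # A constructed ActiveDirectory delete event carrying only the GUID.
    delete_event = {"guid": "b7f3-0002"}
    print(correlation_filters("ActiveDirectory", delete_event))
    print(correlate("ActiveDirectory", delete_event, SAMPLE_DIRECTORY))
```

The delete event in the usage block carries no accountId, which is exactly the case the section describes; without the AD-GUID index the candidate list would be empty and the event could not be correlated to any user.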
Select this option in the Callout Configuration section to enable callouts. When callouts are enabled, the callout mappings appear enabling you to select pre-operational and post-operational options for each transaction type listed.
By default, the pre- and post-operation options are set to None.
If you specify post-operation callouts, use the Wait for post-operation callout option to specify that the transaction must wait for the post-operation callout processing to complete before finishing. This ensures that any dependent transaction is executed only after the post-operation callout has successfully completed.
After completing your selections for all sections on the Service Provider Configuration page, click Save to complete the configuration.
Use this page, shown in Figure 17–4, to configure the default search settings for searches made by delegated administrators on the Manage Service Provider Users page. These defaults apply to all users of the Manage Service Provider Users page, but they can be overridden on a per-session basis.
Click Service Provider from the menu bar.
Click Edit User Search Configuration.
Enter a number for Maximum Results Returned (default 100).
Enter a number for Results Per Page (default 10).
Select the Available Attributes next to Result Attributes to Display using the arrow keys.
Select the Attribute to search from the list.
Select the Search Operation from the list.
Changes made to the search configuration do not take effect until you log off and log back on.
These configuration objects are not available if the Service Provider Directory has not been configured.
A transaction encapsulates a single provisioning operation, for example creating a new user or assigning new resources. To ensure that these transactions complete when resources are unavailable, they are written to the Transaction Persistent Store.
The following topics in this section contain procedures for managing service provider transactions:
These options control how transactions are executed, including synchronous/asynchronous processing and when they are persisted to the Transaction Persistent Store. They can be overridden in the IDMXUser view or through the form used to process it. For more information, see Sun Identity Manager Service Provider 8.1 Deployment.
Click Service Provider -> Edit Transaction Configuration.
The Service Provider Transaction Configuration page appears.
Figure 17–5 shows the Default Transaction Execution options area.
Select the appropriate Guaranteed Consistency Level options to specify the level of transaction consistency for user updates.
These options include:
None. No guaranteed ordering of resource updates for a user.
Local. Resource updates for a user being processed by the same server are guaranteed to be ordered.
Complete. All resource updates for a user are guaranteed to be in order, across all servers. This option requires all transactions to be persisted before attempting the transaction or before asynchronous processing.
Enable the Default Transaction Execution options as needed.
These options include:
Wait for First Attempt. Dictates how control returns to the caller when an IDMXUser view object is checked in. If the option is enabled, the check-in operation is blocked until the provisioning transaction has completed a single attempt. If asynchronous processing is disabled, then the transaction either succeeds or fails when control is returned. If asynchronous processing is enabled, then the transaction continues to be retried in the background. If the option is disabled, the check-in operation returns control to the caller before attempting the provisioning transaction. Consider enabling this option.
Enable Asynchronous Processing. This option controls whether processing of provisioning transactions continues after the check-in call returns.
Enabling asynchronous processing allows the system to retry transactions. It also improves throughput by allowing the worker threads configured in Set Advanced Transaction Processing Settings to run asynchronously. If you select this option, configure the retry intervals and attempts for the resources being provisioned to or updated using the synchronization input form.
When you select Enable Asynchronous Processing, enter a Retry Timeout value. This is an upper bound expressed in milliseconds of how long the server retries a failed provisioning transaction. This setting complements the retry settings on the individual resources, including the Service Provider user LDAP directory. For example, if this limit is reached before the resource retry limits are reached, the transaction is aborted. If the value is negative, then the number of retries is only limited by the settings of the individual resources.
Persist Transactions Before Attempting. If enabled, provisioning transactions are written to the Transaction Persistent Store before they are attempted. Enabling this option might incur unnecessary overhead because most provisioning transactions succeed on the first attempt. Consider disabling this option unless the Wait for First Attempt option is disabled. This option is not available if Complete consistency level is selected.
Persist Transactions Before Asynchronous Processing (default selection). If enabled, provisioning transactions are written to the Transaction Persistent Store before they are processed asynchronously. If the Wait for First Attempt option is enabled, then transactions that need to be retried are persisted before control is returned to the caller. If the Wait for First Attempt option is disabled, then transactions are always persisted before they are attempted. It is recommended to enable this option. This option is not available if Complete consistency level is selected.
Persist Transactions on Each Update. If enabled, provisioning transactions are persisted after each retry attempt. This can aid in isolating problems because the Transaction Persistent Store, which is searchable from the Search Transaction page, is always up-to-date.
The options on the Service Provider Transaction Configuration page apply to the Transaction Persistent Store. The type of store can be configured as well as additional queryable attributes to expose in the store, as shown in the following figure.
Select the desired Transaction Persistent Store Type from the list.
If the Database option is selected, then the RDBMS configured on the main Service Provider configuration page is used for persisting provisioning transactions. This guarantees transactions that must be retried are not lost when a server is restarted. Selecting this option requires configuring the RDBMS on the main Service Provider configuration page. If the Simulated memory-based option is selected, then transactions that require retry are only stored in memory and are lost when the server restarts. Enable the Database option for production environments.
Memory-based transaction persistent store is not suitable for use in clustered environments.
When Transaction Persistent Store Type is changed, you must restart all running Identity Manager instances for the change to take effect.
If desired, enter Customized queryable user attributes.
Select additional attributes of the IDMXUser object to expose in transaction summaries. These attributes are queryable from the search transaction page and appear in search results.
These attributes include:
User path expression. Enter a path expression into the IDMXUser object.
Display name. Choose a display name corresponding to the path expression. This display name is shown on the transaction search page.
These advanced options control the inner workings of the transaction manager. Do not change the provided defaults unless performance analysis indicates they are not optimal. All entries are required.
Figure 17–5 illustrates the Advanced Transaction Processing Settings area on the Edit Transaction Configuration page.
Enter the desired number of Worker Threads (default 100).
This is the number of threads used to process transactions. This value limits the number of transactions that are processed concurrently. These threads are statically allocated at startup.
When the Worker Threads setting is changed, you must restart all running Identity Manager instances for the change to take effect.
Enter the desired Lease Duration (ms) (default 600000).
This controls how long a server locks a transaction that it is retrying. The lease is renewed as needed. However, if the server does not shut down cleanly, then another server is not able to lock the transaction until the original server’s lease expires. The value should be at least one minute. Setting the value smaller can increase the load on the Transaction Persistent Store.
Enter the Lease Renewal (ms) time (default 300000).
This controls when the lease of a locked transaction is renewed. It is renewed when there are this many milliseconds remaining on the lease.
Enter the time to Retain Completed Transactions in Store (ms) (default 360000).
How many milliseconds to wait before removing completed transactions from the Transaction Persistent Store. Unless transactions are configured to be immediately persisted, the Transaction Persistent Store does not contain all completed transactions.
Enter the Ready Queue Low Water Mark (default 400).
When the transaction scheduler’s queue of ready-to-run transactions falls below this limit, it refills the queue with any available ready-to-run transactions up to the high water limit.
Enter the Ready Queue High Water Mark (default 800).
When the transaction scheduler’s queue of ready-to-run transactions falls below the low water mark, it refills the queue with any available ready-to-run transactions up to this limit.
Enter the Pending Queue Low Water Mark (default 2000).
The transaction scheduler’s pending queue holds failed transactions that are pending a retry. If the size of the queue exceeds the high water mark, then all transactions beyond the low water mark, are flushed to the Transaction Persistent Store.
Enter the Pending Queue High Water Mark (default 2000).
The transaction scheduler’s pending queue holds failed transactions that are pending a retry. If the size of the queue exceeds the high water mark, then all transactions beyond the low water mark, are flushed to the Transaction Persistent Store.
Enter the Scheduler Period (ms) (default 500).
This is how often the transaction scheduler should run. When it runs, the transaction scheduler moves ready-to-run transactions from the pending queue to the ready queue, and performs other periodic duties such as persisting transactions to the Transaction Persistent Store.
Click Save to accept the settings.
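The following added example, which is not code from Identity Manager or this guide, encodes the constraints the settings above imply (lease of at least one minute, renewal before the lease expires, low water marks no higher than high water marks, a positive thread count and scheduler period) as a check that an administrator can run before saving, and models the lease renewal timing and the queue watermark behaviour using the guide's defaults. The setting keys are constructed names for this example; the numeric defaults are those listed above.

```python
"""Checks and a small model of the Advanced Transaction Processing Settings.

Added example, not Identity Manager code. Setting keys are constructed;
default values are the ones given in the guide.
"""

DEFAULTS = {
    "worker_threads": 100,
    "lease_duration_ms": 600000,
    "lease_renewal_ms": 300000,
    "retain_completed_ms": 360000,
    "ready_low": 400,
    "ready_high": 800,
    "pending_low": 2000,
    "pending_high": 2000,
    "scheduler_period_ms": 500,
}


def check_settings(overrides: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    s = dict(DEFAULTS)
    s.update(overrides)
    problems = []
    if s["worker_threads"] < 1:
        problems.append("worker_threads must be positive (threads are allocated at startup)")
    if s["lease_duration_ms"] < 60000:
        problems.append("lease_duration_ms should be at least one minute (60000)")
    if not 0 < s["lease_renewal_ms"] < s["lease_duration_ms"]:
        problems.append("lease_renewal_ms must lie between 0 and lease_duration_ms, "
                        "otherwise the lease can expire before it is renewed")
    if s["ready_low"] > s["ready_high"]:
        problems.append("ready_low must not exceed ready_high")
    if s["pending_low"] > s["pending_high"]:
        problems.append("pending_low must not exceed pending_high")
    if s["scheduler_period_ms"] <= 0:
        problems.append("scheduler_period_ms must be positive")
    if s["retain_completed_ms"] < 0:
        problems.append("retain_completed_ms must not be negative")
    return problems


def lease_renewal_due(elapsed_ms: int, s: dict = DEFAULTS) -> bool:
    """The lease is renewed once the remaining time drops to lease_renewal_ms."""
    remaining = s["lease_duration_ms"] - elapsed_ms
    return remaining <= s["lease_renewal_ms"]


def lockable_by_other_server(ms_since_last_renewal: int, s: dict = DEFAULTS) -> bool:
    """After an unclean shutdown, another server may lock the transaction only
    once the original lease has fully expired."""
    return ms_since_last_renewal >= s["lease_duration_ms"]


def ready_queue_refill(ready_len: int, available: int, s: dict = DEFAULTS) -> int:
    """Number of ready-to-run transactions moved into the ready queue: refill
    only when below the low water mark, and only up to the high water mark."""
    if ready_len >= s["ready_low"]:
        return 0
    return min(available, s["ready_high"] - ready_len)


def pending_queue_flush(pending_len: int, s: dict = DEFAULTS) -> int:
    """Number of pending (retry) transactions flushed to the Transaction
    Persistent Store: everything beyond the low water mark, but only once the
    queue exceeds the high water mark."""
    if pending_len <= s["pending_high"]:
        return 0
    return pending_len - s["pending_low"]


if __name__ == "__main__":
    print("defaults:", check_settings({}) or "ok")
    # A renewal window longer than the lease itself is caught before Save.
    print(check_settings({"lease_renewal_ms": 700000}))
    print("renew at 5 min?", lease_renewal_due(300000))
    print("failover after 10 min?", lockable_by_other_server(600000))
```

With the defaults, the pending queue's low and high water marks are both 2000, so as soon as the queue exceeds 2000 entries everything beyond 2000 is flushed to the store; raising only the high water mark lets the queue grow further before a flush drains it back to the low water mark.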
Service Provider transactions are written to the Transaction Persistent Store. You can search for transactions in the Transaction Persistent Store to view the transaction status.
Using the Edit Transaction Configuration page (see Transaction Management), the administrator can control when transactions are persisted. For instance, they can be persisted immediately, even before they are attempted for the first time.
The Transactions Search page allows you to specify search conditions that filter the transactions to view by criteria related to the transaction event, such as user, type, status, transaction ID, current state, and success or failure of the transaction. This includes transactions that are still being retried, as well as transactions that have already completed. Transactions that have not completed can be cancelled, preventing any further attempts.
In the Administrator interface, click Server Tasks -> Service Provider Transactions.
The Service Provider Transaction Search page opens, allowing you to specify search conditions.
The search returns only transactions that match all of the conditions selected below. This is similar to the Accounts -> Find Users page.
Configure your search.
Choose one or more of the following options:
User Name. Allows you to search for transactions that apply only to users with the accountId that you enter.
If you have configured any Customized queryable user attributes on the Service Provider Transaction Configuration page, then they appear here. For example, you could choose to search based on Last Name or Full Name if these were configured as customized queryable user attributes.
Type. Allows you to search for transactions of the selected type or types.
State. Allows you to search for transactions in the following selected state or states:
Unattempted transactions have not yet been attempted.
Pending retry transactions have been attempted one or more times, have had one or more errors, and are scheduled to be retried up to the retry limits configured for the individual resources.
Success transactions have completed successfully.
Failure transactions have completed with one or more failures.
Attempts. Allows you to search for transactions based on how many times they have been attempted. Failed transactions are retried up to the retry limits configured for the individual resources.
Submitted. Allows you to search for transactions based on when they were initially submitted in increments of hours, minutes, or days.
Completed. Allows you to search for transactions based on when they were completed in increments of hours, minutes, or days.
Cancelled Status. Allows you to search for transactions based on whether or not they have already been cancelled.
Transaction ID. Allows you to search for transactions based on their unique id. Use this option to find a transaction based on the id value you enter, which appears in all audit log records.
Running On. Allows you to search for transactions based on the Service Provider server where they are running. The server’s identifier is based on its machine name unless it has been overridden in the Waveset.properties file.
Limit the search results to the first number of entries selected from the list. Only results up to the specified limit are returned. No indication is given if additional results are available.
The search results are displayed.
You can click Download All Matched Transactions at the bottom of the results page to save the results to an XML formatted file.
To cancel transactions returned in the search results, select the transaction in the results table and click Cancel Selected. You cannot cancel transactions that have completed or have already been cancelled.
Delegated administration for Service Provider users is enabled through the use of Identity Manager admin roles, or through the organization-based authorization model.
Identity Manager provides delegation of administrative duties through the organization-based authorization model, by default.
Keep the following in mind when creating delegated administrators in an organization-based authorization model:
Service provider administrators are Identity Manager users with specific capabilities and controlled organizations.
The values of the users’ organization attributes can either be the name of the Identity Manager organization or the object ID. This depends on the setting of the Identity Manager Organization Attribute Name Contains ID field in the Identity Manager Main Configuration screen.
You can create an Identity Manager hierarchy and place organizations in that hierarchy in the way you want to delegate the administration of those organizations. Use specific identification for the organizations instead of the organizations’ simple names.
Service Provider users have their organization taken from user attributes in the directory server.
You must set attributes in the schema map for the directory server resource.
The comparison of attributes is by exact match to an administrator’s controlled organization list. The value stored in the directory must match the organization’s name, not the entire hierarchy. If an administrator controls Top:orgA:sub1, then sub1 must be the value stored in the organization attribute for the Service Provider user.
If the attribute is not set or does not correspond to an Identity Manager organization, the Service Provider user is treated as a member of the Top organization. This requires that the Service Provider administrators have Service Provider user capabilities in Top to manage these users.
Attribute settings determine the scope for searches by Service Provider administrators.
To create a delegated administrator account, you first create an Identity Manager administrator and then add Service Provider administrator capabilities. There are capabilities specific to Service Provider tasks which can be assigned to the user (on the Security Tab of the Edit User page). The controlled organizations specify which Service Provider users the administrator can modify. Any resources available to Service Provider users are available to all Identity Manager administrators.
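The matching rules for the organization-based model are shown below as an added example; it is not code from Identity Manager or this guide. It applies the rules stated above: the directory attribute is compared by exact match against the leaf name of an Identity Manager organization (or against its object ID when IDM Organization Attribute Name Contains ID is enabled), an unset or unrecognized value places the user in Top, and an administrator may manage a user only when the user's organization is in the administrator's controlled organization list. The organization tree, object IDs and users are constructed; inheritance of control down the hierarchy is not modeled, because this section describes the comparison as an exact match.

```python
"""Organization-based authorization for Service Provider users.

Added example, not Identity Manager code. Organizations, IDs and users
are constructed; matching follows the exact-match rules in the guide.
"""

# Constructed organization hierarchy: full path -> object ID.
ORGANIZATIONS = {
    "Top": "#ID#Top",
    "Top:orgA": "#ID#orgA",
    "Top:orgA:sub1": "#ID#sub1",
    "Top:orgB": "#ID#orgB",
}

# Constructed directory users; "org" stands in for the LDAP attribute mapped
# as IDM Organization Attribute Name.
SAMPLE_USERS = [
    {"uid": "alice", "org": "sub1"},
    {"uid": "bob", "org": "orgB"},
    {"uid": "carol", "org": "Top:orgA:sub1"},  # full path stored: not a match
    {"uid": "dave"},                            # attribute not set
]


def leaf_name(path: str) -> str:
    """The organization's simple name is the last element of its path."""
    return path.rsplit(":", 1)[-1]


def resolve_organization(attr_value, contains_id: bool = False) -> str:
    """Map a directory attribute value to an organization path.

    An unset value, or one that matches no organization, yields Top, so the
    user is only manageable by administrators with capabilities in Top.
    """
    if not attr_value:
        return "Top"
    for path, object_id in ORGANIZATIONS.items():
        key = object_id if contains_id else leaf_name(path)
        if key == attr_value:
            return path
    return "Top"


def can_manage(controlled: list, user_org: str) -> bool:
    """Exact match of the user's organization against the controlled list."""
    return user_org in controlled


def manageable_users(controlled: list, users: list, contains_id: bool = False) -> list:
    """The search scope a delegated administrator ends up with."""
    return [u["uid"] for u in users
            if can_manage(controlled, resolve_organization(u.get("org"), contains_id))]


if __name__ == "__main__":
    print(manageable_users(["Top:orgA:sub1"], SAMPLE_USERS))   # alice only
    print(manageable_users(["Top"], SAMPLE_USERS))             # carol and dave
```

The administrator controlling only Top:orgA:sub1 sees alice but not carol, even though carol's attribute names the same organization, because the stored value is the full path rather than the simple name; carol and dave fall back to Top.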
For granting fine-grain capabilities and scope of control on Service Provider users, use a Service Provider User Admin Role. The Admin Roles can be configured to be dynamically assigned to one or more Identity Manager or Service Provider Users at login time.
Rules can be defined and assigned to Admin Roles that specify the capabilities (such as Service Provider Create User) granted to users assigned the admin role.
To use Admin Role delegation for service provider users, you must enable it in the Identity Manager system configuration object (Editing Identity Manager Configuration Objects).
If delegation through Admin Role assignment is enabled, then the IDM Organization Attribute Name in the Service Provider Configuration is not required.
To enable service provider admin role delegation (Service Provider delegated administration), open the system configuration object for modification (Editing Identity Manager Configuration Objects) and set the following property to true:
security.authz.external.app name.object type
where app name is the Identity Manager application (such as Administrator Interface) and object type is Service Provider Users.
This property can be enabled per Identity Manager application (for example, for the Administrator Interface or User Interface) and per object type. Currently, the only supported object type is Service Provider Users. The default value is false.
For example, to enable Service Provider Delegated Administration for Identity Manager administrators, set the following attribute in the System Configuration configuration object to “true”:
security.authz.external.Administrator Interface.Service Provider Users
If Service Provider Delegated Administration is disabled (set to false) for a given Identity Manager or Service Provider application, the organization-based authorization model is used.
When Service Provider Delegated Administration is enabled, tracked events capture information about the number and duration of authorization rules executed. These statistics are available in the dashboard.
To configure a Service Provider User Admin Role, create an admin role and specify the scope of control, capabilities, and to whom it should be assigned.
Before creating a Service Provider User Admin Role, define the search context, search filter, after search filter, capabilities, and user assignment rules for the admin role.
To use the following rules, you must specify the rule's authType:
Identity Manager provides sample rules that you can use to create these rules for Service Provider User Admin Roles. These rules are available in sample/adminRoleRules.xml in the Identity Manager installation directory.
For more information about creating these rules for your environment, see Sun Identity Manager Service Provider 8.1 Deployment.
In the Administrator interface, click Security on the menu, then click Admin Roles.
The Admin Roles page opens.
The Create Admin Role page opens.
Specify a name for the admin role and select Service Provider Users for the type.
Specify the Scope of Control, Capabilities, and Assign To Users options, as described in the following sections.
The scope of control for the service provider user admin role specifies which service provider users a given Identity Manager administrator, Identity Manager end user, or Identity Manager service provider end user is allowed to see. It is enforced when a request is made to list Service Provider Users in the directory.
You can specify one or more of the following settings for the Service Provider User Admin Role scope of control:
User search context. Specify whether a rule or text string is to be used to begin a search.
If None is specified, the default search context will be the base context specified in the Identity Manager Resource configured as the Service Provider User directory.
User search filter. Specify whether a rule or a text string is to be applied as the search filter.
The text string specified, or returned by the selected rule, should be an LDAP-compliant search filter string that represents the set of users, within the search context, that will be controlled by users assigned this Admin Role. The specified filter is combined (ANDed) with the user-specified search filter, so that the users returned from the search never include users that those assigned this Admin Role are not authorized to list.
After user search filter rule. Select a rule that will be applied after the User search filter is applied.
This rule is run after the initial LDAP search is performed against the Service Provider User directory and evaluates the results to determine which distinguished names (dn) the requesting user is allowed to access.
This type of rule can be used when you need to determine if a user should be in the requesting user’s scope of control using non-LDAP user attributes (for example, group membership), or when the filter decision needs to be made using a repository other than the Service Provider User directory (for example, an Oracle database or RACF).
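The three scope-of-control settings above (search context, search filter, after-search filter rule) work as successive narrowing steps. The following added example, which is not Identity Manager code, models that pipeline over a constructed in-memory directory: the Admin Role's scope filter is ANDed with whatever filter the requester supplies, the search context is applied as a DN suffix, and a Python callable stands in for the "after user search filter" rule, making its decision from data held outside LDAP. The filter evaluator only understands the AND, OR, NOT and equality forms of RFC 4515 filters, and all names and entries are constructed for the illustration.

```python
"""Scope-of-control enforcement for a Service Provider User Admin Role.

Added illustration, not Identity Manager code. Assumptions: an in-memory
directory (dn -> attributes), a minimal LDAP filter evaluator covering
(&...), (|...), (!...) and (attr=value), and a Python callable standing in
for the after-search-filter rule.
"""
from typing import Callable, Dict, List, Optional

Entry = Dict[str, str]
Directory = Dict[str, Entry]

# Constructed sample directory (not real data).
DIRECTORY: Directory = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "o": "acme", "st": "active"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "o": "acme", "st": "locked"},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "o": "globex", "st": "active"},
    "uid=dave,ou=people,dc=example,dc=com": {"uid": "dave", "o": "acme", "st": "active"},
}

# Constructed non-LDAP data (e.g. a group table in an RDBMS) that an
# after-search rule might consult; not part of the directory search.
PRIVILEGED_DNS = {"uid=dave,ou=people,dc=example,dc=com"}


def combine_filters(scope_filter: str, user_filter: Optional[str]) -> str:
    """AND the Admin Role scope filter with the requester's own filter.

    Conjunction guarantees the result can never contain an entry outside the
    scope filter, whatever the requester asked for.
    """
    if not user_filter:
        return scope_filter
    return f"(&{scope_filter}{user_filter})"


def _split_subfilters(s: str) -> List[str]:
    """Split "(a=1)(b=2)" into ["(a=1)", "(b=2)"], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def matches(entry: Entry, flt: str) -> bool:
    """Evaluate a small subset of LDAP filter syntax against one entry."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError(f"malformed filter: {flt}")
    body = flt[1:-1]
    if body[0] in "&|":
        results = [matches(entry, sub) for sub in _split_subfilters(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    if body[0] == "!":
        return not matches(entry, body[1:])
    attr, _, value = body.partition("=")
    if value == "*":          # presence filter
        return attr in entry
    return entry.get(attr) == value


def scoped_search(directory: Directory, search_context: str, scope_filter: str,
                  user_filter: Optional[str] = None,
                  after_rule: Optional[Callable[[str, Entry], bool]] = None) -> List[str]:
    """Return the DNs the requester is allowed to list.

    1. restrict to the search context (DN suffix),
    2. apply scope filter AND user filter in the directory search,
    3. run the after-search rule on the survivors (non-LDAP decision).
    """
    effective = combine_filters(scope_filter, user_filter)
    dns = [dn for dn, entry in directory.items()
           if dn.lower().endswith(search_context.lower()) and matches(entry, effective)]
    if after_rule is not None:
        dns = [dn for dn in dns if after_rule(dn, directory[dn])]
    return sorted(dns)


def exclude_privileged(dn: str, entry: Entry) -> bool:
    """Example after-search rule: hide privileged users from this Admin Role."""
    return dn not in PRIVILEGED_DNS
```

Because the scope filter is always the outer conjunct, a requester who submits a broader filter such as `(o=globex)` gets an empty result rather than entries outside the scope; the after-search rule then removes anything the directory search alone cannot decide.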
Capabilities for the Service Provider User Admin Role specify which capabilities and rights the requesting user has on the Service Provider User for which access is being requested. It is enforced when a request is made to view, create, modify, or delete a Service Provider User.
On the Capabilities tab, select the Capabilities Rule to apply for this admin role.
Service Provider User Admin Roles can be dynamically assigned to service provider users by specifying a rule that will be evaluated at login time to determine whether to assign the authenticating user the Admin Role.
Click the Assign To Users tab, and select the rule to apply for the assignment.
Dynamic assignment of Admin Roles to users must be enabled for each login interface (for example, the User interface and the Administrator interface) by setting the following System Configuration object (Editing Identity Manager Configuration Objects) to true:
The default for all interfaces is false.
By default, Service Provider Users can assign (or delegate) Service Provider User Admin Roles assigned to them to other Service Provider Users in their scope of control.
In fact, any Identity Manager User with capabilities to edit Service Provider Users can assign the Service Provider User Admin Roles assigned to them to the service provider users in their scope of control.
A Service Provider User Admin Role can also include a list of Assigners who can assign the Admin Role regardless of scope of control. These direct assignments can ensure that at least one known user account can assign the Admin Role.
This section describes procedures and information for administering Service Provider users through Identity Manager.
This section contains the following topics:
With Service Provider, the value of an attribute on the user determines to which organization the user is assigned. This is specified by the Identity Manager Organization Attribute Name field in the Service Provider Main configuration (see Initial Configuration). However, the names of those organizations must match the value of a user attribute assigned in the directory server.
If the Identity Manager Organization Attribute Name is defined, then a multi-select list of available organizations appears on the Create User and Edit User pages. The short organization names are displayed by default. You can modify the Service Provider User Form to display the full organization path.
You may pick which attribute becomes the organization name attribute. The organization name attribute is then used in the Service Provider user administration pages to constrain which administrators can search for and manage that user.
There are now account ID and password policies for Service Provider and resource accounts.
The Service Provider System Account Policy is available from the main Policies table.
All service provider users must have an account in the Service Provider directory. If a user has accounts on other resources, then links to these accounts are stored in the user’s directory entry, so information about these accounts is available when the user is viewed.
A sample Service Provider User Form for creating and editing users is provided. Customize this form to meet the requirements for managing users in your Service Provider environment. For more information, see Chapter 3, Identity Manager Forms, in Sun Identity Manager Deployment Reference.
In the Administrator interface, click Accounts on the menu bar.
Click the Manage Service Provider Users tab.
Click Create User.
When using the default Service Provider User Form, the fields that are actually displayed depend on the attributes configured in the Account Attributes table (schema map) of the Service Provider directory resource. Also, when you assign resources to the user (such as a delegated administrator), new sections are added to the display where you can specify values for the attributes of those resources. You may also customize the fields.
Specify attribute values for these resources as required.
These attribute values include:
confirmation (password confirmation)
password retry count
account unlock time
Assign any desired Resources from the Available listing by using the arrow keys.
The Account Status displays whether the account is locked or unlocked. Click this option to lock or unlock the account.
This form automatically populates values for the resource account attributes based on the attributes defined for the directory account (at the top). For example, if the resource defines firstName, then the product populates it with the firstName value from the directory account. However, after this initial population, modifications to these attributes are not propagated to the resource accounts. If desired, customize the provided sample Service Provider User Form.
Click Save to create the user account.
Service Provider includes a configurable search capability to aid in administering user accounts. Only the users within your scope (as defined by your organization, and perhaps other factors) are returned in a search.
To perform a basic search of service provider users, from the Accounts area in the Identity Manager interface, click Manage Service Provider Users, then enter the search value and click Search.
The following topics discuss the Service Provider search features:
Use the following instructions to perform an Advanced Search of Service Provider users.
From the Service Provider Users Search page, click Advanced.
Choose the desired Attribute from the list.
Choose the desired Operation from the list.
You are specifying a set of conditions that filter the users returned from the search; a user is returned only if it meets all of the specified conditions.
Enter the desired search value, and then click Search.
You can add or remove Attribute Conditions, using the following options:
Click Add Condition and specify the new attribute.
Select the item and click Remove Selected Conditions.
Service Provider search results are displayed in a table, as depicted in Figure 17–11. The results can be sorted by any attribute by clicking on the column header for that attribute. The results displayed depend on the attributes you selected.
The arrow buttons navigate to the first, previous, next, and last pages of results. You can jump to a specific page by entering the number in the text box and pressing Enter.
To edit a user, click the user name in the table.
The search results page enables you to delete users or unlink resource accounts by selecting one or more users and clicking the Delete button. This action brings up a delete user page that presents additional options (see Delete, Unassign, or Unlink Accounts).
Service Provider may be installed in environments in which users have accounts on multiple resources. The account linking feature of Service Provider enables you to assign existing resource accounts to Service Provider users in an incremental fashion. The account linking process is controlled by the Service Provider linking policy, which defines a link correlation rule, a link confirmation rule, and a link verification option.
In the Administrator interface, click Resources in the menu bar.
Select the desired resource.
Select Edit Service Provider Linking Policy from the Resources Action menu.
Select a link correlation rule. This rule searches for accounts on the resource that the user may own.
Select a link confirmation rule. This rule eliminates any resource accounts from the list of potential accounts that the link correlation rule selects.
If the link correlation rule selects no more than one account, then the link confirmation rule is not required.
Select Link verification required to link the target resource account to the Service Provider user.
Click Accounts from the menu bar.
Click Manage Service Provider Users.
Perform a basic or advanced search.
Select the desired user or users.
Click the Delete button.
Optionally, select one of the global options.
These options include:
Delete All resource accounts
Deleting a resource account deletes the account on the resource, but the resource assignment still exists. A subsequent update of the user recreates the account. Delete always implies an unlink of the resource account.
Unassign All resource accounts
Unassigning a resource removes that resource assignment. Unassign implies an unlink of the resource account. The resource account is not deleted when the resource is unassigned.
Unlink All resource accounts
Unlinking removes the link between a user and the resource account, but this does not delete the account. The resource assignment is not removed either, so a subsequent update to the user relinks the account or creates a new account on the resource.
Alternatively, select an action for one or more resource accounts in the Delete, Unassign, or Unlink columns.
After selecting the desired user accounts, click OK.
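The linking policy described under account linking (link correlation rule, link confirmation rule) and the three global options above (Delete, Unassign, Unlink) are easiest to reason about together, because Delete and Unassign each imply an Unlink and the next user update re-runs the linking policy for any assigned resource that has no link. The following added example, which is not Identity Manager code, models both as plain Python: the two rules are callables, a resource is a dictionary of accounts, and `update_user` shows the "relink or create" behaviour a subsequent update produces. All users, accounts and rule names are constructed for the illustration.

```python
"""Model of the Service Provider linking policy and of the Delete / Unassign /
Unlink actions on resource accounts.

Added illustration, not Identity Manager code. Assumptions: rules are Python
callables, a resource is a dict accountId -> attributes, and the sample
accounts are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Accounts = Dict[str, Dict[str, str]]           # accountId -> attributes


@dataclass
class SpUser:
    uid: str
    mail: str
    assigned: List[str] = field(default_factory=list)    # assigned resource names
    links: Dict[str, str] = field(default_factory=dict)  # resource -> linked accountId


class LinkError(Exception):
    """Raised when the linking policy cannot settle on exactly one account."""


def correlate_by_mail(user: SpUser, accounts: Accounts) -> List[str]:
    """Link correlation rule: every account whose mail matches the user's."""
    return [aid for aid, a in accounts.items()
            if a.get("mail", "").lower() == user.mail.lower()]


def confirm_staff(user: SpUser, accounts: Accounts, candidates: List[str]) -> List[str]:
    """Link confirmation rule: keep only staff accounts among the candidates."""
    return [aid for aid in candidates if accounts[aid].get("employeeType") == "staff"]


def link_account(user: SpUser, resource: str, accounts: Accounts,
                 correlation_rule: Callable, confirmation_rule: Optional[Callable] = None) -> Optional[str]:
    """Apply the linking policy for one resource; return the linked accountId or None.

    The confirmation rule is only consulted when correlation yields more than
    one candidate, matching the note that it is not required otherwise.
    """
    candidates = correlation_rule(user, accounts)
    if len(candidates) > 1:
        if confirmation_rule is None:
            raise LinkError(f"{len(candidates)} candidates but no confirmation rule")
        candidates = confirmation_rule(user, accounts, candidates)
    if not candidates:
        return None
    if len(candidates) > 1:
        raise LinkError("confirmation rule left more than one candidate")
    user.links[resource] = candidates[0]
    return candidates[0]


def delete_account(user: SpUser, resource: str, accounts: Accounts) -> None:
    """Delete: remove the account on the resource and the link; the assignment stays."""
    account_id = user.links.pop(resource, None)
    if account_id is not None:
        accounts.pop(account_id, None)


def unassign_resource(user: SpUser, resource: str) -> None:
    """Unassign: drop the assignment and the link; the account itself is untouched."""
    user.links.pop(resource, None)
    if resource in user.assigned:
        user.assigned.remove(resource)


def unlink_account(user: SpUser, resource: str) -> None:
    """Unlink: drop only the link; assignment and account both remain."""
    user.links.pop(resource, None)


def update_user(user: SpUser, resources: Dict[str, Accounts],
                correlation_rule: Callable, confirmation_rule: Optional[Callable] = None) -> Dict[str, str]:
    """Re-provision every assigned resource that has no link: relink an
    existing account if the linking policy finds one, else create a new one
    (constructed attributes) named after the user's uid."""
    for resource in user.assigned:
        if resource in user.links:
            continue
        accounts = resources[resource]
        if link_account(user, resource, accounts, correlation_rule, confirmation_rule) is None:
            accounts[user.uid] = {"mail": user.mail, "employeeType": "staff"}
            user.links[resource] = user.uid
    return dict(user.links)
```

The distinction that matters operationally is what survives each action: after Unlink or Delete the assignment is still there, so the next update touches the resource again; after Unassign it is not, so the orphaned account stays on the resource until it is dealt with separately.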
In the Administrator interface, click Accounts in the menu bar.
Click Service Provider.
These options are only valid for the current login session. They affect how the search results are displayed, apply to both basic and advanced search results, and some settings take effect only on new searches.
Enter the Maximum Results Returned.
Enter the Number of Results Per Page.
Choose the desired Display Attribute from the Available Attributes using the arrow keys.
The bundled sample end-user pages provide examples for registration and self-service typical in xSP environments. The samples are extensible and can be customized. You may change the look and feel, modify navigation rules between pages, or display locale-specific messages for your deployment. For further information about customizing end-user pages see Sun Identity Manager Service Provider 8.1 Deployment.
In addition to auditing self-service and registration events, notification to the affected user can be sent using e-mail templates. Examples of using account ID and password policies, as well as account lockout, are also provided. Application developers can also leverage Identity Manager forms. The modular authentication service implemented as a servlet filter can be extended or replaced if necessary. This allows integration with access management systems like the Sun Access Manager.
The bundled sample end-user pages allow the user to register and maintain basic user information through a series of easy-to-navigate screens and receive email notification of their actions.
The example pages include the following features:
Login (and logout) including authentication using challenge questions
Registration and enrollment
User name changing
Challenge questions changing
Notification address changing
User name forgotten handling
Password forgotten handling
Identity Manager uses a validation table for registration. Only users in that table are allowed to register. For example, when user Betty Childs registers, an entry for Betty Childs with email address firstname.lastname@example.org is found in the validation table and registration is accepted.
You can easily customize these pages for your deployment as follows:
Change the branding
Modify the configuration options (for example, the number of failed login attempts)
Add or remove pages
For more information on customizing the pages see Sun Identity Manager Service Provider 8.1 Deployment.
New users are asked to register. During registration users can set their login, challenge questions, and notification information.
Figure 17–15 shows the end user home tab and Profile page. A user may change their login ID and password, manage notification, and create challenge questions.
Synchronization for Service Provider users is enabled through the Synchronization Policy. To synchronize changes to attributes on resources with Identity Manager for service provider users, you must configure Service Provider Synchronization.
The following topics explain how to enable synchronization in a service provider implementation:
Service Provider synchronization is configured from the list of resources in the Resources area of Identity Manager.
To configure Service Provider synchronization, you edit the Synchronization Policy for resources as described in To Edit or Configure Synchronization.
When editing the Synchronization Policy, the following options must be specified to enable the synchronization processes for service provider users.
Select Service Provider User as the Target Object Type.
In the Scheduling Settings section, select Enable Synchronization.
Follow the instructions in To Edit or Configure Synchronization to specify other options as appropriate for your environment. The default synchronization interval for Service Provider synchronization tasks is 1 minute.
The confirmation rule and form must use the IDMXUser view and not the Identity Manager input user view (see Sun Identity Manager Service Provider 8.1 Deployment for more information).
This is required because confirmation rules access a user view for each user identified in the correlation rule, impacting synchronization performance.
Click Save to save the policy definition. If synchronization is enabled in the policy, it is scheduled as specified. If synchronization is disabled in the policy, the synchronization service is stopped if it is currently running. If enabled, synchronization is started when the Identity Manager server is restarted, or when Start for Service Provider is selected under the Synchronization resource action.
Identity Manager provides the following methods for monitoring Service Provider synchronization.
View the synchronization status in the description field on the Resource list.
Use the JMX interface to monitor synchronization metrics.
Service Provider synchronization is enabled by default when you configure Identity Manager for a service provider implementation.
In the Administrator interface, click Resources on the menu.
The List Resources page opens.
In the Service Provider area, select the resource and click Edit Synchronization Policy to edit the policy.
Clear the Enable Synchronization check box.
When the policy is saved synchronization stops.
To stop synchronization without disabling it, select Stop for Service Provider from the Synchronization resource action.
If you stop synchronization by using the resource action, without disabling synchronization, it will be started again when any Identity Manager server is started.
The Service Provider functionality contains an example user migration task and associated scripts. This task migrates existing Identity Manager users to the Service Provider User directory. This section describes how to use the example migration task. You are encouraged to modify this example for use in your situation.
In the Administrator interface, click Server Tasks on the menu.
The Find Tasks page opens.
Click Run Tasks in the secondary menu.
Click SPE Migration.
Enter a unique Task Name.
Select a Resource from the list.
This is a resource in Identity Manager that represents the Service Provider directory server. Links to this resource found in Identity Manager users are not migrated.
Enter an Identity Attribute.
This is the Identity Manager user attribute that contains the short unique identity for the directory user.
Select an Identity Rule from the list.
This is an optional rule that may calculate the name of the directory user from attributes of the Identity Manager user. The Identity rule can calculate a simple name (typically the UID), which is then processed through the identity template of the Resource to form the directory server distinguished name (DN). The rule may also return a fully specified DN, which bypasses the identity template.
Click Launch to start the background migration task.
In a Service Provider implementation, Identity Manager’s audit logging system audits events related to extranet user activities. Identity Manager provides the Service Provider audit configuration group (enabled by default) that specifies the audit events logged for Service Provider users. See Figure 17–16.
For more information about audit logging, and about modifying events in the Service Provider audit configuration group, see Chapter 10, Audit Logging.