Sun Java System Identity Server 2004Q2 Technical Overview 

Chapter 1
Overview of Identity Server

Sun Java System Identity Server is an identity management solution designed to meet the needs of rapidly expanding enterprises. Identity Server enables you to get identities for your employees, your partners and suppliers into one online directory. Then it provides a means for establishing policies and permissions regarding who has access to which information in your enterprise. Identity Server is the key to all your data, your services, and who has access to what—it’s the key to all your internal and external business relationships.

This chapter provides an overview of Identity Server and how its components work together. Topics include:


An Identity Management Paradigm

Think of all the different types of information a company must store and be able to make available through its enterprise. Now consider the various enterprise users who must make use of that information in order for the company’s business to run smoothly. For example, the following are routine information transactions that occur every day in a typical company:

In each of these examples, the company must determine who is allowed to view its information or use its applications. Some information such as the company’s product descriptions and advertising can be made available to everyone, even the public at large, in the company’s online catalog. Other information such as accounting and human resources information must be restricted to only employee use. And some internal information is appropriate to share with partners and suppliers, but not with customers.

The Problem

Many enterprises grant access to information on a per-application basis. For example, an employee might have to set up a user name and password to access the company’s health benefits administration website, and a separate user name and password to access the accounting department online forms. A customer sets up a user name and password to access the “Customers” branch of the company website. For each website or service, there is an administrator who converts the enterprise user’s input into a data format that the service can recognize. Each service added to the enterprise must be provisioned and maintained separately.

The Solution

Identity Server reduces the administrative costs and eliminates the redundant user information associated with per-application solutions. Identity Server creates a single record or directory entry for each enterprise user, and enables an administrator to assign specific rules or policies governing which information or services each user can access. Policy agents can be deployed on application or web servers to enforce the policies. Together, a user’s directory entry and its associated access policies comprise the user’s enterprise identity. Identity Server makes it possible for a user to access many resources in the enterprise with just one identity.


How Identity Server Works

When an enterprise user or an external application tries to access content stored on a company’s web server, the policy agent intercepts the request and directs it to Identity Server. Identity Server asks the user to present credentials such as a username and password. If the credentials match those stored in the central Directory Server, Identity Server verifies that the user is who he says he is. Next, Identity Server evaluates the policies associated with the user’s identity, and then determines whether the user is allowed to view the requested information.

Finally, Identity Server either grants or denies the user access to the information. Figure 1-1 illustrates one way Identity Server can be configured to act as the gatekeeper to a company’s information resources.

Figure 1-1  Identity Server is the gatekeeper to a company’s enterprise resources.

Figure 1-1 illustrates how Identity Server intercepts requests from customers, employees, and administrators before allowing or denying access.
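The following is an added example, not Identity Server code, that models the gatekeeper flow just described in Python: a policy agent intercepts a request for a resource, sends the caller to authenticate against a central directory when the resource is not public, and then evaluates the policies attached to the resulting session before answering allow or deny. The directory entries, passwords, roles, policy rules and URLs are all constructed for the example; a real deployment keeps salts per user and stores policies centrally rather than in a module-level table.

```python
import hashlib
import hmac

# Constructed demo salt. A real directory stores a distinct salt per user.
_SALT = b"constructed-demo-salt"


def _hash(password):
    """Derive a password verifier; the same function is used at enrolment and login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


# Constructed "central directory": one entry per user, with roles instead of raw ACIs.
DIRECTORY = {
    "alice": {"pwd": _hash("alice-pw"), "roles": {"employee", "hr"}},
    "bob":   {"pwd": _hash("bob-pw"),   "roles": {"employee"}},
    "carol": {"pwd": _hash("carol-pw"), "roles": {"partner"}},
}

# Constructed policies: resource prefix -> roles permitted ("*" means public).
POLICIES = {
    "http://www.example.com/catalog/":    {"*"},
    "http://www.example.com/intranet/":   {"employee", "partner"},
    "http://www.example.com/accounting/": {"employee"},
    "http://www.example.com/hr/":         {"hr"},
}


def authenticate(uid, password):
    """Return a session (uid plus roles) if the credentials match the directory, else None."""
    entry = DIRECTORY.get(uid)
    candidate = _hash(password)  # always hash, so timing does not reveal which uids exist
    if entry is None or not hmac.compare_digest(entry["pwd"], candidate):
        return None
    return {"uid": uid, "roles": set(entry["roles"])}


def evaluate_policy(session, resource):
    """Longest matching resource prefix wins; no matching policy means deny."""
    match = max((p for p in POLICIES if resource.startswith(p)), key=len, default=None)
    if match is None:
        return False  # default deny
    allowed = POLICIES[match]
    if "*" in allowed:
        return True
    return session is not None and bool(allowed & session["roles"])


def agent_handle(resource, uid=None, password=None):
    """What the policy agent answers for one intercepted request."""
    if evaluate_policy(None, resource):
        return "allow"  # public resource, no login needed
    if uid is None:
        return "redirect-to-login"  # agent sends the caller to Identity Server
    session = authenticate(uid, password)
    if session is None:
        return "authentication-failed"
    return "allow" if evaluate_policy(session, resource) else "deny"


if __name__ == "__main__":
    for args in [("http://www.example.com/catalog/widgets",),
                 ("http://www.example.com/hr/benefits",),
                 ("http://www.example.com/hr/benefits", "alice", "alice-pw"),
                 ("http://www.example.com/hr/benefits", "bob", "bob-pw"),
                 ("http://www.example.com/accounting/forms", "carol", "carol-pw")]:
        print(args[0], args[1:2], "->", agent_handle(*args))
```

Note that a resource with no policy at all is denied even to an authenticated user, and that the agent never sees the password verifier: authentication and policy evaluation both happen on the server side, which is the point of routing every request through Identity Server.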

Identity Server consolidates four major features into a single product that can be viewed in a single administration console:

Identity Administration

Identity Server provides an identity framework for creating and managing directory objects such as organizations, groups, roles, and userIDs. When you use Identity Server to create or modify user objects, you update the entries stored in Directory Server. Identity Server schema includes pre-defined administrator userIDs and associated access control instructions (ACIs). This makes it possible to delegate user management tasks to various administrators—and to non-administrators as well—in the enterprise. The Identity Management functionality is further described in Chapter 2, "Identity Management".

Access Management

Identity Server implements authentication service and policy administration to regulate access to a company’s information and applications. These features make it possible to verify that a user is who he says he is, and that the user is authorized to access web or application servers deployed within the enterprise. The Access Management functionality is further described in Chapter 3, "Access Management".

Service Management

Identity Server provides a service management SDK that gives application developers the interfaces necessary to register and un-register services as well as to manage schema and configuration information. It also provides a number of services that it uses for authentication and for its own administration. The Service Management functionality is further described in Chapter 4, "Services Management".

Federation Management

Identity federation allows a user to link the many local identities he has configured among multiple service providers. With one federated identity, the individual can log in at one service provider’s site and move to an affiliated service provider site without having to re-authenticate or re-establish his identity. The Federation Management functionality is further described in Chapter 5, "Federation Management".


Identity Server Architecture

Identity Server uses a Java technology-based architecture for scalability, performance, and ease of development. It leverages industry standards including the following:

Figure 1-2 illustrates how Identity Server integrates all of these technologies and connects to Directory Server. The Identity Server common identity infrastructure is built upon Directory Server, which uses the LDAP protocol.

Figure 1-2  Identity Server Architecture.

Figure 1-2 illustrates how the J2EE Web Agent, Web Container, and Identity Server APIs work together with Directory Server.

Sun Java System Directory Server

In an Identity Server deployment, Directory Server acts as the centralized repository for user identities. Identities are stored as directory entries using the LDAP protocol and Directory Services Markup Language (DSML). LDAP is the “lightweight” version of the Directory Access Protocol (DAP) used by the ISO X.500 standard. DSML enables you to represent directory entries and commands in XML. This makes it possible for XML-based applications using HTTP to take advantage of directory services while making full use of the existing web infrastructure.
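As an added example (not Directory Server or Identity Server code), the Python below serialises a directory entry into the DSML v1 element structure (dsml, directory-entries, entry, objectclass/oc-value, attr/value) and parses such a document back into entry, object classes and attributes, which is the representation an XML-over-HTTP application would exchange with a directory. The DN, object classes and attribute values are constructed, and only the small subset of DSML needed for entries is covered.

```python
import xml.etree.ElementTree as ET


def entry_to_dsml(dn, objectclasses, attrs):
    """Render one LDAP entry as a DSML v1 document string."""
    root = ET.Element("dsml")
    entries = ET.SubElement(root, "directory-entries")
    entry = ET.SubElement(entries, "entry", dn=dn)
    oc = ET.SubElement(entry, "objectclass")
    for c in objectclasses:
        ET.SubElement(oc, "oc-value").text = c
    for name, values in attrs.items():
        attr = ET.SubElement(entry, "attr", name=name)
        for v in values:  # LDAP attributes are multi-valued
            ET.SubElement(attr, "value").text = v
    return ET.tostring(root, encoding="unicode")


def dsml_to_entries(xml_text):
    """Parse a DSML v1 document into a list of (dn, objectclasses, attrs) tuples.

    For documents received from an untrusted client, parse with defusedxml instead
    of the standard-library parser to limit entity-expansion attacks.
    """
    root = ET.fromstring(xml_text)
    result = []
    for entry in root.iter("entry"):
        dn = entry.get("dn")
        if not dn:
            raise ValueError("DSML entry without a dn attribute")
        ocs = [v.text for v in entry.findall("objectclass/oc-value")]
        attrs = {a.get("name"): [v.text for v in a.findall("value")]
                 for a in entry.findall("attr")}
        result.append((dn, ocs, attrs))
    return result


# Constructed sample entry used by the self-test below.
SAMPLE_DN = "uid=alice,ou=people,dc=example,dc=com"
SAMPLE_OCS = ["top", "person", "inetOrgPerson"]
SAMPLE_ATTRS = {"uid": ["alice"], "mail": ["alice@example.com"],
                "memberOf": ["cn=hr,ou=groups,dc=example,dc=com",
                             "cn=employees,ou=groups,dc=example,dc=com"]}


def round_trip():
    """Serialise the sample entry and parse it back; returns the parsed list."""
    return dsml_to_entries(entry_to_dsml(SAMPLE_DN, SAMPLE_OCS, SAMPLE_ATTRS))


if __name__ == "__main__":
    print(entry_to_dsml(SAMPLE_DN, SAMPLE_OCS, SAMPLE_ATTRS))
    print(round_trip())
```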

Identity Server Components

Identity Server functions are delivered as a collection of Java servlets, JavaBeans components, and JSP modules. Authentication Service, Policy Service, and an Administration Console are examples of such functions. These run inside the Java virtual machine of a J2EE container such as Sun Java System Web Server or Sun Java System Application Server.

Identity Server includes APIs for Single Sign-On, Logging, Identity, Federated Identity, Policy, SAML, and more. These public Java APIs provide an interface that external applications can use to implement either default or customized behavior.

Policy agents are an integral part of the identity management solution. Installed on web servers or web proxy servers in the enterprise, policy agents protect individual servers from unauthorized intrusions.


What’s New in This Release

New features in Identity Server 2004Q2 include the following:

Enhancements to Federation Management

The Federation Management component in Identity Server 2004Q2 is based on the Liberty 2.0 specification. The Liberty 2.0 architecture consists of a multi-layered set of specifications based on the open standards SAML and SOAP. Identity Server 2004Q2 extends the Identity Federation Framework provided in previous versions and offers two additional Liberty-based frameworks.

For more information, see the Identity Server 2004Q2 Federation Management Guide (http://docs.sun.com/doc/817-6362). This guide contains detailed information about the following three frameworks.

Identity Federation Framework

The Liberty Identity Federation Framework (ID-FF) specifies protocols, schema and profiles for creating a Liberty-enabled environment. Identity Server 2004Q2 extends this framework, which was first offered in Identity Server 6.1.

Liberty Identity Web Services Framework

The Liberty Identity Web Services Framework (ID-WSF) specifies protocols, schema and profiles for implementing identity services such as Identity Service Discovery and invocation. This is new in Identity Server 2004Q2.

Identity Service Instance Specification

The Liberty Identity Service Instance Specification (ID-SIS) uses the Federation Framework and Web Services Framework to provide network identity services. A Personal Profile Service that can be used out of the box, and a sample Employee Profile Service, are included with Identity Server. The framework and services are new in Identity Server 2004Q2.

Enhancements to SAML

Identity Server 2004Q2 implements all mandatory parts of the Security Assertion Markup Language (SAML) 1.1 specifications, which are also used in the Liberty 2.0 specifications. The SAML 1.0 specifications implemented in Identity Server 6.1 continue to be supported. Identity Server 2004Q2 uses the SAML 1.0 format for Liberty 1.1 data; for Liberty 2.0 data, SAML 1.1 is used. The versioning of all SAML requests, responses, and data elements is handled automatically. All new features defined in the SAML 1.1 specifications will be implemented.

Customized JAAS Authorization Framework

Identity Server implements and extends the JAAS interface for authorization. The Identity Server implementation offers the following added benefits over the standard JAAS interface:

Enhancements to Administration Console

The Identity Server administration console was enhanced to include the following new features. For detailed information, see the Identity Server Administration Guide (http://docs.sun.com/doc/817-5709).

Centralized Agents Management

Administrators can now view, create, modify and delete agent profiles using the Identity Server administration console.

Display Options and Available Actions

You can now use the Display Options view to customize the way in which Identity Server objects such as organizations, roles, and containers are displayed in the Identity Server console. Not all display options are available for all object types. For certain Identity Server object types, you can define user access rights through the Available Actions view.

Session Failover for Application Server

Identity Server 2004Q2 provides session failover using Sun Java System Application Server 7.0.0_01 Enterprise Edition (EE) as a web container.

Session failover automatically and transparently redirects an Identity Server request to a secondary server if the primary server fails because a hardware or software problem occurs or if the server is temporarily shut down.


Note

Application Server 7.0.0_01 EE is not a component of the Sun Java Enterprise System 2004Q2 release. To obtain a copy of this release, contact your Sun Microsystems technical representative.


For more information, see the Identity Server Deployment Planning Guide (http://docs.sun.com/doc/817-5707).

Nested Groups Support

This release of Identity Server supports nested groups, which are “representations” of existing groups contained in a single group. Unlike sub-groups, nested groups can exist anywhere in the directory information tree (DIT). Nested groups allow you to quickly set up access permissions for a large number of users. For detailed information on nested groups, see the Identity Server Administration Guide (http://docs.sun.com/doc/817-5709).
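The following added example, which is not Identity Server code, shows what an access check has to do once permissions are granted to a nested group: walk the group tree to compute the effective membership, while tolerating a membership cycle (a group that, through nesting, contains itself) so that the check terminates. The group DNs, user DNs and memberships are constructed; the group table stands in for what would be read from the directory.

```python
# Constructed group table: group DN -> (direct member user DNs, nested group DNs).
GROUPS = {
    "cn=all-staff,ou=groups,dc=example,dc=com": (
        {"uid=ceo,ou=people,dc=example,dc=com"},
        {"cn=engineering,ou=groups,dc=example,dc=com",
         "cn=sales,ou=groups,dc=example,dc=com"},
    ),
    "cn=engineering,ou=groups,dc=example,dc=com": (
        {"uid=alice,ou=people,dc=example,dc=com",
         "uid=bob,ou=people,dc=example,dc=com"},
        {"cn=platform,ou=groups,dc=example,dc=com"},
    ),
    "cn=platform,ou=groups,dc=example,dc=com": (
        {"uid=dave,ou=people,dc=example,dc=com"},
        # Deliberate cycle: platform nests engineering, which nests platform.
        {"cn=engineering,ou=groups,dc=example,dc=com"},
    ),
    "cn=sales,ou=groups,dc=example,dc=com": (
        {"uid=carol,ou=people,dc=example,dc=com"},
        set(),
    ),
}


def effective_members(group_dn, groups=GROUPS):
    """Return every user DN reachable from group_dn through any depth of nesting.

    A visited set guarantees each group is expanded once, so cycles cannot loop.
    Unknown group DNs contribute no members.
    """
    members, visited, stack = set(), set(), [group_dn]
    while stack:
        g = stack.pop()
        if g in visited:
            continue
        visited.add(g)
        direct, nested = groups.get(g, (set(), set()))
        members |= direct
        stack.extend(nested)
    return members


def is_member(user_dn, group_dn, groups=GROUPS):
    """The question a policy evaluation asks before granting a group-scoped right."""
    return user_dn in effective_members(group_dn, groups)


if __name__ == "__main__":
    for dn in sorted(effective_members("cn=all-staff,ou=groups,dc=example,dc=com")):
        print(dn)
```

Because the traversal is done at evaluation time, adding one nested group under all-staff is enough to extend a permission to every user below it; the cost is that every check walks the tree, which is why products typically cache resolved memberships or store them as a flattened attribute.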

Configuration and Tuning Scripts

Identity Server 2004Q2 provides new scripts for post-installation configuration and for performance tuning. For detailed information on the following scripts, see the Identity Server Administration Guide (http://docs.sun.com/doc/817-5709).

Configuration Script

After you have installed the first instance of Identity Server using the Java Enterprise System installer, you can use the amconfig script to reconfigure the instance, or to deploy and configure additional Identity Server instances. First you edit the configuration variables in the silent mode input file, and then you run the amconfig script.

Tuning Scripts

The amtune scripts allow you to tune the performance of Identity Server, as well as optimize the performance settings for various components of your Identity Server deployment.

Enhancements to Authentication

For detailed information about the following new features, see the Identity Server Developer’s Guide (http://docs.sun.com/doc/817-5710):

JAAS Shared State

The JAAS shared state provides sharing of both user ID and password between authentication modules. Options are defined for each authentication module in the Authentication Configuration for each of the following objects:

Upon failure, the module prompts for its required credentials. After failed authentication, the module stops running, or the logout shared state clears

Agent Authentication

Agent authentication is now supported in LDAP and Application authentication modules.

Java Database Connectivity Authentication Module Sample

Java Database Connectivity (JDBC) technology provides authentication of users against an external database such as Oracle, MySQL, or Sybase. This module leverages container-provided connection pools and has a pluggable password transform that handles varying password encryption formats. This module also allows you to configure the SQL statement that is used to retrieve a password from the database.

The JDBC sample provided with this Beta version of Identity Server 2004Q2 is not an officially supported authentication module. The sample and related information are located in this directory:

IdentityServer_base/SUNWam/samples/authentication/spi/jdbc
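The Python below is an added example, not the JDBC sample shipped with Identity Server, that demonstrates the two configuration points the module description mentions: a configurable SQL statement for retrieving the stored password, and a pluggable transform that turns the submitted password into the stored format before comparison. It uses an in-memory SQLite table with constructed users in place of an Oracle, MySQL or Sybase database; the transform names and the table layout are assumptions for the example. The retrieval statement is a parameterised query, so a username containing SQL syntax is compared as literal data rather than changing the statement.

```python
import hashlib
import hmac
import sqlite3

# Pluggable transforms: submitted password -> stored format (names are constructed).
# Unsalted SHA-256 is shown only because legacy tables store it; a salted KDF is preferable.
PASSWORD_TRANSFORMS = {
    "plaintext": lambda pw: pw,
    "sha256-hex": lambda pw: hashlib.sha256(pw.encode()).hexdigest(),
}

# The configurable retrieval statement. The "?" placeholder is bound by the driver;
# the username is never concatenated into the SQL text.
DEFAULT_PASSWORD_QUERY = "SELECT password FROM users WHERE username = ?"


def setup_demo_db():
    """Create a constructed in-memory users table standing in for the external database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", hashlib.sha256(b"alice-pw").hexdigest()),  # sha256-hex format
        ("bob", "bob-pw"),                                      # legacy plaintext row
    ])
    conn.commit()
    return conn


def authenticate(conn, username, password, transform="sha256-hex",
                 query=DEFAULT_PASSWORD_QUERY):
    """Fetch the stored password with the configured statement and compare in constant time."""
    if transform not in PASSWORD_TRANSFORMS:
        raise ValueError("unknown password transform: %s" % transform)
    row = conn.execute(query, (username,)).fetchone()
    if row is None:
        return False  # unknown user; same result as a wrong password
    candidate = PASSWORD_TRANSFORMS[transform](password)
    return hmac.compare_digest(row[0].encode(), candidate.encode())


if __name__ == "__main__":
    db = setup_demo_db()
    print("alice/alice-pw:", authenticate(db, "alice", "alice-pw"))
    print("alice/wrong:   ", authenticate(db, "alice", "wrong"))
    print("bob (legacy):  ", authenticate(db, "bob", "bob-pw", transform="plaintext"))
```

In a container deployment the connection would come from the container's pool rather than from sqlite3.connect, and the query string and transform name would be read from the module's configuration; the comparison logic stays the same.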

Java Card Digital Identity Authentication Module Sample

The Java Card Digital Identity (JCDI) Authentication module provides for authentication of Java Card (Certificate and Serial Number) using the com.sun.jndi.ldap.LdapCtxFactory class. The JCDI authentication sample demonstrates the use of Java Card authentication with Identity Server. The sample has two components:

The remote client component is located in the following directory:

IdentityServer_base/samples/authentication/api/jcdi

The server JCDI authentication module is located in the following directory:

IdentityServer_base/samples/authentication/spi/jcdi

The JDBC sample provided with this Beta version of Identity Server 2004Q2 is not an officially supported authentication module.

Windows Desktop Single Sign-On

Kerberos authentication is supported in this release of Identity Server. A new Windows Desktop Single Sign-On module allows a client or user who has already been authenticated by a Kerberos Key Distribution Center (KDC) to be authenticated by Identity Server without having to provide the login information again. Microsoft Internet Explorer (5.01 or newer) on Windows 2000 or later is the only client that currently supports this protocol; therefore the module is designed for Windows desktop users. JDK 1.4 or above is required to use the new features of the Kerberos V5 authentication module, and the Java GSS APIs are required to perform Kerberos-based SSO in this module.





Copyright 2004 Sun Microsystems, Inc. All rights reserved.