Sun OpenSSO Enterprise 8.0 Administration Guide

Subjects

A subject defines the user or collection of users (for instance, a group or those who possess a specific role) that the policy affects. The general rule for subjects is that the policy would apply only if the user is a member of at least one subject in the policy. The default subjects are:

Authenticated Users

This subject type implies that any user with a valid SSOToken is a member. Thus, all authenticated users are members of this subject even if they authenticated to a realm different from the one in which the policy is defined. This is useful if the resource owner wants to offer access to resources managed for users from other organizations. To restrict access to protected resources belonging to a specific organization, use the Organization subject instead.

OpenSSO Identity Subject

This subject type implies that the identities defined under the Subjects tab of a particular realm can be added as a member.

Web Services Clients

This subject type implies that a web services client (WSC) identified by a valid SSOToken is a member if the Distinguished Name (DN) of any principal contained in the SSOToken matches any value of this subject. Valid values are the DNs of trusted certificates in a local Java keystore that correspond to the certificates of trusted WSCs. This subject type depends on the Liberty Alliance Project Web Services Framework and should be used to authorize WSCs only by service providers that implement it. Also, be sure to create the keystore before you add this subject to a policy.
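The evaluation rule stated above (a policy applies when the session holder is a member of at least one of its subjects) and the membership tests of the three default subjects can be modelled in a few lines. The following is an added illustration written for this page, not code from OpenSSO Enterprise; the SSOToken stand-in, the realm names and the WSC DNs are constructed, and the DN comparison is a deliberately simplified normalization (assumption), not a full RFC 4514 implementation.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Protocol


@dataclass(frozen=True)
class SSOToken:
    """Constructed stand-in for an OpenSSO SSOToken: the authenticated user,
    the realm that authenticated the session and, for a web services client,
    the DNs of the principals the token carries."""
    user: str
    realm: str
    principal_dns: tuple[str, ...] = ()


class Subject(Protocol):
    def is_member(self, token: SSOToken) -> bool: ...


class AuthenticatedUsers:
    """Any holder of a valid SSOToken is a member, whichever realm issued it."""

    def is_member(self, token: SSOToken) -> bool:
        return token.user != ""  # a valid token always names a user


@dataclass(frozen=True)
class Organization:
    """Only sessions authenticated to this realm are members; this is the
    subject to use when access must stay within one organization."""
    realm: str

    def is_member(self, token: SSOToken) -> bool:
        return token.realm == self.realm


def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators so that
    'CN=wsc1, O=Example Corp' and 'cn=wsc1,o=example corp' compare equal.
    Simplified matching (assumption); real DN comparison is more involved."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass(frozen=True)
class WebServicesClients:
    """Member if any principal DN in the token matches a trusted WSC DN.
    In the product the trusted DNs are those of the certificates held in the
    local Java keystore; here they are passed in as constructed strings."""
    trusted_dns: tuple[str, ...]

    def is_member(self, token: SSOToken) -> bool:
        trusted = {normalize_dn(d) for d in self.trusted_dns}
        return any(normalize_dn(d) in trusted for d in token.principal_dns)


def policy_applies(subjects: Iterable[Subject], token: SSOToken) -> bool:
    """The policy's subject test: the policy applies only if the session
    holder is a member of at least one subject. A policy with no subjects
    therefore applies to nobody."""
    return any(s.is_member(token) for s in subjects)


# Constructed sample sessions and trust data.
EMPLOYEE = SSOToken("alice", "/employees")
PARTNER = SSOToken("bob", "/partners")
WSC = SSOToken("wsc1", "/employees", ("CN=wsc1, O=Example Corp",))
TRUSTED_WSC_DNS = ("cn=wsc1,o=example corp",)


if __name__ == "__main__":
    # A partner session passes Authenticated Users but not Organization.
    print(policy_applies([AuthenticatedUsers()], PARTNER))
    print(policy_applies([Organization("/employees")], PARTNER))
    # The WSC token matches on principal DN regardless of case and spacing.
    print(policy_applies([WebServicesClients(TRUSTED_WSC_DNS)], WSC))
```

The contrast between the first two calls is the point of the text's advice: a policy whose only subject is Authenticated Users admits sessions from every realm, so a policy meant for one organization's resources should use the Organization subject.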

The following additional subjects are available by selecting them in the Policy Configuration Service of the realm. If you enable any of them, you should also change the values of the LDAP Bind DN and LDAP Bind Password attributes in the Policy Configuration Service of the realm to reflect valid credentials for the LDAP directory. Note that cn=amldapuser,ou=DSAME Users, beneath the top-level suffix, is not created in the default configuration directory.

LDAP Groups

This subject type implies that any member of an LDAP group is a member of this subject.

LDAP Roles

This subject type implies that any member of an LDAP role is a member of this subject. An LDAP Role is any role definition that uses the Directory Server role capability. These roles have object classes mandated by Directory Server role definition. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.


Note –

Nested roles can be evaluated correctly as LDAP Roles in the subject of a policy definition.


LDAP Users

This subject type implies that any LDAP user is a member of this subject.

OpenSSO Roles (Legacy Mode)

This subject type implies that any member of an OpenSSO Enterprise role is a member of this subject. An OpenSSO Enterprise role is created using OpenSSO Enterprise running in legacy mode with the AMSDK datastore and has object classes mandated by OpenSSO Enterprise. OpenSSO Roles can only be accessed through the hosting OpenSSO Enterprise Policy Service.

Organization

This subject type implies that any member of a realm is a member of this subject.


Note –

All OpenSSO Roles can be used as Directory Server roles. However, not all LDAP roles are OpenSSO Enterprise roles. LDAP roles can be leveraged from an existing directory by configuring the Policy Configuration Service. OpenSSO Enterprise roles can only be accessed through the hosting OpenSSO Enterprise Policy Service. The LDAP Role Search filter can be modified in the Policy Configuration Service to narrow the scope and improve performance.