Sun Java System Identity Server 2004Q2 Deployment Planning Guide
Chapter 1
Introduction
Sun Java System Identity Server (formerly Sun ONE Identity Server) provides an infrastructure for an organization to administer the processes used to manage the digital identities of the customers, employees, and partners who use its web-based services and non-web-based applications. Because these resources may be distributed across a wide range of internal and external computing networks, attributes, policies, and controls are defined to manage access to them.
This introductory chapter describes the basic principles behind a deployment of Identity Server. It contains the following sections:
What is Identity Management?
Modern enterprises maintain an advanced information technology infrastructure to facilitate the management of their daily operations. Integral parts of this infrastructure might include:
- Network servers running disparate operating systems
- Information data stores
- Human resources, payroll, and contract management systems
- Line-of-business applications for accounting, supply chain management, and resource planning
- Customer relationship management (CRM) systems that integrate sales, marketing, customer service, field support, and other client-related functions
- E-commerce applications for shopping and secure credit card transactions
Because they are deployed individually, each of these systems separately tracks users, controlling what they can and cannot see and do. This tracking process generally includes the management of identity data such as a personal profile, authentication information, and access controls. Identity management simplifies the administration of this duplicated and often contradictory data.
The Identity Management Infrastructure
Implementing a single infrastructure to manage all users across an enterprise is the objective of an identity management system. One identity management system simplifies the administration of user profiles by eliminating repetition and therefore maintaining consistency. One system also streamlines, simplifies and automates the identity management processes. The building blocks of an identity management system include:
- Identity administration provides an infrastructure to support the creation and maintenance of identities and their corresponding attributes, credentials and entitlements. This function includes:
- Security services enable user identification to remain consistent across a network. This function includes:
- Access controls define a user’s entitlements (how and when they can use disparate resources). These controls tend to specify the user’s role within the organization. By creating and applying centralized policies and roles, an organization can delegate responsibilities to its customers, employees, and partners.
- Federation services provide authentication and authorization between independent information systems.
- A corporate LDAP directory acts as the authoritative data store for all identity information as well as the configuration information for the identity management system itself.
These building blocks are further illustrated by Figure 1-1.
Figure 1-1 Building Blocks Of An Identity Management Solution
The Life Cycle of an Identity Profile
The challenges of identity management can be summed up by taking into account the life cycle of a typical identity profile. The three stages of an identity within an organization are:
- Creating a Profile
An identity profile is created when a user joins the organization. The profile might include personal information, employment data, password information and defined access privileges.
- Maintaining the Profile
After setup, profiles must be managed. This might include modifying the profile data, maintaining policies for resource access, or updating access control instructions.
- Disabling the Profile
When a user leaves, their profile needs to be flagged as such, and their access to system resources disabled.
Sun Java System Identity Server
Sun Java System Identity Server is a package of integrated, standards-based middleware that provides web services to support access management, federation, and identity administration. This makes Identity Server a total identity management solution, integrating the ability to create and maintain user profiles with security processes, access management tools, and a directory for data storage. These capabilities enable an organization to deploy a comprehensive system that protects its resources and information and securely delivers its web-based applications.
Access Management
Access management provides a common authentication and authorization infrastructure to replace ad hoc and application-specific authentication and authorization methods. From a central point of administration, organizations can provide policy-based control of access to multiple services. The collection of access management services in Identity Server provides the following functionality.
Single Sign-On (SSO)
Single sign-on functionality enables a user to authenticate once yet gain access to multiple resources. Identity Server supports SSO for web-based applications, and provides programmatic interfaces to integrate the SSO functionality into applications that are not web-based.
Pluggable Authentication
The Java Authentication and Authorization Service-based (JAAS) authentication framework supports a variety of pluggable authentication modules, including LDAP, Remote Authentication Dial-In User Service (RADIUS), X.509 digital certificates, SecurID®, SafeWord®, UNIX® (PAM-based), Windows® NT, HTTP Basic Authentication, Anonymous, and Self-registration.
The framework also allows for the development of custom authentication modules using the provided authentication service provider interfaces (SPI). Authentication can be configured to support the needs of a variety of organizations, roles, or users simultaneously in the same system, and supports multi-factor chained configurations.
Multi-level authentication allows resources to be assigned a different level of required authentication based on the sensitivity of the data or service. The Authentication Service can be accessed via web-based, Java, C, and XML interfaces.
Policy Evaluation
The Policy Service allows centralized configuration and evaluation of access management rules that can be mapped onto a variety of role and grouping mechanisms. Policy constraints such as IP address, day and time or custom conditions can be applied to a policy and evaluated at runtime.
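As an added illustration (not Identity Server's own policy engine or configuration format): a small Python evaluator for one policy made of a rule, a subject, and IP-address and day-and-time conditions, all constructed for this example. It shows how each condition is checked at request time and how any request the policy does not cover falls through to a default deny.

```python
import ipaddress
from datetime import datetime, time
from typing import Dict, List

# Constructed policy: a rule (resource plus allowed actions), the subject it
# applies to, and the runtime conditions under which it is granted.
POLICY = {
    "rule": {"resource": "http://intranet.example.com/payroll/*",
             "actions": {"GET", "POST"}},
    "subjects": {"role": "hr-staff"},
    "conditions": {
        "ip_ranges": ["10.0.0.0/8"],                 # internal network only
        "time_window": (time(8, 0), time(18, 0)),    # business hours
        "days": {0, 1, 2, 3, 4},                     # Monday..Friday (weekday())
    },
}

def resource_matches(pattern: str, resource: str) -> bool:
    """Trailing-wildcard match: 'http://host/path/*' covers everything below /path/."""
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource

def conditions_hold(conds: Dict, client_ip: str, now: datetime) -> bool:
    """Every condition must hold: source address, time of day, and day of week."""
    ip = ipaddress.ip_address(client_ip)
    in_range = any(ip in ipaddress.ip_network(net) for net in conds["ip_ranges"])
    start, end = conds["time_window"]
    in_hours = start <= now.time() <= end
    in_days = now.weekday() in conds["days"]
    return in_range and in_hours and in_days

def evaluate(policy: Dict, user_roles: List[str], resource: str, action: str,
             client_ip: str, now: datetime) -> str:
    """Return 'allow' only when rule, subject and all conditions match; otherwise 'deny'."""
    rule = policy["rule"]
    if not resource_matches(rule["resource"], resource) or action not in rule["actions"]:
        return "deny"          # the policy does not cover this request: default deny
    if policy["subjects"]["role"] not in user_roles:
        return "deny"          # subject not entitled
    if not conditions_hold(policy["conditions"], client_ip, now):
        return "deny"          # a runtime condition failed
    return "allow"
```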
Federation Management
Because the Internet is fast becoming the prime vehicle for business, community, and personal interactions, it has become necessary to fashion a system for users to aggregate their various account identities, enabling them to have one network identity. This system is identity federation. Identity federation allows a user to associate, connect, or bind multiple Internet service providers’ local identities. One network identity allows users to log in to one service provider’s site and then move to an affiliated site, without having to reauthenticate or reestablish their identity.
Identity Server provides full implementations of Liberty 1.1 and SAML 1.0. This includes complete profile implementations, as well as SDK support for custom integration. Multi-hosting of Liberty identity and service providers is supported.
Liberty Alliance Project
Federation management provides a way to view, manage, and configure the metadata pertaining to authentication domains and providers. The Liberty Alliance Project, which was formed to make identity federation a reality, is comprised of more than two billion customers and 138 member companies representing a wide variety of industries. Its mission is to address the problem of fragmented identities by delivering and supporting a federated network identity solution that enables single sign-on for consumers and business users.
Thus, a Liberty-enabled application can federate (or link) its user accounts with those of another Liberty-enabled application, and accomplish single sign-on between the two applications. Identity Server implements the Liberty Alliance Project’s specifications.
Security Assertion Markup Language (SAML)
SAML is a key enabler of business-to-business infrastructure. An application can use the SAML API integrated into Identity Server to exchange security information and execute business transactions with other trusted applications. An end user can employ a web browser to authenticate to Identity Server, then seamlessly access external URLs at trusted sites via an intersite transfer URL. Developers can use the SAML API in their applications to exchange authentication, authorization, and attribute information between trusted external applications.
Identity Management
Identity management itself provides an extensible browser-based interface that allows for user provisioning, policy configuration, and service management. The Identity Server console allows centralized identity management through a single interface, but administration can also be delegated to other administrators, such as local group managers and external partners, or even to end users.
User Profile Management
Simply put, user profile management is the creation and deletion of identity profiles. But it also entails delegating the management of those profiles to the administrators who know them, as well as offering a self-service component where users can subscribe to a service or application, create a new user account, and manage their own profiles (password changes, updating home addresses, and so on).
Policy Configuration
Policy configuration is the definition of the rules that are evaluated during access authorization. Delegation allows top-level administrators to distribute the configuration and management of policies to individuals at all levels of the organization, ensuring that it is entrusted to people with authority over the resources.
Service Management
Service management allows the configuration, registration and administration of web services and their corresponding attributes. Identity Server also provides an interface for the services that it uses for its own administration.
Auditing
Administrators can use highly configurable logging functions to generate detailed reports on user activity, traffic patterns, and authentication and authorization violations. These functions can also be used to perform security-level audits on resource access. Message Authentication Code (MAC) and digital signature-based log security detects any tampering with log or audit records. A debug function can also be enabled.
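As an added illustration of the MAC-based tamper detection described above (not Identity Server's own log format or code): a Python HMAC chain over constructed audit records, where each record's MAC covers the record body and the previous MAC, so a verifier holding the key detects an edited or deleted entry. The key and records are constructed for the example; the digital signatures the product layers over its logs are not shown.

```python
import hashlib
import hmac
import json
from typing import List

# Constructed demo key; a real deployment keeps the log MAC key in a protected keystore.
LOG_KEY = b"demo-key-not-for-production"

def mac_record(key: bytes, prev_mac: str, record: dict) -> str:
    """MAC over the previous entry's MAC plus this record's canonical body."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev_mac.encode() + body, hashlib.sha256).hexdigest()

def write_log(key: bytes, records: List[dict]) -> List[dict]:
    """Return the records with a 'mac' field, each chained to its predecessor."""
    prev, out = "", []
    for record in records:
        entry = dict(record)
        entry["mac"] = mac_record(key, prev, record)
        prev = entry["mac"]
        out.append(entry)
    return out

def verify_log(key: bytes, entries: List[dict]) -> int:
    """Return -1 if the whole chain verifies, else the index of the first bad entry."""
    prev = ""
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = mac_record(key, prev, body)
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i          # edited body, edited MAC, or a missing predecessor
        prev = entry["mac"]
    return -1

# Constructed sample audit records (not product log output).
SAMPLE = [
    {"time": "2004-06-01T09:00:00Z", "user": "alice", "event": "AUTH_SUCCESS"},
    {"time": "2004-06-01T09:05:12Z", "user": "bob", "event": "AUTH_FAILURE"},
    {"time": "2004-06-01T09:07:40Z", "user": "alice", "event": "POLICY_DENY"},
]

def demo_tamper() -> tuple:
    """Verify a clean chain, then a chain with one record rewritten, then one with a record removed."""
    entries = write_log(LOG_KEY, SAMPLE)
    clean = verify_log(LOG_KEY, entries)
    edited = [dict(e) for e in entries]
    edited[1]["event"] = "AUTH_SUCCESS"            # a failed login rewritten as a success
    removed = entries[:1] + entries[2:]             # the same record deleted outright
    return clean, verify_log(LOG_KEY, edited), verify_log(LOG_KEY, removed)
```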
Policy Agents
Access control in Identity Server is enforced using policy agents, which protect content on the designated web servers, application servers, and proxy servers from unauthorized intrusions. Identity Server supports both policy agents that protect web and proxy servers at the URL level as well as the Java 2 Platform, Enterprise Edition (J2EE) policy agents that enforce access on Java technology-enabled application servers. For more information, see Integrating Identity Server Using a Policy Agent.
Identity Server Console
The Identity Server console is a browser-based interface for creating, managing, and monitoring the identities, services, and policies configured throughout an Identity Server deployment. It is built with Sun Java System Application Framework, a J2EE framework used to help developers build functional web applications. XML files, JavaServer Pages (JSP) and Cascading Style Sheets (CSS) are used to define the look of the HTML pages.
Programmatic Interfaces
Non-graphical interfaces include the APIs, SPIs, and command line tools used to extend and customize Identity Server and allow other applications to access its functionality. More information on the APIs and SPIs can be found in Identity Server SDK and in the Identity Server 2004Q2 Developer’s Guide. Additional information on the command line tools can be found in the Identity Server 2004Q2 Administration Guide.
Sun Java System Directory Server
Sun Java System Directory Server acts as the integrated data repository for storing identity, policy, configuration, and service information.
Deploying Identity Server
Identity Server is designed on an open-standards platform that can be used to integrate its authentication, authorization, single sign-on, policy, identity, and administration capabilities with existing infrastructures. Its functions are delivered as a collection of Java servlets, JavaBeans, and JSPs that run inside the Java Virtual Machine (JVM) of the web container and can access the API and various server frameworks. Integrating Identity Server into a corporate infrastructure can accomplish the following tasks:
- Eliminate ad hoc or proprietary utilities.
- Achieve secure authentication, access control and auditing across multiple web and application services.
- Implement centralized administration of identities with delegation capabilities [using configured levels of access control instructions (ACIs)] that allows an organization to:
- Configure the centralized policy framework to provide an authorization functionality to currently running applications and newly deployed services.
- Integrate federation management with support for both the Liberty Alliance specifications (v1.1) and SAML.
Integrating Identity Server Using a Policy Agent
Identity Server 2004Q2 is a complete identity management system; however, your organization might have already implemented aspects of an identity management system. For example, you might have already deployed a directory server or a web container. To allow Identity Server to interoperate with other systems, you can download and install a policy agent on the protected server, if an agent is available that meets your organization’s requirements.
New policy agents are being developed and released concurrently with each release of Identity Server. For example, policy agents are available for various releases of Apache Webserver, BEA WebLogic, IBM HTTP Server, IBM WebSphere, Lotus Domino, Microsoft IIS, and PeopleSoft.
Operating systems that have available policy agents include the Solaris Operating System (SPARC® Platform Edition and x86 Platform Edition), Red Hat Linux, HP-UX 11.x, and Windows 2000.
Deployment Road Map
Mapping out your Identity Server integration is imperative to ensuring its success. This will include collecting information concerning hardware, currently deployed applications, identity data and access hierarchy. Identity Server deployment can be broken down into the following phases:
Deployment Planning Guide Chapters
The following chapters in this guide follow the phases detailed in the Deployment Road Map:
- Chapter 2, "Planning The Deployment"—defines a methodology (including goals and challenges) for assessing the current state of your organization’s identity management solution and defining future requirements.
- Chapter 3, "Identity Server Architecture"—provides a high-level architectural overview of all components of the Identity Server product.
- Chapter 4, "Pre-Deployment Considerations"—helps to analyze specific requirements, including hardware, sources of data, and technical expertise.
- Chapter 5, "Deployment Scenarios"—details simple scenarios for planning a topology and deploying the application.
Additional appendices have been added to the Identity Server 2004Q2 Deployment Planning Guide for further edification. They include:
- Appendix A, "Installed Product Layout"—details the directories and files created during the installation of Identity Server.
- Appendix B, "The User Session Life Cycle"—details the session objects used to track user interaction with web applications across multiple HyperText Transfer Protocol (HTTP) requests.
- Appendix C, "Authenticate Against Active Directory"—contains information on how to authenticate users against Microsoft Active Directory®.
- Appendix F, "Authenticate Against RADIUS Servers"—contains information on how to authenticate users against a Remote Authentication Dial-In User Service (RADIUS) server.
- Appendix D, "Installing in a chroot Environment"—contains information about running Identity Server in a chroot environment, which can prevent malicious programs from accessing the real root file system.
Related Identity Server Documentation
Additional information on Identity Server can be found in the following manuals:
- Installation—For installation information, see the Sun Java Enterprise System 2004Q2 Installation Guide.
- Migration—For information on migrating existing data and updating previous versions of Identity Server, see the Sun Java Enterprise System 2004Q2 Installation Guide and the Identity Server 2004Q2 Migration Guide.
- Administration—For information on how to use the console and administer an Identity Server deployment, see the Identity Server 2004Q2 Administration Guide.
- Customization—For information on how to customize the application, see the Identity Server 2004Q2 Developer's Guide.