Sun Java System Identity Server 2004Q2 Developer's Guide 

Contents


List of Figures

List of Tables

List of Procedures

List of Code Examples

About This Guide
Audience for This Guide
Identity Server 2004Q2 Documentation Set
Identity Server 2004Q2 Core Documentation
Identity Server Policy Agent Documentation
Your Feedback on the Documentation
Documentation Conventions Used in This Guide
Typographic Conventions
Terminology
Related Information
Related Third-Party Web Site References

Chapter 2   Introduction
Identity Server Overview
Data Management Components
Identity Server Management Services
Managing Access
Web Access
Application Access
Extending Identity Server
Service Definition With XML
Console Customization
Identity Server SDK
Identity Management SDK
Service Management SDK
Authentication Programming Interfaces
Utility API
Logging API And Logging SPI
Client Detection API
SSO API
Policy SDK
SAML SDK
Federation Management API
Identity Server File System
Client Browser Support

Chapter 3   The Identity Server Console
Overview
Console Interface
Generating The Console Interface
Plug-In Modules
Accessing The Console
Customizing The Console
The Default Console Files
Creating Custom Organization Files
To Create Custom Organization Files
Alternate Customization Procedure
Miscellaneous Customizations
To Modify The Service Configuration Display
To Modify The User Profile View
Display Options For The User Profile Page
To Localize The Console
To Display Service Attributes
To Customize Interface Colors
To Change The Default Attribute Display Elements
To Add A Module Tab
To Display Container Objects
Console API
Precompiling The Console JSP
Console Samples
Modify User Profile Page
Create A Tabbed Identity Management Display
ConsoleEventListener
Add Administrative Function
Add A New Module Tab
Create A Custom User Profile View

Chapter 4   Authentication Service
Overview
Authentication Via A Web Browser
Authentication Via The Java API
Authentication Via The C API
Redirection URLs
Authentication Service Modules
Authentication Configuration Service
Core Authentication Service
Anonymous Authentication Module
Certificate Authentication Module
HTTP Basic Authentication Module
Kerberos Authentication
Windows Desktop SSO Module Overview
Configuring the Windows Desktop SSO Authentication Module
LDAP Authentication Module
Membership Authentication Module
NT Authentication Module
RADIUS Authentication Module
SafeWord Authentication Module
SecurID Authentication Module
UNIX® Authentication Module
Authentication Service User Interface
The User Interface Login URL
Login URL Parameters
goto Parameter
gotoOnFail Parameter
org Parameter
user Parameter
role Parameter
locale Parameter
module Parameter
service Parameter
arg Parameter
authlevel Parameter
domain Parameter
iPSPCookie Parameter
IDTokenN Parameters
File Types Of The User Interface
JavaServer Pages
Authentication Module Configuration Files
JavaScript Files
Cascading Style Sheets
Image Files
Localization Properties Files
Customizing The Authentication User Interface
To Create New Directories For Custom Console Files
To Create A Custom Login Interface
Authentication Methods
Organization-based Authentication
Organization-based Authentication Login URLs
Organization-based Authentication Redirection URLs
Role-based Authentication
Role-based Authentication Login URLs
Role-based Authentication Redirection URLs
Service-based Authentication
Service-based Authentication Login URLs
Service-based Authentication Redirection URLs
User-based Authentication
User-based Authentication Login URLs
User-based Authentication Redirection URLs
Authentication Level-based Authentication
Authentication Level-based Authentication Login URLs
Authentication Level-based Authentication Redirection URLs
Module-based Authentication
Module-based Authentication Login URLs
Module-based Authentication Redirection URLs
Authentication Features
Account Locking
Physical Locking
Memory Locking
Authentication Module Chaining
Fully Qualified Domain Name Mapping
Possible Uses For FQDN Mapping
Persistent Cookie
Multi-LDAP Authentication Module Configuration
To Add An Additional LDAP Configuration
Session Upgrade
Validation Plug-in Interface
JAAS Shared State
Enabling JAAS Shared State
JAAS Shared State Store Option
Authentication DTD Files
Auth_Module_Properties.dtd
ModuleProperties Element
Callbacks Element
NameCallback Element
PasswordCallback Element
ChoiceCallback Element
ConfirmationCallback Element
Prompt Element
ChoiceValues and ChoiceValue Element
OptionValues and OptionValue Element
Value Element
The remote-auth.dtd Structure
AuthContext Element
Request Element
Response Element
IndexTypeNamePair Element
Subject Element
Callbacks Element
ModuleName Element
HeaderValue Element
ImageName Element
PageTimeOutValue Element
TemplateName Element
AttributeValuePair Element
Prompt Element
Locale Element
ChoiceValues Element
ChoiceValue Element
SelectedValues Element
SelectedValue Element
OptionValue Element
DefaultOptionValue Element
Custom Authentication Modules
Integrating A Custom Authentication Module
Configuring The Authentication Module
Elements Of The Authentication Module Configuration File
Customizing Membership.xml
Configuring Authentication Localization Properties
Modifying The Core Authentication Service
Pluggable Auth Module Classes Attribute
Organization Authentication Modules Attribute
Authentication Programming Interfaces
Application Programming Interfaces
Authentication API For Java Applications
Authentication API For C Applications
Authentication Option For Other Applications
XML Messages
Service Programming Interfaces
Implementing A Custom Authentication Module
Implementing A Pure JAAS Module
Implementing Authentication Post Processing
Authentication Samples
Certificate Authentication Sample
LDAP Authentication Sample
MSISDN (Wireless) Module
SPI Sample
JDBC Authentication Sample
JCDI Authentication Sample

Chapter 5   Single Sign-On And Sessions
Overview
Session Service Concepts
Session
Session ID
SSOToken
Single Sign-On Process
Contacting A Protected Resource
Providing User Credentials
Cookies and Sessions
Session Structure
Fixed Attributes
Protected And Custom Properties
Protected Properties
Custom Properties
Cross-Domain Support For SSO
Policy Agents
Cross-Domain Controller
A Cross-Domain SSO Scenario
Enabling Cross-Domain Single Sign-On
SSO API
Java API Overview
SSOTokenManager Class
SSOTokenID Interface
SSOToken Interface
SSOTokenEvent
SSOTokenListener
Sample SSO Java Files
C API Overview
C SSO Include Files
C SSO Properties
C SSO Interfaces
C SSO Sample
Java versus C API
Non-Web-Based Applications
SSO Samples

Chapter 6   Identity Management
Overview
Identity Server Console
ums.xml
Identity Management Software Development Kit (SDK)
Identity-related Objects
Marker Object Classes
Identity-related Objects As LDAP Entries
Organizations
Containers
Users
Groups
Roles
Object Templates And ums.xml
Structure Of ums.xml
Structure Templates
Creation Templates
Search Templates
Modifying ums.xml
Adding Custom Object Classes
DAI Service
amEntrySpecific.xml
Identity Management SDK
Interfaces
AMAssignableDynamicGroup
AMCallback
AMConstants
AMDynamicGroup
AMEventListener
AMFilteredRole
AMGroup
AMGroupContainer
AMObject
AMOrganization
AMOrganizationalUnit
AMPeopleContainer
AMRole
AMSearchControl
AMStaticGroup
AMStoreConnection
AMTemplate
AMUser
AMUserPasswordValidation
Search Methods In The SDK
Search Method Parameters
searchUsers Sample Code
Search Groups Sample Code
Email Notification And The SDK
Caching And The SDK
Installing The SDK Remotely
Management Function Samples
Creating Objects
Retrieve Templates
Identity Management Samples
Adding User Attributes
Creating Objects With The SDK

Chapter 7   Service Management
Overview
XML Service Files
Document Type Definition Structure Files
Service Management SDK
Defining A Custom Service
Creating A Service File
Service File Naming Conventions
Service Attributes
Attribute Inheritance
Extending The Directory Server Schema
To Extend The Directory Server LDAP Schema
Adding Identity Server Object Classes To Existing Users
Importing The XML Service File
Configuring Console Localization Properties
Localizing With Two Languages
Updating Files For Abstract Objects
Registering The Service
DTD Files
The sms.dtd Structure
ServicesConfiguration Element
Service Element
Schema Element
Service Attribute Elements
SubSchema Element
AttributeSchema Element
The amAdmin.dtd Structure
Requests Element
OrganizationRequests Element
ContainerRequests Element
PeopleContainerRequests Element
RoleRequests Element
GroupRequests Element
UserRequests Element
ServiceConfigurationRequests Element
AttributeValuePair Element
CreateObject Elements
DeleteObject Elements
ModifyObject Elements
GetObject Elements
GetService Elements
ActionServiceTemplate Element
ActionServiceTemplateAttributeValues Element
ActionServices Elements
SchemaRequests Element
Federation Management Elements
XML Service Files
Default XML Service Files
Modifying A Default XML Service File
Batch Processing With XML Templates
XML Templates
Modifying A Batch Processing XML Template
Customizing User Pages
Creating Users Using A Modified Directory Server Schema
Service Management SDK
ServiceSchemaManager Class
Retrieve Logging Location
Retrieve User Or Dynamic Attributes
Retrieve Attribute Values

Chapter 8   Policy Management
Policy SDK
Java SDK For Policy
Policy API For Java
Policy Plugin API For Java
C Library For Policy
Policy Evaluation API for C
Extending the Policy Management Feature
Compiling the Policy Samples
Adding the Policy Service to Identity Server
Developing Custom Subjects, Conditions and Referrals
To Load the Modified Services
Creating Policies for the Service
Developing and Running Policy Evaluation Programs
To Run the Policy Evaluation Program
Constructing Policies Programmatically
To Run PolicyCreator.java
PolicyCreator.java

Chapter 9   SAML Service
Overview
Accessing The SAML Service
SAML Component Details
Profile Types
Web Browser Artifact Profile
Web Browser POST Profile
Assertion Types
SAML SOAP Receiver
SOAP Messages
Protecting The SOAP Receiver
amSAML.xml
SAML SDK
com.sun.identity.saml
com.sun.identity.saml.assertion
com.sun.identity.saml.common
com.sun.identity.saml.plugins
com.sun.identity.saml.protocol
AuthenticationQuery
AttributeQuery
AuthorizationDecisionQuery
com.sun.identity.saml.xmlsig
SAML Samples

Chapter 10   Auditing Features
Logging Service Overview
Logging Architecture
amLogging.xml
Log Files
Recorded Events
Time
Data
ModuleName
Domain
Log Level
Login ID
IP Address
Logged By
Host Name
Log File Formats
Flat File Format
Relational Database Format
Java Enterprise System Installation Logs
Identity Server Service Logs
Session Logs
Console Logs
Authentication Logs
Federation Logs
Policy Logs
Agent Logs
SAML Logs
amAdmin Logs
Logging Features
To Enable Secure Logging
Command Line Logging
Remote Logging
Using Remote Logging
Enabling Remote Logging
Logging API
Setting Environment Variables
Logger Class
LogRecord Class
Adding Log Data
Caching Log Records
Flushing Log Records
Sample Logging Code
Logging SPI
Log Verifier Plugin
Log Authorization Plugin
Debug Files
Debug Levels
Debug Output Files
Using Debug Files
Multiple Identity Server Instances And Debug Files

Chapter 11   Client Detection Service
Overview
Client Detection Process
Enabling Client Detection
Client Data
HTML
genericHTML
Client Detection API

Chapter 12   Identity Server Utilities
Utility API
AdminUtils
AMClientDetector
AMPasswordUtil
Debug
Locale
SystemProperties
ThreadPool
Password API Plug-Ins
Notify Password Sample
Password Generator Sample

Appendix A   AMConfig.properties File
Overview
Deployment Properties
Identity Server
Installation
Console
Cookies
Miscellaneous
Directory Server
Installation
Directory Server Tree
Configuration Properties
Debug Service
Stats Service
Notification Service
SDK Caching
Online Certificate Status Protocol (OCSP)
Identity Object Processing
Security
SSL
Certificate Database
Replication
Event And LDAP Connection
Event Connection
LDAP Connection
SAML
Keystore Properties
Miscellaneous Services
Read-Only Properties
Installation
Deployment
Shared Secret
Session Properties
Simple Mail Transfer Protocol (SMTP)
Authentication
LDAP
SecurID
Unix
Security
SecureRandom
SocketFactory
Encryption
IP Address Checking
Remote Policy API
Policy
Federation
FQDN Map
Encryption Key

Appendix B   serverconfig.xml File
Overview
Proxy User
Admin User
server-config Definition Type Document
iPlanetDataAccessLayer Element
ServerGroup Element
Server Element
User Element
DirDN Element
DirPassword Element
BaseDN Element
MiscConfig Element
Failover Or Multimaster Configuration

Appendix C   WAR Files
Overview
Web Components
Packaging Web Components
WARs And Their Contents
console.war
password.war
services.war
Redeploying Modified WARs
BEA WebLogic Server 6.1
To Deploy console.war On WebLogic
To Deploy services.war on WebLogic
To Deploy password.war on WebLogic
Sun Java System Application Server 7.0
To Deploy console.war On Sun Java System Application Server
To Deploy services.war On Sun Java System Application Server
To Deploy password.war on Sun Java System Application Server
IBM WebSphere Application Server

Appendix D   Notification Service
Overview

Appendix E   Directory Server Concepts
Overview
Roles
Managed Roles
Definition Entry
Member Entry
How Identity Server Uses Roles
Role Creation
Role Location
Displaying The Correct Login Start Page
Access Control Instructions
Defining ACIs
iplanet-am-admin-console-role-default-acis
iplanet-am-admin-console-dynamic-aci-list
Format of Predefined ACIs
Default ACIs
Class Of Service
CoS Definition Entry
cosClassicDefinition
CoS Template Entry
Conflicts and CoS

Glossary

Index




Copyright 2004 Sun Microsystems, Inc. All rights reserved.