Sun Java System Access Manager 6 2005Q1 Technical Overview
Chapter 1
Overview of Access Manager
Sun Java System Access Manager 6 2005Q1 provides a comprehensive solution for managing federated identities and for enforcing authorized access to network services and resources. It tightly integrates policy, identity management, service management, and SAML to simplify the administration of users and to provide a single identity across a range of web and application servers. Access Manager also serves as the base for the Liberty specification implementation.
This chapter provides an overview of Access Manager and how its components work together. Topics include:
An Identity Management Paradigm
Think of all the different types of information a company must store and be able to make available through its enterprise. Now consider the various enterprise users who must make use of that information in order for the company’s business to run smoothly. For example, the following are routine information transactions that occur every day in a typical company:
- A rank-and-file employee looks up a colleague’s phone number in the corporate phone directory.
- A managing employee looks up the salary histories of all her reports to help determine an individual’s merit raise.
- An administrative assistant adds a new hire to the corporate database, which triggers the company’s health insurance provider to add the new hire to its enrollment.
- An engineer sends an internal URL for a specification document to another engineer who works for a partner company.
- A customer logs into the company’s website and looks for a product in the company’s online catalog.
- A vendor submits an online invoice to the company’s accounting department.
In each of these examples, the company must determine who is allowed to view its information or use its applications. Some information such as the company’s product descriptions and advertising can be made available to everyone, even the public at large, in the company’s online catalog. Other information such as accounting and human resources information must be restricted to only employee use. And some internal information is appropriate to share with partners and suppliers, but not with customers.
The Problem
Many enterprises grant access to information on a per-application basis. For example, an employee might have to set up a user name and password to access the company’s health benefits administration website, and a separate user name and password to access the accounting department online forms. A customer sets up a user name and password to access the “Customers” branch of the company website. For each website or service, there is an administrator who converts the enterprise user’s input into a data format that the service can recognize. Each service added to the enterprise must be provisioned and maintained separately.
The Solution
Access Manager reduces the administrative costs and eliminates the redundant user information associated with per-application solutions. Access Manager creates a single record or directory entry for each enterprise user, and enables an administrator to assign specific rules or policies governing which information or services each user can access. Policy agents can be deployed on application or web servers to enforce the policies. Together, a user’s directory entry and its associated access policies comprise the user’s enterprise identity. Access Manager makes it possible for a user to access many resources in the enterprise with just one identity.
How Access Manager Works
When an enterprise user or an external application tries to access content stored on a company’s web server, the policy agent intercepts the request and directs it to Access Manager. Access Manager asks the user to present credentials such as a username and password. If the credentials match those stored in the central Directory Server, Access Manager verifies that the user is who he says he is. Next, Access Manager evaluates the policies associated with the user’s identity, and then determines whether the user is allowed to view the requested information.
Finally, Access Manager either grants or denies the user access to the information. Figure 1-1 illustrates one way Access Manager can be configured to act as the gatekeeper to a company’s information resources.
Figure 1-1 Access Manager is the gatekeeper to a company’s enterprise resources.
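The request flow just described, as a constructed Python model added here (it is not the product's own code or API): the policy agent is the enforcement point, Access Manager authenticates against one central directory entry per user, and the decision comes from policies tied to that single identity, with explicit deny overriding allow and anything unmatched denied. The directory entries, policies, URLs and the cookie name are all assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
import hashlib, hmac, secrets
def _digest(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()
# Constructed central directory: one entry per user (salted digest + roles).
DIRECTORY = {
    "alice": {"salt": "s1", "pw": _digest("s1", "alice-pass"), "roles": {"manager"}},
    "bob":   {"salt": "s2", "pw": _digest("s2", "bob-pass"),   "roles": {"employee"}},
    "carol": {"salt": "s3", "pw": _digest("s3", "carol-pass"), "roles": {"customer"}},
}
SESSIONS = {}          # SSO token -> user name (Access Manager session store)
COOKIE = "sso_token"   # constructed cookie name, not the product's own

@dataclass
class Policy:
    resource: str   # URL pattern; '*' matches any characters
    actions: set    # HTTP methods the rule covers
    roles: set      # subjects: a user holding any of these roles matches
    allow: bool = True

# Constructed policies: explicit deny overrides allow; unmatched is denied.
POLICIES = [
    Policy("http://www.example.com/catalog/*", {"GET"}, {"employee", "customer"}),
    Policy("http://www.example.com/hr/*", {"GET"}, {"employee", "manager"}),
    Policy("http://www.example.com/hr/salaries/*", {"GET"}, {"employee"}, allow=False),
]

def authenticate(user, password):
    """Check credentials against the directory; return an SSO token or None."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["pw"], _digest(entry["salt"], password)):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    return token

def evaluate(user, url, action):
    """Policy decision for the identity's roles: explicit deny wins, default deny."""
    roles = DIRECTORY[user]["roles"]
    hits = [p for p in POLICIES if action in p.actions and roles & p.roles
            and fnmatchcase(url, p.resource)]
    return "allow" if hits and all(p.allow for p in hits) else "deny"

def agent_intercept(request):
    """Policy agent: no valid session -> redirect to login; else enforce policy."""
    user = SESSIONS.get(request.get("cookies", {}).get(COOKIE))
    if user is None:
        return "redirect_to_login"
    return evaluate(user, request["url"], request["method"])
```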
Access Manager consolidates four major features into a single product that can be viewed in a single administration console:
Identity Administration
Access Manager provides an identity framework for creating and managing directory objects such as organizations, groups, roles, and userIDs. When you use Access Manager to create or modify user objects, you update the entries stored in Directory Server. Access Manager schema includes pre-defined administrator userIDs and associated access control instructions (ACIs). This makes it possible to delegate user management tasks to various administrators—and to non-administrators as well—in the enterprise. The Identity Management functionality is further described in Chapter 2, "Identity Management".
Access Management
Access Manager implements authentication service and policy administration to regulate access to a company’s information and applications. These features make it possible to verify that a user is who he says he is, and that the user is authorized to access web or application servers deployed within the enterprise. The Access Management functionality is further described in Chapter 3, "Access Management".
Service Management
Access Manager provides a service management SDK that gives application developers the interfaces necessary to register and un-register services as well as to manage schema and configuration information. It also provides a number of services that it uses for authentication and for its own administration. The Service Management functionality is further described in Chapter 4, "Services Management".
Federation Management
Identity federation allows a user to link the many local identities he has configured among multiple service providers. With one federated identity, the individual can log in at one service provider’s site and move to an affiliated service provider site without having to re-authenticate or re-establish his identity. The Federation Management functionality is further described in Chapter 5, "Federation Management".
Access Manager Architecture
Access Manager uses a Java technology-based architecture for scalability, performance, and ease of development. It leverages industry standards including the following:
Figure 1-2 illustrates how Access Manager integrates all of these technologies and connects to Directory Server. The Access Manager common identity infrastructure is built upon Directory Server, which uses the LDAP protocol.
Figure 1-2 Access Manager Architecture.
Sun Java System Directory Server
In an Access Manager deployment, Directory Server acts as the centralized repository for user identities. Identities are stored as directory entries using the LDAP protocol and Directory Services Markup Language (DSML). LDAP is the “lightweight” version of the Directory Access Protocol (DAP) used by the ISO X.500 standard. DSML enables you to represent directory entries and commands in XML. This makes it possible for XML-based applications using HTTP to take advantage of directory services while making full use of the existing web infrastructure.
Access Manager Components
Access Manager functions are delivered as a collection of Java servlets, JavaBeans components, and JSP modules. Authentication Service, Policy Service, and an Administration Console are examples of such functions. These run inside the Java virtual machine of a J2EE container such as Sun Java System Web Server or Sun Java System Application Server.
Access Manager includes APIs for Single Sign-On, Logging, Identity, Federated Identity, Policy, SAML, and more. These public Java APIs provide an interface that external applications can use to implement either default or customized behavior.
Policy agents are an integral part of the identity management solution. Installed on web servers or web proxy servers in the enterprise, policy agents protect individual servers from unauthorized intrusions.
What’s New in This Release
New features in Access Manager 2005Q1 include the following:
- Product name has changed from Identity Server to Access Manager
- Support for new web containers: BEA WebLogic 8.1.x and IBM WebSphere Application Server 5.1.x
- New authentication modules:
- Policy Management includes a new Resource Name plug-in: HttpURLResourceName.
- Console enhancements:
  - Ability to customize the display of organizations as well as different attributes for each object type in the left navigation pane to include a descriptive name (such as the cn).
  - Ability to modify the contents of the drop-down menu in the left navigation pane (for example, to add custom groups or roles).
- Session failover:
  - Web-container independent: Support for Web Server, Application Server, IBM WebSphere Application Server, or BEA WebLogic as the web container.
  - Session repository uses the Berkeley DB by Sleepycat Software, Inc. and Sun Java System Message Queue (Message Queue) as the communications broker.
  - Connection pooling based on the JDBC 2.0 driver connection pool interfaces.
- Federation Management:
  - Support for the Liberty Alliance Project (LAP) Name Identifier Mapping Protocol
  - Support for the LAP Identity Web Services Framework (ID-WSF) Discovery Service Specification, Version 1.1
  - Support for the LAP ID-WSF Authentication Service Specification
  - Support for the LAP Metadata Description and Discovery Specification
  - Support for the LAP Liberty Identity Federation Framework (ID-FF) Extended Profiles:
- Client SDK:
- Performance tuning script is available to tune Application Server 8.1 as a web container