Sun Java System Access Manager 7 2005Q4 Technical Overview

Chapter 1 Introduction to Access Manager

Sun Java^TM System Access Manager 7 2005Q4 integrates authentication and authorization services, policy agents, and identity federation to provide a comprehensive solution for protecting your network resources. Access Manager prevents unauthorized access to web service applications and web content. This chapter provides an overview Access Manager features and architecture.

Topics in this chapter include:

An Access Management Paradigm

Think of all the different types of information a company must store and be able to make available through its enterprise. Now consider the various enterprise users who must make use of that information in order for the company’s business to run smoothly. For example, the following are routine information transactions that occur every day in a typical company:

An employee looks up a colleague’s phone number in the corporate phone directory.
A manager looks up the salary histories of her reports to help determine an individual’s merit raise.
An administrative assistant adds a new hire to the corporate database, which triggers the company’s health insurance provider to add the new hire to its enrollment.
An engineer sends an internal URL for a specification document to another engineer who works for a partner company.
A customer logs into the company’s website and looks for a product in the company’s online catalog.
A vendor submits an online invoice to the company’s accounting department.

In each of these examples, the company must determine who is allowed to view its information or use its applications. Some information such as the company’s product descriptions and advertising can be made available to everyone, even the public at large, in the company’s online catalog. Other information such as accounting and human resources information must be restricted to only employee use. And some internal information is appropriate to share with partners and suppliers, but not with customers.

The Problem

Many enterprises grant access to information on a per-application basis. For example, an employee might have to set up a user name and password to access the company’s health benefits administration website. The same employee must use a different user name and password to access the Accounting Department online forms. Within the same enterprise, a customer sets up a user name and password to access the public branch of the company website. For each website or service, an administrator must convert the enterprise user’s input into a data format that the service can recognize. Each service added to the enterprise must be provisioned and maintained separately.

The Solution

Access Manager reduces the administrative costs and eliminates the redundant user information associated with per-application solutions. Access Manager enables an administrator to assign specific rules or policies governing which information or services each user can access. Policy agents are deployed on application or web servers to process HTTP requests and to enforce active policies.

Together, a user’s information and associated access policies comprise the user’s enterprise identity. Access Manager makes it possible for a user to access many resources in the enterprise with just one identity.

What Access Manager Does

When an enterprise user or an external application tries to access content stored on a company’s web server, the Access Manager policy agent intercepts the request and directs it to the Access Manager server. Access Manager asks the user to present credentials such as a username and password. If the credentials match those stored in the appropriate identity repository, Access Manager determines that the user’s credentials are authentic.

Next, Access Manager evaluates the policies associated with the user’s identity. Policies identify which users or groups of users are authorized to access a resource, and specify conditions under which authorization is valid. Finally, based upon policy evaluation results, Access Manager either grants or denies the user access to the information. What Access Manager Does illustrates one way Access Manager can be configured to act as the gatekeeper to a company’s information resources.

Figure 1–1 Access Manager as the Gateway to a Company's Enterprise Resources

This figure illustrates how Access Manager controls access among
customers, employees, and employee administrators.

Access Manager integrates the following features into a single product that can be viewed in a single administration console:

Authentication Service

Authentication is the first step in determining whether a user is allowed to access a resource protected by Access Manager. The Access Manager Authentication service verifies that a user really is the person he claims to be. Authentication service consists of the following components: plug-in modules, a framework for connecting plug-in modules, a core authentication component, a web service interface, and client APIs. Authentication Service interacts with the Authentication database to validate user credentials, and interacts with Identity Repository Management plug-ins to retrieve user profile attributes. When Authentication Service determines that a user’s credentials are genuine, a valid user session token is issued, and the user is said to be authenticated.

Policy Service

Authorization is the process by which Access Manager evaluates policies associated with a user’s identity, and determines whether an authenticated user has permission to access a protected resource. Access Manager Policy service enables authorization to take place. Policy service consists of the following components: policy plug-ins, a framework for connecting policy plug-ins, a core policy component, a web service interface, and client APIs. Policy service interacts with Access Manager service configurations, delegation service, and identity repository plug-ins to verify that the user has access privileges from a recognized authority.

User Session Management

An Access Manager user session is the interval between the moment a user logs in to a network resource protected by Access Manager, and the moment the user logs out of the resource. During the user session, Access Manager session service maintains information about the user’s interaction with various applications the user accesses. Access Manager uses this information to enforce time-dependent rules such as timeout limits. Also during the user session, Access Manager provides continuous proof of the user’s identity. This continued proof of identity enables the user to access multiple enterprise resources without having to provide credentials each time.

The Access Manager Session Service enables the following types of user sessions:

Basic user session. The user provides credentials to log in to one application, and then logs out of the same application.
Single sign-on (SSO) session. The user provides credentials once, and can then access multiple applications within the same DNS domain.
Cross-domain SSO session. The user provides credentials once, and can then access applications among multiple DNS domains.

SAML Service

Access Manager uses the Security Assertion Markup Language (SAML), an XML based framework for exchanging security information. While Access Manager User Session service enables single sign-on sessions among different DNS domains within the same intranet, SAML service enables cross-domain sign-on (CDSSO) sessions among different business domains. Using the SAML protocol, business partners can securely exchange authentication and authorization information over the Internet. Access Manager SAML service consists of a web service interface, a SAML core component, and a SAML framework that web services can connect to.

Identity Federation Service

Identity federation allows a user to consolidate the many local identities he has configured among multiple service providers. With one federated identity, the user can log in at one service provider’s site and move to an affiliated service provider site without having to re-authenticate or re-establish his identity. Identity Federation service works with SAML service to enable single sign-on sessions among business partners over the Internet. Identity Federation services consists of a web service interface, a core Identity Federation component, and an Identity Federation Framework that complies with the Liberty Alliance Project specifications.

Logging

When a user logs in to a resource protected by Access Manager, the Logging component logs information about the user's activity. You can write custom log operations and customize log plug-ins to generate log reports for auditing purposes.

How Access Manager Works

When Access Manager starts up, it initializes the Access Manager information tree with configuration data. The configuration data comes from Access Manager service plug-ins including Authorization, Policy, Identity Repository Management, and Service Configuration plug-ins. By default, the Access Manager information tree resides in Sun Java System Directory Server, the same data store as the identity repository.

Figure 1–2 Basic Access Manager Installation

This figure illustrates how policy agents directs HTTP requests
to a centralized Access Manager Server for processing.

When a browser sends a request to access content or an application on a protected resource, Access Manager immediately binds to the appropriate Identity Repository to obtain user information. The user information may include definitions for roles, realms, user ids, and so forth. At the same time, a Policy Agent installed on the protected resource intercepts the initial HTTP request and examines the request. If no session token is found, the Policy Agent contacts the Access Manager server. Then Access Manager invokes authentication and authorization processes.

Access Manager Architecture

Access Manager uses a Java technology-based architecture for scalability, performance, and ease of development.

Access Manager leverages industry standards including HyperText Transfer Protocol (HTTP), eXtensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Security Assertions markup Language (SAML) specification. The Access Manager internal architecture is multi-layered and includes a presentation layer, web services, core components, an integrated framework, and a plug-ins layer.

Custom applications access the Access Manager web services through the Access Manager client application programming interfaces (APIs) installed on each protected resource. Custom plug-in modules interact with the Access Manager service provider interfaces (SPIs) and plug-ins framework. The plug-in modules retrieve information from the Access Manager information tree and deliver required information to other plug-ins when necessary, and to the Access Manager framework for data processing.

Web Services

Web services follow a standardized way of integrating Web-based applications using XML, SOAP, and other open standards over an Internet protocol backbone. Web services enable applications from various sources to communicate with each other because web services are not tied to any one operating system or programming language. Businesses use web services to communicate with each other and with clients without having to know detailed aspects of each other's IT systems.

Access Manager provides web services that use XML and SOAP over HTTP. Access Manager web services are designed to be centrally provided in your network for convenient access by your client applications. The following table summarizes the web services provided in Access Manager.

Table 1–1 Access Manager Web Services


Web Service Name	Description
Authentication	Verifies that a user really is the person he claims to be.
Policy (Authorization)	Evaluates policies associated with a user’s identity, and determines whether an authenticated user has permission to access a protected resource.
SAML	Enables single sign-on sessions among different business domains. Allows business partners to securely exchange authentication and authorization information over the Internet.
Identity Federation	Enables a user to log in at one service provider’s site and move to an affiliated service provider site without having to re-authenticate or re-establish his identity.
Session	Maintains information about the user’s interaction with various applications the user accesses.

Access Manager uses both eXtensible Markup Language (XML) files and Java interfaces to and manage web services and web service configuration data. An Access Manager XML file is based on a structure defined in a corresponding DTD file. The DTD file defines the elements and qualifying attributes needed to form a valid XML document. Access Manager includes DTD files that define the structure for the different types of XML files it uses. The DTDs are located in AccessManager-base/SUNWam/dtd. The file sms.dtd defines the structure for all XML service files. All XML service files are located in /etc/opt/SUNWam/config/xml.

Caution –

Do not modify any of the Access Manager DTD files. The Access Manager APIs and their internal parsing functions are based on the default definitions. Alterations to the DTD files may hinder the operation of Access Manager.

Core Components and Services that Power Access Manager

The core components provide the logic that performs the main Access Manager functions. The core components work with services that run within Access Manager. These internal services process data solely for use by Access Manager. The following table lists the core Access Manager components and internal services along with brief descriptions of what they do.

Table 1–2 Access Manager Core Components and Internal Services


Core Component or Service	What it Does
Authentication component	Validates user’s credentials and verifies that the user is who he claims to be.
Authorization (Policy) component	Evaluates policies to determine whether the user has permission to access the requested resource.
Security Assertion Markup Language (SAML) component	Provides a protocol-based alternative to using cookies for performing a single sign-on session.
Identity Federation component	Enables user to access resources provided by multiple business partners in a single sign-on session.
User Session Management component	Maintains information about user session, and enforces timeout limits. Provides continued proof of identity to enable single sign-on sessions.
Logging service	Tracks a user’s interactions with web applications. Creates log messages to form an audit trail of important events within the system.
Naming service	Enables a client to locate other Access Manager services such as User Session Management Service, Logging Service, Policy Service, and so forth. Defines URLs used to access these internal services.
Platform service	Manages configurable attributes used in an Access Manager deployment.
Client Detection service	Detects the client type of the browser being used to access the Access Manager application. Client types include HTML, WML, and other protocols.

Client APIs

Enterprise resources cannot be protected by Access Manager until you install Access Manager client APIs on the Web Server or Application Server that you want to protect. The client APIs mirror the APIs and functionality contained in the Access Manager core components: Authentication, Authorization (Policy), SAML, Identity Federation, and User Session.

Access Manager Framework

The framework layer is where the Access Manager business logic is implemented. Each core component uses its own framework to retrieve customer data from the plug-in layer and to provide data to the core components. The Access Manager framework integrates all of these frameworks to form one layer in the architecture that is accessible to all core components and all Access Manager plug-ins.

Figure 1–3 Access Manager Internal Architecture

Plug-ins Layer

The Access Manager SPIs work with plug-ins to provide customer data to the framework for back-end processing. Some customer data comes from external data base applications such as identity repositories. Some customer data come from Access Manager plug-ins. You can develop custom plug-ins to work with Access Manager SPIs.

For a complete listing of Access Manager SPIs, see the Javadoc. The following table lists the plug-ins that are installed with Access Manager and a brief description what each plug-in does.

Table 1–3 Access Manager Plug-ins


Plug-in	Description
Authentication	Accesses user data in a specified identity repository to determine if user’s credentials are valid.
Policy	Aggregates policies and rules to determine whether a user is authorized to access a protected resource.
Service Configuration	Manages configuration data used in each core component framework: authentication, authorization, SAML, session, logging, and identity federation. Provides configuration data to any Access Manager plug-in or component that needs the data.
Delegation	Aggregates policies and rules to determine the scope of a network administrator’s authority.
Identity Repository Management	Authenticates identities and returns identity information such as user attributes and membership status.
AM SDK	Creates and modifies users and stores information in the user branch of the identity repository. Implements user management APIs used in previous Access Manager releases.

Access Manager Policy Agents

You install an Access Manager Policy Agent on a protected resource to enforce the policy decisions determined by the Policy Service. The policy agent intercepts requests from applications, and redirects the requests to Access Manager for authentication. Once the user is authenticated, the policy agent communicates with the Policy Service. The policy agent allows the user access or denies the user access depending upon the result of policy evaluation.

Architectural Changes In This Release

Access Manager includes new components that enable you to implement authentication and authorization solutions without having to make changes in your existing user directory information tree.

Access Control Realms

In Access Manager an access control realm is a group of authentication properties and authorization policies you can associate with a user or group of users. Realm data is stored in a proprietary information tree that Access Manager creates within a data store you specify. The Access Manager framework aggregates policies and properties contained in each realm within the Access Manager information tree.

By default, Access Manager automatically inserts the Access Manager information tree as a special branch in Sun Java Enterprise System Directory Server, apart from the user data.

Figure 1–4 Default Configuration for Access Manager Information Tree

Both the identity repository and the Access Manager information
tree can be installed on the same instance of Directory Server.

You can use access control realms while using any user database. The following figure illustrates the Access Manager information tree configured in a separate data store from the identity repository.

Figure 1–5 Access Manager Information Tree Configured in Second Data Store

The identity repository can reside in one data store, and the
Access Manager information tree can reside in a different data store.

When a user logs into an application, Access Manager plug-ins retrieve all user information and access information that Access Manager needs to form a temporary, virtual user identity. Authentication service and Policy service use the virtual user identity to authenticate the user and to enforce authorization policies. The virtual user identity is destroyed when the user’s session ends.

Identity Repository Framework

An identity repository is a database where you can store user attributes and user configuration data. Previous versions of Access Manager relied on Sun Java System Directory Server as the only supported identity repository and the only supported software for creating, managing, and storing user data.

Access Manager provides an identity repository plug-in that connects to an identity repository framework. This new model enables you to view and retrieve Access Manager user information without having to make changes in your existing user database. The Access Manager framework integrates data from the identity repository plug-in with data from other Access Manager plug-ins to form a virtual identity for each user. Access Manager can then use the universal identity in authentication and authorization processes among more than one identity repository. The virtual user identity is destroyed when the user’s session ends.

You can configure the Identity Repository Management Service per realm to use its own list of Identity Repositories.

Using realm-based configuration, you can specify a single Identity Repository that will store service configurations for both users and roles. The Identity Repository Service provides a list of Identity Repositories that can provide user attributes to Policy, SAML , and Liberty services. The Identity Repository Services pluggable interface combines attributes obtained from different repositories. Identity Repository plug-ins provide interfaces to create, read , edit, and delete objects such as Realm, Role, Group, User, and Agent.

The default identity repository plug-in is designed to work with Sun Java Directory Server which is based on LDAP. In previous Access Manager versions, the functionality of this default plug-in was provided by the AM SDK component. In Access Manager 7.0, the AM SDK functionality still exists, but now in plug-in form.

Realm Mode and Legacy Mode

When you install Access Manager, you are asked to choose either Realm Mode or Legacy Mode.

Realm mode is new in Access Manager 7.0, and is based on the Access Manager information tree and Identity Repository Management Service described in the previous sections. Realm mode is appropriate in most new Access Manager deployments where you want to keep identity repositories independent of access management, or where you cannot maintain user data within the required object classes of Sun Java System Directory Server.

If you choose Realm Mode at installation, then after installation your identity repositories can exist in any of the following configurations:

In the same Directory Server instance and the same suffix as the Access Manager information tree.
In the same Directory Server instance but in a different suffix as the Access Manager information tree.
In a different directory server instance from the Access Manager information tree.

Figure 1–6 Realm Mode User Interface

This is figure illustrates the Access Manager administration
console in Realm Mode.

Legacy Mode is based on the Access Manager 6.3 architecture. This legacy Access Manager architecture uses the LDAP directory information tree (DIT) that comes with Sun Java System Directory Server. In Legacy Mode, both user information and access control information are stored in LDAP organizations. When you choose Legacy Mode, an LDAP organization is the equivalent of an access control realm. Realm information is integrated within LDAP organizations.

Legacy Mode is appropriate in deployments where you want to use Access Manager user management. Legacy Mode is typically used in deployments where Access Manager is built upon Sun Java System Portal Server or other Sun Java System communication products that require the use of Sun Java System Directory Server as the central identity repository.

If you choose Legacy Mode during installation, then after installation the top-level ream resides in the same Directory Server branch as the Access Manager information tree, and user information is intermingled with access information.

Figure 1–7 Legacy Mode User Interface

In Legacy Mode, a Directory Management tab is added to the Access
Manager administration console.

The following table compares realm mode and legacy mode.

Table 1–4 Comparison of Realm and Legacy Modes


	Realm Mode	Legacy Mode
Supports all new Access Manager 7 2005Q4 features.	Yes	Yes
Supports identity repositories in Sun Java System Directory Server and in other data stores.	Yes	Yes
Supports Access Manager 6 user management features.	No	Yes
Can coexist with Access Manager 6 2005Q1 in multiple-server installations.	No	Yes
Before installation, identity repository can exist in Sun Java Directory Server .	Yes	Yes
Before installation, identity repository can exist in an LDAP version 3 compliant directory server.	Yes	No

For more information about realm and legacy modes, see the Sun Java System Access Manager 7 2005Q4 Release Notes.

Distributed Authentication User Interface Component

The Distributed Authentication user interface enables a policy agent or an application that is deployed in a non-secured area to communicate with the Access Manager Authentication Service that is installed in a secured area of the deployment. Typically, the non-secured policy agent or application is separated from Access Manager by two firewalls. In such deployments, policy agents and applications are not usually allowed to communicate across two firewalls.

Figure 1–8 Distributed Authentication

This figure illustrates shows the Distributed Authentication
Service located in a non-secured area and the Authentication Service in a secured
area.

You can install the distributed authentication user interface on a J2EE web container within the non—secure layer of an Access Manager deployment. The web browser communicates an HTTP request to the remote authentication user interface, which in turn presents a login page to the user. The web browser sends user login information through a firewall to the remote authentication user interface. The remote authentication user interface communicates through the second firewall to the Access Manager Server. For detailed illustration and process flow, see User Authentication. For detailed installation and configuration instructions, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.

Delegation Plug-In

The Delegation plug-in works together with the Identity Repository plug-in to determine a network administrator’s scope of privileges. Default administrator roles are defined in the Identity Repository plug-in. The Delegation plug-in forms rules that describe the scope of privileges for each network administrator, and also specifies the roles to which the rules apply. The following is a list of roles defined in the Identity Repository, and the default rule the Delegation plug-in applies to each role.

Table 1–5 Access Manager Roles and Scope of Privileges


Identity Repository Role	Delegation Rule
Realm Administator	Can access all data in all realms of the Access Control information tree.
Subrealm Administrator	Can access all data within a specific realm of the Access Control information tree.
Policy Administrator	Can access all policies in all realms of the Access Control information tree.
Policy Realm Administrator	Can access policies only within the specific realm of the Access Control information tree.

Authentication service and Policy service use the aggregated data to perform authentication and authorization processes. The Delegation plug-in code is not public in Access Manager.

Service Configuration Plug-Ins

The Service Configuration plug-in stores and manages data required by other Access Manager plug-ins. In previous versions of Access Manager, the functionality provided by the Service Configuration plug-in was known as the Service Management Service (SMS).