How Access Manager Works

When Access Manager starts up, it initializes the Access Manager information tree with configuration data from various Access Manager service plug-ins including those for Authorization, Policy, Identity Repository Management, and Service Configuration. When a browser sends an HTTP request for access to a protected resource, Access Manager immediately binds to the appropriate Identity Repository to obtain user information (which may include definitions for roles, realms, user IDs, and so forth). At the same time, a policy agent installed on the protected resource intercepts the request and examines it. If no session token is found, the policy agent contacts the Access Manager server which will then invoke the authentication and authorization processes. Figure 1–9 illustrates how policy agents protect the enterprise's web servers by directing HTTP requests to a centralized Access Manager server for processing.

Figure 1–9 Basic Access Manager Deployment

Access Manager integrates the following functions into one product. They can be viewed and configured using a single administration console:

• Authentication Service

• Policy Service

• User Session Management

• SAML Service

• Federation Service

• Logging

Authentication Service

Authentication is the first step in determining whether a user is allowed to access a resource protected by Access Manager. The Access Manager Authentication Service verifies that a user really is the person he claims to be. It consists of the following components:

• Plug-in modules

• A framework for connecting plug-in modules

• A core authentication component

• A graphical user interface

• Client APIs

The Authentication Service interacts with the Authentication database to validate user credentials, and with Identity Repository Management plug-ins to retrieve user profile attributes. When the Authentication Service determines that a user’s credentials are genuine, a valid user session token is issued, and the user is said to be authenticated.

Policy Service

Authorization is the process with which Access Manager evaluates policies associated with a user’s identity, and determines whether an authenticated user has permission to access a protected resource. The Access Manager Policy Service enables authorization to take place. It consists of the following components:

• Policy plug-ins

• A framework for connecting policy plug-ins

• A core policy component

• A graphical user interface

• Client APIs

The Policy Service interacts with Access Manager service configurations, a delegation plug-in (which helps to determine a network administrator’s scope of privileges), and identity repository plug-ins to verify that the user has access privileges from a recognized authority.

User Session Management

An Access Manager user session is the interval between the moment a user logs in to a network resource protected by Access Manager, and the moment the user logs out of the resource. During the user session, the Access Manager Session Service maintains information about the interactions the user has with the various applications. Access Manager uses this information to enforce time-dependent rules such as timeout limits. Also during the user session, Access Manager provides continuous proof of the user’s identity. This proof of identity enables the user to access multiple enterprise resources without having to provide credentials each time.

The Access Manager Session Service enables the following types of user sessions:

• Basic user session. The user provides credentials to log in to one application, and then logs out of the same application.

• Single sign-on (SSO) session. The user provides credentials once, and can then access multiple applications within the same DNS domain.

• Cross domain SSO (CDSSO) session. The user provides credentials once, and can then access applications among multiple DNS domains.

SAML Service

Access Manager uses the Security Assertion Markup Language (SAML), an XML-based framework for exchanging security information. While the Session Service enables SSO sessions among different DNS domains within the same intranet, the SAML Service enables CDSSO sessions among different business domains. Using the SAML protocol, business partners can securely exchange authentication and authorization information over the Internet. The SAML Service consists of the following components:

• A framework to which web services can connect

• A core SAML component

• A graphical user interface

Federation Service

Identity federation allows a user to consolidate the many local identities he has configured among multiple service providers. With one federated identity, the user can log in at one service provider’s site and move to an affiliated service provider site without having to re-authenticate or re-establish identity. The Federation Service uses SAML to enable SSO sessions among business partners over the Internet. It consists of the following components:

• A framework that complies with the Liberty Alliance Project specifications

• A core Federation component

• A graphical user interface

Logging

When a user logs in to a resource protected by Access Manager, the Logging component records information about the user's activity. You can write custom log operations and customize log plug-ins to generate log reports for auditing purposes.