Sun Java System Access Manager 7.1 Federation and SAML Administration Guide

Overview

Sun Java System Access Manager is a software product that helps organizations manage secure access to the resources and web applications within their intranet and across the Internet. The initial release of Access Manager implemented the Liberty Identity Federation Framework (Liberty ID-FF) specifications, focusing on identity and provider federation, authentication domains, and single sign-on. Subsequent releases of Access Manager added new features as defined in version 1.2 of the Liberty ID-FF specifications as well as the version 1.1 specifications of the Liberty Identity Web Services Framework (Liberty ID-WSF). These web services include a framework for retrieving and updating identity data.

Identity data consists of all the information that companies maintain about individual customers, corporate partners, and employees. The data is stored in identity-based service providers (also referred to as identity providers) across the Internet. Federating the sources of identity data allows for accessing, transporting, sharing, and managing the data between partnered organizations and their applications without weakening existing security safeguards. For example, many corporations provide access to outsourced human resources services, such as health benefits and 401(k) plans. The corporate intranet offers central access to these services, but employees have to log in and authenticate themselves every time they access each service. Since employees might not want to share the same profile and password with both their 401(k) provider and their health care provider, federation of their identity data can provide seamless integration of these web resources across multiple security domains within the same enterprise.

To achieve this integration, enterprises can construct a network of partnered services that securely exchange customer account information, transaction data, and credentials through a set of interoperable web services. Federation among partner networks allows identities to share key pieces of their respective data without sharing control of it. For example, an authentication domain consisting of an airline, a car rental company, and a hotel chain lets a user who logs in once at any member site make travel plans across all three, even if one of the sites has no identity data store of its own.

The following sections contain additional information regarding the implementation of the Liberty Alliance Project specifications in Access Manager.

Sample Use Case

Using a cell phone, a principal accesses a ring-tone vendor's site. Because single sign-on is implemented, the ring-tone vendor recognizes the principal from the cell-phone provider's authentication, and the principal can purchase ring tones by interacting with the principal's bank for payment. The following figure illustrates the process of requesting a service and being authenticated for access. It assumes the following:


Note –

The same web service can act as a different entity in different scenarios.


Figure 2–1 Process in a Liberty-enabled Use Case

This figure illustrates the process behind a Liberty-enabled use case.

The user attempts to access MyRingtones and, after being prompted for the credentials stored with MyBank, receives authorization through MyWireless; the single sign-on itself is accomplished in the back end. The entire process is based on implementations of the Liberty ID-FF, Liberty ID-WSF, and Liberty ID-SIS (Identity Service Interface Specifications) specifications.
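The three-party flow above, as an added worked example that is not code from the Access Manager product or from the Liberty specifications: a toy identity provider (MyWireless) authenticates the principal and issues a signed, audience-restricted, short-lived assertion, and the service provider (MyRingtones) admits the principal on that assertion alone, never seeing the MyWireless password, while rejecting replays, assertions issued for another provider (MyBank), expired assertions, and tampered ones. Real Liberty ID-FF and SAML assertions are XML documents signed with the identity provider's key; the per-partner HMAC key, the account table, the clock values, and the principal name used here are constructed stand-ins so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed trust relationship (not Access Manager configuration): MyRingtones,
# the service provider, trusts assertions from MyWireless, the identity provider,
# and holds the matching verification key. Only the signed assertion crosses the
# boundary between the two security domains; the password stays with MyWireless.
IDP_NAME = "MyWireless"
SP_NAME = "MyRingtones"
IDP_KEY = secrets.token_bytes(32)  # constructed key; real deployments use the IdP's signing certificate


class IdentityProvider:
    """MyWireless: authenticates the principal and issues assertions about it."""

    def __init__(self, name, key, accounts):
        self.name, self.key = name, key
        self.accounts = accounts  # constructed user -> password table (a real IdP stores hashes)

    def authenticate(self, user, password):
        stored = self.accounts.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def issue_assertion(self, user, audience, now, lifetime=300):
        """Sign a short-lived, audience-restricted statement that `user` authenticated here."""
        body = {
            "issuer": self.name,
            "subject": user,  # Liberty ID-FF would carry a federated pseudonym, not the login name
            "audience": audience,
            "assertion_id": secrets.token_hex(16),
            "issue_instant": now,
            "not_on_or_after": now + lifetime,
        }
        payload = json.dumps(body, sort_keys=True).encode()
        signature = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": signature}


class ServiceProvider:
    """MyRingtones: admits a principal on the strength of MyWireless's assertion."""

    def __init__(self, name, trusted_keys):
        self.name = name
        self.trusted_keys = trusted_keys  # issuer name -> verification key
        self.seen_ids = set()  # assertion IDs already consumed, to refuse replays

    def accept(self, assertion, now):
        """Return the asserted subject, or raise ValueError saying why it was rejected."""
        body = json.loads(assertion["payload"])
        key = self.trusted_keys.get(body.get("issuer"))
        if key is None:
            raise ValueError("untrusted issuer")
        expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            raise ValueError("bad signature")
        if body["audience"] != self.name:
            raise ValueError("assertion issued for a different provider")
        if not body["issue_instant"] <= now < body["not_on_or_after"]:
            raise ValueError("assertion expired or not yet valid")
        if body["assertion_id"] in self.seen_ids:
            raise ValueError("assertion replayed")
        self.seen_ids.add(body["assertion_id"])
        return body["subject"]


def demo(now=1_700_000_000):
    """Walk the use case and return what MyRingtones decided at each step."""
    idp = IdentityProvider(IDP_NAME, IDP_KEY, {"alice": "correct horse battery"})
    sp = ServiceProvider(SP_NAME, {IDP_NAME: IDP_KEY})
    outcome = {}

    def attempt(label, assertion, at):
        try:
            outcome[label] = sp.accept(assertion, at)
        except ValueError as err:
            outcome[label] = "rejected: " + str(err)

    # 1. The principal authenticates once, to the cell-phone provider only.
    outcome["idp_login"] = idp.authenticate("alice", "correct horse battery")
    # 2. MyWireless issues an assertion scoped to MyRingtones; the vendor admits alice.
    good = idp.issue_assertion("alice", SP_NAME, now)
    attempt("sso", good, now)
    # 3. Presenting the same assertion again is a replay.
    attempt("replay", good, now)
    # 4. An assertion minted for MyBank must not open a session at MyRingtones.
    attempt("wrong_audience", idp.issue_assertion("alice", "MyBank", now), now)
    # 5. A stale assertion is refused even though its signature is valid.
    attempt("expired", idp.issue_assertion("alice", SP_NAME, now), now + 301)
    # 6. Changing the subject invalidates the issuer's signature.
    forged = dict(good, payload=good["payload"].replace(b'"alice"', b'"mallory"'))
    attempt("tampered", forged, now)
    return outcome


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:15} {result}")
```

Running the block prints one line per step: the single sign-on succeeds with subject `alice`, and the replay, wrong-audience, expired, and tampered attempts are each rejected with the reason. The order of checks in `accept` is deliberate: issuer and signature are verified before any field of the assertion body is trusted, so a forged audience or lifetime never influences the decision.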

Liberty Alliance Project Architecture in Access Manager

The figure below shows the architecture of the Access Manager features that are based on the Liberty Alliance Project specifications. These features leverage existing Access Manager services including those for policy, service management, session management, and auditing.

Figure 2–2 Liberty-based Architecture of Access Manager

Basic architecture of Liberty-based features in Access Manager.


Note –

For a complete architectural overview of Access Manager, see the Sun Java System Access Manager 7.1 Technical Overview.