
Sun[TM] Identity Manager 8.0 Administration 

Chapter 17
Service Provider Administration

This chapter provides information that you need to know to administer the Service Provider functionality in Sun Identity Manager. To use this information, an understanding of Lightweight Directory Access Protocol (LDAP) directories and federation management is helpful. For a broader discussion of a Service Provider implementation, see Identity Manager Service Provider Deployment.

This chapter contains the following topics:


Overview of Service Provider Features

In a service provider environment, you need the ability to manage user provisioning for all end-users—that is extranet users, as well as intranet users. The Identity Manager Service Provider features enable company administrators to categorize identity accounts into two distinct types: Identity Manager users and Service Provider users. Service provider users in Identity Manager are user accounts that have been configured as the Service Provider User type.

The Identity Manager user-provisioning and auditing capabilities extend to service provider implementations by providing the following features:

Enhanced End-User Pages

Enhanced end-user pages that are customizable for a service provider implementation are provided.

Password and Account ID policy

You can define account ID and password policies for service provider users and resource accounts, as with other Identity Manager users.

Policy checking code is activated for service provider users with the Service Provider System Account Policy, which has been added to the main Policies table.

Identity Manager and Service Provider Synchronization

Synchronization for Identity Manager and Service Provider accounts can be configured to run on any Identity Manager server, or restricted to selected servers.

Service Provider Synchronization, like Identity Manager synchronization, can be easily stopped and started from the Resource Actions options on the Resources page. See Start and Stop Synchronization.

The Input Forms for Identity Manager user synchronization and Service Provider user synchronization differ. See End-User Interface.

Access Manager integration

You can use Sun Access Manager 7 2005Q4 for authentication on Service Provider end-user pages. If integration with Access Manager is configured, Access Manager ensures that only authenticated users can access the end-user pages.

Service Provider requires the user name for auditing purposes. Update the AMAgent.properties file so that the agent adds the authenticated user's ID to the HTTP headers of the requests it forwards, for example:

com.sun.identity.agents.config.response.attribute.mapping[uid] = HEADER_speuid

The end-user-page authentication filter copies this HTTP header value into the HTTP session, where the rest of the code expects it to be. Because the filter trusts the header, the end-user pages must be reachable only through the Access Manager agent: if a client could reach them directly and supply the header itself, it could appear as another user in the session and in the audit trail.


Initial Configuration

To configure the Service Provider features, use the following procedures to edit the Identity Manager configuration objects that describe the Service Provider directory and its related settings:

Edit Main Configuration

To edit configuration objects for a Service Provider implementation, follow these steps:

  1. In the Administrator interface, click Service Provider in the menu.
  2. Click Edit Main Configuration. The Service Provider Configuration page opens.
  3. Complete the Service Provider Configuration form as described in the following sections:

Directory Configuration

In the Directory Configuration section, provide information to configure the LDAP Directory and specify Identity Manager attributes for service provider users.

Figure 17-1 shows this area of the Service Provider Configuration page, as well as the User Forms and Policy area discussed in the next section.

Figure 17-1  Service Provider Configuration

Configuring the Service Provider directory and user forms and policies.

(Directory, User Forms and Policy)

To complete the Directory Configuration form, follow these steps:

  1. Select the Service Provider End-User Directory from the list. This is the LDAP directory resource where all Service Provider user data is stored.

  2. Enter the Account ID Attribute Name. This is the name of the LDAP account attribute that contains a unique short identifier for the account. It is treated as the name of the user for authentication and for account access through the API. The attribute name must be defined in the schema map.

  3. Specify an IDM Organization Attribute Name. This is the name of the LDAP account attribute that contains the name or ID of the Identity Manager organization to which the LDAP account belongs. It is used for delegated administration of LDAP accounts. The attribute name must exist in the LDAP resource schema map and is the Identity Manager system attribute name (the name on the left side of the schema map).


    Note

    Specify the IDM Organization Attribute Name (and IDM Organization Attribute Name Contains ID, if needed) if you want to enable delegated administration through organization authorization.


  4. Enable IDM Organization Attribute Name Contains ID if the LDAP resource attribute that refers to the Identity Manager organization contains the ID of the organization rather than its name.

  5. Enable Compress User XML if you want the user XML stored in the directory to be compressed.

  6. Click Test Directory Configuration to verify your entries.


    Note

    You may test your Directory, Transaction, and Audit Configurations as appropriate to your needs. To fully test all three, click all three Test Configuration buttons.


User Forms and Policy

In the User Forms and Policy area, shown in Figure 17-1 above, specify the forms and policies to use for service provider user administration.

To specify the forms and policies to use for service provider user administration, follow these steps:

  1. Select the End User Form from the list. This form is used everywhere except on the Delegated Administrator pages and during synchronization. If None is selected, no default user form is used.

  2. Select the Administrator User Form from the list. This is the default user form used in administrator contexts, including the Service Provider Accounts edit pages. If None is selected, no default user form is used.


    Note

    If you do not choose an Administrator User Form, administrators will not be able to create or edit Service Provider users from Identity Manager.


  3. Select a Synchronization User Form from the list. This is the default form used when no form is specified for a resource running Service Provider synchronization. If an input form is specified on a resource's synchronization policy, that form is used instead. Resources usually require different synchronization input forms, so in most cases you should set the synchronization user form on each resource rather than selecting a form here.

  4. Select an Account Policy from the list. The choices include any Identity Account Policy defined through Configure > Policies.

  5. Select an Is Account Locked Rule from the list. This rule is run against the Service Provider User view to determine whether an account is locked.

  6. Select a Lock Account Rule. This rule is run against the Service Provider User view and sets attributes in the view that cause the account to be locked.

  7. Select an Unlock Account Rule. This rule is run against the Service Provider User view and sets attributes in the view that cause the account to be unlocked.

Transaction Database

Use this section of the Service Provider Configuration page, shown in Figure 17-2, to configure a transaction database. These options are required only when using the JDBC Transaction Persistent Store. Changing any of these values requires that you restart the server to apply them.

The database table for transactions must be set up according to the schema shown in the create_spe_tables DDL scripts (located in the sample directory of your Identity Manager installation). The appropriate script may have to be customized for the target environment.

Figure 17-2  Service Provider Configuration (Transaction Database)

Screen capture of the Service Provider Configuration,Transaction Database form.

To configure a transaction database, follow these steps:

  1. Enter the following database information:
    • Driver Class - Specify the JDBC driver class name.
    • Driver Prefix - This field is optional. If specified, the JDBC DriverManager is queried for an already registered driver for this prefix before a new driver is registered.
    • Connection URL Template - This field is optional. If specified, it is the template from which the JDBC connection URL is built using the Host, Port, and Database Name values entered below.
    • Host - Enter the name of the host where the database is running.
    • Port - Enter the port number the database server is listening on.
    • Database Name - Enter the name of the database to use.
    • User Name - Enter the ID of a database user with permission to read, update, and delete rows in the transaction and audit tables of the selected database. Grant this account only the privileges it needs on those tables; the tables themselves are created in advance with the DDL script, so the account does not need schema or administrative rights.
    • Password - Enter the database user password.
    • Transaction Table - Enter the name of the table in the selected database to use for storing pending transactions.
  2. If appropriate, click Test Transaction Configuration to verify your entries.

Continue to the next section of the Service Provider Configuration page to configure tracked events.

Tracked Event Configuration

When event collection is enabled, it allows you to track statistics in real time thereby helping to maintain expected or agreed-upon levels of service. Event collection is enabled by default, as shown in Figure 17-3. Clearing the Enable event collection check box disables collection.

Figure 17-3  Service Provider Configuration (Tracked Events, Account Indexes, and Callout Configuration)

Configuring tracked events, account indexes, and callout configuration information for a Service Provider configuration.

To set the time zone and specify collection intervals for service provider tracked events, follow these steps:

  1. Select the Time zone from the list. Select the time zone to use when recording tracked events, or select Set to Server Default to use the time zone set on the server.

  2. Select the Time Scales to collect options. Collection is aggregated over the following time intervals: every 10 seconds, every minute, every hour, daily, weekly, and monthly. Disable any of the intervals for which you do not want collection to occur.

Synchronization Account Indexes

When synchronizing resources in a Service Provider implementation, it may be necessary to define Account Indexes to properly correlate events sent by the resource to users in the Service Provider directory.

By default, resource events are required to contain a value for the attribute accountId which matches the accountId attribute in the directory. In some resources, accountId is not consistently sent. For example, delete events from ActiveDirectory contain only the ActiveDirectory generated account GUID.

Resources that do not include the accountId attribute must instead include a value for one of the following attributes:

    • guid - a resource-generated unique identifier for the account, such as the ActiveDirectory account GUID
    • identity - the full identity of the account on the resource

To correlate using either guid or identity, you must define an account index for those attributes. An index is simply the selection of one or more directory user attributes that are used to store resource-specific identities. Once the identities are stored in the directory, they can be used in search filters to correlate synchronization events.

To define account indexes, first determine which resources will be used for synchronization, and which of those require an index. Then edit the Resource definition for the Service Provider directory and add attributes in the schema map for the GUID or identity attributes for each of the Active Sync resources. For example, if you were synchronizing from ActiveDirectory, you might define an attribute named AD-GUID mapped to an unused directory attribute such as manager.

After you have defined all of the index attributes in the Service Provider resource, follow these steps:

  1. In the Synchronization Account Indexes area of the configuration page, click the New Index button. The form expands to contain a resource selection field followed by two attribute selection fields. The attribute selection fields remain empty until a resource is selected.

  2. Select a Resource from the list. The attribute fields now contain the values defined in the schema map for the selected resource.

  3. Select the appropriate index attribute for the Guid Attribute, the Full Identity Attribute, or both. It is not usually necessary to set both. If both are set, the software first attempts to correlate using the GUID, then the full identity.

  4. Click New Index again to define index attributes for other resources.

  5. To delete an index, click the Delete button to the right of the Resource selection field.



Note

Deleting an index only removes the index from the configuration, it does not modify all of the existing directory users that may currently have values stored in the index attributes.
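The correlation order described above, as an added example that is not Identity Manager code: events carrying an accountId are matched on it directly; events without one fall back to the configured GUID index attribute and then to the full identity attribute. The directory entries, the index attribute names (the page's AD-GUID-in-manager mapping, plus an assumed adDn attribute for the full identity) and the events are all constructed, and treating an index value that matches more than one user as no match is an assumption of this example.

```python
# Added example (not Identity Manager code): how synchronization events are
# correlated to Service Provider directory users in the order the page gives,
# accountId first, then the GUID index attribute, then the full identity
# index attribute. Directory entries, index names and events are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccountIndex:
    """One Synchronization Account Index: the directory attributes that hold a
    resource's GUID and/or full identity for users synchronized from it."""
    resource: str
    guid_attr: Optional[str] = None
    identity_attr: Optional[str] = None


# Constructed sample of the Service Provider directory. As in the page's
# example, the otherwise unused 'manager' attribute stores the AD GUID.
DIRECTORY: List[Dict[str, str]] = [
    {"accountId": "jdoe", "manager": "{guid-1111}",
     "adDn": "CN=John Doe,OU=Staff,DC=example,DC=com"},
    {"accountId": "asmith", "manager": "{guid-2222}",
     "adDn": "CN=Ann Smith,OU=Staff,DC=example,DC=com"},
    {"accountId": "dup1", "manager": "{guid-9999}"},   # two users sharing a
    {"accountId": "dup2", "manager": "{guid-9999}"},   # GUID value: ambiguous
]

# Index defined for the Active Directory resource only (assumed names).
INDEXES: Dict[str, AccountIndex] = {
    "ActiveDirectory": AccountIndex("ActiveDirectory",
                                    guid_attr="manager", identity_attr="adDn"),
}


def find_by(attr: str, value: str) -> List[Dict[str, str]]:
    """Stand-in for an LDAP equality search filter on one attribute."""
    return [u for u in DIRECTORY if u.get(attr) == value]


def correlate(resource: str, event: Dict[str, str]) -> Optional[str]:
    """Return the accountId of the directory user an event refers to, or None.

    An index lookup that matches more than one user is treated as no match.
    That is an assumption of this example; the page does not say how an
    ambiguous index value is handled.
    """
    if "accountId" in event:
        hits = find_by("accountId", event["accountId"])
        return hits[0]["accountId"] if len(hits) == 1 else None
    idx = INDEXES.get(resource)
    if idx is None:
        return None  # no index configured for this resource: cannot correlate
    # GUID is tried before full identity when both are configured.
    for index_attr, event_key in ((idx.guid_attr, "guid"),
                                  (idx.identity_attr, "identity")):
        if index_attr and event_key in event:
            hits = find_by(index_attr, event[event_key])
            if len(hits) == 1:
                return hits[0]["accountId"]
    return None


# Constructed events: a normal update, an AD delete carrying only the GUID
# (the case the page describes), a DN-only event, an ambiguous GUID and an
# event from a resource with no index defined.
SAMPLE_EVENTS = [
    ("ActiveDirectory", {"op": "update", "accountId": "jdoe"}),
    ("ActiveDirectory", {"op": "delete", "guid": "{guid-2222}"}),
    ("ActiveDirectory", {"op": "update",
                         "identity": "CN=John Doe,OU=Staff,DC=example,DC=com"}),
    ("ActiveDirectory", {"op": "delete", "guid": "{guid-9999}"}),
    ("HRFeed", {"op": "update", "guid": "{guid-1111}"}),
]

if __name__ == "__main__":
    for res, ev in SAMPLE_EVENTS:
        print(f"{res:16} {ev['op']:7} -> {correlate(res, ev)}")
```

The ambiguous GUID case is why the index attribute you borrow (manager, in the page's example) must be one that is otherwise unused and unique per user: an index value shared by two entries cannot safely be resolved to either.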


Callout Configuration

In the Callout Configuration section, select the option that enables callouts. When callouts are enabled, the callout mappings appear, letting you select pre-operation and post-operation callouts for each transaction type listed.

By default, the pre- and post-operation options are set to None.

If you specify post-operation callouts, use the Wait for post-operation callout option to specify that the transaction must wait for the post-operation callout processing to complete before finishing. This ensures that any dependent transaction is executed only after the post-operation callout has successfully completed.


Note

After completing your selections for all sections on the Service Provider Configuration page, click Save to complete the configuration.


Edit User Search Configuration

Use this page, shown in Figure 17-4, to configure the default search settings for searches made by delegated administrators on the Manage Service Provider Users page. These defaults apply to all users of the Manage Service Provider Users page, but they can be overridden on a per-session basis.

Figure 17-4  Search Configuration

Setting the default search options in the Service Provider configuration

To configure the default search settings for searching Service Provider users, follow these steps:

  1. Click Service Provider from the menu bar.
  2. Click Edit User Search Configuration.
  3. Enter a number for Maximum Results Returned (default 100).
  4. Enter a number for Results Per Page (default 10).
  5. Use the arrow controls to move attributes from Available Attributes to Result Attributes to Display.
  6. Select the Attribute to search from the list.
  7. Select the Search Operation from the list.
  8. Click Save.


    Note

    Changes made to the search configuration do not take effect until you log off and log back on.

    These configuration objects are not available if the Service Provider Directory has not been configured.



Transaction Management

A transaction encapsulates a single provisioning operation, for example creating a new user or assigning new resources. To ensure that these transactions eventually complete even when resources are temporarily unavailable, they are written to the Transaction Persistent Store and retried.

The following topics in this section contain procedures for managing service provider transactions:

    • Setting Default Transaction Execution Options
    • Setting Transaction Persistent Store
    • Set Advanced Transaction Processing Settings
    • Monitoring Transactions

Setting Default Transaction Execution Options

These options control how transactions are executed, including synchronous/asynchronous processing and when they are persisted to the Transaction Persistent Store. They can be overridden in the IDMXUser view or through the form used to process it. For more information, see Identity Manager Service Provider Deployment.

To configure service provider transactions, follow these steps:

  1. Click Service Provider > Edit Transaction Configuration. The Service Provider Transaction Configuration page appears.

    Figure 17-5 shows the Default Transaction Execution options area.

    Figure 17-5  Transaction Configuration
    Setting the default transaction execution options in a Service Provider configuration

  2. Select the Guaranteed Consistency Level from the following options to specify the level of transaction consistency for user updates:
    • None — No guaranteed ordering of resource updates for a user.
    • Local — Resource updates for a user being processed by the same server are guaranteed to be ordered.
    • Complete — All resource updates for a user are guaranteed to be in order, across all servers. This option requires all transactions to be persisted before they are attempted or before asynchronous processing.
  3. Select the Default Transaction Execution options that you want to enable:
    • Wait for First Attempt — Dictates how control returns to the caller when an IDMXUser view object is checked in. If the option is enabled, the checkin operation blocks until the provisioning transaction has completed a single attempt. If asynchronous processing is disabled, the transaction has either succeeded or failed when control is returned. If asynchronous processing is enabled, the transaction continues to be retried in the background. If the option is disabled, the checkin operation returns control to the caller before attempting the provisioning transaction. Consider enabling this option.
    • Enable Asynchronous Processing — Controls whether processing of provisioning transactions continues after the checkin call returns.

      Enabling asynchronous processing allows the system to retry transactions. It also improves throughput by allowing the worker threads configured in Set Advanced Transaction Processing Settings to run asynchronously. If you select this option, you should configure the retry intervals and attempts for the resources being provisioned to or updated via the synchronization input form.

      When Enable Asynchronous Processing is selected, enter a Retry Timeout value. This is an upper bound, expressed in milliseconds, on how long the server retries a failed provisioning transaction. This setting complements the retry settings on the individual resources, including the Service Provider user LDAP directory: if this limit is reached before the resource retry limits are reached, the transaction is aborted. If the value is negative, the number of retries is limited only by the settings of the individual resources.

    • Persist Transactions Before Attempting — If enabled, provisioning transactions are written to the Transaction Persistent Store before they are attempted. Enabling this option might incur unnecessary overhead because most provisioning transactions succeed on the first attempt. Consider disabling this option unless the Wait for First Attempt option is disabled. This option is not available if the Complete consistency level is selected.
    • Persist Transactions Before Asynchronous Processing (default selection) — If enabled, provisioning transactions are written to the Transaction Persistent Store before they are processed asynchronously. If the Wait for First Attempt option is enabled, transactions that need to be retried are persisted before control is returned to the caller. If the Wait for First Attempt option is disabled, transactions are always persisted before they are attempted. It is recommended to enable this option. This option is not available if the Complete consistency level is selected.
    • Persist Transactions on Each Update — If enabled, provisioning transactions are persisted after each retry attempt. This can aid in isolating problems because the Transaction Persistent Store, which is searchable from the Search Transactions page, is always up to date.
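How the Retry Timeout bound interacts with the per-resource retry limits, as an added example that is not Identity Manager code. A transaction keeps retrying the resource updates that failed until all of them succeed, one resource exhausts its own retry limit, or the global Retry Timeout elapses first; a negative timeout leaves only the resource limits in force, as the option description above says. The resource names, retry limits, intervals and scripted attempt outcomes are constructed, and checking the timeout at the moment the next retry is scheduled is an assumption of this example.

```python
# Added example (not Identity Manager code): how the Retry Timeout bound
# interacts with per-resource retry limits. A transaction keeps retrying the
# resource updates that failed until all succeed (success), a resource
# exhausts its own retry limit (failure), or the global Retry Timeout elapses
# first (failure). A negative Retry Timeout leaves only the resource limits.
# Resource names, limits, intervals and attempt outcomes are constructed.
from dataclasses import dataclass, field
from typing import List

UNATTEMPTED, PENDING_RETRY, SUCCESS, FAILURE = (
    "unattempted", "pending retry", "success", "failure")


@dataclass
class ResourceUpdate:
    name: str
    retry_limit: int            # retries allowed after the first attempt
    retry_interval_ms: int      # delay before the next attempt
    outcomes: List[bool]        # constructed result of attempt 1, 2, ...;
                                # the last value repeats for later attempts
    attempts: int = 0
    done: bool = False


@dataclass
class Transaction:
    updates: List[ResourceUpdate]
    retry_timeout_ms: int       # Retry Timeout from the configuration page
    submitted_ms: int = 0
    attempts: int = 0
    state: str = UNATTEMPTED
    errors: List[str] = field(default_factory=list)


def attempt_once(tx: Transaction) -> List[ResourceUpdate]:
    """Attempt every outstanding resource update; return those still failing."""
    tx.attempts += 1
    still_failing = []
    for u in tx.updates:
        if u.done:
            continue
        ok = u.outcomes[min(u.attempts, len(u.outcomes) - 1)]
        u.attempts += 1
        if ok:
            u.done = True
        else:
            still_failing.append(u)
    return still_failing


def run(tx: Transaction) -> Transaction:
    """Drive one transaction to a terminal state against a simulated clock."""
    now = tx.submitted_ms
    while True:
        failing = attempt_once(tx)
        if not failing:
            tx.state = SUCCESS
            return tx
        exhausted = [u for u in failing if u.attempts > u.retry_limit]
        if exhausted:
            tx.errors.append("retry limit reached on " +
                             ", ".join(u.name for u in exhausted))
            tx.state = FAILURE
            return tx
        next_at = now + max(u.retry_interval_ms for u in failing)
        # Assumption of this example: the timeout is checked when the next
        # retry is scheduled, and aborts if that retry would fall outside it.
        if tx.retry_timeout_ms >= 0 and next_at - tx.submitted_ms > tx.retry_timeout_ms:
            tx.errors.append(f"retry timeout of {tx.retry_timeout_ms} ms reached "
                             "before the resource retry limits")
            tx.state = FAILURE
            return tx
        tx.state = PENDING_RETRY
        now = next_at


def make_tx(retry_timeout_ms: int, ad_outcomes: List[bool],
            ad_retry_limit: int = 3) -> Transaction:
    """Constructed user update touching the SP directory (succeeds on the
    first attempt) and an Active Directory account with scripted results."""
    return Transaction(
        updates=[
            ResourceUpdate("SP-Directory", retry_limit=3,
                           retry_interval_ms=1000, outcomes=[True]),
            ResourceUpdate("ActiveDirectory", retry_limit=ad_retry_limit,
                           retry_interval_ms=1000, outcomes=ad_outcomes),
        ],
        retry_timeout_ms=retry_timeout_ms,
    )


if __name__ == "__main__":
    for label, tx in [
        ("AD recovers on 3rd attempt, 10 s timeout", make_tx(10000, [False, False, True])),
        ("same, but 1.5 s timeout", make_tx(1500, [False, False, True])),
        ("AD never recovers, no global timeout", make_tx(-1, [False], ad_retry_limit=2)),
    ]:
        run(tx)
        print(f"{label}: {tx.state} after {tx.attempts} attempt(s) {tx.errors}")
```

The second scenario is the one to watch for when tuning: a Retry Timeout shorter than the resources' own interval times attempts silently turns a recoverable outage into a failed transaction, which then only shows up through the Search Transactions page.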

Setting Transaction Persistent Store

The options on the Service Provider Transaction Configuration page apply to the Transaction Persistent Store. The type of store can be configured as well as additional queryable attributes to expose in the store, as shown in the following figure.

Figure 17-6  Transaction Persistent Store

Configuring Service Provider Transaction Persistent Store

To set options on the Service Provider Transaction Configuration page, follow these steps:

  1. Select the desired Transaction Persistent Store Type from the list. If Database is selected, the RDBMS configured on the main Service Provider configuration page is used for persisting provisioning transactions, which guarantees that transactions that must be retried are not lost when a server is restarted. Selecting this option requires configuring the RDBMS on the main Service Provider configuration page. If Simulated memory-based is selected, transactions that require retry are stored only in memory and are lost when the server restarts. Use the Database option for production environments.


    Note

    The memory-based transaction persistent store is not suitable for use in clustered environments.

    When Transaction Persistent Store Type is changed, you must restart all running Identity Manager instances for the change to take effect.


  2. If desired, enter Customized queryable user attributes. These are additional attributes of the IDMXUser object to expose in transaction summaries. They are queryable from the Search Transactions page and appear in search results. For each attribute, specify:

    • User path expression — Enter a path expression into the IDMXUser object.
    • Display name — Choose a display name corresponding to the path expression. This display name is shown on the transaction search page.

Set Advanced Transaction Processing Settings

These advanced options control the inner workings of the transaction manager. Do not change the provided defaults unless performance analysis indicates they are not optimal. All entries are required.

Figure 17-7 illustrates the Advanced Transaction Processing Settings area on the Edit Transaction Configuration page.

Figure 17-7  Advanced Transaction Processing Settings

Configuring Advanced Transaction Processing settings.

  1. Enter the desired number of Worker Threads (default 100). This is the number of threads used to process transactions, and it limits the number of transactions that are processed concurrently. These threads are statically allocated at startup.


    Note

    When the Worker Threads setting is changed, you must restart all running Identity Manager instances for the change to take effect.


  2. Enter the desired Lease Duration (ms) (default 600000). This controls how long a server locks a transaction that it is retrying. The lease is renewed as needed; however, if the server does not shut down cleanly, another server cannot lock the transaction until the original server's lease expires. The value should be at least one minute. Smaller values increase the load on the Transaction Persistent Store because leases must be renewed more often.

  3. Enter the desired Lease Renewal (ms) time (default 300000). This controls when the lease on a locked transaction is renewed: it is renewed when this many milliseconds remain on the lease.

  4. Enter the desired time to Retain Completed Transactions in Store (ms) (default 360000). This is how many milliseconds to wait before removing completed transactions from the Transaction Persistent Store. Unless transactions are configured to be persisted immediately, the Transaction Persistent Store does not contain all completed transactions.

  5. Enter the desired Ready Queue Low Water Mark (default 400). When the transaction scheduler's queue of ready-to-run transactions falls below this limit, it refills the queue with any available ready-to-run transactions up to the high water mark.

  6. Enter the desired Ready Queue High Water Mark (default 800). This is the limit to which the ready queue is refilled once it has fallen below the low water mark.

  7. Enter the desired Pending Queue Low Water Mark (default 2000). The transaction scheduler's pending queue holds failed transactions that are pending a retry. When the queue is flushed because it exceeded the high water mark, the transactions beyond this low water mark are the ones written to the Transaction Persistent Store.

  8. Enter the desired Pending Queue High Water Mark (default 2000). If the size of the pending queue exceeds this limit, all transactions beyond the low water mark are flushed to the Transaction Persistent Store.

  9. Enter the desired Scheduler Period (ms) (default 500). This is how often the transaction scheduler runs. When it runs, the scheduler moves ready-to-run transactions from the pending queue to the ready queue and performs other periodic duties such as persisting transactions to the Transaction Persistent Store.

  10. Click Save to accept the settings.
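The lease semantics behind Lease Duration and Lease Renewal, as an added example that is not Identity Manager code: a server retrying a transaction holds a lease on it in the store, renews the lease whenever the time remaining drops to the renewal threshold, and a second server can take the transaction only after the lease expires, which is what happens after an unclean shutdown. The clock is simulated, the server names and transaction ID are constructed, and the durations are deliberately far shorter than the documented defaults and the one-minute minimum so that the run stays readable.

```python
# Added example (not Identity Manager code): the lease semantics behind Lease
# Duration and Lease Renewal. A server retrying a transaction holds a lease
# on it in the store, renews it whenever the remaining time drops to the
# renewal threshold, and a second server can take the transaction only
# after the lease expires, which is what happens after an unclean shutdown.
# The clock is simulated and the durations are far shorter than the
# documented defaults (and the one-minute minimum) to keep the run readable.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Lease:
    owner: str
    expires_ms: int


class TransactionStore:
    """Minimal stand-in for the lease bookkeeping in the persistent store."""

    def __init__(self, lease_duration_ms: int, lease_renewal_ms: int) -> None:
        if not 0 < lease_renewal_ms < lease_duration_ms:
            raise ValueError("renewal threshold must be shorter than the lease")
        self.duration = lease_duration_ms
        self.renewal = lease_renewal_ms
        self.leases: Dict[str, Lease] = {}

    def try_lock(self, tx_id: str, server: str, now_ms: int) -> bool:
        """Take the lease if it is free, expired, or already ours."""
        lease = self.leases.get(tx_id)
        if lease is None or lease.expires_ms <= now_ms or lease.owner == server:
            self.leases[tx_id] = Lease(server, now_ms + self.duration)
            return True
        return False

    def renew_if_needed(self, tx_id: str, server: str, now_ms: int) -> bool:
        """Called by the owner on each scheduler tick. Renews when the time
        left on the lease is at or below Lease Renewal. Returns True only
        when a renewal was written to the store."""
        lease = self.leases.get(tx_id)
        if lease is None or lease.owner != server or lease.expires_ms <= now_ms:
            return False  # the lease was lost; another server may own it now
        if lease.expires_ms - now_ms <= self.renewal:
            lease.expires_ms = now_ms + self.duration
            return True
        return False


def run_scenario(crash_at_ms: int = 5000, duration_ms: int = 6000,
                 renewal_ms: int = 3000, period_ms: int = 500,
                 end_ms: int = 12000) -> Dict[str, object]:
    """serverA locks tx-1 at t=0 and ticks every Scheduler Period until it
    crashes at crash_at_ms; serverB tries to lock the same transaction on
    every tick. Returns when renewals happened and when serverB got in."""
    store = TransactionStore(duration_ms, renewal_ms)
    store.try_lock("tx-1", "serverA", 0)
    renewed_at: List[int] = []
    b_acquired_at: Optional[int] = None
    for now in range(period_ms, end_ms + 1, period_ms):
        if now <= crash_at_ms and store.renew_if_needed("tx-1", "serverA", now):
            renewed_at.append(now)
        if b_acquired_at is None and store.try_lock("tx-1", "serverB", now):
            b_acquired_at = now
    return {"renewed_at": renewed_at, "b_acquired_at": b_acquired_at,
            "final_owner": store.leases["tx-1"].owner}


if __name__ == "__main__":
    print("A crashes at 5 s:", run_scenario())
    print("A never crashes: ", run_scenario(crash_at_ms=12000))
    print("A dies at once:  ", run_scenario(crash_at_ms=0))
```

With a 6 s lease and a 3 s renewal threshold, the healthy server writes a renewal every 3 s, which is the store load the Lease Duration note refers to; after it crashes at 5 s, the other server has to wait until the lease taken at the last renewal runs out at 9 s before it can resume the retry. That gap is the trade-off the settings express: a longer lease means fewer renewals but a longer stall after an unclean shutdown.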

Monitoring Transactions

Service Provider transactions are written to the Transaction Persistent Store. You can search for transactions in the Transaction Persistent Store to view the transaction status.


Note

Using the Edit Transaction Configuration page (see Transaction Management), the administrator can control when transactions are persisted. For instance, they can be persisted immediately, even before they are attempted for the first time.


The Transactions Search page allows you to specify search conditions that filter the transactions to view based on criteria related to the transaction event, such as user, type, status, transaction ID, current state, and success or failure of the transaction. This includes transactions that are still being retried as well as transactions that have already completed. Transactions that have not completed can be cancelled, which prevents any further attempts.

To search transactions, follow these steps:

  1. In the Administrator interface, click Server Tasks in the main menu.
  2. Click Service Provider Transactions in the secondary menu. The Service Provider Transaction Search page opens, allowing you to specify search conditions.


    Note

    The search returns only transactions that match all of the conditions selected below. This is similar to the Accounts > Find Users page.


  3. If desired, select User Name. This allows you to search for transactions that apply only to users with the accountId that you enter.


    Note

    If you have configured any Customized queryable user attributes on the Service Provider Transaction Configuration page, they appear here. For example, you could search based on Last Name or Full Name if these were configured as customized queryable user attributes.


  4. If desired, select search for Type. This allows you to search for transactions of the selected type or types.

  5. If desired, select search for State. This allows you to search for transactions in the selected state or states:

    • Unattempted transactions have not yet been attempted.
    • Pending retry transactions have been attempted one or more times, have had one or more errors, and are scheduled to be retried up to the retry limits configured for the individual resources.
    • Success transactions have completed successfully.
    • Failure transactions have completed with one or more failures.
  6. If desired, select to search for Attempts. This allows you to search for transactions based on how many times they have been attempted. Failed transactions are retried up to the retry limits configured for the individual resources.

  7. If desired, select to search for Submitted. This allows you to search for transactions based on when they were initially submitted, in increments of hours, minutes, or days.

  8. If desired, select to search for Completed. This allows you to search for transactions based on when they were completed, in increments of hours, minutes, or days.

  9. If desired, select to search for Cancelled Status. This allows you to search for transactions based on whether or not they have already been cancelled.

  10. If desired, select to search for Transaction ID. This allows you to search for transactions based on their unique ID. Use this option to find the transaction whose ID appears in an audit log record; the transaction ID is recorded in all audit log records for that transaction.

  11. If desired, select to search for Running On (which server). This allows you to search for transactions based on the Service Provider server on which they are running. The server's identifier is its machine name unless it has been overridden in the Waveset.properties file.

  12. Limit the search to the first N results by selecting a number from the list. Only results up to the specified limit are returned; there is no indication that additional results are available.

    Figure 17-8  Search Transactions
    Specify the search conditions to search for service provider user transactions.

  13. Click Search. The search results are displayed.

  14. If desired, click Download All Matched Transactions at the bottom of the results page. This saves the results to an XML formatted file.


    Note

    You can cancel transactions returned in the search results. Select the transaction in the results table and click Cancel Selected. You cannot cancel transactions that have completed or have already been cancelled.



Delegated Administration

Delegated administration for Service Provider users is enabled through the use of Identity Manager admin roles, or through the organization-based authorization model.

Delegation Through Organization Authorization

Identity Manager provides delegation of administrative duties through the organization-based authorization model, by default. Keep the following in mind when creating delegated administrators in an organization-based authorization model:

Delegation Through Admin Role Assignment

For granting fine-grain capabilities and scope of control on Service Provider users, use a Service Provider User Admin Role. The Admin Roles can be configured to be dynamically assigned to one or more Identity Manager or Service Provider Users at login time.

Rules can be defined and assigned to Admin Roles that specify the capabilities (such as Service Provider Create User) granted to users assigned the admin role.

To use Admin Role delegation for service provider users, you must enable it in the Identity Manager system configuration object, as described in Enabling Service Provider Admin Role Delegation.

If delegation through Admin Role assignment is enabled, then the IDM Organization Attribute Name in the Service Provider Configuration is not required.

Enabling Service Provider Admin Role Delegation

To enable service provider admin role delegation (Service Provider delegated administration), open the system configuration object for modification and set the following property to true:

security.authz.external.<app name>.<object type>

where <app name> is the Identity Manager application (such as Administrator Interface) and <object type> is Service Provider Users.

This property can be enabled per Identity Manager application (for example, for the Administrator Interface or User Interface) and per object type. Currently, the only supported object type is Service Provider Users. The default value is false.

For example, to enable Service Provider Delegated Administration for Identity Manager administrators, set the following attribute in the System Configuration configuration object to “true”:

security.authz.external.Administrator Interface.Service Provider Users

If Service Provider Delegated Administration is disabled (set to false) for a given Identity Manager or Service Provider application, the organization-based authorization model is used.

When Service Provider Delegated Administration is enabled, tracked events capture information about the number and duration of authorization rules executed. These statistics are available in the dashboard.

Configuring a Service Provider User Admin Role

To configure a Service Provider User Admin Role, create an admin role and specify the scope of control, capabilities, and to whom it should be assigned.


Note

Before creating a Service Provider User Admin Role, define the search context, search filter, after search filter, capabilities, and user assignment rules for the admin role. Each rule must be created with the authType that matches its use, that is, SPEUsersSearchContextRule, SPEUsersSearchFilterRule, SPEUsersAfterSearchFilterRule, CapabilitiesOnSPEUserRule, UserIsAssignedAdminRoleRule, or SPEUserIsAssignedAdminRoleRule.

Identity Manager provides sample rules that you can use to create these rules for Service Provider User Admin Roles. These rules are available in sample/adminRoleRules.xml in the Identity Manager installation directory.

For more information about creating these rules for your environment, see Identity Manager Service Provider Deployment.


To configure a Service Provider User Admin Role, follow these steps:

  1. In the Administrator interface, click Security on the menu, then click Admin Roles. The Admin Roles page opens.
  2. Click New.... The Create Admin Role page opens.
  3. Specify a name for the admin role and select Service Provider Users for the type.
  4. Specify the Scope of Control, Capabilities, and Assign To Users options, as described in the following sections.

Specifying the Scope of Control

The scope of control for the service provider user admin role specifies which service provider users a given Identity Manager administrator, Identity Manager end user, or Identity Manager service provider end user is allowed to see. It is enforced when a request is made to list Service Provider Users in the directory.

You can specify one or more of the following settings for the Service Provider User Admin Role scope of control:

Specifying Capabilities

Capabilities for the Service Provider User Admin Role specify which capabilities and rights the requesting user has on the Service Provider User for which access is being requested. It is enforced when a request is made to view, create, modify, or delete a Service Provider User.

On the Capabilities tab, select the Capabilities Rule to apply for this admin role.

Assigning Admin Roles To Users

Service Provider User Admin Roles can be dynamically assigned to service provider users by specifying a rule that will be evaluated at login time to determine whether to assign the authenticating user the Admin Role.

Click the Assign To Users tab, and select the rule to apply for the assignment.


Note

Dynamic assignment of Admin Roles to users must be enabled for each login interface (for example, the User interface and the Administrator interface) by setting the following System Configuration object property to true:

security.authz.checkDynamicallyAssignedAdminRolesAtLoginTo.logininterface

The default for all interfaces is false.


Delegating Service Provider User Admin Roles

By default, Service Provider Users can assign (or delegate) Service Provider User Admin Roles assigned to them to other Service Provider Users in their scope of control.

In fact, any Identity Manager User with capabilities to edit Service Provider Users can assign the Service Provider User Admin Roles assigned to them to the service provider users in their scope of control.

A Service Provider User Admin Role can also include a list of Assigners who can assign the Admin Role regardless of scope of control. These direct assignments can ensure that at least one known user account can assign the Admin Role.


Administering Service Provider Users

This section contains procedures and information for administering service provider users through Identity Manager. It contains the following topics:

User Organizations

With Service Provider, the value of an attribute on the user determines to which organization the user is assigned. This is specified by the Identity Manager Organization Attribute Name field in the Service Provider Main configuration (see Initial Configuration). However, the names of those organizations must match the value of a user attribute assigned in the directory server.

If the Identity Manager Organization Attribute Name is defined, then a multi-select list of available organizations appears on the Create User and Edit User pages. The short organization names are displayed by default. You can modify the Service Provider User Form to display the full organization path.

You may pick which attribute becomes the organization name attribute. The organization name attribute is then used in the Service Provider user administration pages to constrain which administrators can search for and manage that user.


Note

There are now account ID and password policies for Service Provider and resource accounts.

The Service Provider System Account Policy is available from the main Policies table.


Create Users and Accounts

All service provider users must have an account in the Service Provider directory. If a user has accounts on other resources, then links to these accounts are stored in the user's directory entry, so information about these accounts is available when the user is viewed.


Note

A sample Service Provider User Form for creating and editing users is provided. Customize this form to meet the requirements for managing users in your Service Provider environment. For more information, see Identity Manager Workflows, Forms, and Views.


To create a Service Provider account, follow these steps:

  1. In the Administrator interface, click Accounts on the menu bar.
  2. Click the Manage Service Provider Users tab.
  3. Click Create User.

     Note

     When using the default Service Provider User Form, the fields that are displayed depend on the attributes configured in the Account Attributes table (Schema map) of the Service Provider directory resource. Also, when you assign resources to the user (such as a delegated administrator), new sections are added to the display where you can specify values for the attributes of those resources. You may also customize the fields.

  4. Enter the following values as required:
    • accountid (this field is required)
    • password
    • confirmation (this is the password confirmation)
    • firstname (this field is required)
    • lastname (this field is required)
    • fullname
    • email
    • home phone
    • cell phone
    • password retry count
    • account unlock time
  5. Assign any desired Resources from the Available listing using the arrow keys.
  6. The Account Status displays whether the account is locked or unlocked. Click this option to lock or unlock the account.

     Figure 17-9  Create Service Provider Users and Accounts

     Create Service Provider Users and Account attributes.

     Note

     This form automatically populates values for the resource account attributes based on the attributes defined for the directory account (at the top). For example, if the resource defines firstName, then the product populates it with the firstName value from the directory account. However, after this initial population, modifications to these attributes are not propagated to the resource accounts. If desired, customize the provided sample Service Provider User Form.

  7. Click Save to create the user account.

Search Service Provider Users

Service Provider includes a configurable search capability to aid in administering user accounts. Only the users within your scope (as defined by your organization, and perhaps other factors) are returned in a search.

To perform a basic search of service provider users, from the Accounts area in the Identity Manager interface, click Manage Service Provider Users, then enter the search value and click Search.

The following topics discuss the Service Provider search features:

Advanced Search

To perform an advanced search of service provider users, from the Service Provider Users Search page, click Advanced and then complete the following actions:

  1. Choose the desired Attribute from the list.
  2. Choose the desired Operation from the list. Each attribute condition filters the users returned by the search; a user is returned only if it meets all of the specified conditions.
  3. Enter the desired search value, and then click Search.

Figure 17-10  Search Users

Specify attribute conditions to search service provider users.

You can add or remove Attribute Conditions, using the following options:

Search Results

Service Provider search results are displayed in a table, as depicted in Figure 17-11. The results can be sorted by any attribute by clicking on the column header for that attribute. The results displayed depend on the attributes you selected.

The arrow buttons navigate to the first, previous, next, and last pages of results. You can jump to a specific page by entering the number in the text box and pressing Enter.

To edit a user, click the user name in the table.

Figure 17-11  Example of Search Results

Example of a Service Provider User search results.

The search results page enables you to delete users or unlink resource accounts by selecting one or more users and clicking the Delete button. This action brings up a delete user page that presents additional options (see Delete, Unassign, or Unlink Accounts).

Link Accounts

Service Provider may be installed in environments in which users have accounts on multiple resources. The account linking feature of Service Provider enables you to assign existing resource accounts to Service Provider users in an incremental fashion. The account linking process is controlled by the Service Provider linking policy, which defines a link correlation rule, a link confirmation rule, and a link verification option.

To link user accounts, follow these steps:

  1. In the Administrator interface, click Resources in the menu bar.
  2. Select the desired resource.
  3. Select Edit Service Provider Linking Policy from the Resources Action menu.
  4. Select a link correlation rule. This rule searches for accounts on the resource that the user may own.
  5. Select a link confirmation rule. This rule eliminates resource accounts from the list of potential accounts that the link correlation rule selected.

     Note

     If the link correlation rule selects no more than one account, then the link confirmation rule is not required.

  6. Select Link verification required to link the target resource account to the Service Provider user.
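The two-stage decision that the linking policy describes (correlation proposes candidates, confirmation narrows them, verification holds the link) as an added example in Python. This is illustrative code written for this page, not Identity Manager's implementation: the rule callables, the policy and decision classes, and the sample accounts and users are all constructed here.

```python
"""Illustrative model of the Service Provider linking decision: a correlation rule
proposes candidate accounts, a confirmation rule narrows them when needed, and the
link verification option decides whether the link is made immediately.
Added example, not Identity Manager code; all names and sample data are constructed."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class ResourceAccount:
    account_id: str
    email: str


@dataclass
class LinkingPolicy:
    # Link correlation rule: returns accounts on the resource the user may own.
    correlation_rule: Callable[[dict, Iterable[ResourceAccount]], List[ResourceAccount]]
    # Link confirmation rule: eliminates candidates; optional when correlation is precise.
    confirmation_rule: Optional[Callable[[dict, List[ResourceAccount]], List[ResourceAccount]]] = None
    # Link verification required: hold the link until it is verified.
    link_verification_required: bool = False


@dataclass(frozen=True)
class LinkDecision:
    account: Optional[ResourceAccount]
    status: str  # "linked", "pending-verification", "ambiguous" or "no-match"


def evaluate_link(user: dict, accounts: Iterable[ResourceAccount],
                  policy: LinkingPolicy) -> LinkDecision:
    candidates = list(policy.correlation_rule(user, accounts))
    # The confirmation rule only matters when correlation returns more than one account.
    if len(candidates) > 1:
        if policy.confirmation_rule is None:
            return LinkDecision(None, "ambiguous")
        candidates = list(policy.confirmation_rule(user, candidates))
    if not candidates:
        return LinkDecision(None, "no-match")
    if len(candidates) > 1:
        return LinkDecision(None, "ambiguous")
    account = candidates[0]
    if policy.link_verification_required:
        return LinkDecision(account, "pending-verification")
    return LinkDecision(account, "linked")


# Constructed sample accounts on a hypothetical resource.
SAMPLE_ACCOUNTS = [
    ResourceAccount("jsmith", "john.smith@example.com"),
    ResourceAccount("jsmith2", "jane.smith@example.com"),
    ResourceAccount("bjones", "bob.jones@example.com"),
]


def correlate_by_last_name(user, accounts):
    """Loose correlation: any account id containing the user's last name."""
    key = user["lastname"].lower()
    return [a for a in accounts if key in a.account_id.lower()]


def confirm_by_email(user, candidates):
    """Confirmation: keep only accounts whose e-mail matches the user's."""
    return [a for a in candidates if a.email.lower() == user["email"].lower()]


def demo():
    strict = LinkingPolicy(correlate_by_last_name, confirm_by_email,
                           link_verification_required=True)
    loose = LinkingPolicy(correlate_by_last_name)  # no confirmation, no verification
    john = {"accountid": "john.smith", "lastname": "Smith", "email": "john.smith@example.com"}
    bob = {"accountid": "bob.jones", "lastname": "Jones", "email": "bob.jones@example.com"}
    alice = {"accountid": "alice.wong", "lastname": "Wong", "email": "alice.wong@example.com"}
    return {
        "john_strict": evaluate_link(john, SAMPLE_ACCOUNTS, strict).status,
        "john_loose": evaluate_link(john, SAMPLE_ACCOUNTS, loose).status,
        "bob_loose": evaluate_link(bob, SAMPLE_ACCOUNTS, loose).status,
        "alice_strict": evaluate_link(alice, SAMPLE_ACCOUNTS, strict).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(case, status)
```

The john_loose case shows why a confirmation rule matters when the correlation rule is loose: two accounts match and, with no confirmation rule, the model refuses to link rather than guess, which is the safe outcome for an identity system.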

Delete, Unassign, or Unlink Accounts

To delete, unassign, or unlink user accounts, follow these steps:

  1. Click Accounts from the menu bar.
  2. Click Manage Service Provider Users.
  3. Perform a basic or advanced search.
  4. Select the desired user or users.
  5. Click the Delete button.
  6. If desired, select one of the global options:
    • Delete All resource accounts

      Note

      Deleting a resource account deletes the account, but the resource assignment still exists. A subsequent update of the user recreates the account. Delete always implies an unlink of the resource account.

    • Unassign All resource accounts

      Note

      Unassigning a resource removes that resource assignment. Unassign implies an unlink of the resource account. The resource account is not deleted when the resource is unassigned.

    • Unlink All resource accounts

      Note

      Unlinking removes the link between a user and the resource account, but does not delete the account. The resource assignment is not removed either, so a subsequent update to the user relinks the account or creates a new account on the resource.

  7. Alternatively, select an action for one or more resource accounts in the Delete, Unassign, or Unlink columns.
  8. After selecting the desired user accounts, click OK.

Figure 17-12  Delete, Unassign, or Unlink Accounts

When deleting a service provider user, you can delete, unassign, or unlink accounts.
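The three notes above describe what Delete, Unassign and Unlink leave behind and what a later update of the user then does. The following added Python example models those semantics; it is illustrative code for this page, not Identity Manager code, and the user record, the resource store and the sample account are constructed.

```python
"""Illustrative model of the Delete, Unassign and Unlink semantics described above,
including what a subsequent update of the user does in each case. Added example,
not Identity Manager code; the user record, resource store and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class ServiceProviderUser:
    account_id: str
    assigned: Set[str] = field(default_factory=set)       # resources assigned to the user
    links: Dict[str, str] = field(default_factory=dict)   # resource -> linked account id


class ResourceStore:
    """Stand-in for the accounts that exist on each managed resource."""

    def __init__(self):
        self.accounts: Dict[str, Set[str]] = {}

    def exists(self, resource: str, account_id: str) -> bool:
        return account_id in self.accounts.get(resource, set())

    def create(self, resource: str, account_id: str) -> None:
        self.accounts.setdefault(resource, set()).add(account_id)

    def delete(self, resource: str, account_id: str) -> None:
        self.accounts.get(resource, set()).discard(account_id)


def delete_account(user, store, resource):
    """Delete removes the account on the resource and implies an unlink; the assignment stays."""
    linked = user.links.pop(resource, None)
    if linked is not None:
        store.delete(resource, linked)


def unassign_account(user, store, resource):
    """Unassign removes the assignment and implies an unlink; the account is not deleted."""
    user.assigned.discard(resource)
    user.links.pop(resource, None)


def unlink_account(user, store, resource):
    """Unlink removes only the link; assignment and account both remain."""
    user.links.pop(resource, None)


def update_user(user, store) -> Dict[str, str]:
    """A later update provisions every assigned resource that has no link:
    it relinks an existing account with the user's id or creates a new one."""
    actions = {}
    for resource in sorted(user.assigned):
        if resource in user.links:
            continue
        if store.exists(resource, user.account_id):
            actions[resource] = "relinked"
        else:
            store.create(resource, user.account_id)
            actions[resource] = "created"
        user.links[resource] = user.account_id
    return actions


def demo(resource="app-directory"):
    """Run each operation on a fresh linked user and report the state afterwards
    plus what a subsequent update did."""
    results = {}
    for op in (delete_account, unassign_account, unlink_account):
        store = ResourceStore()
        store.create(resource, "jsmith")
        user = ServiceProviderUser("jsmith", {resource}, {resource: "jsmith"})
        op(user, store, resource)
        state = {
            "assigned": resource in user.assigned,
            "linked": resource in user.links,
            "account_exists": store.exists(resource, "jsmith"),
        }
        state["after_update"] = update_user(user, store).get(resource)
        results[op.__name__] = state
    return results


if __name__ == "__main__":
    for name, state in demo().items():
        print(name, state)
```

The point to take from the model is the one the notes make: only Unassign stops a later update from provisioning the resource again. Delete leaves the assignment in place, so the account comes back; Unlink leaves both, so the orphaned account is simply picked up again.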

Set Search Options

To set search options for service provider users, follow these steps:

  1. In the Administrator interface, click Accounts in the menu bar.
  2. Click Service Provider.
  3. Click Options.

     Note

     These options are valid only for the current login session. They affect how the search results are displayed, apply to both the basic and advanced search results, and some settings take effect only on new searches.

  4. Enter the Maximum Results Returned.
  5. Enter the Number of Results Per Page.
  6. Choose the desired Display Attribute from the Available Attributes using the arrow keys.

Figure 17-13  Set Search Options for Service Provider Users

Set Search Options for Service Provider Users.

End-User Interface

The bundled sample end-user pages provide examples for registration and self-service typical in xSP environments. The samples are extensible and can be customized. You may change the look and feel, modify navigation rules between pages, or display locale-specific messages for your deployment. For further information about customizing end-user pages see Identity Manager Service Provider Deployment.

In addition to auditing self-service and registration events, notification to the affected user can be sent using e-mail templates. Examples of using account ID and password policies, as well as account lockout, are also provided. Application developers can also leverage Identity Manager forms. The modular authentication service, implemented as a servlet filter, can be extended or replaced if necessary. This allows integration with access management systems such as Sun Access Manager.

Sample

The bundled sample end-user pages allow the user to register and maintain basic user information through a series of easy-to-navigate screens and receive email notification of their actions.

The example pages include the following features:

The pages are easy to customize for your deployment. The following may be customized:

For more information on customizing the pages see Identity Manager Service Provider Deployment.

Registration

New users are asked to register. During registration users can set their login, challenge questions, and notification information.

Figure 17-14  Registration Page

New Service Provider users must enter a first and last name and email address to register on first log in.

Home and Profile Screens

Figure 17-15 shows the end user home tab and Profile page. A user may change their login ID and password, manage notification, and create challenge questions.

Figure 17-15  My Profile Page

Service Provider users can set passwords, challenge password questions and manage notifications.


Synchronization

Synchronization for service provider users is enabled through the Synchronization Policy. To synchronize changes to attributes on resources with Identity Manager for service provider users, you must configure Service Provider Synchronization. The following topics explain how to enable synchronization in a service provider implementation:

Configure Synchronization

To configure Service Provider synchronization, you edit the Synchronization Policy for resources as described in Configuring Synchronization.

When editing the Synchronization Policy, the following options must be specified to enable the synchronization processes for service provider users.

Follow the instructions in Configuring Synchronization to specify other options as appropriate for your environment. The synchronization interval for Service Provider synchronization tasks defaults to 1 minute.


Note

The confirmation rule and form must use the IDMXUser view and not the Identity Manager input user view (see Identity Manager Service Provider Deployment for more information).

This is required because confirmation rules access a user view for each user identified in the correlation rule, impacting synchronization performance.


Click Save to save the policy definition. If synchronization is not disabled in the policy, it is scheduled as specified. If you disable synchronization in the policy, the synchronization service is stopped if it is currently running. If synchronization is enabled, it starts when the Identity Manager server is restarted, or when Start for Service Provider is selected under the Synchronization resource action.

Monitor Synchronization

Identity Manager provides the following methods for monitoring Service Provider synchronization.

Start and Stop Synchronization

Service Provider synchronization is enabled by default when you configure Identity Manager for a service provider implementation.

To disable Service Provider Active Sync, follow these steps:

  1. In the Administrator interface, click Resources on the menu. The List Resources page opens.
  2. In the Service Provider area, select the resource and click Edit Synchronization Policy to edit the policy.
  3. Clear the Enable Synchronization check box.
  4. Click Save. When the policy is saved, synchronization stops.

To stop synchronization without disabling it, select Stop for Service Provider from the Synchronization resource action.


Note

If you stop synchronization by using the resource action, without disabling synchronization, it will be started again when any Identity Manager server is started.


Migrate Users

The Service Provider functionality contains an example user migration task and associated scripts. This task migrates existing Identity Manager users to the Service Provider User directory. This section describes how to use the example migration task. You are encouraged to modify this example for use in your situation.

To migrate existing Identity Manager users, follow these steps:

  1. In the Administrator interface, click Server Tasks on the menu. The Find Tasks page opens.
  2. Click Run Tasks in the secondary menu.
  3. Click SPE Migration.
  4. Enter a unique Task Name.
  5. Select a Resource from the list. This is the resource in Identity Manager that represents the Service Provider directory server. Links to this resource found in Identity Manager users are not migrated.
  6. Enter an Identity Attribute. This is the Identity Manager user attribute that contains the short unique identity for the directory user.
  7. Select an Identity Rule from the list. This optional rule may calculate the name of the directory user from attributes of the Identity Manager user. The identity rule can calculate a simple name (typically uid), which is then processed through the identity template of the resource to form the directory server Distinguished Name (DN). The rule may also return a fully specified DN, which bypasses the identity template.
  8. Click Launch to start the background migration task.
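How the migration task derives each directory user's name, as an added Python example: the identity attribute (or an identity rule) yields a short name that goes through the resource's identity template, unless the rule already returns a full DN, and links to the target resource itself are not carried over. This is illustrative code written for this page, not the example migration task or its scripts; the identity template, the DN heuristic and the sample users are constructed assumptions.

```python
"""Illustrative model of how the migration task forms the directory name for each
Identity Manager user: the identity attribute (or an identity rule) yields a short
name that is passed through the resource's identity template, unless the rule
already returns a fully specified DN. Added example, not Identity Manager code;
the template, the DN heuristic and the sample users are constructed assumptions."""
import re
from string import Template
from typing import Callable, Dict, List, Optional

# Constructed identity template in the style of a directory resource; $name is substituted.
IDENTITY_TEMPLATE = Template("uid=$name,ou=People,dc=example,dc=com")

# Assumption: a value that starts with "attr=" is treated as a fully specified DN.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=")


def is_full_dn(value: str) -> bool:
    return bool(_DN_RE.match(value))


def directory_name(idm_user: Dict, identity_attribute: str,
                   identity_rule: Optional[Callable[[Dict], str]] = None,
                   template: Template = IDENTITY_TEMPLATE) -> str:
    """Return the DN for one Identity Manager user."""
    name = identity_rule(idm_user) if identity_rule else idm_user.get(identity_attribute)
    if not name:
        raise ValueError("no identity for user %s" % idm_user.get("accountId"))
    if is_full_dn(name):
        return name                       # rule supplied a DN: the template is skipped
    return template.substitute(name=name)


def migrate_users(users: List[Dict], target_resource: str, identity_attribute: str,
                  identity_rule: Optional[Callable[[Dict], str]] = None) -> List[Dict]:
    """Build the directory entries to create. Links to the target resource itself
    are dropped, as the task description states; other resource links are kept."""
    migrated = []
    for user in users:
        dn = directory_name(user, identity_attribute, identity_rule)
        resources = [r for r in user.get("resources", []) if r != target_resource]
        migrated.append({"dn": dn, "accountId": user["accountId"], "resources": resources})
    return migrated


# Constructed sample Identity Manager users.
SAMPLE_USERS = [
    {"accountId": "jsmith", "uid": "JSmith", "resources": ["SPE-Directory", "HR-App"]},
    {"accountId": "bjones", "uid": "BJones", "resources": ["HR-App"]},
]


def rule_from_uid(user):
    """Identity rule returning a simple name, which goes through the template."""
    return user["uid"].lower()


def rule_full_dn(user):
    """Identity rule returning a full DN, which bypasses the template."""
    return "cn=%s,ou=Migrated,dc=example,dc=com" % user["accountId"]


if __name__ == "__main__":
    for entry in migrate_users(SAMPLE_USERS, "SPE-Directory", "uid", rule_from_uid):
        print(entry)
```

Whether a rule's result is a simple name or a DN decides which naming path is used, so a rule that unexpectedly returns a value containing "=" would silently skip the template; the heuristic here makes that decision explicit so it can be checked before a real migration.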


Configuring Service Provider Audit Events

In a service provider implementation, Identity Manager’s audit logging system audits events related to extranet user activities. Identity Manager provides the Service Provider Edition audit configuration group (enabled by default) that specifies the audit events logged for service provider users. See Figure 17-16.

For more information about audit logging, and modifying events in the Service Provider Edition audit configuration group, see Chapter 10, "Audit Logging."

Figure 17-16  Edit Service Provider Audit Configuration Group Page

Use the Edit Service Provider Audit Configuration Group page to edit service provider events.





Part No: 820-2954-10.   Copyright 2008 Sun Microsystems, Inc. All rights reserved.