
Sun[TM] Identity Manager 8.0 Resources Reference 


Sun Access Manager Realm

Identity Manager provides the Sun Java System Access Manager Realm resource adapter to support Sun™ Java System Access Manager running in Realm mode.

This adapter is defined in the com.waveset.adapter.SunAccessManagerRealmResourceAdapter class.


Note

  • Use the Sun Access Manager Realm resource adapter for resources running in Realm mode.
  • Use the Sun Access Manager resource adapter for resources running in Legacy mode. See Sun Java System Access Manager for information about this adapter.

Resource Configuration Notes

You can configure only one Access Manager server (whether in Realm mode or in Legacy mode). You can define multiple resources if you provision to different realms.

The Identity Server Policy Agent is an optional module that you can use to enable single sign-on (SSO). You can obtain this Policy Agent from the following location:

http://wwws.sun.com/software/download/inter_ecom.html#dirserv


Note

Do not attempt to follow the Policy Agent installation or configuration procedures if this product is not being used in your environment.

For more information about Policy Agents, see:

http://docs.sun.com/app/docs/coll/1322.1


You must install the Identity Server Policy Agent on the same server where Identity Manager is installed.

To install the Policy Agent, follow the installation instructions provided with the Policy Agent, and then perform the following tasks:

  1. Edit the AMAgent.properties file.
  2. Create a policy in Sun Java System Access Manager.

Editing the AMAgent.properties File

You must modify the AMAgent.properties file to protect Identity Manager. This file is located in the AgentInstallDir/config directory.

  1. Locate the following lines in the AMAgent.properties file.

     com.sun.identity.agents.config.cookie.reset.enable = false
     com.sun.identity.agents.config.cookie.reset.name[0] =
     com.sun.identity.agents.config.cookie.reset.domain[] =
     com.sun.identity.agents.config.cookie.reset.path[] =

     Edit these lines as follows.

     com.sun.identity.agents.config.cookie.reset.enable = true
     com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
     com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
     com.sun.identity.agents.config.cookie.reset.path[0] = /

  2. Add the following lines.

     com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
     com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
     com.sun.identity.agents.config.cookie.reset.path[1] = /

  3. Locate the following lines.

     com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
     com.sun.identity.agents.config.profile.attribute.mapping[] =

     Edit these lines as follows.

     com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
     com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user

  4. Restart the web server for your changes to take effect.
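The settings above do two security-relevant things: cookie reset makes the agent clear the AMAuthCookie and iPlanetDirectoryPro session cookies it lists, and HTTP_HEADER fetch mode with the uid mapping makes the agent pass the authenticated user's uid to Identity Manager in a header named sois_user. A mistyped index or a forgotten second cookie entry silently leaves the file in its unprotected state, so it is worth checking the file mechanically after editing. The following script is an added example, not Sun's code or part of the Policy Agent: it parses a Java .properties file, reports every required setting that is missing or wrong, and can produce the corrected settings. The "before" file it checks is a constructed sample, and .example.com stands in for your deployment's cookie domain exactly as it does in the procedure.

```python
"""Check an AMAgent.properties file for the Identity Manager settings the
procedure requires.  Added example; not part of Sun Identity Manager or the
Access Manager Policy Agent.  Index positions follow the procedure
(name[0] = AMAuthCookie, name[1] = iPlanetDirectoryPro)."""
import re
from typing import Dict, List

PREFIX = "com.sun.identity.agents.config."

# Required key/value pairs from the procedure.
REQUIRED: Dict[str, str] = {
    PREFIX + "cookie.reset.enable": "true",
    PREFIX + "cookie.reset.name[0]": "AMAuthCookie",
    PREFIX + "cookie.reset.path[0]": "/",
    PREFIX + "cookie.reset.name[1]": "iPlanetDirectoryPro",
    PREFIX + "cookie.reset.path[1]": "/",
    PREFIX + "profile.attribute.fetch.mode": "HTTP_HEADER",
    PREFIX + "profile.attribute.mapping[uid]": "sois_user",
}
# Domain entries are deployment-specific, so they are checked against a parameter.
DOMAIN_KEYS = (PREFIX + "cookie.reset.domain[0]", PREFIX + "cookie.reset.domain[1]")

# Constructed sample: the lines as the procedure says they appear before editing.
BEFORE = """\
# constructed sample, not a real agent file
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#' or '!' comment lines, 'key = value'
    or 'key: value', and trailing-backslash line continuation.  Unicode
    escapes are not decoded; the keys checked here do not use them."""
    logical: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        logical.append(line)
    if pending:
        logical.append(pending)

    props: Dict[str, str] = {}
    for line in logical:
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_agent_config(props: Dict[str, str], cookie_domain: str) -> List[str]:
    """Return one finding per required setting that is missing or differs.
    An empty list means the file matches the procedure."""
    findings: List[str] = []
    for key, want in REQUIRED.items():
        got = props.get(key)
        if got is None:
            findings.append(f"missing: {key}")
        elif got != want:
            findings.append(f"{key} is {got!r}, expected {want!r}")
    for key in DOMAIN_KEYS:
        got = props.get(key)
        if got != cookie_domain:
            findings.append(f"{key} is {got!r}, expected {cookie_domain!r}")
    return findings


def harden(props: Dict[str, str], cookie_domain: str) -> Dict[str, str]:
    """Return a copy with the required settings applied and the empty
    'domain[]' / 'path[]' / 'mapping[]' placeholder keys removed."""
    fixed = {k: v for k, v in props.items() if not k.endswith("[]")}
    fixed.update(REQUIRED)
    for key in DOMAIN_KEYS:
        fixed[key] = cookie_domain
    return fixed


def render_properties(props: Dict[str, str]) -> str:
    """Serialise back to 'key = value' lines, sorted for a stable diff."""
    return "".join(f"{k} = {v}\n" for k, v in sorted(props.items()))


if __name__ == "__main__":
    before = parse_properties(BEFORE)
    for finding in check_agent_config(before, ".example.com"):
        print("FAIL", finding)
    print("--- corrected settings ---")
    print(render_properties(harden(before, ".example.com")))
```

Run it against the real file with `parse_properties(open("AgentInstallDir/config/AMAgent.properties").read())` and your own cookie domain; a non-empty findings list means the agent is not yet configured as the procedure requires, and the web server restart from step 4 is still needed after any correction.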

Creating a Policy in Sun Java System Access Manager

  1. From within the Sun Java System Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:

     Service Type        Resource Name               Actions
     URL Policy Agent    http://server:port/idm      Allow GET and POST actions
     URL Policy Agent    http://server:port/idm/*    Allow GET and POST actions

  2. Assign one or more subjects to the IDMGR policy.

Identity Manager Installation Notes

This section provides installation and configuration notes for the Sun Java System Access Manager Realm resource adapter and the Policy Agent.

General Configuration

Use the following procedure to install and configure the resource adapter.

  1. Follow the instructions provided in the appropriate version of the Sun Java™ System Access Manager Developer's Guide to build the client SDK from the Sun Access Manager installation.
  2. Extract the AMConfig.properties and amclientsdk.jar files from the WAR file that is produced.
  3. Put a copy of AMConfig.properties in the following directory:

     $WSHOME/WEB-INF/classes

  4. Place a copy of amclientsdk.jar in the following directory:

     $WSHOME/WEB-INF/lib

  5. Add the amclientsdk.jar file to the server class path.
  6. Restart the Identity Manager application server.
  7. After copying the files, add the Sun Java System Access Manager Realm resource to the Identity Manager resources list by entering the following value in the Custom Resources section of the Configure Managed Resources page:

     com.waveset.adapter.SunAccessManagerRealmResourceAdapter

Login Module

You must modify the administrator and user login modules so the Sun Java System Access Manager login modules will be listed first.


Note

You must first configure a Sun Java System Access Manager realm resource before performing the following procedure.


  1. From the Identity Manager Administrator Interface menu bar, select Security.
  2. Click the Login tab.
  3. Click the Manage Login Module Groups button, located at the bottom of the page.
  4. Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login Module Group.
  5. In the Assign Login Module select box, select Sun Access Manager Realm Login Module.
  6. When a new Select option displays next to the Assign Login Module option, select the appropriate resource.
  7. When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.
  8. Specify Sun Access Manager Realm Login Module as the first resource in the module group, and then click Save.
  9. Log out of Identity Manager.

Security Notes

This section provides information about supported connections and authorization requirements needed to perform basic tasks.

Supported Connections

Identity Manager uses SSL to communicate with this adapter.

Required Administrative Privileges

The user name that connects to the Sun Java System Access Manager must be assigned permissions to add or modify user accounts.

Provisioning Notes

The following table summarizes the provisioning capabilities of the adapter.

Feature                        Supported?
Enable/disable account         Yes
Rename account                 No
Pass-through authentication    Yes. Through the Policy Agent.
Before/after actions           No
Data loading methods           • Import directly from resource
                               • Reconcile with resource

Account Attributes

The following table lists the Sun Java System Access Manager user account attributes supported by default. All attributes are optional, unless noted in the description.

Resource User Attribute        Resource Attribute Type   Description
uid                            String                    Required. Unique user ID for the user.
cn                             String                    Required. User's full name.
givenname                      String                    User's first name.
sn                             String                    User's last name.
mail                           Email                     User's email address.
employeeNumber                 Number                    User's employee number.
telephoneNumber                String                    User's telephone number.
postalAddress                  String                    User's home address.
iplanet-am-user-account-life   Date                      Date and time the user's account expires.
iplanet-am-user-alias-list     String                    List of aliases for the user.
iplanet-am-user-success-url    String                    URL the user is redirected to when authentication is successful.
iplanet-am-user-failure-url    String                    URL the user is redirected to when authentication is unsuccessful.
roleMemberships                String                    List of roles to which the user is subscribed.
groupMemberships               String                    List of groups to which the user is subscribed.

Resource Object Management

Identity Manager supports the following Sun Java System Access Manager objects:

Resource Object    Features Supported              Attributes Managed
Groups             list, create, update, delete    name, user members
Roles              list, create, update, delete    name, user members
Filtered Roles     list, create, update, delete    name, nsrolefilter

Identity Template

The default identity template is $accountId$.

Sample Forms

This section lists the sample forms that are built-in and available for the Sun Java System Access Manager Realm resource adapter.

Built-In                  Also Available
SunAMRealmUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.SunAccessManagerRealmResourceAdapter





Copyright 2008 Sun Microsystems, Inc. All rights reserved.