Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

Accessing the Liberty Alliance Project Features

Access Manager is installed with a set of default Liberty-based web services. These web services, the larger Federation component, the application programming interfaces, and the Security Assertion Markup Language (SAML) are introduced in the following sections.

Federation in Access Manager

The Federation component of Access Manager provides an interface for creating, modifying, and deleting authentication domains and service and identity providers (both remote and hosted types) for a federated model. The web interface for the Liberty ID-FF in Access Manager is accessible from the Federation tab in the Access Manager Console, as shown in the following figure.

Figure 2–3 Federation Interface in Access Manager Console

Screen shot of the Federation interface in Access Manager Console

The following steps illustrate the process for creating a federation model using Access Manager:

  1. Create an authentication domain.

  2. Configure one or more hosted providers that belong to the authentication domain.

  3. Configure one or more remote providers that belong to the authentication domain, and include the metadata for the remote providers.

  4. Establish the trusted partnership between the providers. A hosted provider can choose to trust a subset of providers, either hosted or remote, that belong to the same authentication domain.

Liberty-based Web Services in Access Manager

Liberty-based web services are those based on specifications in the Liberty ID-WSF and the Liberty ID-SIS. They are accessible from the Access Manager Console by clicking the Web Services tab. The implemented web services, each described in its own section below, are the Liberty Personal Profile Service, the Discovery Service, the SOAP Binding Service, and the Authentication Web Service.

The following diagram illustrates how the different web service specifications have been implemented.

Figure 2–4 Architecture of Liberty-based Web Services

Diagram illustrating the architecture of Liberty-based web services in Access Manager.

The web interface for the Liberty ID-WSF in Access Manager is accessible from the Web Services tab in the Access Manager Console, as shown in the following figure.

Figure 2–5 Web Services Interface in Access Manager Console

Screen shot of the Web Services interface in Access Manager Console.

Liberty Personal Profile Service

The Liberty Personal Profile Service is a data service that supports storing and modifying a principal's identity attributes. Identity attributes might include information such as first name, last name, home address, and emergency contact information. The Liberty Personal Profile Service is queried or updated by a WSC acting on behalf of the principal. For more information, see Chapter 6, Data Services.

Discovery Service

The Discovery Service is a web service that allows a requesting entity, such as a service provider, to dynamically determine a principal’s registered attribute provider. Typically, a service provider queries the Discovery Service, which responds by providing a resource offering that describes the requested attribute provider. (A resource offering defines associations between a piece of identity data and the service instance that provides access to the data.) The implementation of the Discovery Service includes Java and web-based interfaces. For more information, see Chapter 7, Discovery Service.


Note –

By definition, a discoverable service is assigned a service type Uniform Resource Identifier (URI), allowing the service to be registered in Discovery Service instances. The service type URI is typically defined in the Web Service Definition Language (WSDL) file that defines the service.
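As an added example (not code from this guide or from Access Manager), the following Python models the Discovery Service lookup described above together with the trusted-partnership rule from the federation steps: a resource offering is parsed from its XML form, registered under the discoverable service's service type URI, and returned to a requester. The disco namespace, the Personal Profile service type URI, the element layout and the sample offering are assumptions constructed for the example; the trust and https checks are the example's own policy.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed, not from the guide: Liberty disco namespace and the Personal Profile service type URI.
DISCO_NS = "urn:liberty:disco:2003-08"
PP_SERVICE_TYPE = "urn:liberty:id-sis-pp:2003-08"

@dataclass(frozen=True)
class ResourceOffering:
    resource_id: str    # the piece of identity data being offered
    service_type: str   # service type URI of the discoverable service
    provider_id: str    # provider hosting the attribute provider
    endpoint: str       # where a WSC sends its query

def parse_resource_offering(xml_text: str) -> ResourceOffering:
    """Parse a disco:ResourceOffering (assumed layout); reject incomplete ones."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}ResourceOffering" % DISCO_NS:
        raise ValueError("root element is not disco:ResourceOffering")
    def text(path: str) -> str:
        node = root.find(path, {"disco": DISCO_NS})
        if node is None or not (node.text or "").strip():
            raise ValueError("missing or empty " + path)
        return node.text.strip()
    return ResourceOffering(text("disco:ResourceID"),
                            text("disco:ServiceInstance/disco:ServiceType"),
                            text("disco:ServiceInstance/disco:ProviderID"),
                            text("disco:ServiceInstance/disco:Description/disco:Endpoint"))

class DiscoveryRegistry:
    def __init__(self, trusted_provider_ids):
        self._trusted = frozenset(trusted_provider_ids)  # the trusted partnership
        self._offerings = {}  # (principal, service type URI) -> ResourceOffering

    def register(self, principal: str, offering: ResourceOffering) -> None:
        # Only a trusted provider with a TLS-protected endpoint may be an attribute provider.
        if offering.provider_id not in self._trusted:
            raise PermissionError("untrusted provider " + offering.provider_id)
        if not offering.endpoint.startswith("https://"):
            raise ValueError("attribute provider endpoint must use https")
        self._offerings[(principal, offering.service_type)] = offering
    def lookup(self, principal: str, service_type: str):
        return self._offerings.get((principal, service_type))  # None if none registered

# Constructed sample: one principal's Personal Profile Service offering.
SAMPLE_OFFERING = """<disco:ResourceOffering xmlns:disco="urn:liberty:disco:2003-08">
 <disco:ResourceID>https://idp.example.com/profiles/user-42</disco:ResourceID>
 <disco:ServiceInstance><disco:ServiceType>urn:liberty:id-sis-pp:2003-08</disco:ServiceType>
  <disco:ProviderID>https://idp.example.com</disco:ProviderID>
  <disco:Description><disco:Endpoint>https://idp.example.com/Liberty/idpp</disco:Endpoint></disco:Description>
 </disco:ServiceInstance></disco:ResourceOffering>"""
```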


SOAP Binding Service

The SOAP Binding Service is a set of Java APIs used by the developer of a Liberty-enabled identity service. The APIs are used to send and receive identity-based messages using SOAP, an XML-based messaging protocol. For more information, see Chapter 8, SOAP Binding Service.

Authentication Web Service

The Authentication Web Service provides web service-based authentication to a WSC, allowing the WSC to obtain security tokens for further interactions with other services at the same provider. These other services may include a discovery service or single sign-on service. The Authentication Web Service is for service-to-service (nonuser) authentication. For more information, see Chapter 5, Authentication Web Service.


Note –

Do not confuse the Liberty-based Authentication Web Service with the proprietary Access Manager Authentication Service discussed in the Sun Java System Access Manager 7 2005Q4 Administration Guide.


Liberty-based Application Programming Interfaces

A number of the Liberty-based web services specifications have also been implemented in the back end of Access Manager as APIs. The services include the Interaction Service and PAOS binding. The following table summarizes the public APIs. They can be used to deploy Liberty-enabled components or extend the core services.

Table 2–1 Public Interfaces

Package Name / Description

com.sun.identity.liberty.ws.authnsvc
    Provides classes to manage the Authentication Web Service. See Chapter 5, Authentication Web Service.

com.sun.identity.liberty.ws.authnsvc.mechanism
    Provides an interface to process incoming Simple Authentication and Security Layer (SASL) requests and generate SASL responses for the different SASL mechanisms. See Chapter 5, Authentication Web Service.

com.sun.identity.liberty.ws.authnsvc.protocol
    Provides classes to manage the Authentication Web Service protocol. See Chapter 5, Authentication Web Service.

com.sun.identity.liberty.ws.common
    Defines common classes that are used by many of the Access Manager Liberty-based web service components. See Common Service Interfaces of this chapter.

com.sun.identity.liberty.ws.common.wsse
    Provides an interface to parse and create an X.509 Certificate Token Profile. See Common Service Interfaces of this chapter.

com.sun.identity.liberty.ws.disco
    Provides interfaces to manage the Discovery Service. See Chapter 7, Discovery Service.

com.sun.identity.liberty.ws.disco.plugins
    Provides a plugin interface for the Discovery Service. See Chapter 7, Discovery Service.

com.sun.identity.liberty.ws.dst
    Provides classes to implement an identity service. See Chapter 6, Data Services for information about services built using this API.

com.sun.identity.liberty.ws.dst.service
    Provides a handler class that can be used by any generic identity data service. See Chapter 6, Data Services for information about data services.

com.sun.identity.liberty.ws.interaction
    Provides classes to support the Interaction RequestRedirect Profile. See the section on the Interaction Service for information on this profile.

com.sun.identity.liberty.ws.interfaces
    Provides interfaces that are common to all Access Manager Liberty-based web service components. See Chapter 7, Discovery Service and Chapter 6, Data Services for information about default implementations. See the section on Common Service Interfaces for more general information.

com.sun.identity.liberty.ws.paos
    Provides classes for web applications to construct and process PAOS requests and responses. See PAOS Binding of this chapter.

com.sun.identity.liberty.ws.security
    Provides an interface to manage Liberty-based web service security mechanisms. See Common Security API of this chapter.

com.sun.identity.liberty.ws.soapbinding
    Provides classes to construct SOAP requests and responses and to change the contact point for the SOAP binding. See Chapter 8, SOAP Binding Service.

com.sun.identity.saml
    Provides a service provider interface (SPI) in which proprietary XML/signature implementations can be plugged in. See Chapter 9, SAML Administration.

com.sun.identity.saml.assertion
    Provides classes to manage assertions and profiles. See Chapter 9, SAML Administration.

com.sun.identity.saml.common
    Provides classes that are common to all SAML elements. See Chapter 9, SAML Administration.

com.sun.identity.saml.plugins
    Provides SPIs to integrate SAML into custom services. See Chapter 9, SAML Administration.

com.sun.identity.saml.protocol
    Provides classes that parse the XML messages used to exchange assertions and information. See Chapter 9, SAML Administration.

com.sun.identity.saml.xmlsig
    Provides an SPI in which proprietary XML/signature implementations can be plugged in. See Chapter 9, SAML Administration.

com.sun.liberty
    Provides interfaces common to the Access Manager Federation Management module. See Chapter 3, Federation.

For more information, see Chapter 10, Application Programming Interfaces. For detailed API documentation, including classes, methods, and their syntax and parameters, see the Java API Reference in /AccessManager-base/SUNWam/docs or on docs.sun.com.

SAML Service

Access Manager uses SAML as the means for exchanging security information. SAML uses an eXtensible Markup Language (XML) framework to achieve interoperability between vendor platforms that provide SAML assertions.

In anticipation of the next release of Access Manager and its support for SAML 2.0, the SAML attributes have been moved under the Federation tab, although their usage is independent of the functionality discussed in this guide. The Liberty-based features in Access Manager use SAML, but that usage is not configurable. For more information on the independent SAML Service, see Chapter 9, SAML Administration.