OpenSSO Enterprise 8.0 includes features such as access management, federation management, and web services security that are found in earlier releases of Sun Java System Access Manager and Sun Java System Federation Manager. OpenSSO Enterprise also includes the new features described in this section.
For the new features in version 3.0 policy agents, see one of these guides:
Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents or Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents
Simplified installation and configuration:
To install OpenSSO Enterprise, you deploy the opensso.war file using your web container's administration console or command-line utility. When you first access the server at the deployment URI (/opensso), you are directed to the Configurator, which lets you perform the initial configuration tasks such as setting the administrator passwords and choosing the configuration and user data stores. Because it is the Configurator that sets the administrator passwords, complete it immediately after deployment rather than leaving an unconfigured /opensso reachable from untrusted networks.
You can also create and deploy specialized WAR files for a distributed authentication UI server, console only, server only, and Identity Provider (IDP) Discovery Service deployments using the opensso.war file.
Centralized server and agent configuration data:
OpenSSO Enterprise and version 3.0 policy agent configuration data is stored in a centralized configuration data repository. You specify configuration values using either the OpenSSO Enterprise Administration Console or the new ssoadm command-line utility. You no longer need to set properties in the AMConfig.properties or AMAgent.properties files.
Many of the configuration properties are “hot swappable,” which means you do not have to restart the web container after you modify a property.
The Embedded data store option lets you store OpenSSO Enterprise and version 3.0 policy agent configuration data without having to install Sun Java System Directory Server.
A command-line Configurator (in addition to the GUI Configurator) is available to perform the initial configuration of OpenSSO Enterprise server.
OpenSSO Enterprise Administration Console Common Tasks:
Create SAMLv2 Providers. You can easily create a SAMLv2 hosted or remote Identity Provider (IDP) or Service Provider (SP).
Create a Fedlet. A Fedlet is a lightweight Service Provider (SP) implementation of the SAMLv2 SSO protocols. A Fedlet allows an Identity Provider (IDP) to enable an SP that has no federation implementation of its own. The SP simply adds the Fedlet to a Java web application and then deploys the application.
Test Federation Connectivity. You can test or troubleshoot new or existing federated deployments to determine if connections are being made successfully and to identify the source of any problems.
Support for additional web containers is added, as described in Web Containers Supported For OpenSSO Enterprise 8.0.
Web Services Security agents are simplified: they can be deployed on GlassFish and Sun Java System Application Server 9.1 using providers based on the JSR 196 SPI (Java Authentication SPI for Containers).
Support for the WS-Federation identity federation specification is added. OpenSSO Enterprise specifically supports the WS-Federation Passive Requestor Profile.
Support for XACML version 2.0 is added, specifically for XACMLAuthzDecisionQuery and XACMLAuthzDecisionStatement, as specified in the SAML 2.0 profile of XACML v2.0.
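The following is an added example, not code from the OpenSSO Enterprise product or its documentation. It shows the shape of the XACML-over-SAML exchange named above: a policy enforcement point builds an XACMLAuthzDecisionQuery carrying an XACML 2.0 Request context, a minimal policy decision point evaluates it against a constructed deny-by-default policy and returns a SAML Response whose Assertion carries an XACMLAuthzDecisionStatement, and the enforcement point extracts the Decision after checking that InResponseTo matches its own query ID. The namespaces are those of the OASIS SAML 2.0 profile of XACML v2.0 and the XACML 2.0 context schema; the issuer URLs, the sample policy and the rule-matching logic are assumptions made for illustration, and message signing and the SOAP binding that a real deployment would use are omitted.

```python
"""XACMLAuthzDecisionQuery / XACMLAuthzDecisionStatement round trip (illustrative, added example)."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces from the OASIS SAML 2.0 profile of XACML v2.0 and the XACML 2.0 context schema.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xacml-samlp": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:protocol",
    "xacml-saml": "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion",
    "xacml-context": "urn:oasis:names:tc:xacml:2.0:context:schema:os",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample policy (an assumption): (subject, resource prefix, action) tuples that are permitted.
SAMPLE_POLICY = [
    ("alice", "http://app.example.com/admin/", "GET"),
    ("bob", "http://app.example.com/public/", "GET"),
]


def q(prefix, local):
    """Clark-notation tag for a prefixed element name."""
    return "{%s}%s" % (NS[prefix], local)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_authz_query(issuer, subject, resource, action):
    """PEP side: build an XACMLAuthzDecisionQuery wrapping an XACML Request context."""
    root = ET.Element(q("xacml-samlp", "XACMLAuthzDecisionQuery"),
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now(),
                       "InputContextOnly": "true", "ReturnContext": "false"})
    ET.SubElement(root, q("saml", "Issuer")).text = issuer
    req = ET.SubElement(root, q("xacml-context", "Request"))
    for section, attr_id, value in (("Subject", SUBJECT_ID, subject),
                                    ("Resource", RESOURCE_ID, resource),
                                    ("Action", ACTION_ID, action)):
        sec = ET.SubElement(req, q("xacml-context", section))
        attr = ET.SubElement(sec, q("xacml-context", "Attribute"),
                             {"AttributeId": attr_id, "DataType": XS_STRING})
        ET.SubElement(attr, q("xacml-context", "AttributeValue")).text = value
    ET.SubElement(req, q("xacml-context", "Environment"))  # required, may be empty
    return ET.tostring(root, encoding="unicode")


def query_id(query_xml):
    """The query's SAML ID, which the PEP must remember to correlate the response."""
    return ET.fromstring(query_xml).get("ID")


def _attr(request, section, attr_id):
    """Return the first AttributeValue for attr_id in the given Request section, or None."""
    for attr in request.findall("xacml-context:%s/xacml-context:Attribute" % section, NS):
        if attr.get("AttributeId") == attr_id:
            value = attr.find("xacml-context:AttributeValue", NS)
            return None if value is None else value.text
    return None


def evaluate(policy, subject, resource, action):
    """Toy PDP: Permit on an exact subject/action and resource-prefix match, otherwise Deny."""
    for allowed_subject, prefix, allowed_action in policy:
        if subject == allowed_subject and action == allowed_action and resource.startswith(prefix):
            return "Permit"
    return "Deny"


def answer_authz_query(query_xml, issuer, policy=SAMPLE_POLICY):
    """PDP side: evaluate the query and return a SAML Response with an XACMLAuthzDecisionStatement."""
    root = ET.fromstring(query_xml)
    if root.tag != q("xacml-samlp", "XACMLAuthzDecisionQuery"):
        raise ValueError("not an XACMLAuthzDecisionQuery")
    request = root.find("xacml-context:Request", NS)
    if request is None:
        raise ValueError("query carries no XACML Request context")
    subject = _attr(request, "Subject", SUBJECT_ID)
    resource = _attr(request, "Resource", RESOURCE_ID)
    action = _attr(request, "Action", ACTION_ID)
    decision = evaluate(policy, subject, resource, action)

    resp = ET.Element(q("samlp", "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
                                               "IssueInstant": _now(), "InResponseTo": root.get("ID")})
    ET.SubElement(resp, q("saml", "Issuer")).text = issuer
    status = ET.SubElement(resp, q("samlp", "Status"))
    ET.SubElement(status, q("samlp", "StatusCode"), {"Value": SAML_SUCCESS})
    assertion = ET.SubElement(resp, q("saml", "Assertion"),
                              {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(assertion, q("saml", "Issuer")).text = issuer
    stmt = ET.SubElement(assertion, q("xacml-saml", "XACMLAuthzDecisionStatement"))
    xacml_resp = ET.SubElement(stmt, q("xacml-context", "Response"))
    result = ET.SubElement(xacml_resp, q("xacml-context", "Result"), {"ResourceId": resource or ""})
    ET.SubElement(result, q("xacml-context", "Decision")).text = decision
    xstatus = ET.SubElement(result, q("xacml-context", "Status"))
    ET.SubElement(xstatus, q("xacml-context", "StatusCode"), {"Value": "urn:oasis:names:tc:xacml:1.0:status:ok"})
    return ET.tostring(resp, encoding="unicode")


def extract_decision(response_xml, expected_query_id):
    """PEP side: check correlation and SAML status, then read the Decision (Indeterminate on failure)."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_query_id:
        raise ValueError("response does not answer our query (InResponseTo mismatch)")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SAML_SUCCESS:
        return "Indeterminate"
    decision = root.find("saml:Assertion/xacml-saml:XACMLAuthzDecisionStatement/"
                         "xacml-context:Response/xacml-context:Result/xacml-context:Decision", NS)
    return "Indeterminate" if decision is None else decision.text
```

A real PEP would additionally verify the XML signature on the Response (or the transport-level authentication of the PDP) before trusting the Decision; the InResponseTo check above only prevents a response to one query being replayed as the answer to another.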
Secure Authentication and Attribute Exchange allows an application to provide user authentication and attribute information with secure transfers between IDP and SP applications.
A multiple-federation-protocol hub allows an OpenSSO Enterprise IDP to act as a federation hub and perform single logout across different federation protocols (such as SAMLv2, ID-FF, and WS-Federation).
SAMLv2 profile support includes IDP proxying, Affiliation, NameID mapping, ECP (Enhanced Client or Proxy), Authentication Query, and Attribute Query.
Security Token Service (STS) is available on Web Containers Supported For OpenSSO Enterprise 8.0.
SAMLv2 assertion failover is supported.
New command-line utility (ssoadm) can configure both OpenSSO Enterprise server and version 3.0 policy agents.
Integration with Sun Identity Manager, SiteMinder, and Oracle Access Manager is added.
Service Tags are supported. See Using Service Tags With Sun Inventory.
The Distributed Authentication UI server includes a configurator that allows you to perform initial configuration tasks such as specifying the OpenSSO Enterprise server and providing the Distributed Authentication UI server user and password.
A Distributed Authentication UI server also provides support for cross domain single sign-on (CDSSO).
Internationalization and localization changes include:
In addition to English, OpenSSO Enterprise includes support for French, Spanish, German, Japanese, Korean, Simplified Chinese, and Traditional Chinese.
Localized files are bundled in the opensso.war file by default (unlike Access Manager 7 2005Q4 and Access Manager 7.1, where localized files reside in separate localized packages).
Unix, SecurID, and SafeWord authentication modules are available in OpenSSO Enterprise releases. SecurID is now a Java-based authentication module.
Upgrade support includes:
Upgrade to OpenSSO Enterprise 8.0 from Access Manager 7.0 or 7.1 and Federation Manager 7.0
Policy agent upgrade to version 3.0 from version 2.2 agents