Sun ONE Identity Server Administration Guide



Chapter 3   Service Configuration


This chapter describes the service management features of Sun ONE Identity Server. The Service Configuration interface provides a way to view, manage and configure all Identity Server services and their values (both default and customized) in addition to configuring Identity Server console display settings. This chapter contains the following sections:



Definition of a Service

A service is a group of attributes defined under a common name. The attributes define the parameters that the service provides to an organization. For instance, in developing a payroll service, a developer might decide to include attributes that define an employee name, an hourly rate and a tax exemption. When the service is registered to an organization, that organization can use these attributes in the configuration of its entries.

Identity Server defines services using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file. This file can be found in the following directory:

Identity_Server_root/SUNWam/web-apps/services/dtd/

For more information on defining an Identity Server service, see the Sun ONE Identity Server Programmer's Guide.



Identity Server Services Defined



The default services provided with Identity Server are defined by XML files located in the following directory:

Identity_Server_root/SUNWam/web-apps/services/WEB-INF/config/xml

Some of these services, when configured through the Service Configuration interface, define values for the Identity Server application. Others are registered to a specific organization configured within Identity Server and are used to define default values for the organization.


Administration

The Administration service allows for the configuration of the console at both the application level (similar to a Preferences or Options menu for the Identity Server application) as well as at a configured organization level (Preferences or Options specific to a configured organization).


Authentication

There are eight authentication services including a base service. This allows the administrator to choose the method by which each defined organization's users are authenticated.


Anonymous

This service allows login without specifying a user name and password. Anonymous connections have limited access to the server; the extent of that access is configured by the administrator.


Certificate-based

This service allows login through a personal digital certificate (PDC). Sun One Certificate Server can be installed as a Certificate Authority. For more information on Certificate Server, see the documentation set located at http://docs.sun.com/db/coll/S1_s1CertificateServer_47.


Core

The Core service is the general configuration base for the Identity Server authentication services. It must be registered and configured before any of the specific services can be used. It allows the administrator to define default values that will be picked up for any values not specifically set in the Anonymous, Certificate-based, LDAP, Membership, RADIUS, SafeWord and Unix services.


LDAP

This service allows for authentication using LDAP bind, an operation which associates a password with a particular LDAP entry.


Membership (Self-Registration)

This service allows a new user to self-register for authentication with a login and password.


NT

This service allows for authenticating users using a Windows NT™ server.


RADIUS

This service allows for authenticating users using an external Remote Authentication Dial-In User Service (RADIUS) server.


SafeWord

This service allows for authenticating users using Secure Computing's SafeWord™ or SafeWord PremierAccess™ authentication servers.


Unix

This service allows for authenticating users using a Unix server.



Note: The Unix authentication service is not supported on the Windows 2000 platform.




Authentication Configuration

The Authentication Configuration service allows you to configure authentication for roles, users, services and organizations, and to set the rules that determine the precedence of the authentication modules.


Client Detection

The Client Detection Service defines attributes to detect the client and perform actions based on client type.


Logging

The Logging service is where the administrator configures values for the Identity Server application logging function. Examples include log file size and log file location.


Naming

The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other Identity Server services such as session, authentication and logging.


Platform

The Platform service is where additional servers can be added to the Identity Server configuration as well as other options applied at the top level of the Identity Server application.


Policy Configuration

Policy Configuration defines user privileges to web resources, allowing an administrator to allow or deny access to HTTP- and HTTPS-based URLs.


SAML

The Security Assertion Markup Language (SAML) service defines a framework for exchanging security assertions among security authorities, to achieve interoperability across different platforms that provide authentication and authorization services.


Session

The Session service defines values for an authenticated user session such as maximum session time and maximum idle time.


User

Default user preferences, including time zone, locale and DN starting view, are defined through the User service.


Identity Server Security Service

The Identity Server Security Service is automatically loaded after installation. Through the console, administrators and users can use this service to receive security certificates.

In order to enable the Identity Server Security Service, you must:

  1. Install Sun ONE Certificate Server 4.7 SP1. For installation instructions, see the Certificate Server 4.7 SP1 release notes at http://docs.sun.com/db/prod/s1certsrv#hic.

  2. Configure the Certificate Server to enable the Identity Server Security Service. For configuration instructions, see the "Support for Identity Server Single Sign-on (SSO)" section in the Sun One Certificate Server 4.7 SP1 release notes.

  3. Define the Identity Server Security Service attributes described in "Identity Server Security Service Attributes".

Identity Server and Certificate Server are integrated using a Single Sign-On (SSO) based token, which is issued by the Identity Server and sent to the Certificate Server. Users that have logged into Identity Server can receive certificates from the Certificate Server by clicking the Get My Certificate button in the User Profile page. The certificate issued to the user allows the user to authenticate with the Certificate-based authentication service.



Attribute Types



The attributes that make up an Identity Server service are classified as one of the following types: Dynamic, Policy, User, Organization or Global. Using these types to subdivide the attributes in each service allows for a more consistent arrangement of the service schema and easier management of the service parameters.


Dynamic Attributes

A dynamic attribute can be assigned to an Identity Server configured role or organization. When the role is assigned to a user or a user is created in an organization, the dynamic attribute then becomes a characteristic of the user. For example, a role is created for an organization's employees. This role might contain the organization's address and a fax number, two things that remain static for all employees. When the role is assigned to each employee, these dynamic attributes are inherited by each employee.


User Attributes

These attributes are assigned directly to each user. They are not inherited from a role or an organization and, typically, are different for each user. Examples of user attributes include userid, employee number and password. User attributes can be added or removed from the User service by modifying the dpUser.xml file. For more information, see the Sun One Identity Server Programmer's Guide.


Organization Attributes

Organization attributes are only assigned to organizations. In that respect, they work as dynamic attributes, yet they differ from dynamic attributes, as they are not inherited by entries in the subtrees. Additionally, no object classes are associated with organization attributes. Attributes listed in the authentication services are defined as organization attributes because authentication is done at the organization level rather than at a subtree or user level.


Global Attributes

Global attributes are applied across the Identity Server configuration. They cannot be applied to users, roles or organizations, as the goal of global attributes is to customize the Identity Server application. There is only one instance of a global attribute in the Identity Server configuration, and no object classes are associated with global attributes. Examples of global attributes include log file size, log file location, port number or a server URL that Identity Server can use to access data.


Policy Attributes

Policy attributes are privilege attributes. Policy attributes are configured through the Identity Management interface as discussed in Chapter 6, "Policy Management." Once a policy is configured, it may be assigned to roles or organizations. That is the only difference between dynamic and policy attributes: dynamic attributes are assigned directly to a role or an organization, whereas policy attributes are used to configure policies, which are then applied to a role or an organization.
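The attribute-type rules above, together with the XML service definition introduced under "Definition of a Service", worked through in Python as an added example that is not part of the Sun ONE documentation or product code. It parses a constructed payroll service definition (element names assumed from sms.dtd), rejects assignments the type rules forbid, such as attaching an organization-level authentication setting to a single user, and computes the attributes a user entry actually ends up with after role inheritance.

```python
# Added example, not Sun ONE documentation or product code.  PAYROLL_XML is a
# constructed service definition modelled on the payroll service in the text; its
# element names are assumed to follow sms.dtd (check the DTD under web-apps/services/dtd/).
import xml.etree.ElementTree as ET

PAYROLL_XML = """<Service name="payroll" version="1.0"><Schema>
 <Global><AttributeSchema name="payroll-log-location"><Value>/var/log/payroll</Value></AttributeSchema></Global>
 <Organization><AttributeSchema name="payroll-auth-module"><Value>LDAP</Value></AttributeSchema></Organization>
 <Dynamic><AttributeSchema name="office-address"><Value>1 Main St</Value></AttributeSchema><AttributeSchema name="fax-number"><Value>555-0100</Value></AttributeSchema></Dynamic>
 <User><AttributeSchema name="hourly-rate"/><AttributeSchema name="tax-exemption"/></User>
 <Policy><AttributeSchema name="payroll-url-access"/></Policy>
</Schema></Service>"""

TYPES = ("Global", "Organization", "Dynamic", "User", "Policy")
# Which attribute types each kind of object may carry, per the text above.
ASSIGNABLE = {"application": {"Global"}, "organization": {"Organization", "Dynamic"},
              "role": {"Dynamic"}, "user": {"User"}, "policy": {"Policy"}}

def parse_service(xml_text):
    """Return {type: {attribute name: default value or None}} per schema section."""
    root = ET.fromstring(xml_text)
    schema = {}
    for t in TYPES:
        section = root.find("Schema/" + t)
        attrs = {}
        for a in ([] if section is None else section.findall("AttributeSchema")):
            value = a.find("Value")
            attrs[a.get("name")] = None if value is None else value.text
        schema[t] = attrs
    return schema

def check_assignment(schema, target, name):
    """Return the type of `name`, raising if `target` may not carry that type."""
    owner = next((t for t in TYPES if name in schema[t]), "unknown")
    if owner not in ASSIGNABLE[target]:
        raise ValueError("%s attribute %r cannot be assigned to a %s" % (owner, name, target))
    return owner

def effective_user_attributes(schema, user_values, role_values=()):
    """User attributes plus Dynamic attributes inherited from the organization
    defaults and then each role; Organization, Global and Policy never attach."""
    effective = dict(schema["Dynamic"])       # inherited organization defaults
    for role in role_values:                  # later roles override earlier ones
        for name, value in role.items():
            check_assignment(schema, "role", name)
            effective[name] = value
    for name, value in user_values.items():
        check_assignment(schema, "user", name)
        effective[name] = value
    return effective
```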



Service Configuration Interface



Services are configured and managed through the Service Configuration module. Organization-specific services which are not covered by the Identity Server default service packages can be written in XML (based on the Identity Server services document type definition, or DTD) and added to the interface under the Other Configuration heading. Instructions on how this is done can be found in Part 3, "Attribute Reference Guide," which describes the default services and the definitions of their corresponding attributes.

The Service Configuration module is for displaying service configurations on a global level. In other words, it is a view of the default configurations of all available services in Identity Server, whether registered or not. When a service is registered and activated by an organization, the initial default data assigned to the service is displayed under the service's Service Configuration page. Figure 3-1 is a screenshot of the graphical user interface.

Figure 3-1    Service Configuration View (screenshot of the Identity Server console's Service Configuration view under the Service Configuration module, which allows you to modify service attributes)

Access the Service Configuration view by choosing the Service Configuration module. The navigation pane will display a list of all defined Identity Server services. To set the global default values for a service, select the Properties arrow next to the name of the service. The attributes for the service will be displayed in the Data pane.


Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 04, 2002