Sun™ Java System Federation Manager is a server product that helps companies to quickly build federated identity and authentication services that work with existing federation hub technologies. The following sections contain overview material about Federation Manager: why the product is needed, the standards on which it is based, and how it can be used.
Sun Java System Federation Manager delivers a solution to establish and share trusted information for single sign-on. The ability to form these trust relationships across security domains allows an organization to:
Engage in relationships with cooperating business partners offering a variety of complementary services.
Integrate applications offered by different departments and divisions within an enterprise.
There are many products available today, including Sun Java System Access Manager, that can be deployed for these purposes. Federation Manager is one of them: a lightweight server application that helps companies to quickly build interoperable, federated identity and authentication services. These services will work with and complement existing or newly deployed federation technologies, such as web access management solutions and authentication authorities. By leveraging these capabilities, Federation Manager can be used to build a reusable, standards-based framework to exchange security assertions, user attributes, and policies across a distributed network of partners.
This User's Guide assumes familiarity with the Liberty Alliance Project and Security Assertion Markup Language (SAML) specifications. For an introduction, see the Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide. For more detailed information, see the Liberty Alliance Project web site or the Organization for the Advancement of Structured Information Standards (OASIS) web site.
Federation Manager provides support for heterogeneous IT environments and can integrate with all common identity repositories, application servers, and critical enterprise applications, as well as with existing identity management infrastructures. Federation Manager adheres to accepted industry-standard federated identity protocols, such as Security Assertion Markup Language (SAML) and the Liberty Alliance Project specifications. It can be adapted to work with proprietary federation mechanisms and deploys easily because it leverages the core capabilities of an existing identity provider. It can also be deployed on a partner site as a single web archive (WAR), reducing the complexity and time for configuring a typical scenario.
Federation Manager creates a comprehensive security and identity management framework optimized to work with and extend an identity provider's existing security infrastructure. The following list describes some key features of Federation Manager:
Lightweight web archive (WAR) accelerates deployment of Federation Manager for service providers.
Lightweight WAR also allows for flexibility in customizing your deployment.
Exchange of credentials and security tokens across authentication domain partners for purposes of authentication and single sign-on.
Automatic federation of user accounts across multiple security domains.
Session management across authentication domains to determine when user interactions must be terminated (single logout).
Import or export the data required to establish basic federated communication between hubs and spokes.
Manages and links providers that are available to participate in an authentication domain.
Searches for available end points and identifies each provider's federation capabilities.
Exchanges SAML security assertions among providers in the authentication domain.
Provides the tools and APIs to quickly develop, register, and enable web services on the consumer and provider sides.
Data management choices include a proprietary flat file format (by default), and an LDAPv3 directory (Sun Java System Directory Server or Microsoft™ Active Directory).
Separate service configuration and user data stores.
Included service provider interfaces (SPIs) to allow customized logic during the federation process.
Support for bulk federation and auto federation.
Option to preload included samples.
Sun Java System Policy Agents 2.2 can be used in SSO mode.
Federation Manager with Sun Java System Access Manager can provide a hub and spoke model of federation. Access Manager would typically be the hub, an identity provider trusted by many instances of Federation Manager acting as service providers. The following figure illustrates this hub and spoke model of federation.
Generally speaking, spoke service providers trust one hub identity provider. Within one organization, the hub identity provider might be administered by a human resources department using Access Manager. The spoke service providers might include other departments (legal, accounting, and the like) that need to communicate identity and session information with the hub Access Manager. Federation Manager allows the spoke service provider to enable this communication quickly and efficiently.
The hub and spoke is one model of federation. Other models that can be established using Federation Manager include a transitive trust model and a point-to-point model. The transitive trust model assumes that if A trusts C and B trusts C, then A trusts B. The point-to-point model assumes one point as an aggregation of services, service providers, or identity providers.
It is not necessary to install Sun Java System Access Manager in order to use Federation Manager. Federation Manager is a standalone product that can work with any Liberty or SAML-compliant product.
Federation Manager installs as a single web archive (WAR), making it easy to deploy and integrate. It runs on a simple web container and requires no complex integration with data stores or application server environments. Federation Manager extends an identity provider's federation framework to partners with ease, leveraging open standards and existing IT investments to help you efficiently secure your service-oriented architectures. Federation Manager can also be used to create reusable application security mechanisms, as it is also a Java software development kit (SDK) for Liberty- and SAML-based application development.
Sun Java System Federation Manager was developed using the specifications defined by these standards bodies:
Liberty Alliance Project
Organization for the Advancement of Structured Information Standards (OASIS) Security Services Technical Committee
It supports:
Security Assertion Markup Language (SAML) 1.0/1.1
Liberty Identity Federation Framework (Liberty ID-FF) 1.1/1.2
Liberty Identity Web Services Framework (Liberty ID-WSF) 1.0
The following sections contain background information regarding these bodies and the specifications they have developed.
The goal of the Liberty Alliance Project is to define standards for developing interoperable, identity-based infrastructures, software, and web services, and to promote adoption of these standards. It does not deliver products or services. The standards provide a solution for enforcing authorized access to network services and resources. They integrate access control, identity management, and service management to simplify the administration of users and organizations with regard to federation and its associated web services. A federation is defined as "an association formed by merging several groups or parties." The Liberty ID-FF describes federation and how it can be implemented. The Liberty ID-WSF describes related web services that can be implemented for use within a federated model. Among other services, Federation Manager has implemented a discovery service and a SOAP binding service.
For more information on the Liberty Alliance Project, go to http://www.projectliberty.org.
In terms of the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation as detailed in the following sections.
The concept of federation (as it has evolved on the World Wide Web) begins with the notion of identity. Sending and receiving email, logging in to a news portal, checking bank balances, finalizing travel arrangements, bidding on auction items, accessing utility accounts, and shopping are all online services for which you might define an identity. Each time you want to access one of these services, you identify yourself by logging in to the service provider. If you use all of the mentioned services, you have configured a multitude of separate accounts to which you must log in and log out. This situation invites a system that lets users correlate (or federate) their disparate service provider identities. Identity federation allows a user to link, connect, or bind the local identities they have created at multiple service providers. The linked local identities, referred to as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to re-authenticate or re-establish their identity.
The concept of federation as defined by the Liberty Alliance Project begins with the notion of a circle of trust. A circle of trust (referred to as an authentication domain in the Federation Manager Console) is a group of service providers (with at least one identity provider) who agree to join together to exchange user authentication information using Liberty-based technologies. Once a group of providers has been federated within a circle of trust, authentication accomplished by the identity provider in that circle is honored by all affiliated service providers. Thus, single sign-on can be enabled among all member providers, as well as identity federation among users.
SAML is an XML-based standard for communicating authentication, authorization, and attribute information among online partners. SAML allows organizations to securely send assertions between partnered organizations regarding the identity and entitlements of a principal. The OASIS Security Services Technical Committee is in charge of defining, enhancing, and maintaining the specifications that define SAML. The specifications build on XML protocols such as SOAP, XML Signature (XMLSIG), and XML Encryption (XMLENC) to define a single sign-on framework that can be used between domains. For more information on SAML, visit the OASIS web site.
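The checks a relying party (a spoke service provider) must apply to a SAML 1.1 assertion before honoring it are the practical side of the paragraph above. The following is an added example, not Federation Manager's own code: it parses a constructed sample assertion with the standard library and enforces the issuer, validity window, and audience restriction. The issuer, audience, and subject values are made up, the clock-skew allowance is an assumption, and the example does not verify the XML Signature on the assertion; a real deployment must do that before any of these checks mean anything.

```python
"""Relying-party checks on a SAML 1.1 assertion (added example, not Federation Manager code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion. Issuer, audience, AssertionID and subject are made-up values.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="a1b2c3"
    Issuer="https://idp.example.com" IssueInstant="2005-10-01T12:00:00Z">
  <saml:Conditions NotBefore="2005-10-01T11:59:00Z" NotOnOrAfter="2005-10-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.com</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2005-10-01T11:59:30Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """SAML 1.x dateTime in UTC, e.g. 2005-10-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, trusted_issuers, my_entity_id, now,
                       skew=timedelta(seconds=60)):
    """Return (True, subject_name) if the assertion may be honored, else (False, reason).

    trusted_issuers is the set of identity providers in our authentication domain.
    skew (an assumed value) tolerates small clock differences between providers.
    XML Signature verification is deliberately NOT done here.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS:
        return False, "not a SAML 1.x Assertion"
    if root.get("MajorVersion") != "1":
        return False, "unsupported MajorVersion"

    issuer = root.get("Issuer")
    if issuer not in trusted_issuers:
        return False, "untrusted issuer %r" % issuer

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        return False, "assertion not yet valid"
    # NotOnOrAfter is exclusive: the assertion is invalid at that instant and later.
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        return False, "assertion expired"

    audiences = [(a.text or "").strip() for a in
                 cond.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if audiences and my_entity_id not in audiences:
        return False, "audience restriction does not include this provider"

    stmt = root.find("saml:AuthenticationStatement", NS)
    if stmt is None:
        return False, "no AuthenticationStatement"
    name_id = stmt.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS)
    if not name_id:
        return False, "missing subject NameIdentifier"
    return True, name_id.strip()


if __name__ == "__main__":
    ok, detail = validate_assertion(SAMPLE_ASSERTION, {"https://idp.example.com"},
                                    "https://sp.example.com",
                                    parse_instant("2005-10-01T12:00:30Z"))
    print(ok, detail)
```

The issuer check is where circle-of-trust membership is enforced: an assertion from a provider outside the authentication domain is rejected before its contents are looked at. The audience check prevents an assertion issued for one spoke from being replayed at another.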
Federation Manager configuration data, user authentication data and user federation data can be managed and retrieved from a database of the following type:
Lightweight Directory Access Protocol (LDAP) version 3 compliant directories (for example, Sun Java System Directory Server or Microsoft® Active Directory)
Relational Database Management Systems (through customer plug-in implementations only)
Flat files (default text file format for configuration data)
Federation Manager does not come with a user administration system.
You can install Federation Manager on the following platforms running the applicable operating systems.
Table 1–1 Operating Systems
Federation Manager supports the following shared components.
If you are running the Sun Java Enterprise System some of these components may already be installed.
| Component | Package Name | Version |
|---|---|---|
| Java Development Kit | N/A | 1.4.2/1.5.0 |
| Java Activation Framework | SUNWjaf | 1.0.3 |
| Java Studio Enterprise Web Application Framework | SUNWjato | 2.1.4 |
| Java Architecture for XML Binding | SUNWjaxb | 1.0.3 |
| Java API for XML Processing | SUNWjaxp | 1.2.6 |
| Sun Java System LDAP Java Development Kit | SUNWljdk | 1.0 |
| Common libraries for web service components | SUNWwscl | 1.0 |
| Java API for XML-based RPC | SUNWxrpcrt | 1.1.2 |
| SOAP with Attachments API for Java | SUNWxsrt | 1.2.1 |
| Message Queue Java API for XML Messaging (JAXM) | SUNWiqjx | 3.0.1 |
| JavaHelp packages | SUNWjhrt | 1.1.3 |
Federation Manager can be deployed in the following web containers. CPU and memory requirements are based on the needs of the web container.
Table 1–3 Supported Web Containers
| Web Container | Minimum Version |
|---|---|
| Sun Java System Web Server | 6.1sp4 |
| Sun Java System Application Server | 8.1 |
| BEA WebLogic® Server | 8.1 |
| WebSphere® Application Server | 5.1 |
Federation Manager supports the use of Sun Java System Access Manager Policy Agents 2.2. For example, with 2.2 agents, user profile attributes asserted by an identity provider and SAML producer are made available to the protected application as HTTP headers or cookies. With 2.2 J2EE agents, J2EE declarative policies can map to user roles asserted by a remote identity provider and SAML producer. For more information on Federation Manager and policy agents, see Configuring Federation Manager for Sun Java System Policy Agents. For more information on available policy agents, see Sun Java System Access Manager Policy Agent 2.2 User's Guide.
Federation Manager consists of web-based services [using SOAP, XML over HTTP(S), or HTML over HTTP(S)], and Java-based application programming interfaces (APIs) and service provider interfaces (SPIs). The figure below illustrates this architecture. Additionally, the figure shows an agent embedded into a web container. This agent enables the service provider applications to participate in the SAML or Liberty-based protocols. The darker boxes are components provided by Federation Manager.
The Federation Manager components include:
A web interface for managing authentication domains, provider meta data, and authentication.
Federation Manager provides SAML-related services, including artifact and POST profile support and assertion query support.
Federation Manager provides services based on the Liberty ID-FF and the Liberty ID-WSF specifications. Federation features include federation and single sign-on, single logout, federation termination, name registration, and support for the Common Domain. Implemented web services include a SOAP binding service, a discovery service, a personal profile service, and an authentication service.
Federation Manager provides a JAAS-based authentication framework.
Federation Manager provides session management for service provider applications.
Federation Manager provides a logging service. It also provides activity logs for auditing. Audit logs can be stored in flat files or JDBC-compliant databases.
Federation Manager allows service provider applications to participate in the federation protocol.
Federation Manager includes a set of APIs for interaction between the SSO, logging, SAML, Liberty ID-FF, and authentication components. Also included are APIs to build web services (Liberty ID-WSF) for clients and providers.
Federation Manager includes a set of Service Provider Interfaces (SPIs) into which applications can insert their custom logic. For instance, there is an SPI to do post federation processing, and an SPI for post processing after a successful single logout.
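The SAML artifact profile listed among the components above is the piece that ties the hub and spoke model to the wire: the hub (identity provider) hands the browser a short opaque artifact, and the spoke (service provider) must first work out which provider in its authentication domain issued it, then redeem it over SOAP for the actual assertion. The following added example, not Federation Manager's implementation, builds and parses SAML 1.x type 0x0001 artifacts (2-byte type code, 20-byte SourceID, 20-byte AssertionHandle) and shows both sides: the spoke's SourceID lookup against its configured providers, and the hub's one-time redemption of an outstanding artifact. Deriving the SourceID as the SHA-1 of the site URL is a common convention assumed here, and the provider URLs and endpoint names are made up.

```python
"""SAML 1.x type-1 artifact handling for a hub-and-spoke authentication domain.
Added example; not Federation Manager code."""
import base64
import hashlib
import secrets

TYPE_CODE = b"\x00\x01"          # SAML 1.x artifact type 0x0001
ARTIFACT_LEN = 2 + 20 + 20       # TypeCode + SourceID + AssertionHandle


def source_id(site_url):
    """20-byte SourceID for a provider. SHA-1 of the site URL is an assumed convention."""
    return hashlib.sha1(site_url.encode("utf-8")).digest()


def make_artifact(site_url, handle=None):
    """Base64 artifact for site_url; a fresh random 20-byte handle unless one is supplied."""
    if handle is None:
        handle = secrets.token_bytes(20)
    if len(handle) != 20:
        raise ValueError("AssertionHandle must be 20 bytes")
    return base64.b64encode(TYPE_CODE + source_id(site_url) + handle).decode("ascii")


def parse_artifact(artifact):
    """Return (source_id, handle); reject anything that is not a well-formed type-1 artifact."""
    raw = base64.b64decode(artifact, validate=True)
    if len(raw) != ARTIFACT_LEN or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML type-1 artifact")
    return raw[2:22], raw[22:]


class AuthenticationDomain:
    """Spoke side: the identity providers this service provider trusts, keyed by SourceID.

    providers maps a hub's site URL to its artifact resolution (SOAP) endpoint;
    both URLs are hypothetical values in the example below.
    """

    def __init__(self, providers):
        self._by_source_id = {source_id(url): (url, endpoint)
                              for url, endpoint in providers.items()}

    def resolve(self, artifact):
        """Which trusted hub issued this artifact, and where to send the SOAP request."""
        sid, _handle = parse_artifact(artifact)
        try:
            return self._by_source_id[sid]
        except KeyError:
            # An artifact from a provider outside the circle of trust is never resolved.
            raise ValueError("artifact SourceID not in authentication domain")


class ArtifactStore:
    """Hub side: outstanding artifacts awaiting redemption. Each artifact is redeemable once."""

    def __init__(self, site_url):
        self.site_url = site_url
        self._pending = {}       # AssertionHandle -> assertion XML

    def issue(self, assertion_xml):
        artifact = make_artifact(self.site_url)
        _sid, handle = parse_artifact(artifact)
        self._pending[handle] = assertion_xml
        return artifact

    def redeem(self, artifact):
        """Return the assertion for this artifact exactly once; None if unknown, foreign, or reused."""
        sid, handle = parse_artifact(artifact)
        if sid != source_id(self.site_url):
            return None          # not issued by this hub
        return self._pending.pop(handle, None)   # pop: a replayed artifact gets nothing


if __name__ == "__main__":
    hub = ArtifactStore("https://idp.example.com")
    spoke = AuthenticationDomain(
        {"https://idp.example.com": "https://idp.example.com/SAMLSOAPReceiver"})
    art = hub.issue("<saml:Assertion/>")           # constructed placeholder assertion
    print(spoke.resolve(art))                      # where the spoke would send the SOAP request
    print(hub.redeem(art), hub.redeem(art))        # assertion, then None on replay
```

Two points worth noting: the spoke never trusts the artifact itself, only the assertion it gets back from a provider it already lists in its authentication domain, and the hub's `pop` on redemption is what makes an artifact captured from the browser redirect useless a second time.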