Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun Java[TM] System Identity Manager 7.1 Resources Reference 

Sun Java System Access Manager Realm

Identity Manager provides the Sun Java System Access Manager Realm resource adapter to support Sun™ Java System Access Manager 7 2005Q4 running in Realm mode.

This adapter is defined in the com.waveset.adapter.SunAccessManagerRealmResourceAdapter class.

Note

  • Sun ONE Identity Server was renamed to Sun Java™ System Access Manager.
  • Use the Sun Access Manager Realm resource adapter for resources running in Realm mode.
  • Use the Sun Access Manager resource adapter for resources running in Legacy mode. See Sun Java System Access Manager for information about this adapter.

Resource Configuration Notes

You can configure only one Access Manager server (whether in Realm mode or in Legacy mode). You can define multiple resources if you provision to different realms.

The Identity Server Policy Agent 2.2 is an optional module that you can use to enable single sign-on (SSO). You can obtain this Policy Agent from the following location:

http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=
3&subcat=Access%20Manager

Note

Do not attempt to follow the Policy Agent installation or configuration procedures if this product is not being used in your environment.

For more information about Policy Agents, see:

http://docs.sun.com/db?p=doc%2F816-6772-10

You must install the Identity Server Policy Agent 2.2 on the same server where Identity Manager is installed.

To install the Policy Agent, follow the installation instructions provided with the Policy Agent, and then perform the following tasks:

  1. Edit the AMAgent.properties file.
  2. Create a policy in Sun Java System Access Manager.

Editing the AMAgent.properties File

You must modify the AMAgent.properties file to protect Identity Manager. This file is located in the AgentInstallDir/config directory.

  1. Add or edit the following lines:

    2. com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER

    com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user

  2. You must restart the web server for your changes to take effect.

Creating a Policy in Sun Java System Access Manager

  1. From within the Sun Java System Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:

    2. Service Type

    Resource Name

    Actions

    URL Policy Agent

    http://server:port/idm

    Allow GET and POST actions

    URL Policy Agent

    http://server:port/idm/*

    Allow GET and POST actions

  2. Assign one or more subjects to the IDMGR policy.

Identity Manager Installation Notes

This section provides installation and configuration notes for the Sun Java System Access Manager Realm resource adapter and the Policy Agent.

Sun Java System Access Manager Realm Resource Adapter

To install and configure the resource adapter

  1. Follow the instructions provided in the Sun Java™ System Access Manager 7 2005Q4 Developer's Guide to build the client SDK from the Sun Access Manager installation.
  2. Extract the AMConfig.properties and amclientsdk.jar files from the war file that is produced.
  3. Put a copy of the AMConfig.properties in the following directory:

    4. InstallDir/WEB-INF/classes

  4. Place a copy of amclientsdk.jar in the following directory:

    5. InstallDir/WEB-INF/lib

  5. After copying the files, you must add the Sun Java System Access Manager Realm resource to the Identity Manager resources list. Add the following value in the Custom Resources section of the Configure Managed Resources page.

    6. com.waveset.adapter.SunAccessManagerRealmResourceAdapter

Policy Agent

You must modify the administrator and user login modules so the Sun Java System Access Manager login modules will be listed first.

Note

You must first configure a Sun Java System Access Manager realm resource before performing the following procedure.

  1. From the Identity Manager Administrator Interface menu bar, select Configure.
  2. Click Login.
  3. Click the Administrator Interface link.
  4. Click the Manage Login Module Groups button, located at the bottom of the page.
  5. Select the Login Module to modify from the drop-down list.

    6. For example, select Default Identity System ID/Pwd Login Module Group.

  6. In the Assign Login Module select box, select Sun Access Manager Realm.
  7. When a new Select option displays next to the Assign Login Module option, select the resource that you created earlier.
  8. When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save.
  9. Specify Sun Access Manager Realm as the first resource in the list, and then click Save.
  10. Save your changes and repeat these steps for the User Interface.

Security Notes

This section provides information about supported connections and authorization requirements needed to perform basic tasks.

Supported Connections

Identity Manager uses SSL to communicate with this adapter.

Required Administrative Privileges

The user name that connects to the Sun Java System Access Manager must be assigned permissions to add or modify user accounts.

Provisioning Notes

The following table summarizes the provisioning capabilities of the adapter.

Feature

Supported?

Enable/disable account

Yes

Rename account

No

Pass-through authentication

Yes. Through the Policy Agent.

Before/after actions

No

Data loading methods

  • Import directly from resource
  • Reconcile with resource

Account Attributes

The following table lists the Sun Java System Access Manager user account attributes supported by default. All attributes are optional, unless noted in the description.

Resource User Attribute

Resource Attribute Type

Description

uid

String

Required. Unique user ID for the user.

cn

String

Required. User's full name

givenname

String

User's first name

sn

String

User's last name

mail

Email

User's email address

employeeNumber

Number

User's employee number

telephoneNumber

String

User's telephone number

postalAddress

String

User's home address

iplanet-am-user-account-life

Date

Date and time the user's account expires

iplanet-am-user-alias-list

String

List of aliases for the user

iplanet-am-user-success-url

String

URL the user is redirected to when authentication is successful

iplanet-am-user-failure-url

String

URL the user is redirected to when authentication is unsuccessful

roleMemberships

String

List of roles to which user is subscribed

groupMemberships

String

List of groups to which user is subscribed

Resource Object Management

Identity Manager supports the following Sun Java System Access Manager objects:

Resource Object

Features Supported

Attributes Managed

Groups

list, create, update, delete

name, user members

Roles

list, create, update, delete

name, user members

Filtered Roles

list, create, update, delete

name, nsrolefilter

Identity Template

The default identity template is $accountId$.

Sample Forms

This section lists the sample forms that are built-in and available for the Sun Java System Access Manager Realm resource adapter.

Built-In

Also Available

SunAMRealmUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.SunAccessManagerRealmResourceAdapter



Previous      Contents      Index      Next     

.   Copyright 2007 Sun Microsystems, Inc. All rights reserved.