
Sun ONE Identity Server 6.1 Administration Guide

Chapter 3
Service Configuration

This chapter describes the service management features of Sun™ ONE Identity Server. The Service Configuration interface provides a way to view, manage and configure all Identity Server services and their values (both default and customized), in addition to configuring Identity Server console display settings. This chapter contains the following sections:

Definition of a Service
Identity Server Services
Attribute Types
Service Configuration Interface


Definition of a Service

A service is a group of attributes defined under a common name. The attributes define the parameters that the service provides to an organization. For instance, in developing a payroll service, a developer might decide to include attributes that define an employee name, an hourly rate and a tax exemption. When the service is registered to an organization, that organization can use these attributes in the configuration of its entries.

Identity Server defines services using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file. This file can be found in the following directory:

IdentityServer_base/SUNWam/dtd/

For more information on defining an Identity Server service, see the Sun ONE Identity Server Customization and API Guide.


Identity Server Services

The default services provided with Identity Server are defined by XML files located in the following directory:

IdentityServer_base/SUNWamconfig/xml

Some of these services, when configured through the Service Configuration interface, define values for the Identity Server application. Others are registered to a specific organization configured within Identity Server and are used to define default values for the organization.

Administration Service

The Administration service allows for the configuration of the console at both the application level (similar to a Preferences or Options menu for the Identity Server application) as well as at a configured organization level (Preferences or Options specific to a configured organization).

Authentication Service

There are ten authentication modules in addition to the Core base module. This allows the administrator to choose the method with which each defined organization verifies a user's identity.

Anonymous

This module allows for log in without specifying a user name and password. Anonymous connections have limited access to the server and are customized by the administrator.

Certificate-based

This module allows login through a personal digital certificate (PDC).


Note

The Certificate authentication service is not supported for Application Server deployments for the 6.1 release.


Core

This module is the general configuration base for the Identity Server authentication services. It must be registered and configured before any of the specific modules can be used. It allows the administrator to define default values that are picked up wherever a value is not specifically set in the Anonymous, Certificate-based, HTTP Basic, LDAP, Membership, NT, RADIUS, SafeWord, SecurID and Unix services.

HTTP Basic

This module uses basic authentication, which is the HTTP protocol’s built-in authentication support.

LDAP

This module allows for authentication using LDAP bind, an operation that authenticates to the directory as a particular LDAP entry by presenting that entry's password.

Membership (Self-Registration)

This module allows a new user to self-register for authentication with a login and password.

NT

This module allows for authenticating users against a Windows NT™/2000™ server. In order to use the NT Authentication module, Samba Client (smbclient) 2.2.2 must be downloaded and installed.

RADIUS

This module allows for authenticating users using an external Remote Authentication Dial-In User Service (RADIUS) server.

In order for the RADIUS Authentication service to work correctly with Sun ONE Application Server, you must configure Application Server’s service.policy file. Instructions for this can be found in "Authentication Options".

SafeWord

This module allows for authenticating users using Secure Computing’s SafeWord™ or SafeWord PremierAccess™ authentication servers.

In order for the SafeWord Authentication service to work correctly with Sun ONE Application Server, you must configure Application Server’s service.policy file. Instructions for this can be found in "Authentication Options".

SecurID

This module allows for authenticating users using RSA ACE/Server® authentication software and SecurID® authenticators. This service is not supported on Solaris x86.

Unix

This module allows for authenticating users using a Unix® server, using a user’s UNIX identification and password.


Note

The Unix authentication service is not supported on the Windows 2000 platform.


Authentication Configuration Service

The Authentication Configuration service allows you to configure authentication for roles, users, services and organizations, and to set the rules that determine the precedence of the authentication modules.

Client Detection Service

The Client Detection service allows Identity Server to detect the client type of an accessing browser and allows the administrator to add and configure devices based on the client type.

Globalization Settings Service

The Globalization Settings contain properties to configure Identity Server for different character sets.

Logging Service

The Logging service is where the administrator configures values for the Identity Server application logging function. Examples include log file size and log file location.

Naming Service

The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other Identity Server services such as session, authentication and logging.

Password Reset Service

The Password Reset service allows users to receive a forgotten password or reset their password for access to a given service or application protected by Identity Server. The Password Reset service attributes, defined by the top-level administrator, control the user validation credentials (in the form of “secret questions”), control the mechanism for new or existing password notification, and set the lockout intervals applied after incorrect user validation.
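The validation and lockout behaviour described above, as an added example that is not Identity Server code: secret answers are stored as salted PBKDF2 hashes, compared in constant time, and a user who gives the wrong answer MAX_FAILURES times in a row is refused further attempts until a lockout interval has passed. The attempt limit, the lockout interval, the hashing parameters and the ResetValidator class are all assumptions made for this example, not settings or APIs of the Password Reset service.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3            # wrong answers before lockout (assumed policy value)
LOCKOUT_SECONDS = 15 * 60   # lockout interval in seconds (assumed policy value)
PBKDF2_ROUNDS = 50_000      # assumed work factor for answer hashing

# Dummy record used for unknown users/questions so that the failure path
# costs the same as a real comparison and does not reveal which users exist.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def normalize(answer):
    """Tolerate case and whitespace differences in a secret answer, nothing else."""
    return " ".join(answer.strip().lower().split())


def hash_answer(answer, salt):
    """Salted PBKDF2-HMAC-SHA256 of the normalized answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


class ResetValidator:
    """In-memory store of answer hashes plus per-user failure and lockout state."""

    def __init__(self):
        self.answers = {}       # user -> {question: (salt, digest)}
        self.failures = {}      # user -> consecutive wrong answers
        self.locked_until = {}  # user -> epoch seconds until which validation is refused

    def enroll(self, user, question, answer):
        salt = os.urandom(16)
        self.answers.setdefault(user, {})[question] = (salt, hash_answer(answer, salt))

    def validate(self, user, question, answer, now):
        """Return "ok", "wrong" or "locked" for one validation attempt at time `now`."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        stored = self.answers.get(user, {}).get(question)
        known = stored is not None
        salt, digest = stored if known else (_DUMMY_SALT, _DUMMY_DIGEST)
        # Always run the hash and the comparison; only accept a match on a real record.
        matched = hmac.compare_digest(hash_answer(answer, salt), digest)
        if known and matched:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return "locked"
        return "wrong"


if __name__ == "__main__":
    v = ResetValidator()
    v.enroll("alice", "first-pet", "Rex")          # constructed enrolment
    for t, a in [(1000, "rex "), (1001, "fido"), (1002, "fido"), (1003, "fido"), (1004, "Rex")]:
        print(t, a, v.validate("alice", "first-pet", a, t))
```

A correct answer given while the account is locked is still refused; the lock is keyed on the user, not the answer, which is what stops an attacker from guessing through the question space at full speed. In a deployment the failure counter and lock would live in the directory or a shared store rather than in process memory.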

Platform Service

The Platform service is where additional servers can be added to the Identity Server configuration as well as other options applied at the top level of the Identity Server application.

Policy Configuration Service

The Policy Configuration service defines values to be used by Policy framework during policy management and policy evaluation.

SAML Service

The Security Assertion Markup Language (SAML) service defines a framework for exchanging security assertions among security authorities to achieve interoperability across different platforms, which provide authentication and authorization services.

Session Service

The Session service defines values for an authenticated user session such as maximum session time and maximum idle time.
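The two limits of the Session service interact in a way worth seeing in code: a request refreshes the idle clock, but no amount of refreshing may carry a session past its maximum session time. The following added example (not Identity Server code; the Session class, the replay helper and the 30-minute and 10-minute limits are constructed for illustration) classifies a session against both limits and replays two constructed request timelines.

```python
from dataclasses import dataclass


@dataclass
class Session:
    created: int       # epoch seconds when the session was issued
    last_access: int   # epoch seconds of the last request on it


def session_state(sess, now, max_session_time, max_idle_time):
    """Classify a session as "valid", "idle-timeout" or "session-timeout".
    The absolute limit is checked first, so a client that keeps touching the
    session cannot outlive it."""
    if now - sess.created > max_session_time:
        return "session-timeout"
    if now - sess.last_access > max_idle_time:
        return "idle-timeout"
    return "valid"


def touch(sess, now, max_session_time, max_idle_time):
    """Record a request on the session: the idle clock is refreshed only if the
    session is still valid. Returns the state that was found at `now`."""
    state = session_state(sess, now, max_session_time, max_idle_time)
    if state == "valid":
        sess.last_access = now
    return state


def replay(sess, request_times, max_session_time, max_idle_time):
    """Replay a list of request timestamps and return the state seen at each."""
    return [touch(sess, t, max_session_time, max_idle_time) for t in request_times]


# Constructed limits, in seconds: 30-minute absolute limit, 10-minute idle limit.
MAX_SESSION = 30 * 60
MAX_IDLE = 10 * 60


def keepalive_scenario():
    """A client pinging every 5 minutes stays valid only up to the absolute limit."""
    s = Session(created=0, last_access=0)
    return replay(s, [300, 600, 900, 1200, 1500, 1800, 2100], MAX_SESSION, MAX_IDLE)


def idle_scenario():
    """A client that goes quiet for longer than the idle limit is cut off early,
    and a later request does not revive it."""
    s = Session(created=0, last_access=0)
    return replay(s, [300, 1000, 1200], MAX_SESSION, MAX_IDLE)


if __name__ == "__main__":
    print("keepalive:", keepalive_scenario())
    print("idle:     ", idle_scenario())
```

Once either limit is hit the server-side session entry should be destroyed, not merely reported as expired; otherwise a stale cookie stays usable if the check is ever bypassed.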

User Service

Default user preferences (time zone, locale and DN starting view) are defined through the User service.


Attribute Types

The attributes that make up an Identity Server service are classified as one of the following types: Dynamic, Policy, User, Organization or Global. Using these types to subdivide the attributes in each service allows for a more consistent arrangement of the service schema and easier management of the service parameters.

Dynamic Attributes

A dynamic attribute can be assigned to an Identity Server configured role or organization. When the role is assigned to a user or a user is created in an organization, the dynamic attribute then becomes a characteristic of the user. For example, a role is created for an organization’s employees. This role might contain the organization’s address and a fax number, two things that remain static for all employees. When the role is assigned to each employee, these dynamic attributes are inherited by each employee.

User Attributes

These attributes are assigned directly to each user. They are not inherited from a role or an organization and, typically, are different for each user. Examples of user attributes include userid, employee number and password. User attributes can be added or removed from the User service by modifying the amUser.xml file. For more information, see the Sun ONE Identity Server Customization and API Guide.

Organization Attributes

Organization attributes are only assigned to organizations. In that respect, they work as dynamic attributes, yet they differ from dynamic attributes, as they are not inherited by entries in the subtrees. Additionally, no object classes are associated with organization attributes. Attributes listed in the authentication services are defined as organization attributes because authentication is done at the organization level rather than at a subtree or user level.

Global Attributes

Global attributes are applied across the Identity Server configuration. They cannot be applied to users, roles or organizations, as the goal of global attributes is to customize the Identity Server application. There is only one instance of a global attribute in the Identity Server configuration. There are no object classes associated with global attributes. Examples of global attributes include log file size, log file location, port number or a server URL that Identity Server can use to access data.

Policy Attributes

Policy attributes specify the access control actions (or privileges) associated with a service. They become a part of the rules when rules are added to a policy.
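The service XML described under "Definition of a Service" and the five attribute types above can be exercised together. The following added example (not Identity Server code) parses a constructed service definition whose element names follow the sms.dtd conventions (Service, Schema, Global, Organization, Dynamic, User, Policy, AttributeSchema, DefaultValues, Value), groups the attributes by type, and resolves which values end up on a user entry: Dynamic values arrive through the role or organization, User values are set directly, and Organization and Global values never become part of the user. The service name, attribute names, values and the password-default check are all constructed for illustration and are not part of any shipped service.

```python
import xml.etree.ElementTree as ET

# Constructed service definition in the shape of an sms.dtd service file.
SERVICE_XML = """<ServicesConfiguration>
  <Service name="examplePayrollService" version="1.0">
    <Schema>
      <Global>
        <AttributeSchema name="payroll-log-location" type="single" syntax="string">
          <DefaultValues><Value>/var/opt/payroll/audit.log</Value></DefaultValues>
        </AttributeSchema>
      </Global>
      <Organization>
        <AttributeSchema name="payroll-auth-module" type="single" syntax="string">
          <DefaultValues><Value>LDAP</Value></DefaultValues>
        </AttributeSchema>
      </Organization>
      <Dynamic>
        <AttributeSchema name="payroll-office-fax" type="single" syntax="string">
          <DefaultValues><Value>+1-555-0100</Value></DefaultValues>
        </AttributeSchema>
      </Dynamic>
      <User>
        <AttributeSchema name="payroll-employee-number" type="single" syntax="string"/>
        <AttributeSchema name="payroll-tax-exemption" type="single" syntax="numeric">
          <DefaultValues><Value>0</Value></DefaultValues>
        </AttributeSchema>
        <AttributeSchema name="payroll-bank-pin" type="single" syntax="password">
          <DefaultValues><Value>1234</Value></DefaultValues>
        </AttributeSchema>
      </User>
      <Policy>
        <AttributeSchema name="VIEW" type="single" syntax="boolean"/>
      </Policy>
    </Schema>
  </Service>
</ServicesConfiguration>
"""

SECTIONS = ("Global", "Organization", "Dynamic", "User", "Policy")


def parse_service(xml_text):
    """Return {section: {attribute name: {"type", "syntax", "defaults"}}}."""
    root = ET.fromstring(xml_text)
    schema = root.find("./Service/Schema")
    out = {section: {} for section in SECTIONS}
    for section in SECTIONS:
        node = schema.find(section)
        if node is None:
            continue
        for attr in node.findall("AttributeSchema"):
            out[section][attr.get("name")] = {
                "type": attr.get("type"),
                "syntax": attr.get("syntax"),
                "defaults": [v.text for v in attr.findall("./DefaultValues/Value")],
            }
    return out


def password_defaults(schema):
    """Added check: a password-syntax attribute shipped with a literal default
    is a credential baked into the service template. Returns the offenders."""
    return sorted(name for section in schema.values()
                  for name, a in section.items()
                  if a["syntax"] == "password" and a["defaults"])


def effective_user_attributes(schema, org_values, role_values, user_values):
    """Resolve the values that apply to one user. Dynamic attributes come from
    the role first, then the organization, then the service default; User
    attributes come from the entry itself, then the service default.
    Organization, Global and Policy attributes are never user values."""
    resolved = {}
    for name, a in schema["Dynamic"].items():
        if name in role_values:
            resolved[name] = role_values[name]
        elif name in org_values:
            resolved[name] = org_values[name]
        elif a["defaults"]:
            resolved[name] = a["defaults"][0]
    for name, a in schema["User"].items():
        if name in user_values:
            resolved[name] = user_values[name]
        elif a["defaults"]:
            resolved[name] = a["defaults"][0]
    return resolved


if __name__ == "__main__":
    schema = parse_service(SERVICE_XML)
    for section in SECTIONS:
        print(section, sorted(schema[section]))
    print("password defaults:", password_defaults(schema))
    print(effective_user_attributes(schema, {}, {"payroll-office-fax": "+1-555-0199"},
                                    {"payroll-employee-number": "E42"}))
```

Running the password-default check over the XML files in IdentityServer_base/SUNWamconfig/xml before registering a custom service is a cheap way to catch a template that would hand every new user the same secret.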


Service Configuration Interface

Services are configured and managed through the Service Configuration module. Organization-specific services that are not covered by the Identity Server default service packages can be written in XML (based on the Identity Server services document type definition, or DTD) and added to the interface under the Other Configuration heading. Instructions on how this is done can be found in Part 3, "Attribute Reference Guide", which describes the default services and the definitions of their corresponding attributes.

The Service Configuration module is for displaying service configurations on a global level. In other words, it is a view of the default configurations of all available services in Identity Server, whether registered or not. When a service is registered and activated by an organization, the initial default data assigned to the service is displayed under the service’s Service Configuration page. Figure 3-1 is a screenshot of the graphical user interface.

Figure 3-1  Service Configuration View

Identity Server Console - Service Configuration module.

Access the Service Configuration view by choosing the Service Configuration module. The Navigation frame will display a list of all defined Identity Server services. To set the global default values for a service, select the Properties arrow next to the name of the service. The attributes for the service will be displayed in the Data frame.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.