Sun ONE logo      Previous      Contents      Index      Next     

Sun ONE Identity Server Customization and API Guide

Chapter 1

The Sun ONE Identity Server Customization and API Guide describes the programmatic and customization details of Identity Server. It includes instructions on how to augment the application with new services using the eXtensible Markup Language (XML) files for configuration, the public Java™ application programming interfaces (APIs) for integration and the JavaServer Pages™ (JSP) for customization. This introductory chapter contains the following sections:

Identity Server Overview

Sun ONE Identity Server integrates identity management with the ability to create and enforce authentication processes and access to directory data and corporate resources. These capabilities enable organizations to deploy a comprehensive system that helps to secure and protect their assets and information, as well as deliver their web-based applications. Towards this end, Identity Server contains components and application management utilities or services.


An identity is a representation of an object used in a network environment. The identity, which can be internal (an employee, a printer) or external (a customer, a vendor), contains a set of attributes that uniquely identifies it. The simplest identity might contain user name (or object identifier) and password attributes. More complex identities might contain attributes for a phone number, social security number, building location, or address.

Data Management Components

Identity Server provides the following components to simplify the administration of identities and the management of data:

Identity Server Management Services

When Identity Server is installed, a number of utilities (or services) are installed to help manage the deployment. A service is actually a grouping of configuration parameters (or attributes). The attributes can be randomly grouped together for easy management or specifically grouped together for one purpose. Additional information on services can be found in Chapter 6, "Service Management," in this manual and the Sun ONE Identity Server Administration Guide. The current installed services include:

In addition to its configured services, Identity Server provides a graphical user interface that allows the application user to manage identity objects, services and policy information via a web browser. This console is built using the Sun ONE Application Framework and can be called by all users, from top level administrator to end users. The console can be customized for each configured organization by modifying and integrating a set of JSP and related files. Information on console customization can be found in Chapter 2, "The Identity Server Console," in this manual. Identity Server also offers data backup, restoration and other software utilities. Information on these functionalities can be found in Chapter 12, "Identity Server Utilities," in this manual. Information on command-line executables can be found in the Sun ONE Identity Server Administration Guide.

Managing Access

Identity Server can manage access to its protected resources in either of two ways: an user can authenticate and access Identity Server via a web browser or, an external application can access Identity Server directly, requesting user authentication information through the use of integrated Identity Server API.

Web Access

When a user requests access to a secure application or page using a web browser, they must first be authenticated. The request is directed to the Authentication Service which determines the type of authentication to initiate based on the method associated with the requestor’s profile. For instance, if the user’s profile is associated with LDAP authentication, the Authentication Service would send an HTML form to their web browser asking for an LDAP user name and password. (More complex types of authentication might include requesting information for multiple authentication types.) Having obtained the user’s credentials, the Authentication Service calls the respective provider to verify the credentials. (The provider in the LDAP example would be the Directory Server.) Once verified, the service calls the SSO API to generate a Single Sign-On (SSO) or session token which holds the user’s identity. The API also generates a token ID, a random identification string associated with the session token. The session token is then sent back to the requesting browser in the form of a cookie while the authentication component directs the user to the requested secure application or page. Additional information on the Authentication Service can be found in Chapter 3, "Authentication Service," in this manual.


Web access might also include an additional security measure to evaluate a user’s access privileges. This includes installed policy agents. Additional information can be found in the Sun ONE Identity Server Web Policy Agents Guide and J2EE Policy Agents Guide.

Application Access

External applications can access Identity Server to request user information using the Identity Server SDK. For example, a mail service might store its users’ mailbox size information in Identity Server and the SDK can be used to retrieve this information. To process the request, the system running the application must have the Identity Server SDK installed. Additional information on both the C and Java APIs can be found throughout this manual in the respective chapters.

Extending Identity Server

One of the architectural goals of Identity Server is to provide an extensible interface. This interface is defined by the following functions:

  1. Custom services can be defined for the deployment using XML.
  2. Console templates can be modified and/or customized for each organization using JSP.
  3. Default services can be implemented using a set of Java API.

Service Definition With XML

As discussed in "Identity Server Overview", the application contains a number of management services. All Identity Server services are written using the XML. Administrators or service developers can modify the internal XML service files installed with Identity Server or configure new XML service files to customize the application based on their need. More information on services and how they are integrated into the Identity Server deployment can be found in Chapter 6, "Service Management," of this manual.


Identity Server services only manage attribute values that are stored in Sun ONE Directory Server. They do not implement their behavior or dynamically generate code to interpret them. It is up to an external application to interpret or utilize these values.

Console Customization

The Identity Server console is used for managing and monitoring identities, services and protected resources throughout the Identity Server deployment. The framework uses XML files, JSP templates and Cascading Style Sheets (CSS) to control the look and feel of the console screens. These files can be duplicated and then modified to make changes to the design for each configured organization; for instance, an organization’s logo can be added in place of the Sun logo. The entire template can also be replaced with an organization’s custom HTML page. Additional information on customizing the Identity Server console can be found in Chapter 2, "The Identity Server Console," of this manual.

Identity Server SDK

The Identity Server SDK contains public interfaces to implement the behavior of Identity Server’s default or customized services. Both Java and C interfaces are provided. The packages include:

Identity Management SDK

Identity Server provides the framework to create and manage users, roles, groups, containers, organizations, organizational units, and sub-organizations. The Java package name is There are currently no comparable C interfaces.

Service Management SDK

The service management interfaces can be used by developers to register services and applications, and manage their configuration data. The Java package name is There are currently no comparable C interfaces.

Authentication Programming Interfaces

Identity Server provides interfaces to extend the functionality of the Authentication Service in two ways. The API provides interfaces that can be used remotely by either Java or C applications to utilize the authentication features of Identity Server. The SPI can be used to plug new authentication modules, written in Java, into the Identity Server authentication framework.

Utility API

This API provides a number of Java classes that can be used to manage system resources. It includes thread management and debug data formatting. The Java package name is There are currently no comparable C interfaces.

Logging API And Logging SPI

The Logging Service records, among other things, access approvals, access denials and user activity. The Logging API can be used to enable logging for external Java applications. The package names begin with com.sun.identity.log. The Logging SPI are Java packages that can be used to develop plug-ins for customized features. The package names begin with com.sun.identity.log.spi. There are currently no comparable C interfaces.

Client Detection API

Identity Server can detect the type of client browser that is attempting to access its resources and respond with the appropriately formatted pages. The Java package used for this purpose is There are currently no comparable C interfaces.


Identity Server provides Java interfaces for validating and managing SSO tokens, and for maintaining the user’s authentication credentials. All applications wishing to participate in the SSO solution can use this API. The Java package name is com.iplanet.sso. The Session Service also includes an API for C applications.

Policy SDK

The Policy API can be used to evaluate and manage Identity Server policies as well as provide additional functionality for the Policy Service. The Java package names begin with com.sun.identity.policy. The Policy Service also includes an API for C applications.


Identity Server uses the SAML API to exchange acts of authentication, authorization decisions and attribute information. The Java package names begin with com.sun.identity.saml. There are currently no comparable C interfaces.

Federation Management API

Identity Server uses the Federation Management API to add functionality based on the Liberty Alliance Project specifications. The Java package name is com.sun.liberty. There are currently no comparable C interfaces.

Identity Server File System

Identity Server installs its packages and files in a directory named SUNWam. The complete file system layout for Identity Server can be found in the Sun ONE Identity Server Deployment Guide.

Client Browser Support

Identity Server 6.1 is supported on the following client browsers:

Previous      Contents      Index      Next     

Copyright 2003 Sun Microsystems, Inc. All rights reserved.