| Sun ONE Identity Server Customization and API Guide |
Chapter 1
IntroductionThe Sun™ ONE Identity Server Customization and API Guide describes the programmatic and customization details of Identity Server. It includes instructions on how to augment the application with new services using the eXtensible Markup Language (XML) files for configuration, the public Java™ application programming interfaces (APIs) for integration and the JavaServer Pages™ (JSP) for customization. This introductory chapter contains the following sections:
Identity Server OverviewSun ONE Identity Server integrates identity management with the ability to create and enforce authentication processes and access to directory data and corporate resources. These capabilities enable organizations to deploy a comprehensive system that helps to secure and protect their assets and information, as well as deliver their web-based applications. Towards this end, Identity Server contains components and application management utilities or services.
Data Management Components
Identity Server provides the following components to simplify the administration of identities and the management of data:
- Service Configuration—provides a solution for customizing and registering configuration parameters or attributes into a service; the service can then be integrated into, and managed using, Identity Server. The solution includes a Document Type Definition (DTD) that defines the structure for creating a service’s XML file, Java APIs that are used to integrate the XML file into the deployment and the Identity Server console which is used to manage the service.
- Identity Management—provides a solution for managing identities. It includes an API for creating, modifying and removing Identity-related Objects (users, roles, groups, containers, organizations, sub-organizations, etc.) as well as an XML template that defines each object’s Lightweight Directory Access Protocol (LDAP) attributes. This template allows for the object’s storage in the Sun ONE Directory Server, the data store for Identity Server.
- Policy Management—provides a solution for defining and retrieving access privilege settings (or policy) to protect an enterprise’s resources. It includes an API that applications can use to retrieve an identity’s policy. The policy is then used to determine an identity’s right to access the requested resource.
- Federation Management—provides a solution for defining authentication domains, service providers and identity providers in order to give users the functionality of federation. Federation allows a user to aggregate multiple digital identities allowing single sign-on to affiliated sites. This module is based on the Liberty Alliance Project’s Version 1.1 specifications.
- Current Sessions—provides a solution for an Identity Server administrator to view and manage user session information. It keeps track of session times as well as allowing the administrator to terminate a session.
- Sun ONE Directory Server—provides the storage facility in an Identity Server deployment. It holds all identity data as well as configured policies. The majority of the data is stored in the Directory Server using LDAP; certain of it is stored as XML.
Identity Server Management Services
When Identity Server is installed, a number of utilities (or services) are installed to help manage the deployment. A service is actually a grouping of configuration parameters (or attributes). The attributes can be randomly grouped together for easy management or specifically grouped together for one purpose. Additional information on services can be found in Chapter 6, "Service Management," in this manual and the Sun ONE Identity Server Administration Guide. The current installed services include:
- Administration Service—provides properties for the configuration of the Identity Server as well as attributes to customize the application specific to each configured organization. Information on the Administration Service attributes can be found in the Administration Service attributes chapter of the Sun ONE Identity Server Administration Guide.
- Authentication Service—provides an interface for gathering user credentials and issuing single sign-on (session) tokens. It also contains an SDK to write plug-ins in order to integrate token validation and authentication credential storage functionality for proprietary authentication servers. For information on this service, see Chapter 3, "Authentication Service" of this manula and the chapter on the Authentication Service attributes in the Sun ONE Identity Server Administration Guide.
- Client Detection Service—allows Identity Server to detect the client type of an accessing browser. Information on this service can be found in Chapter 11, "Client Detection Service," in this manual and the chapter on the Client Detection Service attributes in the Sun ONE Identity Server Administration Guide.
- Globalization Settings—contains properties to configure Identity Server for different character sets. More information on this service, see the chapter on the Globalization Settings attributes in the Sun ONE Identity Server Administration Guide.
- Auditing Features—provides a record-keeping functionality. Both file-based logs and logs stored in a relational database are supported. Information on this service can be found in Chapter 10, "Auditing Features," in this manual and the chapter on the Logging Service attributes in the Sun ONE Identity Server Administration Guide.
- Naming Service—allows client browsers to locate the URL for services in a deployment that is running more than one Identity Server ensuring that the URL returned for the service is the one for the host on which the user session was created. More information on this service can be found in the Naming Service attributes chapter of the Sun ONE Identity Server Administration Guide.
- Password Reset Service—contains properties that can be configured per organization to implement the Password Reset Service. For information on this service, see the chapter on the Password Reset Service attributes in the Sun ONE Identity Server Administration Guide.
- Platform Service—provides configurable attributes for the Identity Server deployment. For information on this service, see the chapter on the Platform Service attributes in the Sun ONE Identity Server Administration Guide.
- Policy Configuration Service—provides properties for configuring the policy function as well as attributes to configure the Policy Service for each configured organization. For information on this service, see Chapter 7, "Policy Service," in this manual and the chapter on the Policy Configuration Service attributes in the Sun ONE Identity Server Administration Guide.
- Security Assertion Markup Language (SAML) Service—provides an interface integrating SAML Service, Simple Object Access Protocol (SOAP) and https for sending and receiving security information. This service encrypts data passed between different security entities. An API is provided to this end. For information on this service, see Chapter 8, "SAML Service," in this manual and the chapter on the SAML Service attributes in the Sun ONE Identity Server Administration Guide.
- Session Service—provides attributes to configure session properties for all authorized sessions in each configured organization. For information on this service, see Chapter 4, "Single Sign-On And Sessions," in this manual and the chapter on the Session Service attributes in the Sun ONE Identity Server Administration Guide.
- User Service—provides attributes to configure the user properties for all users in each configured organization. For information on this service, see Chapter 5, "Identity Management," in this manual or the chapter on the User Service attributes in the Sun ONE Identity Server Administration Guide.
In addition to its configured services, Identity Server provides a graphical user interface that allows the application user to manage identity objects, services and policy information via a web browser. This console is built using the Sun ONE Application Framework and can be called by all users, from top level administrator to end users. The console can be customized for each configured organization by modifying and integrating a set of JSP and related files. Information on console customization can be found in Chapter 2, "The Identity Server Console," in this manual. Identity Server also offers data backup, restoration and other software utilities. Information on these functionalities can be found in Chapter 12, "Identity Server Utilities," in this manual. Information on command-line executables can be found in the Sun ONE Identity Server Administration Guide.
Managing Access
Identity Server can manage access to its protected resources in either of two ways: an user can authenticate and access Identity Server via a web browser or, an external application can access Identity Server directly, requesting user authentication information through the use of integrated Identity Server API.
Web Access
When a user requests access to a secure application or page using a web browser, they must first be authenticated. The request is directed to the Authentication Service which determines the type of authentication to initiate based on the method associated with the requestor’s profile. For instance, if the user’s profile is associated with LDAP authentication, the Authentication Service would send an HTML form to their web browser asking for an LDAP user name and password. (More complex types of authentication might include requesting information for multiple authentication types.) Having obtained the user’s credentials, the Authentication Service calls the respective provider to verify the credentials. (The provider in the LDAP example would be the Directory Server.) Once verified, the service calls the SSO API to generate a Single Sign-On (SSO) or session token which holds the user’s identity. The API also generates a token ID, a random identification string associated with the session token. The session token is then sent back to the requesting browser in the form of a cookie while the authentication component directs the user to the requested secure application or page. Additional information on the Authentication Service can be found in Chapter 3, "Authentication Service," in this manual.
Note
Web access might also include an additional security measure to evaluate a user’s access privileges. This includes installed policy agents. Additional information can be found in the Sun ONE Identity Server Web Policy Agents Guide and J2EE Policy Agents Guide.
Application Access
External applications can access Identity Server to request user information using the Identity Server SDK. For example, a mail service might store its users’ mailbox size information in Identity Server and the SDK can be used to retrieve this information. To process the request, the system running the application must have the Identity Server SDK installed. Additional information on both the C and Java APIs can be found throughout this manual in the respective chapters.
Extending Identity ServerOne of the architectural goals of Identity Server is to provide an extensible interface. This interface is defined by the following functions:
Service Definition With XML
As discussed in "Identity Server Overview", the application contains a number of management services. All Identity Server services are written using the XML. Administrators or service developers can modify the internal XML service files installed with Identity Server or configure new XML service files to customize the application based on their need. More information on services and how they are integrated into the Identity Server deployment can be found in Chapter 6, "Service Management," of this manual.
Console Customization
The Identity Server console is used for managing and monitoring identities, services and protected resources throughout the Identity Server deployment. The framework uses XML files, JSP templates and Cascading Style Sheets (CSS) to control the look and feel of the console screens. These files can be duplicated and then modified to make changes to the design for each configured organization; for instance, an organization’s logo can be added in place of the Sun logo. The entire template can also be replaced with an organization’s custom HTML page. Additional information on customizing the Identity Server console can be found in Chapter 2, "The Identity Server Console," of this manual.
Identity Server SDK
The Identity Server SDK contains public interfaces to implement the behavior of Identity Server’s default or customized services. Both Java and C interfaces are provided. The packages include:
Identity Management SDK
Identity Server provides the framework to create and manage users, roles, groups, containers, organizations, organizational units, and sub-organizations. The Java package name is com.iplanet.am.sdk. There are currently no comparable C interfaces.
Service Management SDK
The service management interfaces can be used by developers to register services and applications, and manage their configuration data. The Java package name is com.sun.identity.sm. There are currently no comparable C interfaces.
Authentication Programming Interfaces
Identity Server provides interfaces to extend the functionality of the Authentication Service in two ways. The API provides interfaces that can be used remotely by either Java or C applications to utilize the authentication features of Identity Server. The SPI can be used to plug new authentication modules, written in Java, into the Identity Server authentication framework.
Utility API
This API provides a number of Java classes that can be used to manage system resources. It includes thread management and debug data formatting. The Java package name is com.iplanet.am.util. There are currently no comparable C interfaces.
Logging API And Logging SPI
The Logging Service records, among other things, access approvals, access denials and user activity. The Logging API can be used to enable logging for external Java applications. The package names begin with com.sun.identity.log. The Logging SPI are Java packages that can be used to develop plug-ins for customized features. The package names begin with com.sun.identity.log.spi. There are currently no comparable C interfaces.
Client Detection API
Identity Server can detect the type of client browser that is attempting to access its resources and respond with the appropriately formatted pages. The Java package used for this purpose is com.iplanet.services.cdm. There are currently no comparable C interfaces.
SSO API
Identity Server provides Java interfaces for validating and managing SSO tokens, and for maintaining the user’s authentication credentials. All applications wishing to participate in the SSO solution can use this API. The Java package name is com.iplanet.sso. The Session Service also includes an API for C applications.
Policy SDK
The Policy API can be used to evaluate and manage Identity Server policies as well as provide additional functionality for the Policy Service. The Java package names begin with com.sun.identity.policy. The Policy Service also includes an API for C applications.
SAML SDK
Identity Server uses the SAML API to exchange acts of authentication, authorization decisions and attribute information. The Java package names begin with com.sun.identity.saml. There are currently no comparable C interfaces.
Federation Management API
Identity Server uses the Federation Management API to add functionality based on the Liberty Alliance Project specifications. The Java package name is com.sun.liberty. There are currently no comparable C interfaces.
Identity Server File SystemIdentity Server installs its packages and files in a directory named SUNWam. The complete file system layout for Identity Server can be found in the Sun ONE Identity Server Deployment Guide.
Client Browser SupportIdentity Server 6.1 is supported on the following client browsers:
