
Sun ONE Identity Server 6.1 Product Brief

Chapter 1
Overview of Identity Server

Sun ONE Identity Server is an identity management solution designed to meet the needs of rapidly expanding enterprises. Identity Server enables you to bring the identities of your employees, your partners, and your suppliers into one online directory. It then provides a means for establishing policies and permissions regarding who has access to which information in your enterprise. Identity Server is the key to all your data, your services, and who has access to what—it’s the key to all your internal and external business relationships.

This chapter provides an overview of Identity Server and of how its components work together to form an identity management paradigm.


An Identity Management Paradigm

Think of all the different types of information a company must store and be able to make available through its enterprise. Now consider the various enterprise users who must make use of that information in order for the company’s business to run smoothly. For example, the following are routine information transactions that occur every day in a typical company:

In each of these examples, the company must determine who is allowed to view its information or use its applications. Some information, such as the company’s product descriptions and advertising, can be made available to everyone, even the public at large, in the company’s online catalog. Other information, such as accounting and human resources records, must be restricted to employees only. And some internal information is appropriate to share with partners and suppliers, but not with customers.

The Problem

Many enterprises grant access to information on a per-application basis. For example, an employee might have to set up a user name and password to access the company’s health benefits administration website, and a separate user name and password to access the accounting department’s online forms. A customer sets up a user name and password to access the “Customers” branch of the company website. For each website or service, there is an administrator who converts the enterprise user’s input into a data format that the service can recognize. Each service added to the enterprise must be provisioned and maintained separately.

The Solution

Identity Server reduces the administrative costs and eliminates the redundant user information associated with per-application solutions. Identity Server creates a single record or directory entry for each enterprise user, and enables an administrator to assign specific rules or policies governing which information or services each user can access. Policy agents can be deployed on application or web servers to enforce the policies. Together, a user’s directory entry and its associated access policies comprise the user’s enterprise identity. Identity Server makes it possible for a user to access many resources in the enterprise with just one identity.


How Identity Server Works

When an enterprise user or an external application tries to access content stored on a company’s web server, the policy agent intercepts the request and directs it to Identity Server. Identity Server asks the user to present credentials such as a username and password. If the credentials match those stored in the central Directory Server, Identity Server verifies that the user is who he says he is. Next, Identity Server evaluates the policies associated with the user’s identity, and then determines whether the user is allowed to view the requested information.

Finally, Identity Server either grants or denies the user access to the information. Figure 1-1 illustrates one way Identity Server can be configured to act as the gatekeeper to a company’s information resources.

Figure 1-1  Identity Server is the gatekeeper to a company’s enterprise resources.

Figure 1-1 illustrates how Identity Server intercepts requests from customers, employees, and administrators before allowing or denying access.
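The gatekeeper flow described above, as an added example that is not Sun’s code: a constructed Python model in which a policy agent (the enforcement point) consults Identity Server (the decision point), which authenticates against one Directory Server entry per user and evaluates deny-by-default policies keyed on the roles in that entry. The users, passwords, roles and resource prefixes are assumed sample values.

```python
import hashlib, hmac, os, secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DirectoryServer:  # constructed stand-in for the central Directory Server
    def __init__(self):
        self._entries = {}          # one entry per enterprise user: uid -> (salt, hash, roles)
    def add_user(self, uid, password, roles):
        salt = os.urandom(16)
        self._entries[uid] = (salt, _hash(password, salt), frozenset(roles))
    def verify(self, uid, password):
        entry = self._entries.get(uid)   # returns the roles only when the credentials match
        if entry and hmac.compare_digest(_hash(password, entry[0]), entry[1]):
            return entry[2]
        return None

class IdentityServer:  # authenticates against the directory, then evaluates policy per session
    def __init__(self, directory, policies):
        self._dir, self._policies, self._sessions = directory, policies, {}
    def authenticate(self, uid, password):
        roles = self._dir.verify(uid, password)
        if roles is None:
            return None
        token = secrets.token_urlsafe(32)          # opaque single sign-on session token
        self._sessions[token] = (uid, roles)
        return token
    def is_allowed(self, token, resource):
        # Deny by default: grant only if a policy covering the resource names one of the roles.
        roles = self._sessions.get(token, (None, frozenset({"anonymous"})))[1]
        return any(resource.startswith(prefix) and roles & allowed
                   for prefix, allowed in self._policies)

class PolicyAgent:  # sits in front of the web server and asks Identity Server before serving
    def __init__(self, identity_server):
        self._is = identity_server
    def handle(self, token, resource):
        if self._is.is_allowed(token, resource):
            return 200
        return 302 if token is None else 403   # no session: redirect to login; else forbidden

# Constructed sample deployment mirroring the chapter's catalog / HR / partner split.
directory = DirectoryServer()
directory.add_user("alice", "correct horse", ["employee"])
directory.add_user("bob", "partner-pass", ["partner"])
POLICIES = [("/catalog/", {"anonymous", "customer", "partner", "employee"}),
            ("/hr/", {"employee"}),
            ("/partners/", {"employee", "partner"})]
idserver = IdentityServer(directory, POLICIES)
agent = PolicyAgent(idserver)
```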

Identity Server consolidates four major features into a single product that can be viewed in a single administration console:

Identity Administration

Identity Server provides an identity framework for creating and managing directory objects such as organizations, groups, roles, and userIDs. When you use Identity Server to create or modify user objects, you update the entries stored in Directory Server. The Identity Server schema includes pre-defined administrator userIDs and associated access control instructions (ACIs). This makes it possible to delegate user management tasks to various administrators—and to non-administrators as well—in the enterprise.

Access Management

Identity Server implements an authentication service and policy administration to regulate access to a company’s information and applications. These features make it possible to verify that a user is who he says he is, and that the user is authorized to access web or application servers deployed within the enterprise.

Service Management

Identity Server provides a service management SDK that gives application developers the interfaces necessary to register and un-register services as well as to manage schema and configuration information. It also provides a number of services that it uses for authentication and for its own administration.

Federation Management

Identity federation allows a user to link the many local identities he has configured among multiple service providers. With one federated identity, the individual can log in at one service provider’s site and move to an affiliated service provider site without having to re-authenticate or re-establish his identity.


Identity Server Architecture

Identity Server uses a Java technology-based architecture for scalability, performance, and ease of development. It leverages industry standards including the following:

Figure 1-2 illustrates how Identity Server integrates all of these technologies and connects to Directory Server. The Identity Server common identity infrastructure is built upon Directory Server which uses the LDAP protocol.

Figure 1-2  Identity Server Architecture.

Figure 1-2 illustrates how the J2EE Web Agent, Web Container, and Identity Server APIs work together with Directory Server.

Sun ONE Directory Server

In an Identity Server deployment, Directory Server acts as the centralized repository for user identities. Identities are stored as directory entries using the LDAP protocol and Directory Services Markup Language (DSML). LDAP is the “lightweight” version of the Directory Access Protocol (DAP) used by the ISO X.500 standard. DSML enables you to represent directory entries and commands in XML. This makes it possible for XML-based applications using HTTP to take advantage of directory services while making full use of the existing web infrastructure.

Identity Server Components

Identity Server functions are delivered as a collection of Java servlets, JavaBeans components, and JSP modules. Authentication Service, Policy Service, and an Administration Console are examples of such functions. These run inside the Java virtual machine of a J2EE container such as Sun ONE Web Server or Sun ONE Application Server.

Identity Server includes APIs for Single Sign-On, Logging, Identity, Federated Identity, Policy, SAML, and more. These public Java APIs provide an interface that external applications can use to implement either default or customized behavior.

Policy agents are an integral part of the identity management solution. Installed on web servers or web proxy servers in the enterprise, policy agents protect individual servers from unauthorized intrusions.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.