A Service Provider deployment adds the following to Identity Manager:
A user view that is specific to Service Provider users. The user view provides a data model for describing the provisioning operations to be performed, including attribute modifications, password resets, and account disables.
Transaction manager. Provides a mechanism for executing provisioning requests and ensures all resource operations are performed, including those that need to be retried due to resource or server failure. Transactions are logged in a separate database from the Identity Manager repository.
Enhanced reporting capabilities. Service Provider tracks system events, such as concurrent users and administrators, resource operations, and operation failures. Administrators can use the dashboard graph feature on the Identity Manager Administrator interface to quickly assess the current system and spot abnormalities, and to understand historical trends (such as concurrent users or resource operations over a time period). For more information about this feature, see the Business Administrator's Guide.
Service Provider also provides the following features:
Delegated administration. Administrators can view and edit only the users that they control. This is enforced by assigning organizations and Service Provider-specific capabilities to administrators, or dynamically by rules that grant finer-grained capabilities and rights.
Service Provider does not have its own Administrator Interface. All administration tasks, such as system configuration and viewing dashboard graphs, are performed from the Identity Manager Administration Interface. Service Provider provides a set of sample User pages that illustrate how the product can be implemented, but these pages require customization.
Service Provider does not use many of the features present in Identity Manager, because they are less useful in large-scale “service provider” environments. Concepts not used in Service Provider include:
Reconciliation and loading from resources
Some concepts are applicable to both products, including the following:
Resource and Active Sync adapters
Roles and rules
Infrastructure code, such as tracing and utilities
The following sections describe some of the differences in detail.
The IDMXUser view is similar to the Identity Manager User View. Both views allow the caller to create or check out a view, make changes to the view, and check in the results. However, the attributes within the two views differ greatly.
The IDMXUser view is much narrower in scope than the Identity Manager User view. For example, the IDMXUser view does not contain the global or password top-level attributes. The waveset attribute is not supported in IDMXUser, but some of its sub-attributes are supported through other attributes in IDMXUser. The IDMXUser view does not return resource-specific attributes unless specifically requested.
For a full description of the IDMXUser view and a comparison between the IDMXUser view and the Identity Manager User view, see Chapter 4, IDMXUser View.
Service Provider bypasses the Identity Manager repository in the following ways:
User accounts are not loaded into the repository. Instead, all account information is stored in an LDAP directory. Information that would be in the account index in Identity Manager is stored in a configurable LDAP attribute. Alternatively, an auxiliary object class may be created to identify the existing and to-be-provisioned users. However, if there are existing users in the master directory store, then this new auxiliary object class must be retroactively added to these users.
Transaction information is written to a separate database.
Workflows are powerful tools for provisioning users and establishing approvals in Identity Manager. However, because workflows often result in complex transactions involving human interaction, they are not ideally suited for environments in which simple provisioning actions need to be performed on millions of users.
As a result, Service Provider does not use workflows. Instead, Service Provider uses a transaction manager to carry out transactions, such as resource operations and updates to LDAP meta-data. The transaction manager persists every transaction to a database and ensures that a transaction that fails because of a resource failure or a Service Provider server failure is still completed.
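The following is an added illustration of the transaction-manager pattern described above; it is hypothetical example code, not Service Provider's transaction manager, and the table layout, resource names and the `FlakyResource` class are all constructed for the example. It shows why persisting the transaction before running it matters: a resource that is down when the transaction is submitted does not lose the operation, and a later recovery pass finishes the transaction without re-applying the operations that already succeeded.

```python
"""Hypothetical transaction manager (added example, not Service Provider code).

Every provisioning transaction is written to a database *before* any resource
operation runs, each resource operation is recorded as soon as it succeeds, and
a recovery pass resumes every transaction that is still incomplete, so a
resource or server failure cannot leave a user half-provisioned.
"""
import json
import sqlite3
from typing import Dict, List


class FlakyResource:
    """Constructed stand-in for a resource adapter; fails a set number of times."""

    def __init__(self, name: str, fail_times: int = 0):
        self.name = name
        self.fail_times = fail_times      # calls that fail before the resource recovers
        self.applied: List[Dict] = []     # operations that actually reached the resource

    def apply(self, op: Dict) -> None:
        if self.fail_times > 0:
            self.fail_times -= 1
            raise ConnectionError(f"{self.name} unavailable")
        self.applied.append(op)


class TransactionManager:
    SCHEMA = """
    CREATE TABLE IF NOT EXISTS txn (
        id INTEGER PRIMARY KEY,
        user TEXT NOT NULL,
        ops TEXT NOT NULL,               -- JSON list of {resource, action, attrs}
        done_ops INTEGER NOT NULL DEFAULT 0,
        state TEXT NOT NULL              -- 'pending' or 'complete'
    )
    """

    def __init__(self, db: sqlite3.Connection, resources: Dict[str, FlakyResource]):
        self.db = db
        self.resources = resources
        self.db.execute(self.SCHEMA)
        self.db.commit()

    def submit(self, user: str, ops: List[Dict]) -> int:
        """Persist the transaction first, then attempt to run it."""
        cur = self.db.execute(
            "INSERT INTO txn (user, ops, state) VALUES (?, ?, 'pending')",
            (user, json.dumps(ops)),
        )
        self.db.commit()
        txn_id = cur.lastrowid
        self._run(txn_id)
        return txn_id

    def _run(self, txn_id: int) -> bool:
        """Run the remaining operations; on failure keep state 'pending' and stop."""
        row = self.db.execute("SELECT ops, done_ops FROM txn WHERE id = ?", (txn_id,)).fetchone()
        ops, done = json.loads(row[0]), row[1]
        for i in range(done, len(ops)):        # skip operations already applied
            op = ops[i]
            try:
                self.resources[op["resource"]].apply(op)
            except ConnectionError:
                return False                    # progress so far is already recorded
            self.db.execute("UPDATE txn SET done_ops = ? WHERE id = ?", (i + 1, txn_id))
            self.db.commit()
        self.db.execute("UPDATE txn SET state = 'complete' WHERE id = ?", (txn_id,))
        self.db.commit()
        return True

    def recover(self) -> int:
        """Re-run every incomplete transaction (at server start or on a timer)."""
        pending = [r[0] for r in self.db.execute("SELECT id FROM txn WHERE state = 'pending'")]
        return sum(1 for txn_id in pending if self._run(txn_id))

    def state(self, txn_id: int) -> str:
        return self.db.execute("SELECT state FROM txn WHERE id = ?", (txn_id,)).fetchone()[0]


def demo() -> Dict:
    """Constructed scenario: the mail resource is down once, then comes back."""
    db = sqlite3.connect(":memory:")
    resources = {"ldap": FlakyResource("ldap"), "mail": FlakyResource("mail", fail_times=1)}
    tm = TransactionManager(db, resources)
    ops = [
        {"resource": "ldap", "action": "modify", "attrs": {"mail": "jdoe@example.test"}},
        {"resource": "mail", "action": "create", "attrs": {"mailbox": "jdoe"}},
    ]
    tid = tm.submit("jdoe", ops)
    first_state = tm.state(tid)           # 'pending': the mail operation failed
    recovered = tm.recover()              # retry; mail now succeeds
    return {
        "first_state": first_state,
        "recovered": recovered,
        "final_state": tm.state(tid),
        "ldap_calls": len(resources["ldap"].applied),   # 1: not re-applied on retry
        "mail_calls": len(resources["mail"].applied),
    }


if __name__ == "__main__":
    print(demo())
```

The `done_ops` counter is what makes the retry safe: a recovery pass resumes at the first operation that has not been recorded as applied, so an operation that is not idempotent on the resource side is not repeated. A production implementation would also bound the number of retries and surface permanently failing transactions in reporting, which is the "operation failures" event the dashboard tracks.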
See Workflow Callouts for information about how callouts provide some of the functionality handled by workflows.
Service Provider does not require authentication or authorization when performing provisioning actions through the LighthouseContext API. A portal or an access management application can perform these services. Communications between the portal and Service Provider (if using SPML) must be secured by using SSL or similar technology.
Authentication and authorization are performed by Identity Manager. Service Provider administrators can be Identity Manager or Service Provider users that are assigned Service Provider-specific capabilities and are able to control organizations. The organizations are created in Identity Manager, but the administrators that belong in each organization are defined by the customers. These administrators can be determined by searching for specific values on LDAP attributes, or by enabling external authorization. External authorization on Service Provider Users can be enabled for the Service Provider End User interface or Identity Manager Administrator interface.
When enabled, viewing, creating, updating, and deleting can be controlled by one or more Service Provider User AdminRoles assigned to the user (Service Provider or Identity Manager) making the request. Whether the user is allowed to perform the action is controlled by the evaluation of Rules assigned to one or more of the AdminRoles assigned to the user; these Rules use external resource data to determine whether to grant access.
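The following added example (hypothetical code, not Service Provider's AdminRole implementation) shows the authorization pattern the two paragraphs above describe: an administrator holds one or more AdminRoles, each AdminRole carries a Rule per action, and every Rule decides from attributes read from the directory rather than from data copied into the repository. The directory entries, role names, the `o` and `region` attributes, and the `is_allowed` function are all constructed for the example.

```python
"""Hypothetical AdminRole rule evaluation (added example, not Service Provider code).

Decision model: grant an action if at least one AdminRole assigned to the
requesting administrator has a Rule for that action that returns True when
evaluated against the administrator's and the target user's directory entries.
Anything else, including a missing role, a missing rule or an unknown DN, is
denied.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, str]
Rule = Callable[[Attrs, Attrs], bool]   # (admin entry, target entry) -> grant?

# Constructed directory entries standing in for the LDAP user store.
DIRECTORY: Dict[str, Attrs] = {
    "uid=alice,ou=admins,dc=example,dc=test": {"uid": "alice", "o": "acme",   "region": "emea"},
    "uid=bob,ou=people,dc=example,dc=test":   {"uid": "bob",   "o": "acme",   "region": "emea"},
    "uid=carol,ou=people,dc=example,dc=test": {"uid": "carol", "o": "acme",   "region": "apac"},
    "uid=dave,ou=people,dc=example,dc=test":  {"uid": "dave",  "o": "globex", "region": "emea"},
}

ALICE = "uid=alice,ou=admins,dc=example,dc=test"
BOB = "uid=bob,ou=people,dc=example,dc=test"
CAROL = "uid=carol,ou=people,dc=example,dc=test"
DAVE = "uid=dave,ou=people,dc=example,dc=test"


@dataclass
class AdminRole:
    name: str
    rules: Dict[str, Rule] = field(default_factory=dict)   # action -> Rule


# Rules read only external (directory) data; they never consult repository copies.
def same_org(admin: Attrs, target: Attrs) -> bool:
    return admin.get("o") == target.get("o")


def same_org_and_region(admin: Attrs, target: Attrs) -> bool:
    return same_org(admin, target) and admin.get("region") == target.get("region")


def never(admin: Attrs, target: Attrs) -> bool:
    return False


ROLES: Dict[str, AdminRole] = {
    "OrgViewer": AdminRole("OrgViewer", {"view": same_org}),
    "RegionalEditor": AdminRole(
        "RegionalEditor",
        {"view": same_org, "update": same_org_and_region, "delete": never},
    ),
}

# Constructed role assignments: which AdminRoles each administrator holds.
ASSIGNMENTS: Dict[str, List[str]] = {ALICE: ["OrgViewer", "RegionalEditor"]}


def is_allowed(admin_dn: str, action: str, target_dn: str) -> bool:
    """Default deny; grant only if some assigned AdminRole's Rule for the action says yes."""
    admin = DIRECTORY.get(admin_dn)
    target = DIRECTORY.get(target_dn)
    if admin is None or target is None:
        return False
    for role_name in ASSIGNMENTS.get(admin_dn, []):
        rule = ROLES[role_name].rules.get(action)
        if rule is not None and rule(admin, target):
            return True
    return False


if __name__ == "__main__":
    for action, target in [("view", BOB), ("update", CAROL), ("delete", BOB), ("view", DAVE)]:
        print(f"alice {action} {target}: {is_allowed(ALICE, action, target)}")
```

Two properties of this shape are worth preserving in a real deployment: the decision defaults to deny when no Rule applies, and the Rules look at the same directory data the provisioning operation will act on, so an administrator's scope cannot drift away from the users actually stored in the master directory.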
Service Provider does not load LDAP user account information into the repository. Instead, it uses the information already in place in the directory. As a result, there is no need to configure the resource adapter to perform reconciliation; nor is it necessary to perform a load from resource or a load from file operation to populate the account index with end user accounts.
However, if administrator accounts are not already defined within Identity Manager, you might need to populate the repository with administrator accounts. Any data loading mechanism can be used to accomplish this task. See the Business Administrator's Guide for more information.
Service Provider provides a set of sample end-user pages that can be used as the starting point of your own user interface. The sample end-user pages are implemented using the Apache Struts Tiles Framework. This allows you to easily customize the default pages.