Differences Between Identity Manager and Service Provider (Sun Identity Manager Service Provider 8.1 Deployment)

Sun Identity Manager Service Provider 8.1 Deployment

Differences Between Identity Manager and Service Provider

Service Provider does not use many of the features present in Identity Manager, because they are less useful in large-scale “service provider” environments. Concepts not used in Service Provider include:

Reconciliation and loading from resources
Risk analysis
Compliance

Some concepts are applicable to both products, including the following:

Resource and Active Sync adapters
Forms
Delegated administration
Roles and rules
SPML
Infrastructure code, such as tracing and utilities

The following sections describe some of the differences in detail.

IDMXUser View

The IDMXUser view is similar to the Identity Manager User View. Both views allow the caller to create or check out a view, make changes to the view, and check in the results. However, the attributes within the two views differ greatly.

The IDMXUser view is much narrower in scope than the Identity Manager User view. For example, the IDMXUser view does not contain the global or password top-level attributes. The waveset attribute is not supported in IDMXUser, but some of its sub-attributes are supported through other attributes in IDMXUser. The IDMXUser view does not return resource-specific attributes unless specifically requested.

For a full description of the IDMXUser view and a comparison between the IDMXUser view and the Identity Manager User view, see Chapter 4, IDMXUser View.

Repository

Service Provider bypasses the Identity Manager repository in the following ways:

User accounts are not loaded into the repository. Instead, all account information is stored in an LDAP directory. Information that would be in the account index in Identity Manager is stored in a configurable LDAP attribute. Alternatively, an auxiliary object class may be created to identify the existing and to-be-provisioned users. However, if there are existing users in the master directory store, then this new auxiliary object class must be retroactively added to these users.
Transaction information is written to a separate database.

Workflows and Approvals

Workflows are powerful tools for provisioning users and establishing approvals in Identity Manager. However, because workflows often result in complex transactions involving human interaction, they are not ideally suited for environments in which simple provisioning actions need to be performed on millions of users.

As a result, Service Provider does not use workflows. Instead, Service Provider uses a transaction manager to carry out transactions, such as resource operations and updates to LDAP meta-data. The transaction manager persists all transactions into a database and ensures that any transaction failures caused by a resource or the Service Provider server are completed.

See Workflow Callouts for information about how callouts provide some of the functionality handled by workflows.

Authentication and Authorization

Service Provider does not require authentication or authorization when performing provisioning actions through the LighthouseContext API. A portal or an access management application can perform these services. Communications between the portal and Service Provider (if using SPML) must be secured by using SSL or similar technology.

Authentication and authorization are performed by Identity Manager. Service Provider administrators can be Identity Manager or Service Provider users that are assigned Service Provider-specific capabilities and are able to control organizations. The organizations are created in Identity Manager, but the administrators that belong in each organization are defined by the customers. These administrators can be determined by searching for specific values on LDAP attributes, or by enabling external authorization. External authorization on Service Provider Users can be enabled for the Service Provider End User interface or Identity Manager Administrator interface.

When enabled, viewing, creating, updating, and deleting can be controlled by one or more Service Provider User AdminRoles assigned to the user (Service Provider or Identity Manager) making the request. Whether the user is allowed to do the action is controlled the evaluation of Rules assigned one or more AdminRoles assigned to the user, which use external resource data to determine whether to grant access or not.

Data Loading Mechanisms

Service Provider does not load LDAP user account information into the repository. Instead, it uses the information already in place in the directory. As a result, there is no need to configure the resource adapter to perform reconciliation; nor is it necessary to perform a load from resource or a load from file operation to populate the account index with end user accounts.

However, if administrator accounts are not already defined within Identity Manager, you might need to populate administrator accounts into the repository. Any data loading mechanism can be used to accomplish this task. See Business Administrator's Guide for more information.

User Interface

Service Provider provides a set of sample end-user pages that can be used as the starting point of your own user interface. The sample end-user pages are implemented using the Apache Struts Tiles Framework. This allows you to easily customize the default pages.