Understanding Identity Manager Components

Identity Manager is a Java 2 Platform, Enterprise Edition (J2EE^TM platform) web application. The J2EE platform consists of a set of industry-standard services, APIs, and protocols that provide the functionality for developing multitiered, web-based, enterprise applications.

The Identity Manager system architecture is distributed across four logical tiers:

• The user tier

• The application tier

• The database tier

• The managed resources tier

Each tier is discussed in the following sections, starting with the application tier.

Figure 2–1 Identity Manager System Architecture

Understanding the Application Tier

Identity Manager (also known as the Identity Manager server) is installed in a J2EE web container inside an application server. Identity Manager server consists of JSP^TM files, HTML, images, and Java^TM classes. Adapters and connectors, which interface with other IT systems (also known as resources), are also located in Identity Manager on the application server.

See Application Servers in Sun Identity Manager 8.1 Release Notes for a list of supported application servers.

Because Identity Manager is a web application, the user interface resides on the application server and pages are served to the user tier on a request-by-request basis.

Installing Identity Manager on the application server is straightforward: A graphical, wizard-based installer is provided, and, on UNIX® systems, a command-line installer is also available. The application server must have a bundled or installed Java Development Kit (JDK^TM) to run the Java classes that perform actions within Identity Manager.

Understanding the Database Tier

Identity Manager stores all of its provisioning and state information in the Identity Manager repository. The repository is comprised of tables that store all the configuration data about Identity Manager. It is a single point for Identity Manager to look up data and lock objects. The repository also contains an audit log, which is a history of actions taken in Identity Manager. Identity Manager data is stored as XML. The repository can reside in local files or a relational database, although in production, a relational database is required.

See Repository Database Servers in Sun Identity Manager 8.1 Release Notes for a list of supported database servers.

Note that, beyond a minimal amount of identity information about individual users, user data is not kept in Identity Manager. Instead, only those attributes that are needed to identify and differentiate users within Identity Manager (for example, name and email address) are saved in the repository.

Identity Manager can connect to the repository over a direct JDBC connection, or it can use data source functionality made available by your application server.

The Identity Manager Service Provider feature requires an additional LDAP repository for storing user information. See Understanding Identity Manager Service Provider System Architecture for details.

Understanding the Managed Resource Tier

The managed resource tier consists of the applications and IT systems to which you provision and deprovision user accounts. It includes the Identity Manager Gateway, which is a helper application that allows Identity Manager to interact with certain resources.

Adapters and connectors provide user management functions, including creating, updating, deleting, and reading user accounts, and performing password change management functionality. Adapters and connectors can also extract account information from a remote system.

In most cases, Identity Manager manages user data on the remote system and does not maintain it in its own data store.

Some common resources that require the use of the Sun Identity Manager Gateway include Microsoft Exchange, Windows Active Directory, Novell eDirectory (formerly Netware Directory Services), Lotus Domino, and several others. (See Sun Identity Manager Gateway in Sun Identity Manager 8.1 Release Notes for a complete list.) The Gateway installs as a service in Windows and communicates with Identity Manager using TCP port 9278. Communication is initiated from Identity Manager using a proprietary encrypted protocol. The Gateway then interfaces with managed resources using the resources native protocols.

From an installation perspective, there are two type of adapters and connectors: Identity Manager adapters and connectors and custom adapters and connectors. Identity Manager adapters and connectors are pre-installed in Identity Manager. Custom adapters and connectors, however, need to be copied to a designated directory in the Identity Manager installation directory located on the application server.

Custom adapters are easy to create using the Identity Manager Resource Extension Facility (REF) kit. The REF kit provides the API and a number of template adapters that companies can use to jump start the development process. Simple resource functionality can be achieved by implementing only eight Java methods.

Understanding the User Tier

The user tier consists of administrators and end users who interact with Identity Manager through one of the user interfaces. The main user interface for the product is a web browser, which communicates with Identity Manager over HTTPS. The two browser-based UIs, the administrator user interface and the end-user interface, primarily consist of HTML pages, although some features may use Java applets.

For clarity, only the administrator user interface and the end-user user interface are shown in figure Figure 2–1. Other user interfaces, however, are also located in the user tier. These include the IVR telephone interface, the Identity Manager IDE, the SPML web services interface, and the Identity Manager console.