Adapter Details
This adapter is defined in the com.waveset.adapter.SunAccessManagerRealmResourceAdapter class.
Note –
-
Use the Sun Access Manager Realm resource adapter for resources running in Realm mode.
-
Use the Sun Access Manager resource adapter for resources running in Legacy mode. See Sun Java System Access Manager for information about this adapter.
Resource Configuration Notes
You can configure only one Access Manager server (whether in Realm mode or in Legacy mode). You can define multiple resources if you provision to different realms.
The Identity Server Policy Agent is an optional module that you can use to enable single sign-on (SSO). You can obtain this Policy Agent from the following location:
http://wwws.sun.com/software/download/inter_ecom.html#dirserv
Note –
Do not attempt to follow the Policy Agent installation or configuration procedures if this product is not being used in your environment.
For more information about Policy Agents, see:
http://docs.sun.com/app/docs/coll/1322.1
You must install the Identity Server Policy Agent on the same server where Identity Manager is installed.
To install the Policy Agent, follow the installation instructions provided with the Policy Agent, and then perform the following tasks:
Setting Up Policy Agent
Editing the AMAgent.properties File
You must modify the AMAgent.properties file to protect Identity Manager. This file is located in the AgentInstallDir/config directory.
To Edit the AMAgent.properties File
-
Locate the following lines in the AMAgent.properties file.
com.sun.identity.agents.config.cookie.reset.enable = false com.sun.identity.agents.config.cookie.reset.name[0] = com.sun.identity.agents.config.cookie.reset.domain[] = com.sun.identity.agents.config.cookie.reset.path[] =
Edit these lines as follows.
com.sun.identity.agents.config.cookie.reset.enable = true com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com com.sun.identity.agents.config.cookie.reset.path[0] = /
-
Add the following lines.
com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com com.sun.identity.agents.config.cookie.reset.path[1] = /
-
Locate the following lines.
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE com.sun.identity.agents.config.profile.attribute.mapping[] =
Edit these lines as follows
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
-
You must restart the web server for your changes to take effect.
Creating a Policy in Sun Java System Access Manager
To Create a Policy
-
From within the Sun Java System Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:
Service Type
Resource Name
Actions
URL Policy Agent
http://server:port/idm
URL Policy Agent
http://server:port/idm/*
Allow GET and POST actions
-
Assign one or more subjects to the IDMGR policy.
Identity Manager Installation Notes
This section provides installation and configuration notes for the Sun Java System Access Manager Realm resource adapter and the Policy Agent.
General Configuration
Use the following procedure to install and configure the resource adapter.
Installing and Configuring the Access Manager Realm
Resource Adapter
-
Follow the instructions provided in the appropriate version of the Sun JavaTM System Access Manager Developer’s Guide to build the client SDK from the Sun Access Manager installation.
-
Extract the AMConfig.properties and amclientsdk.jar files from the war file that is produced.
-
Put a copy of the AMConfig.properties in the following directory:
$WSHOME/WEB-INF/classes
-
Place a copy of amclientsdk.jar in the following directory:
$WSHOME/WEB-INF/lib
-
Add the amclientsdk.jar file to the server class path.
-
Restart the Identity Manager application server.
-
After copying the files, you must add the Sun Java System Access Manager Realm resource to the Identity Manager resources list. Add the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SunAccessManagerRealmResourceAdapter
Login Module
You must modify the administrator and user login modules so the Sun Java System Access Manager login modules will be listed first.
Note –
You must first configure a Sun Java System Access Manager realm resource before performing the following procedure.
Modifying the Administrator and User Login Modules
-
From the Identity Manager Administrator Interface menu bar, select Security.
-
Click the Login tab.
-
Click the Manage Login Module Groups button, located at the bottom of the page.
-
Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login Module Group.
-
In the Assign Login Module select box, select Sun Access Manager Realm Login Module.
-
When a new Select option displays next to the Assign Login Module option, select the appropriate resource.
-
When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.
-
Specify Sun Access Manager Realm Login Module as the first resource in the module group, and then click Save.
-
Log out of Identity Manager
Security Notes
This section provides information about supported connections and authorization requirements needed to perform basic tasks.
Supported Connections
Identity Manager uses SSL to communicate with this adapter.
Required Administrative Privileges
The user name that connects to the Sun Java System Access Manager must be assigned permissions to add or modify user accounts.
Provisioning Notes
The following table summarizes the provisioning capabilities of the adapter.
Account Attributes
The following table lists the Sun Java System Access Manager user account attributes supported by default. All attributes are optional, unless noted in the description.
|
Resource User Attribute |
Resource Attribute Type |
Description |
|---|---|---|
|
uid |
String |
Required. Unique user ID for the user. |
|
cn |
String |
Required. User’s full name |
|
givenname |
String |
User’s first name |
|
sn |
String |
User’s last name |
|
|
|
User’s email address |
|
employeeNumber |
Number |
User’s employee number |
|
telephoneNumber |
String |
User’s telephone number |
|
postalAddress |
String |
User’s home address |
|
iplanet-am-user-account-life |
Date |
Date and time the user’s account expires |
|
iplanet-am-user-alias-list |
String |
List of aliases for the user |
|
iplanet-am-user-success-url |
String |
URL the user is redirected to when authentication is successful |
|
iplanet-am-user-failure-url |
String |
URL the user is redirected to when authentication is unsuccessful |
|
roleMemberships |
String |
List of roles to which user is subscribed |
|
groupMemberships |
String |
List of groups to which user is subscribed |
Resource Object Management
Identity Manager supports the following Sun Java System Access Manager objects:
|
Resource Object |
Features Supported |
Attributes Managed |
|---|---|---|
|
Groups |
list, create, update, delete |
name, user members |
|
Roles |
list, create, update, delete |
name, user members |
|
Filtered Roles |
list, create, update, delete |
name, nsrolefilter |
Identity Template
The default identity template is $accountId$.
Sample Forms
This section lists the sample forms that are built-in and available for the Sun Java System Access Manager Realm resource adapter.
Built-In
-
Sun Access Manager Realm Create Role Form
-
Sun Access Manager Realm Update Role Form
-
Sun Access Manager Realm Create Filtered Role Form
-
Sun Access Manager Realm Update Filtered Role Form
-
Sun Access Manager Realm Create Group Form
-
Sun Access Manager Realm Update Group Form
Also Available
SunAMRealmUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.SunAccessManagerRealmResourceAdapter
- © 2010, Oracle Corporation and/or its affiliates