
Sun Java System Identity Server 2004Q2 Administration Guide 

Chapter 5
Service Configuration

This chapter describes the service management features of Sun Java™ System Identity Server 2004Q2. The Service Configuration interface provides a way to view, manage and configure all Identity Server services and their values (both default and customized), in addition to configuring Identity Server console display settings. This chapter contains the following sections:

Definition of a Service
Identity Server Services
Attribute Types
Service Configuration Interface

Definition of a Service

A service is a group of attributes defined under a common name. The attributes define the parameters that the service provides to an organization. For instance, in developing a payroll service, a developer might decide to include attributes that define an employee name, an hourly rate and a tax exemption. When the service is registered to an organization, that organization can use these attributes in the configuration of its entries.

Identity Server defines services using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file. This file can be found in the following directories:

IdentityServer_base/SUNWam/dtd/ (Solaris)

IdentityServer_base/identity/dtd (Linux)


Note

Throughout the rest of this chapter, only the Solaris directory information will be given. Please note that the directory structure for Linux is different. For more information, please see About This Guide.


For more information on defining an Identity Server service, see the Identity Server Developer’s Guide.


Identity Server Services

The default services provided with Identity Server are defined by XML files located in the following directory:

etc/opt/SUNWam/config/xml

Some of these services, when configured through the Service Configuration interface, define values for the Identity Server application. Others are registered to a specific organization configured within Identity Server and are used to define default values for the organization.

Administration Service

The Administration service allows for the configuration of the console at both the application level (similar to a Preferences or Options menu for the Identity Server application) as well as at a configured organization level (Preferences or Options specific to a configured organization).

Authentication Service

There are multiple authentication modules, including a base module. This gives the administrator the opportunity to choose, for each defined organization, the method with which the user’s authorization is verified.

Anonymous

This authentication service allows login without specifying a user name and password. Anonymous connections have limited access to the server and are customized by the administrator.

Certificate-based

This authentication service allows login through a personal digital certificate (PDC).

Core

This authentication service is the general configuration base for the Identity Server authentication services. It must be registered and configured to use any of the specific services. It allows the administrator to define default values.

HTTP Basic

This authentication service uses basic authentication, which is the HTTP protocol’s built-in authentication support. In order to use this service, the LDAP authentication service needs to be registered. This will not work from the C API.

LDAP

This authentication service allows for authentication using LDAP bind, an operation which associates a password with a particular LDAP entry.

Membership (Self-Registration)

This authentication service allows a new user to self-register for authentication with a login and password. For self-registration, no authentication is required.

NT

This authentication service allows for authenticating users using a Windows NT™/2000™ server. In order to use the NT Authentication module, Samba Client (smbclient) 2.2.2 must be downloaded and installed (for Linux, you can use the Samba Client that ships with the operating system).

RADIUS

This authentication service allows for authenticating users using an external Remote Authentication Dial-In User Service (RADIUS) server.

In order for the RADIUS Authentication service to work correctly with Sun Java System Application Server, you must configure Application Server’s server.policy file. Instructions for this can be found in “Authentication Options” on page 139.

SafeWord

This authentication service allows for authenticating users using Secure Computing’s SafeWord™ or SafeWord PremierAccess™ authentication servers.

In order for the SafeWord Authentication service to work correctly with Sun Java System Application Server, you must configure Application Server’s server.policy file. Instructions for this can be found in “Authentication Options” on page 139.

SecurID

This authentication service allows for authenticating users using RSA ACE/Server® authentication software and SecurID® authenticators. This service is not supported on Solaris x86.


Note

In this version of Identity Server, the SecurID Authentication service is not supported for the Linux operating system.


Unix

This authentication service allows for authenticating users using a Unix® server, using a user’s UNIX identification and password.

Windows Desktop SSO

This authentication service allows a user who has already authenticated to a Kerberos Key Distribution Center (KDC) to authenticate to Identity Server without re-submitting the login credentials (Single Sign-on).

Authentication Configuration Service

The Authentication Configuration service allows you to configure authentication for roles, users, services and organizations, and to set the rules that determine the precedence of the authentication modules. You can also configure service-based authentication through this service.

Client Detection Service

The Client Detection service allows Identity Server to detect the client type of an accessing browser and allows the administrator to add and configure devices based on the client type.

Globalization Settings Service

The Globalization Settings service contains properties to configure Identity Server for different character sets.

Discovery Service

This service is used by Identity Server’s Federation Management module. For more information on this service, please see the Identity Server Federation Management Guide.

Liberty Personal Profile Service

This service is used by Identity Server’s Federation Management module. For more information on this service, please see the Identity Server Federation Management Guide.

Logging Service

The Logging service is where the administrator configures values for the Identity Server application logging function. Examples include log file size and log file location.

Naming Service

The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other Identity Server services such as session, authentication and logging.

Password Reset Service

The Password Reset service allows users to receive a forgotten password or reset their password for access to a given service or application protected by Identity Server. The Password Reset service attributes, defined by the top-level administrator, control user validation credentials (in the form of “secret questions”), control the mechanism for new or existing password notification, and set possible lockout intervals for incorrect user validation.

Platform Service

The Platform service is where additional servers can be added to the Identity Server configuration as well as other options applied at the top level of the Identity Server application.

Policy Configuration Service

The Policy Configuration service defines values to be used by the Policy framework during policy management and policy evaluation.

SAML Service

The Security Assertion Markup Language (SAML) service defines a framework for exchanging security assertions among security authorities that provide authentication and authorization services, to achieve interoperability across different platforms.

Session Service

The Session service defines values for an authenticated user session such as maximum session time and maximum idle time.

SOAP Binding Service

This service is used by Identity Server’s Federation Management module. For more information on this service, please see the Identity Server Federation Management Guide.

User Service

Default user preferences are defined through the User service (these include time zone, locale and DN starting view).


Attribute Types

The attributes that make up an Identity Server service are classified as one of the following types: Dynamic, Policy, User, Organization or Global. Using these types to subdivide the attributes in each service allows for a more consistent arrangement of the service schema and easier management of the service parameters.

Dynamic Attributes

A dynamic attribute can be assigned to an Identity Server configured role or organization. When the role is assigned to a user or a user is created in an organization, the dynamic attribute then becomes a characteristic of the user. For example, a role is created for an organization’s employees. This role might contain the organization’s address and a fax number, two things that remain static for all employees. When the role is assigned to each employee, these dynamic attributes are inherited by each employee.

User Attributes

These attributes are assigned directly to each user. They are not inherited from a role or an organization and, typically, are different for each user. Examples of user attributes include userid, employee number and password. User attributes can be added or removed from the User service by modifying the amUser.xml file. For more information, see the Identity Server Developer’s Guide.

Organization Attributes

Organization attributes are only assigned to organizations. In that respect, they work as dynamic attributes, yet they differ from dynamic attributes, as they are not inherited by entries in the subtrees. Additionally, no object classes are associated with organization attributes. Attributes listed in the authentication services are defined as organization attributes because authentication is done at the organization level rather than at a subtree or user level.

Global Attributes

Global attributes are applied across the Identity Server configuration. They cannot be applied to users, roles or organizations, as the goal of global attributes is to customize the Identity Server application. There is only one instance of a global attribute in the Identity Server configuration. There are no object classes associated with global attributes. Examples of global attributes include log file size, log file location, port number or a server URL that Identity Server can use to access data.

Policy Attributes

Policy attributes specify the access control actions (or privileges) associated with a service. They become a part of the rules when rules are added to a policy. Policy attributes are required in the service schema if you would like to manage access control of the service using Identity Server policies.
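As an added illustration (not a file shipped with Identity Server), the payroll service sketched in Definition of a Service written as a service XML file against sms.dtd, with one attribute of each of the five types above placed in its own schema element. The service name, attribute names, i18n keys, hierarchy path and values are all assumed; only the element and attribute names of the DTD are real.

```xml
<!DOCTYPE ServicesConfiguration
    PUBLIC "=//iPlanet//Service Management Services (SMS) 1.0 DTD//EN"
    "jar://com/sun/identity/sm/sms.dtd">
<ServicesConfiguration>
  <!-- Constructed example: "samplePayrollService" and every attribute name below are assumed. -->
  <Service name="samplePayrollService" version="1.0">
    <Schema serviceHierarchy="/DSAMEConfig/samplePayrollService"
            i18nFileName="amSamplePayroll" i18nKey="samplePayrollService">
      <!-- Global: a single instance across the whole Identity Server deployment -->
      <Global>
        <AttributeSchema name="payroll-server-url" type="single" syntax="url" i18nKey="a1">
          <DefaultValues>
            <Value>https://payroll.example.com/</Value>
          </DefaultValues>
        </AttributeSchema>
      </Global>
      <!-- Organization: set per organization, not inherited by entries below it -->
      <Organization>
        <AttributeSchema name="payroll-tax-jurisdiction" type="single" syntax="string" i18nKey="a2">
          <DefaultValues>
            <Value>CA</Value>
          </DefaultValues>
        </AttributeSchema>
      </Organization>
      <!-- Dynamic: assignable to a role or organization and inherited by its users -->
      <Dynamic>
        <AttributeSchema name="payroll-hourly-rate" type="single" syntax="numeric" i18nKey="a3">
          <DefaultValues>
            <Value>0</Value>
          </DefaultValues>
        </AttributeSchema>
      </Dynamic>
      <!-- Policy: the access-control action a policy rule may allow or deny for this service -->
      <Policy>
        <AttributeSchema name="VIEW" type="single" syntax="boolean" i18nKey="a4">
          <BooleanValues>
            <BooleanTrueValue i18nKey="allow">allow</BooleanTrueValue>
            <BooleanFalseValue i18nKey="deny">deny</BooleanFalseValue>
          </BooleanValues>
        </AttributeSchema>
      </Policy>
      <!-- User: stored directly on each user entry, never inherited -->
      <User>
        <AttributeSchema name="payroll-tax-exemption" type="single" syntax="string" i18nKey="a5"/>
      </User>
    </Schema>
  </Service>
</ServicesConfiguration>
```

Only the Policy section gives the Policy framework something to allow or deny; a service without it can still be registered, but its access control cannot be managed through Identity Server policies.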


Service Configuration Interface

Services are configured and managed through the Service Configuration module. Organization-specific services which are not covered by the Identity Server default service packages can be written using XML (based on the Identity Server services document type definition or DTD) and added into the interface under the Other Configuration heading. Instructions on how this is done can be found in Part IV, "Attribute Reference" which describes the default services and the definitions of their corresponding attributes.

The Service Configuration module is for displaying service configurations on a global level. In other words, it is a view of the default configurations of all available services in Identity Server, whether registered or not. When a service is registered and activated by an organization, the initial default data assigned to the service is displayed under the service’s Service Configuration page. Figure 5-1 is a screenshot of the graphical user interface.

Figure 5-1  Service Configuration View (screenshot: Identity Server Console, Service Configuration module)

Access the Service Configuration view by choosing the Service Configuration module. The Navigation frame will display a list of all defined Identity Server services. To set the global default values for a service, select the Properties arrow next to the name of the service. The attributes for the service will be displayed in the Data frame.





Copyright 2004 Sun Microsystems, Inc. All rights reserved.