Sun OpenSSO Enterprise 8.0 Administration Guide

Managing Configuration Data Within Realms

To manage configuration data stored within a realm, click the Realm Name under the Access Control tab in the OpenSSO Enterprise console. The following sections contain more information (or links to more information) regarding the configuration data.

Managing Authentication

Authentication properties and processes may be customized per realm. Default values for authentication are defined in the Core authentication module under the Configuration tab in the OpenSSO Enterprise console. These values are inherited when a new realm is created, but you can modify a particular value per realm. For more information on configuring authentication and managing authentication processes, see Chapter 3, Configuring Authentication.

Adding Services

A number of services can be added to a realm for more fine-grained configuration. These services may contain Global attributes (which are common to the OpenSSO Enterprise instance and inherited by all configured realms), Realm attributes (which can be customized per realm after the service has been added to it) and Dynamic attributes (which are inherited by users that belong to the realm in which the value is defined). Default values for all attributes in these services can be defined under the Configuration tab in the OpenSSO Enterprise console. The services that can be added to a realm include:

Administration

The Administration service is used to customize tasks performed by the OpenSSO Enterprise console. Default values for the Administration service are defined for the console under the Configuration tab in the OpenSSO Enterprise console. By adding the Administration service to a realm, the realm's administrator can customize these values per realm.

Discovery Service

An identity service is a web service that supports the query and modification of data regarding a principal. An identity service might host, for example, a principal's profile, such as name, address and phone number, or it might hold more sensitive information like a credit card number. The initial step in accessing the identity data a client is requesting is to determine in which identity service it is hosted. A resource offering defines the association between a piece of identity data and the identity service that provides access to it. A discovery service is a registry of resource offerings. By adding the Discovery Service to a realm, the realm's administrator can add resource offerings at the realm level as opposed to the user level.


Note –

This functionality is designed for business to business use cases.


Globalization Settings

The Globalization Settings service contains attributes to customize OpenSSO Enterprise for different locales and character sets. Default values for the Globalization Settings service are defined for the console under the Configuration tab in the OpenSSO Enterprise console. By adding the Globalization Settings service to a realm, the realm's administrator can customize these values per realm.

Password Reset

The Password Reset service allows users to reset their configured password or to receive an email message containing a new password. The Password Reset service does not need to be added to the realm in which a user resides to work. If the Password Reset service is not added to the realm in which the user resides, it will inherit the attribute values defined globally for the service under the Configuration tab in the OpenSSO Enterprise console. By adding the Password Reset service to a realm, the realm's administrator can customize these values per realm.

Policy Configuration

The Policy Configuration service is added to a realm, by default, when the realm is created. Default values for the Policy Configuration service are defined globally under the Configuration tab in the OpenSSO Enterprise console but the realm's administrator can customize them as needed. The service contains properties related to the Policy Service itself.

Session

The Session service defines values for properties that pertain to an authenticated user's session. This includes information such as maximum session time and maximum idle time. Default values for the Session service are defined globally under the Configuration tab in the OpenSSO Enterprise console. By adding the Session service to a realm, the realm's administrator can customize certain properties per realm.

User

Default user preferences for properties like time zone and locale are defined with the User service. Default values for the User service are defined globally under the Configuration tab in the OpenSSO Enterprise console. By adding the User service to a realm, the realm's administrator can customize certain properties per realm.
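The sections above describe a two-level attribute model: a service's global defaults apply to every realm until the service is added to a realm and its values are overridden there, and the Session service expresses two independent limits (maximum session time and maximum idle time). The following added example, which is not part of this guide or of OpenSSO Enterprise itself, models that resolution and applies the resolved Session limits to a session. The service and attribute names (`max_session_minutes`, `max_idle_minutes`, the `User` attributes) and all values are constructed for illustration and are not OpenSSO Enterprise's real attribute names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Global service defaults, as they would be set under the Configuration tab.
# Attribute names and values are constructed for this example, not OpenSSO
# Enterprise's real attribute names.
GLOBAL_DEFAULTS = {
    "Session": {"max_session_minutes": 120, "max_idle_minutes": 30},
    "User": {"timezone": "UTC", "locale": "en_US"},
}


@dataclass
class Realm:
    name: str
    # Services explicitly added to this realm, each with its per-realm
    # overrides. A service not listed here inherits the global defaults.
    services: dict = field(default_factory=dict)

    def add_service(self, service, **overrides):
        """Add a service to the realm, optionally overriding attributes."""
        if service not in GLOBAL_DEFAULTS:
            raise KeyError(f"unknown service: {service}")
        unknown = set(overrides) - set(GLOBAL_DEFAULTS[service])
        if unknown:
            raise KeyError(f"unknown attributes for {service}: {sorted(unknown)}")
        self.services[service] = dict(overrides)


def effective_attrs(realm, service):
    """Resolve a service's attributes for a realm: start from the global
    defaults, then apply the realm's overrides if the service was added."""
    attrs = dict(GLOBAL_DEFAULTS[service])
    attrs.update(realm.services.get(service, {}))
    return attrs


@dataclass
class Session:
    realm: Realm
    created: datetime
    last_access: datetime

    def state(self, now):
        """Check the session against the realm's effective Session limits.
        The absolute limit is checked first, so activity can never extend a
        session past its maximum lifetime."""
        limits = effective_attrs(self.realm, "Session")
        if now - self.created > timedelta(minutes=limits["max_session_minutes"]):
            return "expired:max_session"
        if now - self.last_access > timedelta(minutes=limits["max_idle_minutes"]):
            return "expired:idle"
        return "valid"

    def touch(self, now):
        """Record activity. An already expired session cannot be revived."""
        if self.state(now) != "valid":
            return False
        self.last_access = now
        return True


def demo():
    """Same idle period, two realms: one inherits the global idle limit,
    the other added the Session service with a tighter limit."""
    t0 = datetime(2009, 1, 1, 9, 0)
    top = Realm("top")                                     # inherits defaults
    partners = Realm("partners")
    partners.add_service("Session", max_idle_minutes=10)   # realm override
    s_top = Session(top, t0, t0)
    s_partners = Session(partners, t0, t0)
    after_15 = t0 + timedelta(minutes=15)
    return s_top.state(after_15), s_partners.state(after_15)


if __name__ == "__main__":
    print(demo())
```

The order of the two checks in `state` matters: checking the absolute limit before the idle limit, and refusing to `touch` an expired session, means a client that keeps sending requests can hold a session open only until the maximum session time, never beyond it.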

The following procedures pertain to adding and managing a realm's services.

Procedure: To Add a Service to a Realm

Before You Begin

This procedure assumes you are logged into the OpenSSO console as the administrator, amAdmin.

  1. Click the Access Control tab.

  2. Click the name of the realm to which the service will be added.

  3. Click the Services tab.

  4. Click Add in the Services list.

  5. Select the service you want to add.

  6. Click Next.

  7. Configure the service by defining values for the appropriate attributes.

  8. Click Finish.

    The service will be listed under Services.

Procedure: To Modify the Attributes of a Realm's Added Services

Before You Begin

This procedure assumes you are logged into the OpenSSO console as the administrator, amAdmin.

  1. Click the Access Control tab.

  2. Click the name of the realm that contains the service to be modified.

  3. Click the Services tab.

  4. Click the name of the service you are modifying.

  5. Edit the appropriate values.

  6. Click Save to save the new values.

Plugging in Data Stores

A data store is a database where you can store user attributes and user configuration data. OpenSSO Enterprise provides identity repository plug-ins that connect to an LDAPv3 identity repository framework. These plug-ins enable you to view and retrieve OpenSSO Enterprise user information without having to make changes in your existing user database. The OpenSSO Enterprise framework integrates data from the identity repository plug-in with data from other OpenSSO Enterprise plug-ins to form a virtual identity for each user. OpenSSO Enterprise can then use this virtual identity in authentication and authorization processes that span more than one identity repository. The virtual user identity is destroyed when the user's session ends.

An identity repository is a data store where information about users is stored. It might contain, for example, a user identifier and password, email address, application preferences and other forms of identity data. OpenSSO Enterprise provides an interface that enables a realm administrator to plug one or more identity data stores into a realm. Because more than one identity data store can be configured per realm, OpenSSO Enterprise can access the many profiles of one identity across multiple identity repositories, and the virtual identity for each user can be used for purposes of authentication and authorization. You can create a new data store instance using the following data store types:

Active Directory

This data store type uses the LDAP version 3 specification to write identity data to an instance of Microsoft Active Directory.

Generic LDAPv3

This data store type allows identity data to be written to any LDAPv3-compliant database.


Note –

If the LDAPv3 database you are using does not support Persistent Search, then you cannot use the caching feature.
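Whether a directory supports Persistent Search can be read from its root DSE, which advertises the control OIDs it accepts in the `supportedControl` attribute; the Persistent Search control is `2.16.840.1.113730.3.4.3`. The following added example (not part of this guide or of OpenSSO Enterprise) parses a root DSE exported as LDIF and reports whether caching can be enabled for a Generic LDAPv3 data store. The two LDIF samples are constructed; a real server advertises its own list, and exporting the root DSE (for example with an LDAP search tool against base DN "" and scope base) is assumed to have been done beforehand.

```python
import base64

# OID of the LDAP Persistent Search control (draft-ietf-ldapext-psearch).
PERSISTENT_SEARCH_OID = "2.16.840.1.113730.3.4.3"


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}. Handles folded
    continuation lines (leading space), base64 values ('attr:: ...') and
    comment lines, which is all a root DSE export needs."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # unfold a continuation line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def supports_persistent_search(root_dse):
    """True if the parsed root DSE advertises the Persistent Search control."""
    return PERSISTENT_SEARCH_OID in root_dse.get("supportedControl", [])


def check_datastore_caching(root_dse_ldif):
    """Return (ok, message) describing whether caching may be enabled."""
    dse = parse_ldif_entry(root_dse_ldif)
    if supports_persistent_search(dse):
        return True, "Persistent Search supported: caching may be enabled"
    return False, "Persistent Search not advertised: do not enable caching"


# Constructed root DSE exports for this example; the second OID listed is
# the Simple Paged Results control, included only as a realistic neighbour.
SAMPLE_WITH_PSEARCH = """\
dn:
objectClass: top
vendorName:: U2FtcGxlIExEQVAgc2VydmVy
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.
 4.3
"""

SAMPLE_WITHOUT_PSEARCH = """\
dn:
# paged results only, no Persistent Search
supportedControl: 1.2.840.113556.1.4.319
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_PSEARCH, SAMPLE_WITHOUT_PSEARCH):
        print(check_datastore_caching(sample))
```

Running this against an export of the target directory's root DSE before enabling the data store's caching attribute turns the note above into a repeatable pre-deployment check rather than something discovered after stale cached entries start to show.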


Sun Directory Server With OpenSSO Schema

This data store type resides in a Sun Directory Server instance and holds the OpenSSO Enterprise information tree. It differs from the OpenSSO Enterprise Repository Plug-in in that more configuration attributes allow you to better customize the data store.

The following procedure documents how to configure a new data store.

Procedure: To Create a New Data Store

Before You Begin

This procedure assumes you are logged into the OpenSSO console as the administrator, amAdmin.

  1. Click the Access Control tab.

  2. Click the name of the realm in which you want to add a new data store.

  3. Click the Data Stores tab.

  4. Click New from the Data Stores list.

  5. Enter a name for the data store.

  6. Select the type of data store you wish to create.

  7. Click Next.

  8. Configure the data store by entering the appropriate attribute values.

    See the Sun OpenSSO Enterprise 8.0 Administration Reference for attribute definitions.

  9. Click Finish.

Delegating Administrator Privileges

OpenSSO Enterprise administrators are delegated responsibilities based on privileges assigned to groups. A privilege is an action that can be performed on a resource; for example, a READ operation on a log. Privileges can be dynamically assigned to users deemed administrators by creating a group, assigning to it the appropriate privilege, and adding the appropriate user as a member of the group.


Note –

For more information on groups, see Chapter 5, Creating Subjects.


Once a group is created, it appears under the realm's Privileges tab. To add privileges, click the group name and assign the appropriate operation. Members belonging to the group are then able to perform the assigned operations. The following privileges can be delegated.
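The delegation model described above is indirect: a privilege is assigned to a group, and a user holds it only through membership in that group, so removing the user from the group revokes it without touching the privilege assignments. The following added example, which is not OpenSSO Enterprise code and is not part of this guide, models that resolution for one realm and adds the review query a realm administrator wants when auditing delegated rights: who holds a privilege and through which groups. The group and privilege names (`LogReaders`, `ReadLog`, and so on) are constructed and are not OpenSSO Enterprise's real privilege identifiers.

```python
from collections import defaultdict


class RealmPrivileges:
    """Group-based delegation for one realm: privileges are assigned to
    groups, and a user holds a privilege only via membership in a group
    that carries it (constructed model, not OpenSSO Enterprise's API)."""

    def __init__(self, realm):
        self.realm = realm
        self._group_privileges = {}               # group -> set(privileges)
        self._group_members = defaultdict(set)    # group -> set(users)

    def create_group(self, group):
        self._group_privileges.setdefault(group, set())

    def assign_privilege(self, group, privilege):
        """Assign to a group; the group must exist in this realm first."""
        if group not in self._group_privileges:
            raise KeyError(f"no such group in realm {self.realm}: {group}")
        self._group_privileges[group].add(privilege)

    def revoke_privilege(self, group, privilege):
        self._group_privileges[group].discard(privilege)

    def add_member(self, group, user):
        if group not in self._group_privileges:
            raise KeyError(f"no such group in realm {self.realm}: {group}")
        self._group_members[group].add(user)

    def remove_member(self, group, user):
        self._group_members[group].discard(user)

    def groups_of(self, user):
        return {g for g, members in self._group_members.items() if user in members}

    def effective_privileges(self, user):
        """Union of the privileges of every group the user belongs to."""
        privs = set()
        for g in self.groups_of(user):
            privs |= self._group_privileges[g]
        return privs

    def is_authorized(self, user, privilege):
        return privilege in self.effective_privileges(user)

    def holders(self, privilege):
        """Least-privilege review: {user: {groups granting the privilege}}."""
        result = defaultdict(set)
        for g, privs in self._group_privileges.items():
            if privilege in privs:
                for u in self._group_members.get(g, ()):
                    result[u].add(g)
        return dict(result)


def demo():
    """Constructed realm: log readers and realm admins both may read logs."""
    rp = RealmPrivileges("top")
    rp.create_group("LogReaders")
    rp.create_group("RealmAdmins")
    rp.assign_privilege("LogReaders", "ReadLog")
    rp.assign_privilege("RealmAdmins", "ReadLog")
    rp.assign_privilege("RealmAdmins", "WriteRealmConfig")
    rp.add_member("LogReaders", "alice")
    rp.add_member("RealmAdmins", "bob")
    return rp


if __name__ == "__main__":
    rp = demo()
    print(sorted(rp.effective_privileges("bob")))
    print(rp.holders("ReadLog"))
```

`holders` is the query to run periodically: it lists every user who can perform a sensitive operation and the group that grants it, which is what makes the group-based model reviewable and keeps privileges from being assigned directly to individual accounts.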


Note –

If you have upgraded Access Manager from version 7.0 to OpenSSO Enterprise, the privilege configuration differs from that of a fresh installation. To assign or modify privileges, click the name of the role or group you wish to edit and select from the following:


Configuring Policy

A policy defines rules that specify who is authorized to access an organization's resources, including applications and services. Policies control this access by defining who can do what to which resource, and when and how it can be done. In OpenSSO Enterprise, resources are defined and policies are created at the realm (or sub realm) level. The Policy Service enables the top-level administrator or policy administrator to create, delete, modify and view policies for a specific resource within the realm. For more information on configuring policies, see Chapter 4, Managing Policies.

Defining Subjects

OpenSSO Enterprise offers basic identity management functionality. Subjects can be defined within a realm: a user represents an individual identity and a group represents a collection of users with a common function, feature or interest. A subject can be used in the definition of a policy. For more information on defining subjects, see Chapter 5, Creating Subjects.


Note –

OpenSSO Enterprise is not a user provisioning product. This basic identity management functionality should only be used for demonstrations and proofs of concept. The user provisioning solution provided by Sun Identity Manager should be used in real deployments. For more information, see Sun Identity Manager.


Creating Agent Profiles

Policy agents and web services security agents function based on properties. The configuration of these properties is centralized and managed using the OpenSSO Enterprise console or command line interface; the defined values are stored in the embedded configuration data store. Agent profiles are added to a realm and managed by the realm administrator. For more information on adding agent profiles, see Chapter 6, Storing Policy Agent and Web Services Security Agent Profiles.