Sun Java System Access Manager 7 2005Q4 Technical Overview

The Circle of Trust

The goal of the Liberty Alliance Project is to enable individuals and organizations to easily conduct network transactions while protecting the individual’s identity. This goal can be achieved only when commercial and non-commercial organizations join together into a circle of trust. In a circle of trust, service providers agree to join together in order to exchange user authentication information using Liberty web service technologies. This circle of trust must contain at least one identity provider, a service that maintains and manages identity information. The circle of trust also includes service providers that offer web-based services to users. Once a circle of trust is established, single sign-on is enabled between all the providers.

In Access Manager, the circle of trust is known as an authentication domain, although it is not a DNS domain. In Access Manager, an authentication domain describes entities that are grouped together for the purpose of identity federation.

A travel portal is a good example of an authentication domain. Typically, a travel portal is a website designed to help you find and access various travel service providers from one Internet location. The travel portal service forms a partnership with each hotel, airline, and car rental agency displayed on its website. The user logs into the travel portal and looks for a suitable hotel. When finished making hotel reservations, the user moves to the airline part of the travel portal to look for a suitable airline flight. This time, because of the partner agreement with the travel portal, the airline website shares the authentication information obtained earlier in the user's online session. The user moves from the hotel reservations website to the airline reservations website without having to re-authenticate. All of this is transparent to the user. The following figure illustrates the circle of trust formed among the travel portal, which acts as the identity provider, and each of the related business partners.

Figure 5–1 The Circle of Trust

[Figure: illustrates how a user's identity can be shared among many businesses such as airlines, car rental agencies, and hotels.]

Account federation occurs when a user chooses to unite distinct service provider accounts and identity provider accounts. The user retains individual account information with each provider in the circle. At the same time, the user establishes a link that allows the exchange of authentication information between them. Users can choose to federate any or all identities they might have with the service providers that have joined this circle. When a user successfully authenticates with one service provider, she can access any of her accounts within the circle of trust in a single session without having to re-authenticate.
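The two ideas above, a circle of trust that a service provider enforces and per-provider account federation handles, can be modelled in a few lines. This is an added illustration, not Access Manager or Liberty Alliance code: the provider names and keys are invented, and an HMAC over JSON claims stands in for the signed Liberty assertions the real protocol exchanges.

```python
import hashlib
import hmac
import json
import secrets

class IdentityProvider:
    # Provider in the circle that authenticates users and vouches for them.
    def __init__(self, provider_id, signing_key):
        self.provider_id = provider_id
        self._key = signing_key
        self._federations = {}  # (user, sp_id) -> opaque federation handle

    def federate(self, user, sp_id):
        # Account federation: a distinct random handle per (user, provider) pair,
        # so providers link accounts without learning the user's IdP identifier.
        return self._federations.setdefault((user, sp_id), secrets.token_hex(16))

    def issue_assertion(self, user, sp_id):
        # Returns (claims, mac) for a federated account, or None if never federated.
        handle = self._federations.get((user, sp_id))
        if handle is None:
            return None
        claims = json.dumps({"issuer": self.provider_id, "audience": sp_id,
                             "subject": handle}, sort_keys=True)
        mac = hmac.new(self._key, claims.encode(), hashlib.sha256).hexdigest()
        return claims, mac

class ServiceProvider:
    # Provider that honours single sign-on only from identity providers it trusts.
    def __init__(self, sp_id, circle_of_trust):
        self.sp_id = sp_id
        self._trusted = circle_of_trust  # idp_id -> key agreed with that IdP
        self._accounts = {}  # federation handle -> local account name

    def link_account(self, handle, local_account):
        self._accounts[handle] = local_account

    def accept_sso(self, claims, mac):
        # Returns the local account for a valid assertion, otherwise None.
        parsed = json.loads(claims)
        key = self._trusted.get(parsed.get("issuer"))
        if key is None:
            return None  # issuer is outside this authentication domain
        expected = hmac.new(key, claims.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # forged or tampered assertion
        if parsed.get("audience") != self.sp_id:
            return None  # assertion was issued for a different provider
        return self._accounts.get(parsed.get("subject"))
```

The hotel and airline each receive a different handle for the same user, and an assertion minted for the hotel is rejected by the airline and by any provider outside the circle.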