Sun Java System Access Manager 7 2005Q4 Technical Overview

The Liberty Alliance Project

In 2001 Sun Microsystems joined with other major companies to form the Liberty Alliance Project, the premier open standards organization for federated identity and identity-based services. The members of the Liberty Alliance Project represent some of the world's most recognized brand names and service providers. Liberty Alliance Project members drive products, services and partnerships across a spectrum of consumer and industrial products, financial services, travel, retailing, telecommunications and technology.

Access Manager implements two important sets of standards adopted by the Liberty Alliance Project: the Liberty Alliance Project frameworks, and the Security Assertions Markup Language (SAML) specifications. These implementations enable business partners to form a Circle of Trust.

Liberty Alliance Frameworks

The Access Manager Federation Management feature is built upon Liberty Alliance frameworks. The Liberty Alliance Project developed the following specifications and guidelines for implementing complete network identity infrastructures and for deploying identity-based web services:

For more information these specifications, and listings of Liberty web service products, case studies, and white papers, see the Liberty Alliance Project website:

The Circle of Trust

The goal of the Liberty Alliance Project is to enable individuals and organizations to easily conduct network transactions while protecting the individual’s identity. This goal can be achieved only when commercial and non-commercial organizations join together into a circle of trust. In a circle of trust, service providers agree to join together in order to exchange user authentication information using Liberty web service technologies. This circle of trust must contain at least one identity provider, a service that maintains and manages identity information. The circle of trust also includes service providers that offer web-based services to users. Once a Circle Of Trust is established, single sign-on is enabled between all the providers.

In Access Manager, the circle of trust is known as an authentication domain although it is not a DNS domain. In Access Manger, an authentication domain describes entities that are grouped together for the purpose of identity federation.

A travel portal is a good example of an authentication domain. Typically, a travel portal is a website designed to help you find an access various travel service providers from one Internet location. The travel portal service forms a partnership with each hotel, airline, and car rental agency displayed on its website. The user logs into the travel portal and looks for a suitable hotel. When finished making hotel reservations, the user moves to the airline part of the travel portal to look for a suitable airline flight. This time, because of the partner agreement with the travel portal, the airline website shares the authentication information obtained earlier in the user's online session. The user moves from the hotel reservations website to the airline reservations website without having to re-authenticate. All of this is transparent to the user. The following figure illustrates the Circle of Trust formed among the travel portal, which acts as the Identity Provider, and each of the related business partners.

Figure 5–1 The Circle of Trust

This is figure illustrates how a user's identity can be shared
among many businesses such as airlines, car rental agencies, and hotels.

Account federation occurs when a user chooses to unite distinct service accounts and identity provider accounts. The user retains individual account information with each provider in the circle. At the same time, the user establishes a link that allows the exchange of authentication information between them. Users can choose to federate any or all identities they might have with the service providers that have joined this circle. When a user successfully authenticates with one service provider, she can access any of the her accounts within the circle of trust in a single session without having to reauthenticate.