Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

com.sun.identity.saml.plugins Package

Access Manager provides service provider interfaces (SPIs), three of which have default implementations. A default implementation can be modified, or a new one written, to suit a particular customized service; the implementation is then used to integrate SAML into that service. Currently, the package includes the following interfaces:

AccountMapper and PartnerAccountMapper Interfaces

AccountMapper and PartnerAccountMapper are interfaces that each partner site implements. The implemented class maps the partner site's user accounts to user accounts configured in Access Manager for the purpose of single sign-on. For example, if single sign-on is configured from site A to site B, a site-specific account mapper can be developed for site A and defined in the Trusted Partners subattribute of site B's Trusted Partners profile. When site B processes an assertion it receives, it retrieves the source ID of the originating site and uses it to locate the corresponding account mapper. Either SPI can be implemented, but PartnerAccountMapper has one advantage over AccountMapper: it takes the whole assertion as a parameter, so the partner can define the account mapping based on attributes inside the assertion, whereas AccountMapper receives only the subject of the assertion. The default implementation is com.sun.identity.saml.plugins.DefaultAccountMapper; it is used whenever no site-specific account mapper is configured. Because this mapping decides which local account a partner's assertion is allowed to act as, a custom mapper should bind its result to the source ID it was configured for and return no mapping for subjects it cannot match unambiguously.


Note –

Turning on the Debug Service in the AMConfig.properties file logs additional information about the account mapper, for example, the user name and organization to which the assertion's subject has been mapped. For more information about the AMConfig.properties file, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.
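The following is an added example of a site-specific PartnerAccountMapper for the site A to site B scenario above; it is not code from Access Manager or from this guide. It assumes the SPI shape of this package's PartnerAccountMapper (a getUser(List assertions, String sourceID, String targetURL) method returning a Map keyed by the interface's NAME and ORG constants, where NAME is the local user DN) and the com.sun.identity.saml.assertion classes; confirm both against the javadoc for your release. The source ID, organization, people container and the LocalUserId attribute name are hypothetical deployment values. The mapper refuses to map for any partner other than the one it was registered for, reads the subject from the authentication statement and, to show what AccountMapper cannot do, an attribute from the attribute statement, and only ever produces DNs inside the container reserved for that partner's users.

```java
// Added example, not part of the Access Manager product or its documentation.
// Assumed SPI shape (verify against the com.sun.identity.saml.plugins javadoc):
//   Map getUser(List assertions, String sourceID, String targetURL)
//   returning a Map with keys PartnerAccountMapper.NAME (user DN) and ORG.
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.w3c.dom.Element;

import com.sun.identity.saml.assertion.Assertion;
import com.sun.identity.saml.assertion.Attribute;
import com.sun.identity.saml.assertion.AttributeStatement;
import com.sun.identity.saml.assertion.NameIdentifier;
import com.sun.identity.saml.assertion.Statement;
import com.sun.identity.saml.assertion.SubjectStatement;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.plugins.PartnerAccountMapper;

public class SiteAAccountMapper implements PartnerAccountMapper {

    // Hypothetical deployment values: the source ID of the partner this mapper
    // is registered for, the local organization, and the container that holds
    // only accounts provisioned for that partner's users.
    private static final String PARTNER_SOURCE_ID = "siteA-source-id";
    private static final String LOCAL_ORG = "dc=example,dc=com";
    private static final String PARTNER_CONTAINER = "ou=SiteAUsers," + LOCAL_ORG;
    // Hypothetical attribute the partner may include to name the local account.
    private static final String LOCAL_UID_ATTR = "LocalUserId";

    public Map getUser(List assertions, String sourceID, String targetURL) {
        Map result = new HashMap();

        // 1. Bind the mapping to the configured partner. An empty map means
        //    "no local account" (assumption: the caller treats a missing NAME
        //    key as a failed mapping).
        if (assertions == null || assertions.isEmpty()
                || !PARTNER_SOURCE_ID.equals(sourceID)) {
            return result;
        }

        Assertion assertion = (Assertion) assertions.get(0);
        NameIdentifier nameId = null;
        String uidFromAttribute = null;

        Set statements = assertion.getStatements();
        for (Iterator it = statements.iterator(); it.hasNext();) {
            Statement st = (Statement) it.next();
            int type = st.getStatementType();
            if (type == Statement.AUTHENTICATION_STATEMENT && nameId == null) {
                nameId = ((SubjectStatement) st).getSubject().getNameIdentifier();
            } else if (type == Statement.ATTRIBUTE_STATEMENT) {
                // PartnerAccountMapper sees the whole assertion, so the
                // attribute statement is available here, unlike in AccountMapper.
                uidFromAttribute = firstValue((AttributeStatement) st, LOCAL_UID_ATTR);
            }
        }
        if (nameId == null) {
            return result;
        }

        // 2. Prefer the explicit LocalUserId attribute, else the NameIdentifier.
        String uid = (uidFromAttribute != null) ? uidFromAttribute : nameId.getName();

        // 3. The value becomes part of a DN: accept plain account names only, so
        //    the partner cannot alter the DN structure or escape its container.
        if (uid == null || !uid.matches("[A-Za-z0-9._@-]{1,64}")) {
            return result;
        }
        result.put(NAME, "uid=" + uid + "," + PARTNER_CONTAINER);
        result.put(ORG, LOCAL_ORG);
        return result;
    }

    /** Returns the text of the first value of the named attribute, or null. */
    private static String firstValue(AttributeStatement stmt, String name) {
        List attrs = stmt.getAttribute();
        if (attrs == null) {
            return null;
        }
        for (Iterator it = attrs.iterator(); it.hasNext();) {
            Attribute a = (Attribute) it.next();
            if (!name.equals(a.getAttributeName())) {
                continue;
            }
            try {
                List values = a.getAttributeValue();   // AttributeValue DOM elements
                if (values == null || values.isEmpty()) {
                    return null;
                }
                Element e = (Element) values.get(0);
                return (e.getFirstChild() == null) ? null
                        : e.getFirstChild().getNodeValue().trim();
            } catch (SAMLException ex) {
                return null;
            }
        }
        return null;
    }
}
```

The container restriction is the point of the check in step 3: site A's assertions can only ever resolve to accounts under ou=SiteAUsers, so a partner that asserts an administrator's user ID still lands on an account you provisioned for that partner, or on none at all.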


SiteAttributeMapper and PartnerSiteAttributeMapper Interfaces

SiteAttributeMapper and PartnerSiteAttributeMapper are interfaces that each partner site implements. The implemented class defines the list of attributes to be returned as elements of the AttributeStatement in an authentication assertion. By default, when Access Manager creates an assertion and no mapper is specified, the assertion contains only authentication statements. A site that wants to include attribute statements implements one of these mappers; the class is used to obtain the attributes, create the attribute statement, and insert the statement into the assertion. Either SPI can be implemented, but PartnerSiteAttributeMapper has one advantage over SiteAttributeMapper: it takes an additional targetURL parameter, so the partner can release different sets of attributes to different target applications. Everything the mapper returns is sent to the partner, so a custom mapper should release only the attributes each target actually needs.


Note –

The default behavior is that no attribute statements are returned unless specified by the plug-in.
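The following is an added example of a PartnerSiteAttributeMapper that releases a different attribute set per target application; it is not code from Access Manager or from this guide. It assumes the SPI shape of this package's PartnerSiteAttributeMapper (a getAttributes(Object token, String targetURL) method returning a List of com.sun.identity.saml.assertion.Attribute objects, where the token is the user's SSOToken), the Attribute(name, namespace, value) constructor, and the com.sun.identity.idm API for reading the user's profile; confirm these against the javadoc for your release. The attribute namespace, target URLs and profile attribute names are hypothetical. The mapper keeps an explicit per-target allow list and releases nothing for a target it does not know.

```java
// Added example, not part of the Access Manager product or its documentation.
// Assumed SPI shape (verify against the com.sun.identity.saml.plugins javadoc):
//   List getAttributes(Object token, String targetURL) throws SAMLException
//   returning com.sun.identity.saml.assertion.Attribute objects.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.saml.assertion.Attribute;
import com.sun.identity.saml.common.SAMLException;
import com.sun.identity.saml.plugins.PartnerSiteAttributeMapper;

public class PerTargetSiteAttributeMapper implements PartnerSiteAttributeMapper {

    // Hypothetical attribute namespace agreed with the partner.
    private static final String NS = "urn:example:saml:attributes";

    // Hypothetical release policy: for each target URL prefix, the profile
    // attributes that application is allowed to receive. Anything not listed
    // is never released.
    private static final Map RELEASE_POLICY = new HashMap();
    static {
        RELEASE_POLICY.put("https://hr.partner.example/",
                Arrays.asList(new String[] {"mail", "employeeNumber"}));
        RELEASE_POLICY.put("https://wiki.partner.example/",
                Arrays.asList(new String[] {"mail"}));
    }

    public List getAttributes(Object token, String targetURL) throws SAMLException {
        List allowed = allowedFor(targetURL);
        // Unknown target, missing targetURL, or unexpected token type:
        // release nothing rather than everything.
        if (allowed == null || !(token instanceof SSOToken)) {
            return Collections.EMPTY_LIST;
        }
        List result = new ArrayList();
        try {
            AMIdentity user = IdUtils.getIdentity((SSOToken) token);
            for (Iterator it = allowed.iterator(); it.hasNext();) {
                String name = (String) it.next();
                Set values = user.getAttribute(name);
                if (values == null) {
                    continue;
                }
                for (Iterator vi = values.iterator(); vi.hasNext();) {
                    // One Attribute per value; Access Manager places the list
                    // into the assertion's AttributeStatement.
                    result.add(new Attribute(name, NS, (String) vi.next()));
                }
            }
        } catch (IdRepoException e) {
            throw new SAMLException(e.getMessage());
        } catch (SSOException e) {
            throw new SAMLException(e.getMessage());
        }
        return result;
    }

    /** Longest-prefix match of targetURL against the release policy, or null. */
    static List allowedFor(String targetURL) {
        if (targetURL == null) {
            return null;
        }
        String best = null;
        for (Iterator it = RELEASE_POLICY.keySet().iterator(); it.hasNext();) {
            String prefix = (String) it.next();
            if (targetURL.startsWith(prefix)
                    && (best == null || prefix.length() > best.length())) {
                best = prefix;
            }
        }
        return (best == null) ? null : (List) RELEASE_POLICY.get(best);
    }
}
```

Matching on a URL prefix that includes the scheme and host, and taking the longest match, keeps a target such as https://wiki.partner.example/hr/ from inheriting the HR application's attribute set by accident.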


AttributeMapper Interface

AttributeMapper is an interface used in conjunction with the AttributeQuery class. When a site receives an attribute query, this mapper obtains the SSOToken, or an assertion containing an authentication statement, from the query. The retrieved information is used to convert the attributes in the query to the corresponding Access Manager attributes. A default attribute mapper is provided if no other implementation is defined.

For more information, see AttributeQuery Class.

ActionMapper Interface

ActionMapper is an interface used to obtain single sign-on information and to map partner actions to Access Manager authorization decisions. A default action mapper is provided if no other implementation is defined.