Sun OpenSSO Enterprise 8.0 Technical Overview

The Federation Framework Architecture

OpenSSO Enterprise consists of web-based services [using SOAP, XML over HTTP(S) or HTML over HTTP(S)], and Java—based application provider interfaces (APIs) and service provider interfaces (SPIs). The figure below illustrates this architecture. Additionally, the figure shows an agent embedded into a web container. This agent enables the service provider applications to participate in the SAML or Liberty-based protocols. The darker boxes are components provided by OpenSSO Enterprise.

Figure 10–3 Federation Framework Architecture

This figure illustrates the federation framework

The components include:

SAML Service

Provides SAML related services (versions 1.x and 2.0) including artifact and POST profile support, and assertion query support.

Liberty Identity Federation Framework (Liberty ID-FF)

Provides services based on the Liberty ID-FF specifications. Features include federation and single sign-on, single logout, federation termination, name registration, and support for the Common Domain. Implemented web services include a SOAP binding service, a discovery service, a personal profile service, and an authentication service.


Provides services based on the WS-Federation specifications.


OpenSSO Enterprise provides a JAAS-based authentication framework.


OpenSSO Enterprise provides session management for service provider applications.


OpenSSO Enterprise provides a logging service. It also provides activity logs for auditing. Audit logs can be stored in flat files or JDBC-compliant databases.


Includes a set of APIs for interaction between the SSO, logging, SAML, federation, and authentication components. Also included are APIs to build web services for clients and providers.


Includes a set of Service Provider Interfaces (SPIs) into which applications can insert their custom logic. For instance, there is an SPI to do post federation processing, and an SPI for post processing after a successful single logout.