Sun Java System Access Manager 6 2005Q1 Developer's Guide
Chapter 1
Introduction
The Sun Java System Access Manager 6 2005Q1 Developer’s Guide describes the programmatic and customization details of Access Manager. It includes instructions on how to augment the application with new services using eXtensible Markup Language (XML) files for configuration, the public Java application programming interfaces (APIs) for integration, and JavaServer Pages (JSP) for customization. This introductory chapter contains the following sections:
- Access Manager Overview
- Extending Access Manager
- Access Manager File System
- Client Browser Support
Access Manager Overview
Sun Java System Access Manager integrates identity management with the ability to create and enforce authentication processes and access to directory data and corporate resources. These capabilities enable organizations to deploy a comprehensive system that helps to secure and protect their assets and information, as well as deliver their web-based applications. Towards this end, Access Manager contains components and application management utilities or services.
Data Management Components
Access Manager provides the following components to simplify the administration of identities and the management of data:
- Service Configuration—provides a solution for customizing and registering configuration parameters or attributes into a service; the service can then be integrated into, and managed using, Access Manager. The solution includes a Document Type Definition (DTD) that defines the structure for creating a service’s XML file, Java APIs that are used to integrate the XML file into the deployment and the Access Manager console which is used to manage the service.
- Identity Management—provides a solution for managing identities. It includes an API for creating, modifying and removing Identity-related Objects (users, roles, groups, containers, organizations, sub-organizations, etc.) as well as an XML template that defines each object’s Lightweight Directory Access Protocol (LDAP) attributes. This template allows for the object’s storage in the Sun Java System Directory Server, the data store for Access Manager.
- Policy Management—provides a solution for defining and retrieving access privilege settings (or policy) to protect an enterprise’s resources. It includes an API that applications can use to retrieve an identity’s policy. The policy is then used to determine an identity’s right to access the requested resource.
- Federation Management—provides a solution for defining authentication domains, service providers and identity providers in order to give users the functionality of federation. Federation allows a user to aggregate multiple digital identities allowing single sign-on to affiliated sites. This module is based on the Liberty Alliance Project’s Version 1.1 specifications.
- Current Sessions—provides a solution for an Access Manager administrator to view and manage user session information. It keeps track of session times as well as allowing the administrator to terminate a session.
- Sun Java System Directory Server—provides the storage facility in an Access Manager deployment. It holds all identity data as well as configured policies. The majority of the data is stored in the Directory Server using LDAP; some of it is stored as XML.
Access Manager Management Services
When Access Manager is installed, a number of utilities (or services) are installed to help manage the deployment. A service is actually a grouping of configuration parameters (or attributes). The attributes can be randomly grouped together for easy management or specifically grouped together for one purpose. Additional information on services can be found in Chapter 8, "Service Management," in this manual and the Sun Java System Access Manager Administration Guide. The current installed services include:
- Administration Service—provides properties for the configuration of the Access Manager as well as attributes to customize the application specific to each configured organization. Information on the Administration Service attributes can be found in the Administration Service attributes chapter of the Sun Java System Access Manager Administration Guide.
- Authentication Service—provides an interface for gathering user credentials and issuing single sign-on (session) tokens. It also contains an SDK to write plug-ins in order to integrate token validation and authentication credential storage functionality for proprietary authentication servers. For information on this service, see Chapter 5, "Authentication Service" of this manual and the chapter on the Authentication Service attributes in the Sun Java System Access Manager Administration Guide.
- Client Detection Service—allows Access Manager to detect the client type of an accessing browser. Information on this service can be found in Chapter 13, "Client Detection Service," in this manual and the chapter on the Client Detection Service attributes in the Sun Java System Access Manager Administration Guide.
- Globalization Settings—contains properties to configure Access Manager for different character sets. For more information on this service, see the chapter on the Globalization Settings attributes in the Sun Java System Access Manager Administration Guide.
- Auditing Features—provides a record-keeping functionality. Both file-based logs and logs stored in a relational database are supported. Information on this service can be found in Chapter 12, "Auditing Features," in this manual and the chapter on the Logging Service attributes in the Sun Java System Access Manager Administration Guide.
- Naming Service—allows client browsers to locate the URL for services in a deployment that is running more than one Access Manager, ensuring that the URL returned for the service is the one for the host on which the user session was created. More information on this service can be found in the Naming Service attributes chapter of the Sun Java System Access Manager Administration Guide.
- Password Reset Service—contains properties that can be configured per organization to implement the Password Reset Service. For information on this service, see the chapter on the Password Reset Service attributes in the Sun Java System Access Manager Administration Guide.
- Platform Service—provides configurable attributes for the Access Manager deployment. For information on this service, see the chapter on the Platform Service attributes in the Sun Java System Access Manager Administration Guide.
- Policy Configuration Service—provides properties for configuring the policy function as well as attributes to configure the Policy Service for each configured organization. For information on this service, see Chapter 9, "Policy Management," in this manual and the chapter on the Policy Configuration Service attributes in the Sun Java System Access Manager Administration Guide.
- Security Assertion Markup Language (SAML) Service—provides an interface that integrates SAML, Simple Object Access Protocol (SOAP) and HTTPS for sending and receiving security information. This service encrypts data passed between different security entities. An API is provided to this end. For information on this service, see Chapter 11, "SAML Service," in this manual and the chapter on the SAML Service attributes in the Sun Java System Access Manager Administration Guide.
- Session Service—provides attributes to configure session properties for all authorized sessions in each configured organization. For information on this service, see Chapter 4, "Single Sign-On And Sessions," in this manual and the chapter on the Session Service attributes in the Sun Java System Access Manager Administration Guide.
- User Service—provides attributes to configure the user properties for all users in each configured organization. For information on this service, see Chapter 7, "Identity Management," in this manual or the chapter on the User Service attributes in the Sun Java System Access Manager Administration Guide.
In addition to its configured services, Access Manager provides a graphical user interface that allows the application user to manage identity objects, services and policy information via a web browser. This console is built using the Sun Java System Application Framework and can be called by all users, from top level administrator to end users. The console can be customized for each configured organization by modifying and integrating a set of JSP and related files. Information on console customization can be found in Chapter 3, "The Access Manager Console," in this manual. Access Manager also offers data backup, restoration and other software utilities. Information on these functionalities can be found in Chapter 14, "Access Manager Utilities," in this manual. Information on command-line executables can be found in the Sun Java System Access Manager Administration Guide.
Managing Access
Access Manager can manage access to its protected resources in either of two ways: a user can authenticate and access Access Manager via a web browser, or an external application can access Access Manager directly, requesting user authentication information through the integrated Access Manager APIs.
Web Access
When a user requests access to a secure application or page using a web browser, they must first be authenticated. The request is directed to the Authentication Service, which determines the type of authentication to initiate based on the method associated with the requestor’s profile. For instance, if the user’s profile is associated with LDAP authentication, the Authentication Service sends an HTML form to the web browser asking for an LDAP user name and password. (More complex types of authentication might include requesting information for multiple.) Having obtained the user’s credentials, the Authentication Service calls the respective provider to verify them. (The provider in the LDAP example would be the Directory Server.) Once the credentials are verified, the service calls the SSO API to generate a Single Sign-On (SSO) or session token that holds the user’s identity. The API also generates a token ID, a random identification string associated with the session token. The session token is then sent back to the requesting browser in the form of a cookie, while the authentication component directs the user to the requested secure application or page. Additional information on the Authentication Service can be found in Chapter 5, "Authentication Service," in this manual.
Application Access
External applications can access Access Manager to request user information using the Access Manager SDK. For example, a mail service might store its users’ mailbox size information in Access Manager and the SDK can be used to retrieve this information. To process the request, the system running the application must have the Access Manager SDK installed. Additional information on both the C and Java APIs can be found throughout this manual in the respective chapters.
Extending Access Manager
One of the architectural goals of Access Manager is to provide an extensible interface. This interface is defined by the following functions:
Service Definition With XML
Access Manager contains a number of management services. All Access Manager services are written in XML. Administrators or service developers can modify the internal XML service files installed with Access Manager or configure new XML service files to customize the application to their needs. More information on services and how they are integrated into the Access Manager deployment can be found in Chapter 8, "Service Management," of this manual.
Console Customization
The Access Manager console is used for managing and monitoring identities, services and protected resources throughout the Access Manager deployment. The framework uses XML files, JSP templates and Cascading Style Sheets (CSS) to control the look and feel of the console screens. These files can be duplicated and then modified to make changes to the design for each configured organization; for instance, an organization’s logo can be added in place of the Sun logo. The entire template can also be replaced with an organization’s custom HTML page. Additional information on customizing the Access Manager console can be found in Chapter 3, "The Access Manager Console," of this manual.
Access Manager SDK
The Access Manager SDK contains public interfaces to implement the behavior of Access Manager’s default or customized services. Both Java and C interfaces are provided. The packages include:
Identity Management SDK
Access Manager provides the framework to create and manage users, roles, groups, containers, organizations, organizational units, and sub-organizations. The Java package name is com.iplanet.am.sdk. There are currently no comparable C interfaces.
Service Management SDK
The service management interfaces can be used by developers to register services and applications, and manage their configuration data. The Java package name is com.sun.identity.sm. There are currently no comparable C interfaces.
Authentication Programming Interfaces
Access Manager provides interfaces to extend the functionality of the Authentication Service in two ways. The API provides interfaces that can be used remotely by either Java or C applications to utilize the authentication features of Access Manager. The SPI can be used to plug new authentication modules, written in Java, into the Access Manager authentication framework.
Utility API
This API provides a number of Java classes that can be used to manage system resources. It includes thread management and debug data formatting. The Java package name is com.iplanet.am.util. There are currently no comparable C interfaces.
Logging API And Logging SPI
The Logging Service records, among other things, access approvals, access denials and user activity. The Logging API can be used to enable logging for external Java applications. The package names begin with com.sun.identity.log. The Logging SPI is a set of Java packages that can be used to develop plug-ins for customized features. The package names begin with com.sun.identity.log.spi. There are currently no comparable C interfaces.
Client Detection API
Access Manager can detect the type of client browser that is attempting to access its resources and respond with the appropriately formatted pages. The Java package used for this purpose is com.iplanet.services.cdm. There are currently no comparable C interfaces.
SSO API
Access Manager provides Java interfaces for validating and managing SSO tokens, and for maintaining the user’s authentication credentials. All applications wishing to participate in the SSO solution can use this API. The Java package name is com.iplanet.sso. The Session Service also includes an API for C applications.
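The web-access flow described under "Web Access" and the SSO API described above, shown as an added example that is not code from the guide or from Access Manager itself: a servlet filter that rebuilds the session token from the browser's cookie with com.iplanet.sso, validates it, and fails closed. It assumes the Access Manager SDK is on the classpath; the login URL host and the required authentication level are placeholders.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

// Added example (not from the guide): enforces the web-access flow with the
// com.iplanet.sso API. Assumes the Access Manager SDK is on the classpath;
// the host name and the auth level below are placeholders.
public class SsoGuardFilter implements Filter {
    private static final int REQUIRED_AUTH_LEVEL = 1;                         // hypothetical
    private static final String LOGIN_URL = "https://am.example.com/amserver/UI/Login"; // placeholder host
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            // Rebuild the session token from the cookie the browser sent.
            SSOToken token = manager.createSSOToken(request);
            // Ask the Session Service whether the token is still valid (not expired, not logged out).
            if (!manager.isValidToken(token)) {
                redirectToLogin(request, response);
                return;
            }
            // Reject sessions that authenticated below the level this resource requires.
            if (token.getAuthLevel() < REQUIRED_AUTH_LEVEL) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // Hand the verified principal to the servlets behind this filter.
            request.setAttribute("am.principal", token.getPrincipal().getName());
            chain.doFilter(req, res);
        } catch (SSOException e) {
            // No cookie, unknown token ID, or Session Service unreachable: fail closed.
            redirectToLogin(request, response);
        }
    }

    private void redirectToLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String goTo = java.net.URLEncoder.encode(request.getRequestURL().toString(), "UTF-8");
        response.sendRedirect(LOGIN_URL + "?goto=" + goTo);
    }
}
```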
Policy SDK
The Policy API can be used to evaluate and manage Access Manager policies as well as provide additional functionality for the Policy Service. The Java package names begin with com.sun.identity.policy. The Policy Service also includes an API for C applications.
SAML SDK
Access Manager uses the SAML API to exchange authentication statements, authorization decisions and attribute information. The Java package names begin with com.sun.identity.saml. There are currently no comparable C interfaces.
Federation Management API
Access Manager uses the Federation Management API to add functionality based on the Liberty Alliance Project specifications. The Java package name is com.sun.liberty. There are currently no comparable C interfaces.
Access Manager File System
Access Manager installs its packages and files in a directory named SUNWam. The complete file system layout for Access Manager can be found in the Sun Java System Access Manager Deployment Guide.
Client Browser Support
Access Manager 2005Q1 is supported on the following client browsers: