
Sun ONE Identity Server 6.0 Installation and Configuration Guide

Chapter 1
Introducing Identity Server

Identity Server is an enterprise infrastructure solution. It's the key to your business relationships, your services, your data, and who has access to what. Identity Server enables you to get your customers, employees, partners and suppliers into one online directory. It also provides a means for establishing policies and permissions regarding who has access to which information in your enterprise. Identity Server is designed to meet the challenges of rapidly expanding extranets or hosting services. This chapter provides an introduction to the Identity Server solution.

Topics in this chapter include:

Identity Server Solution
Key Features and Benefits
What's New in Identity Server 6.0

Identity Server Solution

Identity Server is composed of Sun ONE servers, services, and agents. It extends the basic functionality of Sun ONE Directory Server to consolidate user data, services data, and access policies so that all of these can be managed efficiently under one console. You can use Identity Server to define and enforce roles and policies that control access to web resources in your enterprise. These roles and policies also provide the means for delegating user account management—to administrators as well as non-administrators. The Identity Server plug-in architecture makes it relatively easy to add new services and to customize their configuration for users and policies.

When you purchase Identity Server, you receive a full complement of Sun ONE servers and services, which together form the Identity Server solution:

Web agents that work with Identity Server are available as separate components. For more information about Identity Server web agents, see "Policies and Policy Agents".

Sun ONE Directory Server

Sun ONE Directory Server is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). In an Identity Server deployment, Directory Server is the central repository for user data, services data, and access policies. This allows a variety of servers and applications to share a consistent set of data.

Identity Server Policy Service

The Policy service is made up of four smaller, specialized services: Authentication, Single Sign-On, Logging, and Session. Together, these services provide the means for enforcing access rules. Access rules combine to form the policies, which allow or deny a user access to an application.

Authentication

The Authentication service verifies the identities of users trying to access applications. Authentication is implemented through a number of plug-in modules that validate a user’s credentials at login.

Single Sign-On

The Single Sign-On (SSO) service uses tokens for storing and transporting user information between applications. This makes it possible for users to log in to the enterprise once, and access multiple web-based applications without having to re-authenticate for each application. The service provides Java APIs for validating SSO tokens and agents for enforcing access rules and policies that are set on specific pages stored on the server.

Logging

The Logging service writes log information to log files or to a log database. The log data is used by Authentication modules and by the Identity Server console.

Session

The Session service maintains user session information and validity periods. The session information is used to validate Single Sign-On tokens.

Figure 1-1  Identity Server Architecture.

Identity Server Management Service

The Management service is made up of three smaller services: Policy Management, Identity Management, and Service Management. These three services are consolidated in the Identity Server console, providing a single point for enterprise management. When you use the Management service to make changes, the changes are automatically made in Directory Server.

Policy Management

The Policy Management service provides a means for creating, modifying, and deleting access rules and policies for organizations and sub-organizations.

Identity Management

The Identity Management service is also referred to as User Management service. It provides the means for creating and managing users, roles, groups, people containers, organizations, organization units, and sub-organizations.

Service Management

The Service Management service provides the means for registering and de-registering services, and for managing service attributes assigned to objects in the directory.

Identity Server Console

Identity Server Console is a graphical interface that consolidates Identity, Service, and Policy management. It allows users—administrators as well as non-administrators—to create and manage user accounts, service attributes, and access rules in Directory Server using one interface and without having to know LDAP.

Cross-Domain Single Sign-On

The Cross-Domain Single Sign-On feature makes it possible for users to authenticate once in a DNS domain in your enterprise, and then access Identity Server services running on other domains. This service is implemented through the use of a controller plus any number of Cross-Domain Single Sign-On (CDSSO) components that you install on the participating domains.

Cross-Domain Controller

The Cross-Domain Controller (CDC) component is automatically installed when you install Identity Services. The controller is responsible for appropriately directing authentication requests. If a request contains no Single Sign-On (SSO) information, the controller directs the request to the Authentication service. If a request contains SSO information, the request is directed to the appropriate CDSSO component with the SSO information appended to the query string.

Cross-Domain Single Sign-On Component

The Cross-Domain Single Sign-On (CDSSO) component is primarily responsible for handling cookie-setting for the domain in which cross-domain single sign-on is deployed. The CDSSO component is installed separately on all participating DNS domains.

Web Server

Sun ONE Web Server, although not included in the product CD as a stand-alone product, is an integral part of the Identity Server solution. It is automatically installed and configured when you install the Policy and Management services. Working behind the scenes, this dedicated instance of Web Server provides the engine for policy enforcement, identity management, and service management. It also serves the graphical user interface.

Common Domain Services

Common Domain Services enable machines hosting a common domain to read and write cookies based on parameters passed within redirect URLs. When a user authenticates with an Identity Service Provider (IDP), the IDP redirects the user's browser to the common domain with a parameter indicating that the user is using that IDP. The server in the common domain writes a cookie that identifies this IDP as the preferred IDP and redirects the user's browser back to the IDP.
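The following is an added model of the common-domain cookie exchange just described (it is constructed for illustration and is not Identity Server code); the host names, the cookie name, the "/writecookie" path and the "idp"/"return" parameter names are assumptions, as is the check that only a known participating IDP is recorded and redirected to.

```python
"""Model of the common domain cookie flow: IDP -> common domain -> back to IDP.

Constructed example, not Identity Server code. All names below are assumed.
"""
from typing import Optional
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

COMMON_DOMAIN = "common.example.net"                          # assumed common domain
KNOWN_IDPS = {"idp.example.com", "idp.partner.example.org"}  # assumed participants
COOKIE_NAME = "preferred_idp"                                 # assumed cookie name


def build_common_domain_redirect(idp_host: str, return_url: str) -> str:
    """IDP side: after authentication, send the browser to the common domain
    with a parameter naming this IDP and the URL to come back to."""
    query = urlencode({"idp": idp_host, "return": return_url})
    return urlunparse(("https", COMMON_DOMAIN, "/writecookie", "", query, ""))


def handle_common_domain_request(url: str) -> dict:
    """Common domain side: read the parameters, write the preferred-IDP
    cookie and redirect the browser back to the IDP that sent it."""
    params = parse_qs(urlparse(url).query)
    idp = params.get("idp", [""])[0]
    return_url = params.get("return", [""])[0]
    back = urlparse(return_url)
    # Defensive check (assumption, not from the page): record only a known
    # participating IDP, and only redirect back to that same IDP over HTTPS.
    if idp not in KNOWN_IDPS or back.scheme != "https" or back.netloc != idp:
        return {"status": 400, "set_cookie": None, "location": None}
    cookie = f"{COOKIE_NAME}={idp}; Domain={COMMON_DOMAIN}; Secure; HttpOnly"
    return {"status": 302, "set_cookie": cookie, "location": return_url}


def preferred_idp_from_cookie(cookie_header: str) -> Optional[str]:
    """Reader side: recover the preferred IDP from a Cookie header, ignoring
    any value that does not name a known participant."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME and value in KNOWN_IDPS:
            return value
    return None
```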


Key Features and Benefits

As a business grows, its networking needs change. Efficiency, extensibility, rapid deployment of services, and maintained security become key factors in keeping its enterprise running smoothly and with minimum down-time. Identity Server offers the following features to meet the challenges of growing enterprises.

Administration Console

A graphical interface that consolidates Identity, Service, and Policy management. The Administration console allows users—administrators as well as non-administrators—to create and manage user accounts, service attributes, and access rules in Directory Server using one interface and without having to know LDAP.

Policy Management

A means for creating and enforcing access rules. Grants or denies users’ access to resources based on their credentials and based on the rules and policies you create.

Service Management

A means for registering services and service attributes. Allows you to assign service attributes to organizations, groups, or individual users from the same console that you use to perform user management.

Identity Management

A framework that supports several pre-defined administrator roles. Provides a means for creating, modifying, or deleting organizations, groups, and users. Automatically creates appropriate administrator entries, roles, and access control instructions (ACIs) each time you create a new organization or managed group.

Authentication

A framework and a number of modules for verifying user identities. Provides security by requiring users to present credentials in order to log in to applications in the enterprise. The plug-in architecture makes it possible for Sun ONE customers to write and use their own modules with Identity Server. The following Authentication modules come with Identity Server:

Web-based Single Sign-On

A mechanism that uses tokens to store and transport user information between applications. Enables a user to access multiple web-based applications during a single session without having to re-authenticate for each application.

Policy Agent

A mechanism that enforces access rules and policies that protect web resources. Provides security by requiring additional identification from users who attempt to access protected files or pages in a web server.

Secure Sockets Layer (SSL)

A transport protocol that encrypts and secures communications over a network. SSL ensures that communications over the network cannot be viewed by unauthorized individuals.

Directory Replication Support

Identity Server works with multi-master replication of Directory Server to provide a highly available directory service for both read and write operations.

Roles and Class of Service Support

Identity Server works with Directory Server to provide a flexible mechanism for grouping and sharing attributes among entries. Allows you to dynamically change a large number of user, group, or organization entries by making a single change to a role or attribute.

Load-Balancer Support

Identity Server works with load-balancers such as Sun ONE Directory Access Router to provide high availability and firewall-like security.


What’s New in Identity Server 6.0

Identity Server 6.0 incorporates the following new features:

Support for Liberty Specifications

The shreds of our identity are scattered across banks, credit card companies, brokerage firms, the department of motor vehicles, insurance companies, the Social Security Administration, department stores, gas stations, telephone companies; the list seems endless. The Internet, now the prime vehicle for business, community and personal interactions, is fragmenting our identity even further. Information about us is doled out across the many computer systems and networks used by our employers, ISPs, bulletin boards, instant messaging systems, and on-line businesses, all with little coordination, interaction or control on our part.

Creating a federated identity infrastructure is the key to correcting this situation. The existence of such an infrastructure opens up new business opportunities, including providing economies of scale that lower business costs and expedite the growth of the Internet and e-commerce. For the consumer, it promises new levels of personalization, security, and control over their identity information. Making this happen is what the Liberty Alliance Project is all about.

SAML Support

Security Assertion Markup Language (SAML) defines an XML framework for exchanging security assertions among security authorities, with the key objective of achieving interoperability across different vendor platforms that provide authentication and authorization services.

Here are some use scenarios where SAML comes into play:

For detailed information on SAML and how it is used within Identity Server, you can see Chapter 8, Using SAML, in the Programmer’s Guide.

Copyright 2003 Sun Microsystems, Inc. All rights reserved.