Sun ONE Identity Server Administration Guide



Chapter 1   Product Overview


This chapter provides an overview of the features of Sun ONE Identity Server. It contains the following sections:

  • Sun ONE Identity Server

  • Features of Identity Server

  • Installing Identity Server

  • The Identity Server Console



Sun ONE Identity Server

Sun ONE Identity Server technology is part of the Sun Open Net Environment (Sun ONE) Platform for Network Identity. Identity Server is a set of tools used to leverage the management and security potential of Sun ONE Directory Server, the Lightweight Directory Access Protocol (LDAP)-based data store. Identity Server integrates Directory Server with a user authentication and single sign-on function, which increases data security. It also allows administrators to manage user entries based on roles, an entry grouping mechanism that appears as an attribute in a user entry. Lastly, developers can define and manage the configuration parameters of a multitude of default and custom-made services. All three of these functions are accessed through a customizable graphical user interface, the web-based Identity Server console.



Features of Identity Server



Identity Server is built on top of an installation of Directory Server. The concept is to give directory administrators a more consistent and intuitive interface to work from as well as features used to extend the capabilities of Directory Server.


Service Configuration

Configuration parameters for default and custom-made business services can be specified with the Identity Server service management component. Using XML and the DTD defined within the Identity Server framework, service developers can define the parameters of a corporate service (such as a mail service, a billing service or a logging service) and manage the service's parameters, or attributes. In addition, Identity Server allows service administrators to define the values of these attributes.


Policy Management

Identity Server also provides a method to define, modify or remove the rules that control access to business resources. Collectively, these rules are referred to as policy.


SAML

Identity Server uses the Security Assertion Markup Language (SAML) for exchanging security information. SAML defines an eXtensible Markup Language (XML) framework to achieve interoperability across different vendor platforms that provide this type of information. The SAML framework is described in the Sun ONE Identity Server Programmer's Guide.


Federation Management

Identity Server has integrated a Federation Management module to make use of the open standards for federated network identity being developed by the Liberty Alliance Project.


Authentication

Identity Server provides a plug-in solution for user authentication. The criteria needed to authenticate a particular user are based on the authentication service configured for each organization in the Identity Server enterprise. Before being allowed access to an Identity Server session, a user must pass through authentication successfully.


Single Sign-On

Once the user is authenticated, Identity Server's API for Single Sign-On (SSO) takes over. Each time the authenticated user tries to access a protected page, the SSO API determines whether the user has the required permissions based on their authentication credentials. If the user is valid, access to the page is granted without additional authentication. If not, the user is prompted to authenticate again.


URL Policy Agents

A URL Policy Agent is installed on a web server; it is a specific instance of the Identity Server policy component. The agent serves as an additional authentication step when a user sends a request for a web resource that lives on the protected web server. This authentication is in addition to any user authentication check that the resource itself must perform. The agent protects the web server; the resource is protected by the authentication plug-in.


Identity Management

The Identity Management component allows for the creation and management of identity-related objects. User, role, group, policy, organization, suborganization and container objects can be defined, modified or deleted using either the Identity Server console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the organizations, groups, containers, users, services, and policies. (Additional administrators can be created based on roles.) These administrators are defined within the Directory Server when it is installed with Identity Server. They are:

  • Top-level Administrator with read and write access to all entries within the Identity Server enterprise.

  • Top-level Help Desk Administrator with read access to all entries within the Identity Server enterprise.

  • Organization Administrator with read and write access to all entries within its organization.

  • Organization Help Desk Administrator with read access to all entries within its organization.

  • Container Administrator with read and write access to all entries within its container.

  • Group Administrator with read and write access to all members of its group.


Identity Server Console

This HTML-based console provides a graphical user interface for businesses to manage the Identity Server enterprise.



Installing Identity Server



The goal of Identity Server is to provide an interface for managing user objects, policies and services for organizations using Directory Server. When the Identity Server installer is run, an instance of Directory Server may be installed, but Identity Server typically runs with a remote instance of Directory Server. This instance serves as the data store for Identity Server. In addition, three modules are integrated with the Directory Server: the Policy module, the Management module, and the URL Policy Agent module.

The Policy module consists of the Authentication, Naming, Session, Policy, and Logging services. The Management module provides policy, user and service management functions through either the Identity Server console or the command line interface. The URL Policy Agent validates a user's SSO session and web resource access. All of these functions can be accessed through a web browser using the Identity Server console.



Note: The Identity Server installer can install the three Identity Server modules to expand upon the capabilities of Directory Server. For information on how this is done, please see the Sun ONE Identity Server Installation and Configuration Guide.





The Identity Server Console



The Identity Server console is divided into three sections: the location pane, the navigation pane and the data pane. By using all three panes, the administrator is able to navigate the directory, perform user and service configurations and create policies.

Figure 1-1    The Identity Server Console (top frame: Location pane; left frame: Navigation pane; right frame: Data pane)


Location Pane

The Location pane runs along the top of the console. The uppermost View menu allows the administrator to switch between the different management module views:

  • Identity Management module - allows for the creation and management of identity-related objects.

  • Service Configuration module - allows for the configuration of Identity Server's default services.

  • Current Sessions module - allows administrators to view current session information, as well as terminate any session.

  • Federation Management module - allows for the utilization of the open standards for federated network identity being developed by the Liberty Alliance Project.

The Location field provides a trail to the administrator's position in the directory tree. This path is used for navigational purposes.

The Welcome In field displays the name of the user that is currently running the console with a link to their user profile.

The Search link displays an interface that allows the user to search for entries of a specific Identity Server object type. Use the pull-down menu to select the object type and enter the search string. The results are returned in the search table. Wildcards are accepted.

The Help link opens a browser window containing information on Identity Management, Current Sessions, Federation Management and Part 3 of this documentation, the Attribute Reference Guide.

The Logout link allows the user to log out of the Identity Server.


Navigation Pane

The Navigation pane is the left portion of the Identity Server console. The Directory Object portion (within the grey box) displays the name of the directory object that is currently open and its Properties link. (Most objects displayed in the Navigation pane have a corresponding Properties link. Selecting this link renders the object's attributes in the Data pane to the right.) The View menu lists the directories under the selected directory object. Depending on the number of sub-directories, a paging mechanism is provided.


Data Pane

The Data pane is the right portion of the console. This is where all object attributes and their values are displayed and configured and where entries are selected for their respective group, role or organization.



Tip: You can select or deselect all of the items in a list by clicking the Select All or Deselect All icons.




Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 04, 2002