Sun ONE Identity Server Programmer's Guide



Chapter 1   Introduction


The Sun™ ONE Identity Server Programmer's Guide describes the programmatic and back-end aspects of Identity Server. It includes instructions on how to augment the application with new services using eXtensible Markup Language (XML) files for configuration, the public Java™ APIs for integration and JavaServer Pages (JSP) for customization. This guide also includes instructions on how to customize an Identity Server application for use by a specific organization. This introductory chapter contains the following sections:



Identity Server Overview

An identity is a Lightweight Directory Access Protocol (LDAP) representation of a user or an object. The Sun ONE Identity Server integrates identity management with the capability to create and enforce authentication processes and access policies. These capabilities enable organizations to deploy a comprehensive system that helps to secure and protect their enterprise assets as well as deliver their web-based applications. Towards this end, Identity Server contains components and application management utilities or services.


Data Management Components

Identity Server provides the following components to simplify the administration of identities and the management of data:

  • Service Management—provides a solution for customizing and registering application management parameters. Configuration parameters or attributes are grouped into services which can then be managed using the Identity Server. The solution includes a Document Type Definition (DTD) that defines the structure for creating an XML service file as well as Java interfaces that are used to integrate and manage the service.

  • Identity Management—provides a solution for managing identities. It includes Java interfaces for creating, modifying and removing identity-related objects (users, roles, groups, people containers, organizations, organizational units and sub-organizations) as well as an XML template that defines an object's LDAP attributes.

  • Policy Management—provides a solution for defining and retrieving access privileges to an enterprise's secure resources. It includes Java interfaces that applications can use to obtain an identity's policy settings. The applications then use these settings to evaluate policy decisions when a user requests action on a secure resource.

  • Federation Management—provides a solution for defining authentication domains, service providers and identity providers in order to give users the functionality of federation. This module integrates the Liberty Alliance Project's Version 1.0 specifications.

  • Session Management—provides a solution for viewing and managing user session information. It keeps track of various session times and allows the administrator to terminate a session.

  • Sun ONE Directory Server—provides the storage facility in an Identity Server deployment. It holds all configured identity data as well as access policies. The majority of the data is stored in the Directory Server using LDAP; some of it is stored as XML.

  • Sun ONE Web Server—provides the container in which the Identity Server is run. Because Identity Server uses Java and JSP technologies, the Web Server is needed to implement the Servlet API.


Application Management Services

When Identity Server is installed, a number of application management utilities or services are installed. A service is a grouping of an application's configuration parameters (also called attributes). The attributes can be randomly grouped together for easy management or specifically grouped together for one purpose. Additional information on services can be found in Chapter 6 "Service Management" and the Sun ONE Identity Server Administration Guide. The current installed services are:

  • Administration—provides properties for the configuration of the Identity Server application and attributes for the customization of the application specific to each organization.

  • Authentication—provides an interface for gathering user credentials and issuing single sign-on (SSO) session tokens that integrates HTML, XML and http/https. It contains an SDK for writing plug-ins for different authentication servers. It also contains an SSO SDK for integrating token validation and authentication credential storage into the plug-in.

  • Client Detection—provides an interface and configurable properties for detecting the client type of the browser attempting to access Identity Server.

  • Logging—provides Java interfaces for audit trail and logging ability. Both file-based logs and logs stored in a relational database are supported. On Solaris, Identity Server uses /var/opt/SUNWam as the default directory for logs and debug files. On Windows® 2000, <identity_server_root> is the default.

  • Naming—provides configurable attributes that allow client browsers to find the correct URL for all services in a deployment that is running more than one Identity Server. This ensures that the URL returned for the service is the one for the host that the user session was created on.

  • Platform—provides configurable attributes for the entire Identity Server deployment.

  • Policy Configuration—provides properties for the configuration of the Identity Server application and attributes to configure the Policy Service specific to each organization.

  • Security Assertion Markup Language (SAML)—provides an interface integrating SAML, Simple Object Access Protocol (SOAP) and https for sending and receiving security information. This service encrypts data passed between different security entities. APIs are provided to this end.

  • Session—provides attributes to configure the session properties inherited by all identities for each organization.

  • User—provides attributes to configure the user properties inherited by all identities for each organization.

  • Security Service—provides a certificate authority service for users and components. For users, it issues and revokes certificates. For components, it issues user certificates for agents or server certificates for Sun ONE servers.

In addition to its configured services, Identity Server provides a graphical user interface that allows the application user to manage identity objects, services and policy information via a web browser. This Identity Server console is built using the Sun ONE Application Framework and can be called by all users, from top level administrator to end users. (A policy defines the specific access privileges for each user.) The console can be customized for each configured organization by modifying and integrating a set of JSP and related files. For data backup and restoration, schema management and metadata integration, Identity Server offers command-line executables. Information on both of these topics can be found in Chapter 2 "The Identity Server Console."


Managing Access

Identity Server can manage access to its protected resources in either of two ways: an administrator can authenticate and access Identity Server via a web browser, or a Java application can access Identity Server directly, requesting user authentication information through the use of the Identity Server APIs.


Web Access

When a user requests access to a secure application or page using a web browser, they must first be authenticated. The request is directed to the Authentication Service, which determines the type of authentication process to initiate based on the method associated with the requestor's profile. For instance, if the user's profile is associated with LDAP authentication, the Authentication Service would send an HTML form to their web browser asking for an LDAP user name and password. (More complex types of authentication might include requesting information for multiple authentication types.) Having obtained the user's credentials, the Authentication Service calls the respective provider to perform the authentication. (The provider in the LDAP example would be the Directory Server.) Once the credentials are verified, the service calls the SSO API to generate a Single Sign-On (SSO) token, which holds the user's identity, and then generates a token ID, a random string associated with the SSO token. This complete token is sent back to the requesting browser in the form of a cookie. The authentication component then directs the user to the requested secure application or page. Additional information on the Authentication Service can be found in Chapter 3 "Authentication Service."



Note

Web access might also include an additional security measure to evaluate a user's access privileges; this includes web agents. For more information, see the Sun ONE Identity Server Policy Agent documentation.




Application Access

Java applications can access Identity Server directly, requesting user configuration information using the Identity Server APIs. For example, a mail service might store its users' mailbox size information in Identity Server and the Identity Server SDK can be used to retrieve this information. To process this request, the system running the application must have the Identity Server SDK installed. There must also be at least one instance of the Sun ONE Web Server running the Identity Server. Additional information on the Identity Server SDK can be found in Chapter 5 "Identity Management."



Note

Some services can also be accessed by C applications. Please see Chapter 3 "Authentication Service" and Chapter 7 "Policy Service" for further information on this functionality.





Extending Identity Server



One of the architectural goals of Identity Server is to provide an extensible interface. This extensible interface is defined by the following functions:

  1. Custom services can be defined for the deployment using XML.

  2. Console templates can be modified and/or customized for each organization using Java Server Pages (JSP).

  3. Default services can be implemented using a set of Java APIs.


Service Definition With XML

As mentioned in the "Identity Server Overview", Identity Server contains a number of application management utilities or services. A service is a grouping of configuration parameters defined under one name. These attributes can be randomly grouped together for easy management or specifically grouped together for one purpose. (Identity Server ships with a number of internal services of the latter type. More information on these internal services can be found in the Sun ONE Identity Server Administration Guide.) All Identity Server services are written in XML. Administrators or service developers can modify the internal XML service files or configure custom XML service files based on their needs. More information on services and how they are integrated into the Identity Server deployment can be found in Chapter 6 "Service Management."



Note

Identity Server services manage attribute values that are stored in Sun ONE Directory Server. They do not implement the behavior of the attributes or dynamically generate code to interpret them. It is up to an external application to interpret or utilize these values.




Identity Server Console Customization

The Identity Server console is used for managing and monitoring identities, services and protected resources throughout the Identity Server deployment. Its framework uses XML files, JSP templates and Cascading Style Sheets (CSS) to control the look and feel of the screens that a user accesses. These files can be duplicated and modified to change the design for each registered organization; for instance, an organization's logo can be added in place of the Sun logo. The entire template can also be replaced with an organization's custom HTML page. Additional information on customizing the Identity Server console can be found in Chapter 2 "The Identity Server Console."


Java Packages

The Identity Server packages provide public interfaces to implement the behavior of Identity Server's default or customized services. The packages are:


Identity Server SDK

Identity Server provides the framework to create and manage users, roles, groups, people containers, organizations, organization units, and sub-organizations. It also includes the functionality to create and modify service templates. This API is the core of the identity, service and policy management modules and provides Java classes that can be used to customize them. The API package name is com.iplanet.am.sdk.


Service Management SDK

The Identity Server provides Java APIs for service management. These interfaces can be used by developers to register services and applications, and manage their configuration data. The API package name is com.sun.identity.sm.


Utility API

This API provides a number of Java classes that can be used to manage system resources. This includes, among others, thread management and debug data formatting. The API package name is com.iplanet.am.util.


Logging API

The Logging service records, among other things, access approvals, access denials and user activity. The Logging API can be used to enable other Java applications to call it. The API package names begin with com.sun.identity.log.


Client Detection API

Identity Server can detect the type of client that is attempting to access its resources and respond with the appropriately formatted pages based on its type. The API package used for this purpose is com.iplanet.services.cdm.


SSO API

Identity Server provides Java interfaces for validating and managing the single sign-on (SSO) tokens, and for maintaining the user's authentication credentials. All applications wishing to participate in the SSO solution can use this API. The API package name is com.iplanet.sso.
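The following servlet filter is an added example, not code from the guide or from the Identity Server product, showing how the pieces described under "Web Access", "Application Access" and "SSO API" fit together on the application side: the SSO cookie set by the Authentication Service is turned back into an SSOToken, validated with the SSO API, and, as in the mail-service example earlier in this chapter, one profile attribute is then read through the Identity Server SDK. The class and attribute names (SSOProtectFilter, "mailquota") are invented for the illustration; the SSOTokenManager, SSOToken, AMStoreConnection and AMUser calls are assumed to be the ones documented in the com.iplanet.sso and com.iplanet.am.sdk Javadocs of this release.

```java
// Added example (not part of the guide): protect a servlet with an SSO token check.
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.iplanet.am.sdk.AMException;
import com.iplanet.am.sdk.AMStoreConnection;
import com.iplanet.am.sdk.AMUser;

public class SSOProtectFilter implements Filter {
    // Hypothetical profile attribute; a real mail service would use whatever
    // attribute it registered in its own service XML (see Chapter 6).
    private static final String MAILBOX_SIZE_ATTR = "mailquota";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpReq = (HttpServletRequest) req;
        HttpServletResponse httpRes = (HttpServletResponse) res;
        try {
            SSOTokenManager manager = SSOTokenManager.getInstance();
            // Rebuild the SSOToken from the cookie the browser received after
            // authentication; throws SSOException when no usable cookie is present.
            SSOToken token = manager.createSSOToken(httpReq);
            // Reject sessions that have expired or that an administrator
            // terminated through Session Management.
            manager.validateToken(token);

            // The principal carried by the token identifies the authenticated user.
            String userDN = token.getPrincipal().getName();
            httpReq.setAttribute("sso.user", userDN);
            httpReq.setAttribute("sso.authLevel", new Integer(token.getAuthLevel()));

            // Read one attribute from the user's profile through the SDK,
            // as the mail-service example in "Application Access" describes.
            AMStoreConnection conn = new AMStoreConnection(token);
            AMUser user = conn.getUser(userDN);
            Set values = user.getAttribute(MAILBOX_SIZE_ATTR);
            httpReq.setAttribute("sso.mailboxSize",
                    values.isEmpty() ? null : values.iterator().next());

            chain.doFilter(req, res);
        } catch (SSOException e) {
            // Missing, unknown or invalid token: the protected page is never served.
            httpRes.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Valid Identity Server session required");
        } catch (AMException e) {
            httpRes.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "Profile lookup failed");
        }
    }
}
```

The filter deliberately does all work inside the try block so that any failure in token reconstruction or validation results in a 401 rather than a half-initialized request reaching the application; the SSO token is also what the AMStoreConnection uses to authorize the profile read, so the lookup runs with the end user's privileges rather than an administrative bind.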


Java SDK For Policy

The Policy API can be used to evaluate and manage Identity Server policies as well as provide additional functionality for the Policy Service. The API package names begin with com.sun.identity.policy.


SAML SDK

Identity Server uses the SAML API to exchange acts of authentication, authorization decisions and attribute information. The API package names begin with com.sun.identity.saml.


Federation Management API

Identity Server uses the Federation Management API to add functionality based on the Liberty Alliance Project specifications. The API package name is com.sun.liberty.



Note

The complete set of Javadocs can be accessed from any web browser by copying the <identity_server_root>/SUNWam/docs/ directory into <identity_server_root>/SUNWam/public_html/ and using http://<Identity Server_host.domain>:<port>/docs/index.html





Identity Server File System



Identity Server installs its packages and files in a directory named SUNWam. The file system layout for a Solaris installation is as follows:

<identity_server_root>/SUNWam/

      • bin/ contains Identity Server executables such as amserver and amadmin in addition to LDAP command line applications.

      • capi/ contains the C API for integrating C applications with the Identity Server.

      • config/ contains Identity Server configuration files as well as the XML files which define Identity Server services.

      • docs/ contains Identity Server documentation.

      • dtd/ contains the defining XML DTDs used by Identity Server applications and services.

      • java/ contains the Java Development Kit.

      • ldaplib/ contains files needed to run the ldapmodify application.

      • ldif/ contains the Identity Server LDAP schema.

      • lib/ contains Identity Server jar files as well as platform specific C libraries.

      • locale/ contains the internationalization resource files.

      • migration/ contains tools for Sun ONE Directory Server data migration from earlier versions to version 5.1.

      • public_html/ contains pre-authentication HTML files used by Identity Server. This directory is also configured as the document root of the Sun ONE Web Server; therefore, copying the docs directory into it makes the product documentation accessible through a web browser on a non-Solaris machine.

      • samples/ contains sample Java programs on how to use the Identity Server APIs.

      • servers/ contains the files and documentation for the deployed Sun ONE Web Server.

      • web-apps/ contains the WAR-based deployments and their associated files: Services (authentication, policy management, identity management, SSO, service management, etc.) and Applications (Identity Server console).


Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 02, 2002