Sun Java System Federation Manager 7.0 User's Guide

Chapter 1 Introducing Federation Manager

Sun™ Java System Federation Manager is a server product that helps companies to quickly build federated identity and authentication services that work with existing federation hub technologies. The following sections contain overview material about Federation Manager: why the product is needed, the standards on which it is based, and how it can be used.

This chapter covers the following topics:

Sun Java System Federation Manager

Sun Java System Federation Manager delivers a solution to establish and share trusted information for single sign-on. The ability to form these trust relationships across security domains allows an organization to:

There are many products available today, including Sun Java System Access Manager, that can be deployed for these purposes. Federation Manager is one of them: a lightweight server application that helps companies to quickly build interoperable, federated identity and authentication services. These services will work with and complement existing or newly deployed federation technologies, such as web access management solutions and authentication authorities. By leveraging these capabilities, Federation Manager can be used to build a reusable, standards-based framework to exchange security assertions, user attributes, and policies across a distributed network of partners.

Note –

This User's Guide assumes familiarity with the Liberty Alliance Project and Security Assertions Markup Language (SAML) specifications. For an introduction, see the Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide. For more detailed information, see the Liberty Alliance Project web site or the Organization for the Advancement of Structured Information Standards (OASIS) web site.

Federation Manager provides support for heterogeneous IT environments and can integrate with all common identity repositories, application servers, and critical enterprise applications as well as with existing identity management infrastructures. Federation Manager adheres to accepted industry-standard federated identity protocols, such as Security Assertions Markup Language (SAML) and the Liberty Alliance Project specifications. It can be adapted to work with proprietary federation mechanisms and deploys easily because it leverages the core capabilities of an existing identity provider. It can also be deployed on a partner site as a single web archive (WAR), reducing the complexity and time for configuring a typical scenario.

Key Features

Federation Manager creates a comprehensive security and identity management framework optimized to work with and extend an identity provider's existing security infrastructure. The following list describes some key features of Federation Manager:

Federated Models

Federation Manager with Sun Java System Access Manager can provide a hub and spoke model of federation. Access Manager would typically be the hub, an identity provider trusted by many instances of Federation Manager acting as service providers. The following figure illustrates this hub and spoke model of federation.

Figure 1–1 Hub and Spoke Model of Federation

Figure illustrating the hub and spoke model of

Generally speaking, spoke service providers trust one hub identity provider. Within one organization, the hub identity provider might be administered by a human resources department using Access Manager. The spoke service providers might include other departments (legal, accounting, and the like) that need to communicate identity and session information with the hub Access Manager. Federation Manager allows the spoke service provider to enable this communication quickly and efficiently.

The hub and spoke is one model of federation. Other models that can be established using Federation Manager include a transitive trust model or a point—to—point model. The transitive trust model assumes that because A trusts C and B trusts C, A will trust B. The point-to-point model assumes one point as an aggregation of services, service providers, or identity providers.

Federation Manager and Sun Java System Access Manager

It is not necessary to install Sun Java System Access Manager in order to use Federation Manager. Federation Manager is a standalone product that can work with any Liberty or SAML-compliant product.

Supported Standards and Components

Federation Manager installs as a single web archive (WAR), making it easy to deploy and integrate. It runs on a simple web container and requires no complex integration with data stores or application server environments. Federation Manager extends an identity provider federation framework to partners with ease, leveraging open standards and existing IT investments to help you efficiently secure your service oriented architectures. Federation Manager can also be used to create infinitely reusable application security mechanisms as it is also a Java software development kit (SDK) for Liberty and SAML—based application development.

Supported Standards

Sun Java System Federation Manager was developed using the specifications defined by these standards bodies:

It supports:

The following sections contain background information regarding these bodies and the specifications they have developed.

The Liberty Alliance Project Specifications

The goal of the Liberty Alliance Project is to define standards for developing interoperable, identity-based infrastructures, software, and web services, and to promote adoption of these standards. It does not deliver products or services. The standards provide a solution for enforcing authorized access to network services and resources. They integrate access control, identity management and service management to simplify the administration of users and organizations with regards to federation and its associated web services. A federation is defined as ”an association formed by merging several groups or parties.” The Liberty ID-FF describes more about federation and how it can be implemented. The Liberty ID-WSF describes related web services that can be implemented for use within a federated model. Among other services, Federation Manager has implemented a discovery service and a SOAP binding service.

Note –

For more information on the Liberty Alliance Project, go to

In terms of the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation as detailed in the following sections.

Identity Federation

The concept of federation (as it has evolved with regards to the World Wide Web) begins with the notion of identity. Sending and receiving email, logging in to a news portal, checking bank balances, finalizing travel arrangements, bidding on auction items, accessing utility accounts, and shopping are all possible online services for which you might define a identity. Each time you want to access one of these services, you identify yourself by logging in to the service provider. If you use all of the mentioned services, you've configured a multitude of separate accounts to which you must log in and log out. This virtual circumstance offers the opportunity to fashion a system for computer users to correlate (or federate) their disparate service provider identities. This concept of identity federation allows the user to link, connect or bind the local identities that they have created for multiple service providers. The linked local identities, referred to as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to re-authenticate or re-establish their identity.

Provider Federation

The concept of federation as defined by the Liberty Alliance Project begins with the notion of a circle of trust. A circle of trust (referred to as an authentication domain in the Federation Manager Console) is a group of service providers (with at least one identity provider) who agree to join together to exchange user authentication information using Liberty-based technologies. Once a group of providers has been federated within a circle of trust, authentication accomplished by the identity provider in that circle is honored by all affiliated service providers. Thus, single sign-on can be enabled amongst all membered providers as well as identity federation among users.

The OASIS Security Services and SAML

SAML is an XML-based standard for communicating authentication, authorization and attribute information among online partners. SAML allows organizations to securely send assertions between partnered organizations regarding the identity and entitlements of a principal. The OASIS Security Services Technical Committee is in charge of defining, enhancing, and maintaining the specifications that define SAML. They incorporate XML protocols such as SOAP, XML Signature (XMLSIG), and XML Encryption (XMLENC) to define a single sign-on framework that can be used between domains. For more information on SAML, visit the OASIS web site.

Data Stores

Federation Manager configuration data, user authentication data and user federation data can be managed and retrieved from a database of the following type:

Note –

Federation Manager does not come with a user administration system.

Platforms and Operating Systems

You can install Federation Manager on the following platforms running the applicable operating systems.

Table 1–1 Operating Systems


Operating System 




8 / 9 / 10 



9 / 10 



  • Windows 2000 Advanced Server SP4 or above

  • Windows 2000 Server SP4 or above

  • Windows 2000 Professional Edition SP4 or above

  • Windows XP Professional Edition SP2

  • Windows 2003 Enterprise Server

Note –

Federation Manager was only tested on Windows 2003 Enterprise Server.



Red Hat™ Enterprise Linux 2.1, 3.0, and 4.0 

Shared Components

Federation Manager supports the following shared components.

Note –

If you are running the Sun Java Enterprise System some of these components may already be installed.

Table 1–2 Shared Components


Package Name 


Java Development Kit 



Java Activation Framework 



Java Studio Enterprise Web Application Framework 



Java Architecture for XML Binding 



Java API for XML Processing 



Sun Java System LDAP Java Development Kit 



Common libraries for web service components 



Java API for XML-based RPC 



SOAP with Attachments API for Java  



Message Queue Java API for XML Messaging (JAXM) 



JavaHelp packages 



Supported Web Containers

Federation Manager can be deployed in the following web containers. CPU and memory requirements are based on the needs of the web container.

Table 1–3 Supported Web Containers

Web Container 

Minimum Version 

Sun Java System Web Server 


Sun Java System Application Server 


BEA WebLogic® Server


WebSphere® Application Server


Supported Policy Agents

Federation Manager supports the use of Sun Java System Access Manager Policy Agents 2.2. For example, with 2.2 agents, user profile attributes asserted by an identity provider and SAML producer are made available as HTTP headers and for cookies. With 2.2 J2EE agents, J2EE declarative policies can map to user roles asserted by a remote identity provider and SAML producer. For more information on Federation Manager and policy agents, see Configuring Federation Manager for Sun Java System Policy Agents. For more information on available policy agents, see Sun Java System Access Manager Policy Agent 2.2 User’s Guide.

Federation Manager Architecture

Federation Manager consists of web-based services [using SOAP, XML over HTTP(S) or HTML over HTTP(S)], and Java—based application provider interfaces (APIs) and service provider interfaces (SPIs). The figure below illustrates this architecture. Additionally, the figure shows an agent embedded into a web container. This agent enables the service provider applications to participate in the SAML or Liberty-based protocols. The darker boxes are components provided by Federation Manager.

Figure 1–2 Architecture of Federation Manager

This figure illustrates the architecture of Federation Manager.

The Federation Manager components include:

Federation Manager Console

A web interface for managing authentication domains, provider meta data, and authentication.


Federation Manager provides SAML related services including artifact and POST profile support, and assertion query support.

Federation and associated web services

Federation Manager provides services based on the Liberty ID-FF and the Liberty ID-WSF specifications. Federation features include federation and single sign-on, single logout, federation termination, name registration, and support for the Common Domain. Implemented web services include a SOAP binding service, a discovery service, a personal profile service, and an authentication service.


Federation Manager provides a JAAS-based authentication framework.


Federation Manager provides session management for service provider applications.


Federation Manager provides a logging service. It also provides activity logs for auditing. Audit logs can be stored in flat files or JDBC-compliant databases.


Federation Manager allows service provider applications to participate in the federation protocol.


Federation Manager includes a set of APIs for interaction between the SSO, logging, SAML, Liberty ID-FF, and authentication components. Also included are APIs to build web services (Liberty ID-WSF) for clients and provider.


Federation Manager includes a set of Service Provider Interfaces (SPIs) into which applications can insert their custom logic. For instance, there is an SPI to do post federation processing, and an SPI for post processing after a successful single logout.