Sun Java System Federation Manager 7.0 User's Guide

Supported Standards and Components

Federation Manager installs as a single web archive (WAR), making it easy to deploy and integrate. It runs on a simple web container and requires no complex integration with data stores or application server environments. Federation Manager extends an identity provider federation framework to partners with ease, leveraging open standards and existing IT investments to help you efficiently secure your service oriented architectures. Federation Manager can also be used to create infinitely reusable application security mechanisms as it is also a Java software development kit (SDK) for Liberty and SAML—based application development.

Supported Standards

Sun Java System Federation Manager was developed using the specifications defined by these standards bodies:

It supports:

The following sections contain background information regarding these bodies and the specifications they have developed.

The Liberty Alliance Project Specifications

The goal of the Liberty Alliance Project is to define standards for developing interoperable, identity-based infrastructures, software, and web services, and to promote adoption of these standards. It does not deliver products or services. The standards provide a solution for enforcing authorized access to network services and resources. They integrate access control, identity management and service management to simplify the administration of users and organizations with regards to federation and its associated web services. A federation is defined as ”an association formed by merging several groups or parties.” The Liberty ID-FF describes more about federation and how it can be implemented. The Liberty ID-WSF describes related web services that can be implemented for use within a federated model. Among other services, Federation Manager has implemented a discovery service and a SOAP binding service.

Note –

For more information on the Liberty Alliance Project, go to

In terms of the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation as detailed in the following sections.

Identity Federation

The concept of federation (as it has evolved with regards to the World Wide Web) begins with the notion of identity. Sending and receiving email, logging in to a news portal, checking bank balances, finalizing travel arrangements, bidding on auction items, accessing utility accounts, and shopping are all possible online services for which you might define a identity. Each time you want to access one of these services, you identify yourself by logging in to the service provider. If you use all of the mentioned services, you've configured a multitude of separate accounts to which you must log in and log out. This virtual circumstance offers the opportunity to fashion a system for computer users to correlate (or federate) their disparate service provider identities. This concept of identity federation allows the user to link, connect or bind the local identities that they have created for multiple service providers. The linked local identities, referred to as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to re-authenticate or re-establish their identity.

Provider Federation

The concept of federation as defined by the Liberty Alliance Project begins with the notion of a circle of trust. A circle of trust (referred to as an authentication domain in the Federation Manager Console) is a group of service providers (with at least one identity provider) who agree to join together to exchange user authentication information using Liberty-based technologies. Once a group of providers has been federated within a circle of trust, authentication accomplished by the identity provider in that circle is honored by all affiliated service providers. Thus, single sign-on can be enabled amongst all membered providers as well as identity federation among users.

The OASIS Security Services and SAML

SAML is an XML-based standard for communicating authentication, authorization and attribute information among online partners. SAML allows organizations to securely send assertions between partnered organizations regarding the identity and entitlements of a principal. The OASIS Security Services Technical Committee is in charge of defining, enhancing, and maintaining the specifications that define SAML. They incorporate XML protocols such as SOAP, XML Signature (XMLSIG), and XML Encryption (XMLENC) to define a single sign-on framework that can be used between domains. For more information on SAML, visit the OASIS web site.

Data Stores

Federation Manager configuration data, user authentication data and user federation data can be managed and retrieved from a database of the following type:

Note –

Federation Manager does not come with a user administration system.

Platforms and Operating Systems

You can install Federation Manager on the following platforms running the applicable operating systems.

Table 1–1 Operating Systems


Operating System 




8 / 9 / 10 



9 / 10 



  • Windows 2000 Advanced Server SP4 or above

  • Windows 2000 Server SP4 or above

  • Windows 2000 Professional Edition SP4 or above

  • Windows XP Professional Edition SP2

  • Windows 2003 Enterprise Server

Note –

Federation Manager was only tested on Windows 2003 Enterprise Server.



Red Hat™ Enterprise Linux 2.1, 3.0, and 4.0 

Shared Components

Federation Manager supports the following shared components.

Note –

If you are running the Sun Java Enterprise System some of these components may already be installed.

Table 1–2 Shared Components


Package Name 


Java Development Kit 



Java Activation Framework 



Java Studio Enterprise Web Application Framework 



Java Architecture for XML Binding 



Java API for XML Processing 



Sun Java System LDAP Java Development Kit 



Common libraries for web service components 



Java API for XML-based RPC 



SOAP with Attachments API for Java  



Message Queue Java API for XML Messaging (JAXM) 



JavaHelp packages 



Supported Web Containers

Federation Manager can be deployed in the following web containers. CPU and memory requirements are based on the needs of the web container.

Table 1–3 Supported Web Containers

Web Container 

Minimum Version 

Sun Java System Web Server 


Sun Java System Application Server 


BEA WebLogic® Server


WebSphere® Application Server


Supported Policy Agents

Federation Manager supports the use of Sun Java System Access Manager Policy Agents 2.2. For example, with 2.2 agents, user profile attributes asserted by an identity provider and SAML producer are made available as HTTP headers and for cookies. With 2.2 J2EE agents, J2EE declarative policies can map to user roles asserted by a remote identity provider and SAML producer. For more information on Federation Manager and policy agents, see Configuring Federation Manager for Sun Java System Policy Agents. For more information on available policy agents, see Sun Java System Access Manager Policy Agent 2.2 User’s Guide.