Sun Java System Federation Manager delivers a solution to establish and share trusted information for single sign-on. The ability to form these trust relationships across security domains allows an organization to:
Engage in relationships with cooperating business partners offering a variety of complementary services.
Integrate applications offered by different departments and divisions within an enterprise.
There are many products available today, including Sun Java System Access Manager, that can be deployed for these purposes. Federation Manager is one of them: a lightweight server application that helps companies to quickly build interoperable, federated identity and authentication services. These services will work with and complement existing or newly deployed federation technologies, such as web access management solutions and authentication authorities. By leveraging these capabilities, Federation Manager can be used to build a reusable, standards-based framework to exchange security assertions, user attributes, and policies across a distributed network of partners.
This User's Guide assumes familiarity with the Liberty Alliance Project and Security Assertion Markup Language (SAML) specifications. For an introduction, see the Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide. For more detailed information, see the Liberty Alliance Project web site or the Organization for the Advancement of Structured Information Standards (OASIS) web site.
Federation Manager supports heterogeneous IT environments and can integrate with common identity repositories, application servers, and critical enterprise applications, as well as with existing identity management infrastructures. Federation Manager adheres to accepted industry-standard federated identity protocols, such as SAML and the Liberty Alliance Project specifications. It can be adapted to work with proprietary federation mechanisms and deploys easily because it leverages the core capabilities of an existing identity provider. It can also be deployed on a partner site as a single web archive (WAR), reducing the complexity and time needed to configure a typical scenario.
Federation Manager creates a comprehensive security and identity management framework optimized to work with and extend an identity provider's existing security infrastructure. The following list describes some key features of Federation Manager:
A lightweight web archive (WAR) that accelerates deployment of Federation Manager at service provider sites and allows flexibility in customizing the deployment.
Exchange of credentials and security tokens across authentication domain partners for authentication and single sign-on.
Automatic federation of user accounts across multiple security domains.
Session management across authentication domains to determine when user interactions must be terminated (single logout).
Import and export of the data required to establish basic federated communication between hubs and spokes.
Management and linking of the providers that are available to participate in an authentication domain.
Discovery of available endpoints and identification of each provider's federation capabilities.
Exchange of SAML security assertions among providers in the authentication domain.
Tools and APIs to quickly develop, register, and enable web services on both the consumer and provider sides.
A choice of data store: a proprietary flat file format (the default) or an LDAPv3 directory (Sun Java System Directory Server or Microsoft™ Active Directory).
Separate stores for service configuration and user data.
Service provider interfaces (SPIs) that allow customized logic to be inserted during the federation process.
Support for bulk federation and auto federation.
An option to preload the included samples.
Support for Sun Java System Policy Agents 2.2 in SSO mode.
Federation Manager with Sun Java System Access Manager can provide a hub and spoke model of federation. Access Manager would typically be the hub, an identity provider trusted by many instances of Federation Manager acting as service providers. The following figure illustrates this hub and spoke model of federation.
Generally speaking, spoke service providers trust one hub identity provider. Within one organization, the hub identity provider might be administered by a human resources department using Access Manager. The spoke service providers might include other departments (legal, accounting, and the like) that need to communicate identity and session information with the hub Access Manager. Federation Manager allows the spoke service provider to enable this communication quickly and efficiently.
Hub and spoke is one model of federation. Other models that can be established with Federation Manager include a transitive trust model and a point-to-point model. The transitive trust model assumes that because A trusts C and B trusts C, A will trust B; each party therefore relies on the trust decisions that C has made. The point-to-point model treats one point as an aggregation of services, service providers, or identity providers.
It is not necessary to install Sun Java System Access Manager in order to use Federation Manager. Federation Manager is a standalone product that can work with any Liberty or SAML-compliant product.