Sun Java System Federation Manager 7.0 User's Guide

Sun Java System Federation Manager

Sun Java System Federation Manager delivers a solution to establish and share trusted information for single sign-on. The ability to form these trust relationships across security domains allows an organization to:

There are many products available today, including Sun Java System Access Manager, that can be deployed for these purposes. Federation Manager is one of them: a lightweight server application that helps companies to quickly build interoperable, federated identity and authentication services. These services will work with and complement existing or newly deployed federation technologies, such as web access management solutions and authentication authorities. By leveraging these capabilities, Federation Manager can be used to build a reusable, standards-based framework to exchange security assertions, user attributes, and policies across a distributed network of partners.

Note –

This User's Guide assumes familiarity with the Liberty Alliance Project and Security Assertions Markup Language (SAML) specifications. For an introduction, see the Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide. For more detailed information, see the Liberty Alliance Project web site or the Organization for the Advancement of Structured Information Standards (OASIS) web site.

Federation Manager provides support for heterogeneous IT environments and can integrate with all common identity repositories, application servers, and critical enterprise applications as well as with existing identity management infrastructures. Federation Manager adheres to accepted industry-standard federated identity protocols, such as Security Assertions Markup Language (SAML) and the Liberty Alliance Project specifications. It can be adapted to work with proprietary federation mechanisms and deploys easily because it leverages the core capabilities of an existing identity provider. It can also be deployed on a partner site as a single web archive (WAR), reducing the complexity and time for configuring a typical scenario.

Key Features

Federation Manager creates a comprehensive security and identity management framework optimized to work with and extend an identity provider's existing security infrastructure. The following list describes some key features of Federation Manager:

Federated Models

Federation Manager with Sun Java System Access Manager can provide a hub and spoke model of federation. Access Manager would typically be the hub, an identity provider trusted by many instances of Federation Manager acting as service providers. The following figure illustrates this hub and spoke model of federation.

Figure 1–1 Hub and Spoke Model of Federation

Figure illustrating the hub and spoke model of

Generally speaking, spoke service providers trust one hub identity provider. Within one organization, the hub identity provider might be administered by a human resources department using Access Manager. The spoke service providers might include other departments (legal, accounting, and the like) that need to communicate identity and session information with the hub Access Manager. Federation Manager allows the spoke service provider to enable this communication quickly and efficiently.

The hub and spoke is one model of federation. Other models that can be established using Federation Manager include a transitive trust model or a point—to—point model. The transitive trust model assumes that because A trusts C and B trusts C, A will trust B. The point-to-point model assumes one point as an aggregation of services, service providers, or identity providers.

Federation Manager and Sun Java System Access Manager

It is not necessary to install Sun Java System Access Manager in order to use Federation Manager. Federation Manager is a standalone product that can work with any Liberty or SAML-compliant product.