test

Sun Java System Federation Manager 7.0 User's Guide

Supported Standards

Sun Java System Federation Manager was developed using the specifications defined by these standards bodies:

It supports:

The following sections contain background information regarding these bodies and the specifications they have developed.

The Liberty Alliance Project Specifications

The goal of the Liberty Alliance Project is to define standards for developing interoperable, identity-based infrastructures, software, and web services, and to promote adoption of these standards. It does not deliver products or services. The standards provide a solution for enforcing authorized access to network services and resources. They integrate access control, identity management and service management to simplify the administration of users and organizations with regards to federation and its associated web services. A federation is defined as ”an association formed by merging several groups or parties.” The Liberty ID-FF describes more about federation and how it can be implemented. The Liberty ID-WSF describes related web services that can be implemented for use within a federated model. Among other services, Federation Manager has implemented a discovery service and a SOAP binding service.

Note –

For more information on the Liberty Alliance Project, go to http://www.projectliberty.org.

In terms of the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation as detailed in the following sections.

Identity Federation

The concept of federation (as it has evolved with regards to the World Wide Web) begins with the notion of identity. Sending and receiving email, logging in to a news portal, checking bank balances, finalizing travel arrangements, bidding on auction items, accessing utility accounts, and shopping are all possible online services for which you might define a identity. Each time you want to access one of these services, you identify yourself by logging in to the service provider. If you use all of the mentioned services, you've configured a multitude of separate accounts to which you must log in and log out. This virtual circumstance offers the opportunity to fashion a system for computer users to correlate (or federate) their disparate service provider identities. This concept of identity federation allows the user to link, connect or bind the local identities that they have created for multiple service providers. The linked local identities, referred to as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to re-authenticate or re-establish their identity.

Provider Federation

The concept of federation as defined by the Liberty Alliance Project begins with the notion of a circle of trust. A circle of trust (referred to as an authentication domain in the Federation Manager Console) is a group of service providers (with at least one identity provider) who agree to join together to exchange user authentication information using Liberty-based technologies. Once a group of providers has been federated within a circle of trust, authentication accomplished by the identity provider in that circle is honored by all affiliated service providers. Thus, single sign-on can be enabled amongst all membered providers as well as identity federation among users.

The OASIS Security Services and SAML

SAML is an XML-based standard for communicating authentication, authorization and attribute information among online partners. SAML allows organizations to securely send assertions between partnered organizations regarding the identity and entitlements of a principal. The OASIS Security Services Technical Committee is in charge of defining, enhancing, and maintaining the specifications that define SAML. They incorporate XML protocols such as SOAP, XML Signature (XMLSIG), and XML Encryption (XMLENC) to define a single sign-on framework that can be used between domains. For more information on SAML, visit the OASIS web site.