Federation Manager installs as a single web archive (WAR), making it easy to deploy and integrate. It runs on a simple web container and requires no complex integration with data stores or application server environments. Federation Manager extends an identity provider federation framework to partners with ease, leveraging open standards and existing IT investments to help you efficiently secure your service oriented architectures. Federation Manager can also be used to create infinitely reusable application security mechanisms as it is also a Java software development kit (SDK) for Liberty and SAML—based application development.
Sun Java System Federation Manager was developed using the specifications defined by these standards bodies:
Liberty Alliance Project
Organization for the Advancement of Structured Information Standards (OASIS) Security Services Technical Committee
It supports:
Security Assertion Markup Language (SAML) 1.0/1.1
Liberty Identity Federation Framework (Liberty ID-FF) 1.1/1.2
Liberty Identity Web Services Framework (Liberty ID-WSF) 1.0
The following sections contain background information regarding these bodies and the specifications they have developed.
The goal of the Liberty Alliance Project is to define standards for developing interoperable, identity-based infrastructures, software, and web services, and to promote adoption of these standards. It does not deliver products or services. The standards provide a solution for enforcing authorized access to network services and resources. They integrate access control, identity management and service management to simplify the administration of users and organizations with regards to federation and its associated web services. A federation is defined as ”an association formed by merging several groups or parties.” The Liberty ID-FF describes more about federation and how it can be implemented. The Liberty ID-WSF describes related web services that can be implemented for use within a federated model. Among other services, Federation Manager has implemented a discovery service and a SOAP binding service.
For more information on the Liberty Alliance Project, go to http://www.projectliberty.org.
In terms of the Liberty Alliance Project specifications, federation encompasses both identity federation and provider federation as detailed in the following sections.
The concept of federation (as it has evolved with regards to the World Wide Web) begins with the notion of identity. Sending and receiving email, logging in to a news portal, checking bank balances, finalizing travel arrangements, bidding on auction items, accessing utility accounts, and shopping are all possible online services for which you might define a identity. Each time you want to access one of these services, you identify yourself by logging in to the service provider. If you use all of the mentioned services, you've configured a multitude of separate accounts to which you must log in and log out. This virtual circumstance offers the opportunity to fashion a system for computer users to correlate (or federate) their disparate service provider identities. This concept of identity federation allows the user to link, connect or bind the local identities that they have created for multiple service providers. The linked local identities, referred to as a federated identity, allow the user to log in to one service provider site and click through to an affiliated service provider without having to re-authenticate or re-establish their identity.
The concept of federation as defined by the Liberty Alliance Project begins with the notion of a circle of trust. A circle of trust (referred to as an authentication domain in the Federation Manager Console) is a group of service providers (with at least one identity provider) who agree to join together to exchange user authentication information using Liberty-based technologies. Once a group of providers has been federated within a circle of trust, authentication accomplished by the identity provider in that circle is honored by all affiliated service providers. Thus, single sign-on can be enabled amongst all membered providers as well as identity federation among users.
SAML is an XML-based standard for communicating authentication, authorization and attribute information among online partners. SAML allows organizations to securely send assertions between partnered organizations regarding the identity and entitlements of a principal. The OASIS Security Services Technical Committee is in charge of defining, enhancing, and maintaining the specifications that define SAML. They incorporate XML protocols such as SOAP, XML Signature (XMLSIG), and XML Encryption (XMLENC) to define a single sign-on framework that can be used between domains. For more information on SAML, visit the OASIS web site.
Federation Manager configuration data, user authentication data and user federation data can be managed and retrieved from a database of the following type:
Lightweight Directory Access Protocol (LDAP) version 3 compliant directories (for example, Sun Java System Directory Server or Microsoft® Active Directory)
Relational Database Management Systems (through customer plug-in implementations only)
Flat files (default text file format for configuration data)
Federation Manager does not come with a user administration system.
You can install Federation Manager on the following platforms running the applicable operating systems.
Table 1–1 Operating Systems
Federation Manager supports the following shared components.
If you are running the Sun Java Enterprise System some of these components may already be installed.
Component |
Package Name |
Version |
---|---|---|
Java Development Kit |
N/A |
1.4.2/1.5.0 |
Java Activation Framework |
SUNWjaf |
1.0.3 |
Java Studio Enterprise Web Application Framework |
SUNWjato |
2.1.4 |
Java Architecture for XML Binding |
SUNWjaxb |
1.0.3 |
Java API for XML Processing |
SUNWjaxp |
1.2.6 |
Sun Java System LDAP Java Development Kit |
SUNWljdk |
1.0 |
Common libraries for web service components |
SUNWwscl |
1.0 |
Java API for XML-based RPC |
SUNWxrpcrt |
1.1.2 |
SOAP with Attachments API for Java |
SUNWxsrt |
1.2.1 |
Message Queue Java API for XML Messaging (JAXM) |
SUNWiqjx |
3.0.1 |
JavaHelp packages |
SUNWjhrt |
1.1.3 |
Federation Manager can be deployed in the following web containers. CPU and memory requirements are based on the needs of the web container.
Table 1–3 Supported Web Containers
Web Container |
Minimum Version |
---|---|
Sun Java System Web Server |
6.1sp4 |
Sun Java System Application Server |
8.1 |
BEA WebLogic® Server |
8.1 |
WebSphere® Application Server |
5.1 |
Federation Manager supports the use of Sun Java System Access Manager Policy Agents 2.2. For example, with 2.2 agents, user profile attributes asserted by an identity provider and SAML producer are made available as HTTP headers and for cookies. With 2.2 J2EE agents, J2EE declarative policies can map to user roles asserted by a remote identity provider and SAML producer. For more information on Federation Manager and policy agents, see Configuring Federation Manager for Sun Java System Policy Agents. For more information on available policy agents, see Sun Java System Access Manager Policy Agent 2.2 User’s Guide.