Sun Java System Identity Solution
Stuart Sim, Chief Architect, Global Education & Research, Sun Microsystems
Sun Proprietary/Confidential: Internal Use Only
Agenda
• Business Drivers for Identity Management
• Sun's Identity Management Solution
• Sun Java System Access Manager Overview
> Authentication Services
> Federation Services
> Auditing Services
> SSO for non-web apps
• Sun Java System Identity Server Overview
> User Provisioning
• Sun Open Source Strategy for Identity
Sun's Identity Management Suite
• Comprehensive software solution that includes
> Directory Services
> Access Control, Single Sign-On, Federation
> Provisioning and Identity Synchronization Services
> Identity Auditing
• Open, Integrated, "Integrate-able" to reduce cost and complexity
Suite components: Identity Manager, Directory Server Enterprise Edition, Access Manager, Identity Auditor
Access Manager 6.3 Core
• Authentication (LDAP, RADIUS, Active Directory, etc.)
• SSO (CDSSO, SAML 1.1, Liberty)
• Authorization (role management, policy)
Liberty Alliance Compliant
• Phase 1 & 2 (ID-FF, ID-WSF)
• Discovery Service
• Metadata Management
• Bulk federation
• PAOS, LECP
• Personal/Employee Profile
• ResourceID Mapper
• RoleID Mapper
• Federation Manager
Access Management Today: Fragmented, Insecure, Costly
[Diagram: Employees, Customers and Partners connecting point-to-point to Web Services, Directories, Databases, Business Applications and Custom Systems]
● Who has access to what resource?
● What can users do with that access?
● How much does secure access cost me?
● How do I quickly deploy new services?
● How do I comply with laws & regulations?
Sun Java Enterprise System
• Sun Java Enterprise Suites
> Application Platform Suite
> Communication Suite
> Availability Suite
> Infrastructure Suite
> Identity Management Suite
• Original business model
> Pricing per employee
> Included license, service and support
> RTU (employee, client)
• Multi-platform
> Solaris SPARC and x64, Linux RedHat AS 2.3
> Windows 2003, HP-UX
Solution: Sun Java Access Manager
● Increase enterprise-wide security
● Reduce complexity and operational costs
● Open access to customers, partners
● Provide a foundation for compliance
[Diagram: Employees, Customers, Partners and Web Services reach Directories, Databases, Business Applications and Custom Systems through Access Manager Services: Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation]
Access Manager: Functional Overview
• Single sign-on to web and J2EE resources
• Centralized, policy-based authentication and authorization
• Distributed authentication and policy enforcement
• Audit and log all authentication events
• Platform for enabling identity-based web services
[Diagram: Policy Agents in front of Directories, Databases and Business Applications, backed by Access Manager Services: Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation]
Centralized Authentication Services
• Leverage existing authentication mechanisms
• Centrally manage and establish user identity
> Over 15 mechanisms out of the box: LDAP, Active Directory, JDBC, SAML, others
• Adapt using custom modules as needed
[Diagram: authentication modules (LDAP, HTTP, Cert, JDBC) plugged into Access Manager Services behind the firewall; Policy Agents in front of Directories, Databases and Business Applications]
Distributed Authentication Services
• Flexible deployment model
> Deploy authN mechanisms in the DMZ or behind the firewall
> Customize presentation and credential extraction
• Create high-performance, secure authN
[Diagram: Distributed AuthN component in the DMZ, separated by a firewall from the Access Manager Services]
Centralized Policy Services
• Flexible, comprehensive policy decision engine
> Centrally define and manage authorizations
> Easily extend authorizations to new applications
> Base access controls and authorizations on roles and user profiles
• Create a central point of control
> Easier to audit usage
> Easier to handle role/policy exceptions
> Easier to make dynamic access decisions
• Define granular controls
> Control access to specific endpoints
> Systematic management of sessions
Centralized Policy Services
• Define Resource Realms
> Create a virtual delegation hierarchy for managing resources
> Delegate policy administration based on realms
• Flexible policy deployment model
> Decouple underlying directory structure from policy implementation
Distributed Policy Services
• Provide policy enforcement at the point of access
> Easily adapt centralized policy capabilities onto existing applications
> Provide deeper, fine-grained enforcement of policy
> Leverage system capabilities
• Provide centralized policy enforcement
> Reverse proxy solution expands flexibility and manageability
Centralized Audit Services
• Centrally track all authN and authZ events
• Provide easy-to-manage proof points
> Who had access, and who granted that access
> What systems did they access
> What functions did they perform
> When did they perform those functions
• Standards-based implementation
> Easy integration with existing auditing and reporting tools
Access Manager Architecture
[Diagram: Federation and Access Management layered over the Access Manager Services (Authentication, Authorization (Policy), Single Sign-On, Session, Auditing), with Flexible Administration (CLI, Administration GUI) and Centralized Audit (Logging, Reporting), integrating Existing Resources, Existing Applications and Existing Data Stores]
Access Manager Architecture
• Open
> Unique J2EE architecture
> Commitment to open standards and APIs: JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
• Integrated
> Leverage the strengths of Sun's market-leading Identity Management platform
> Reuse services and functionality
• Integrate-able
> Deploys seamlessly into your existing environment
> Data store independent
> Modular, flexible deployment options
> Faster time to deployment, lower TCO
Access Manager: Extended Integration
• Leveraging your existing network
> Integration with smartcards, tokens and certificate providers
> Reliable integration with enterprise applications
> Superior integration with system management and monitoring
> Out-of-the-box support, easy customization
Liberty Platform Requirements
• Trust Relationships
> Infrastructure entities: Identity Provider (IDP) and Service Provider (SP)
> Circle of Trust (PKI trust root/paths)
• Confidentiality and Integrity
> Secure back channel (TLS, SSL or VPN)
> XML signatures
• Peer Authentication and Authorization
> Server-side certificates
• Session State Management
> Common domain cookie
Liberty-enabled SMS Gateway
[Diagram: User/Principal, Discovery Service (DS), Identity Provider (IDP), 3rd-party Attribute Provider and Content Provider, with Liberty ID-WSF flows (lettered A through K) spanning a Circle of Trust / security affiliation zone and an untrusted zone; the SSO steps not specified by Liberty are marked separately]
Web Service SSO Service Flow: how to integrate a legacy application with SSO & web services
Legacy & Web Service SSO Service: SMS to Web Service SSO
[Diagram: the SMS Gateway (non-HTTP) and the Content Provider (HTTP/SOAP) use Federation Manager and Access Manager; the Identity Provider, Discovery Service and Attribute Provider (Personal Profile, GeoLocation/LES) are LDAP-backed. Flow: SMS -> Service Request -> Auth Request -> Discovery Request -> Service Request -> Content Delivery]
Deployment Environment: Typical & Traditional Internet Architecture
Agenda
• What is Federated Identity?
• Federation Business Drivers: The Virtual Campus
• Benefits of Identity Federation
• Sun's Federated Identity Management
• Sun Java System Federation Manager
• Sun's work in Federation
What is Federated Identity?
“The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains.”
Burton Group, Identity and Privacy Strategies Research Report “Toward Federated Identity Management: The Journey Continues,” August 19, 2003.
Driving toward the Virtual Enterprise
• Reduce costs while increasing efficiency
• Increase quality of service for your users
• Increase security
• Open your business to new opportunities
• Enable regulatory compliance
Business Drivers for Federation
• Open access without risk: externalize and integrate applications in order to tap into new, larger user communities
• Improve quality of service: provide seamless, secure access to ensure user confidence and aggressive adoption
• Increase revenue opportunity: provide business partners with new channels and enhanced services that drive revenue
Benefits of Federation
• Secure yet open access
> Easy integration within the enterprise and with partners
> Secure, reusable framework based on open standards
• Enhanced user experience
> Create more responsible users
> Tie the user experience to security
Sun's Work in Federation
• Catalyst for Liberty Alliance Project
> Co-founder in Sept 2001
> First to implement Liberty specifications in product
> First to have a product certified as "Liberty Interoperable"
• Leader in development of SAML
> OASIS SSTC Chair
> Drove standards convergence of Liberty ID-FF 1.1 and SAML
> Demonstrating leadership through SAML interop events
• Development of Shibboleth connectors for the Edu community
• Strong and ongoing investment and executive commitment throughout the company
Unique Characteristics
• Broadly implementing Liberty, SAML and web services standards
> ID-FF 1.2, SAML 1.1, SAML 2.0, ID-WSF 1.0
> Focus on multi-protocol environments
• Focuses on enabling complex, multi-party federations
> Solves common, out-of-band issues
> Delivers common operational functionality
• Integrated with other suite components (Identity Manager SPE) to provide provisioning, registration and self-service
Federated Identity Solution: Sun Java System Access Manager and Federation Manager
• Deploy at the identity provider or identity consumer site
• Link identity data across sites
• Share authentication via Liberty/SAML
• Create reusable authentication, authorization with partners
[Diagram: Trusted Domain. Sun Java System Access Manager provides Authentication, Authorization, Single Sign-On, Federation, Logging and Session; Sun Java System Federation Manager provides Identity Provider, Service Provider, Web Service Framework and SAML. Outcomes: Consistent Identity, Pervasive Trust, Reusable Security, Federated Session Management, Automated Identity Federation, Extranet Single Sign-On]
Agenda
● Business Drivers for Identity Management
● Sun's Identity Management Solution
● Sun Java System Identity Manager
– Automated User Provisioning
– Password Management
– Identity Synchronization
● Why Sun, Why Identity Manager
– Customer Successes
– Integration Partners
– Business Justification
– What Sets Sun Apart
Dynamic Identity Life Cycle
New Users
● User info entered in HR or user self-registers
● Accounts provisioned to enterprise systems, applications, directories
● Non-digital resources assigned and/or initiated
Change Events & User Support
● Job/role/status changes
● Password changes and resets
● Profile information changes
● Additional requests for account access or non-digital resources
Users Leave
● Student status updated in SIS
● Student contact changes
● Admin closes account
● Accounts disabled & removed
● Non-digital resources retrieved and/or cancelled
Sun Java System Identity Manager
● Automated user provisioning to improve operational efficiency and enhance security
● Secure, automated password management to improve service levels and lower costs
● User self-service and delegated administration to lower support costs
● Automated data synchronization to lower workloads associated with handling change
● Non-invasive, flexible architecture to speed deployment and ROI
● Comprehensive auditing and reporting to improve security compliance
A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle (Add, Change, Delete)
● Enhanced security
● Lowered costs
● Improved productivity
Sun Java System Identity Manager
[Diagram: Unified Identity Console (Self-Service Interfaces, Delegated Admin Views, Audit Reporting, Role and Policy Management) over Identity Platform Services (Rules Engine, Dynamic Workflow, SPML Toolkit, Virtual Identity Manager, Auto-Discovery) delivering Automated User Provisioning, Password Management and Identity Synchronization to Enterprise Package Applications, Custom Applications, Non-Digital Assets, Operating Systems, Mainframes, Databases and Directories through Agentless Adapters]
Provisioning Today: Fragmented, Manual and Insecure
[Diagram: Students, Parents, Teachers and Former Students served through the Human Resources System, Call Center, Facilities/Purchasing and Help Desk into Siebel CRM, Oracle Financials, Exchange and Active Directory and other assets]
Chargeable assets: mobile phone/service, conference call account, credit card, office space, phone, laptop
● Where are my risks?
● Who has access?
● What recurring charges am I still paying for?
● How much does all of this cost?
Provisioning with Sun: Streamlined, Automated and Secure
[Diagram: Students, Parents, Teachers and Former Students provisioned through an Approving Manager and SIS Manager into Siebel CRM, Oracle Financials, Exchange and Active Directory and other assets]
Chargeable assets: mobile phone/service, conference call account, credit card, office space, phone, laptop
● Reduced risk
● Complete view of user's identity
● Efficient, automated operations
Identity Manager's Automated Provisioning Highlights
● Granular delegated administration
● Web-based self-service
– With automated change approval processes
● Robust audit and reporting
● Role-based access control
● Rule-based provisioning
– Business policy enforcement through automated rule evaluation
● Multi-step, complex provisioning
● Authoritative feeds from HR applications and directories
● Agentless adapters
– Out of the box for leading enterprise systems & applications
– Ref Kit and samples for custom adapter development
● SPML Toolkit
Password Management Today: Costly, Labor-Intensive and Painful
[Diagram: Users (Students, Parents, Teachers, Temporary Students) -> Process (Help Desk) -> Environment (Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix, RACF)]
● Expensive, manual process
● Pattern of reset-request peaks
● Users limited to service during help desk hours
● Users have to remember multiple credentials
Password Management with Sun: Cost-Effective, Quick, and Convenient
[Diagram: Users (Students, Parents, Teachers, Visiting Students) -> Process (Interactive Voice Response (IVR)) -> Environment (Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix, RACF)]
● Automated process
● Available to users anytime, delivered how they work
● Users only have one set of credentials to remember
Identity Manager's Password Management Highlights
● Self-service password reset & synchronization
● Convenient access through
– Web browser
– IVR system
– Network log-in (Windows)
● Automated password policy enforcement
– Password history store
– Password exclusion dictionary
● Help desk integration to track password-related activity
● Agentless adapters
– Out of the box for leading enterprise systems & applications
– Ref Kit and samples for custom adapter development
● Reporting on self-service password resets
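The two policy controls listed under "automated password policy enforcement", a history store and an exclusion dictionary, are easy to get wrong (plaintext history, dictionary checks defeated by `P@55w0rd`). The following is an added illustrative model written for this page, not Identity Manager code: the policy values, the dictionary words and the sample user are constructed assumptions. History entries are salted PBKDF2 digests, so the store never holds a former password in the clear.

```python
"""Password policy enforcement with a hashed history store and an exclusion
dictionary. Added illustrative model, not Identity Manager code: the policy
values, dictionary and sample user below are constructed assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 10          # assumed policy value
HISTORY_DEPTH = 5        # assumed: remember the last 5 passwords per user
PBKDF2_ROUNDS = 50_000   # kept low for the demo; use a far higher cost in production

# Constructed exclusion dictionary: words that may not appear in a password
EXCLUSION_DICTIONARY = {"password", "welcome", "summer", "letmein", "campus"}

# Undo common letter substitutions before the dictionary check
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "4": "a"})


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Per-user history of salted digests of former passwords (never plaintext)."""
    entries: list = field(default_factory=list)  # (salt, digest) tuples, oldest first

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        del self.entries[:-HISTORY_DEPTH]  # keep only the newest HISTORY_DEPTH entries


def _normalize(text: str) -> str:
    """Lower-case, undo substitutions, keep letters only: 'P@55w0rd' becomes 'password'."""
    return "".join(ch for ch in text.lower().translate(_LEET) if ch.isalpha())


def check_password(username: str, candidate: str, history: PasswordHistory) -> list:
    """Return the policy violations for a proposed password (empty list = accepted)."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes = (any(c.islower() for c in candidate), any(c.isupper() for c in candidate),
               any(c.isdigit() for c in candidate), any(not c.isalnum() for c in candidate))
    if sum(classes) < 3:
        violations.append("needs at least 3 of: lower case, upper case, digit, symbol")
    norm = _normalize(candidate)
    if any(word in norm for word in EXCLUSION_DICTIONARY):
        violations.append("contains a word from the exclusion dictionary")
    if _normalize(username) and _normalize(username) in norm:
        violations.append("contains the user name")
    if history.contains(candidate):
        violations.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return violations


def change_password(username: str, candidate: str, history: PasswordHistory) -> list:
    """Enforce the policy; only an accepted password is added to the history."""
    violations = check_password(username, candidate, history)
    if not violations:
        history.record(candidate)
    return violations
```

Every candidate is hashed against each stored entry, so the history depth bounds the cost of one check; a real deployment keeps this store in the provisioning repository, not beside the target system's own password hashes.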
Identity Synchronization Challenges
● Migration to a directory-based infrastructure
● Maintenance of identity data to ensure attributes are accurate and consistent with other applications
– Profile management driven via self-service
– Point-to-point, system-driven synchronization
Identity Synchronization: Why Migration?
● Today's environment includes multiple identity data sources
● Trend toward simplification of the IT environment with a directory-centric identity infrastructure
– Strategic initiatives, like portals, rely on directory infrastructure
– Re-usable architecture offers investment protection for new application development
[Diagram: RACF, Windows NT, Oracle RDBMS, Lotus Notes and multiple LDAP directories as separate identity sources]
Identity Synchronization: Migration with Sun
[Diagram: existing repositories (RACF, Windows NT, Oracle RDBMS, Lotus Notes, LDAP directories, Active Directory) migrated into Sun Java System Directory Server]
● Provides complete, automated data migration into new directories from existing repositories
– Discover & correlate for data cleansing and establishing the virtual identity
– Create directory containers & hierarchy
– Bulk actions for populating directories with user data
● Provides complete management of both old systems and new directories during the migration period
Identity Synchronization: Profile Management with Sun
[Diagram: an employee who gets married, changes name and changes address updates the profile via Self Service; after HR Manager Approval the change propagates to the New Hire Application, Exchange and Active Directory, Siebel CRM, Human Resources System, Oracle Financials and Payroll Systems, serving Partners, Executives, Sales, Operations and Marketing Employees, and Customers]
● Efficient, automated operations
● High quality of service
● Top-line benefit
Identity Synchronization: System-to-System Updates Today
[Diagram: Custom Application, Extranet Directory, Exchange and Active Directory, CRM, Human Resources System, ERP and Payroll Systems as unconnected silos]
● Data silos independently owned and manually administered
● Manual updates, if they occur at all, are error-prone
● Inconsistent identity information across the enterprise
● Inefficient business operations
Identity Synchronization: System-to-System Updates with Sun
Employee got promoted in the Human Resources System: new title, new job code, new pay grade, new department
● Update ERP with the new job code
● Modify access privileges to ensure separation of duty
● Update the pay grade in the Payroll System, as it impacts salary
● Update AD with the new department, title and job code
● Modify the home directory and move the location of the employee's network files
● Modify the message database account size for the employee
● Update corporate LDAP with the new department, job code and title for use by corporate white pages
Identity Manager's Identity Synchronization Highlights
● Auto-Discovery to create a unified Virtual Identity
● Automated and scheduled detection of change
● Synchronization between heterogeneous data sources
● Identity data transformation
● Granular, flexible authority assignment
● Web-based self-service
– Delegation to end-users with automated change approval processes
● Resource adapters
– Out of the box for leading enterprise systems & applications
– Out-of-the-box schema maps
– Ref Kit and samples for custom adapter development
● Audit and Reporting
Identity Platform Service: Auto-Discovery
● Logical management of multiple disparate identities
● Reduces risk of "orphaned" privileges
[Diagram: accounts "Joe Smith", "Jsmith", "smitty" and "jms" across Databases, Applications and Directories correlated into one Virtual Identity]
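The auto-discovery slide and the synchronization highlights above describe the same reconciliation step: correlate accounts from several systems into one virtual identity against an authoritative HR feed, then flag what does not line up. The following is an added illustrative model, not Identity Manager code; the HR records, target-system accounts, correlation rules and the set of required systems are all constructed assumptions. The three finding types are the ones a practitioner looks for: ORPHAN (an account with no active owner), MISSING (an active person without a required account) and DRIFT (an attribute that disagrees with the authoritative source).

```python
"""Reconciliation of target-system accounts against an authoritative HR feed:
correlate accounts into a virtual identity and report orphaned accounts,
missing accounts and attribute drift. Added illustrative model, not Identity
Manager code; all records and rules below are constructed assumptions."""
from collections import defaultdict

# Constructed authoritative feed (HR): employee number -> record
HR = {
    "10042": {"name": "Joe Smith", "mail": "joe.smith@example.edu", "dept": "Research", "status": "active"},
    "10077": {"name": "Ann Lee",   "mail": "ann.lee@example.edu",   "dept": "Finance",  "status": "terminated"},
    "10105": {"name": "Raj Patel", "mail": "raj.patel@example.edu", "dept": "Finance",  "status": "active"},
}

# Constructed target-system accounts; each system exposes different attributes
ACCOUNTS = {
    "ldap": [{"uid": "jsmith", "employeeNumber": "10042", "dept": "Research"},
             {"uid": "alee",   "employeeNumber": "10077", "dept": "Finance"},
             {"uid": "rpatel", "employeeNumber": "10105", "dept": "Accounting"}],
    "crm":  [{"login": "smitty", "mail": "joe.smith@example.edu"},
             {"login": "jms",    "mail": "jane.m.sanders@example.edu"}],
    "erp":  [{"user": "ALEE"}, {"user": "RPATEL"}],
}

REQUIRED = {"ldap", "erp"}   # assumption: every active employee must hold these accounts


# Correlation rules, tried in priority order; each maps an account to an HR key or None
def _by_employee_number(acct):
    eid = acct.get("employeeNumber")
    return eid if eid in HR else None


def _by_mail(acct):
    return next((eid for eid, rec in HR.items() if rec["mail"] == acct.get("mail")), None)


def _by_login_via_ldap(acct):
    """Map a bare login (e.g. ERP 'ALEE') to an LDAP uid, then through LDAP's employeeNumber."""
    login = (acct.get("user") or acct.get("login") or "").lower()
    for ldap_acct in ACCOUNTS["ldap"]:
        if ldap_acct["uid"] == login and ldap_acct["employeeNumber"] in HR:
            return ldap_acct["employeeNumber"]
    return None


CORRELATION_RULES = [_by_employee_number, _by_mail, _by_login_via_ldap]


def _account_name(acct):
    return acct.get("uid") or acct.get("login") or acct.get("user")


def correlate(acct):
    for rule in CORRELATION_RULES:
        eid = rule(acct)
        if eid:
            return eid
    return None


def reconcile():
    """Return (virtual_identities, findings).
    virtual_identities: employee number -> {system: account name}
    findings: list of (kind, system, account, detail) with kind in ORPHAN/MISSING/DRIFT."""
    virtual = defaultdict(dict)
    findings = []
    for system, accounts in ACCOUNTS.items():
        for acct in accounts:
            name = _account_name(acct)
            eid = correlate(acct)
            if eid is None:
                findings.append(("ORPHAN", system, name, "no matching HR record"))
                continue
            virtual[eid][system] = name
            if HR[eid]["status"] != "active":
                findings.append(("ORPHAN", system, name, f"{HR[eid]['name']} is {HR[eid]['status']}"))
            elif "dept" in acct and acct["dept"] != HR[eid]["dept"]:
                findings.append(("DRIFT", system, name,
                                 f"dept {acct['dept']!r} differs from HR {HR[eid]['dept']!r}"))
    for eid, rec in HR.items():
        if rec["status"] == "active":
            for system in sorted(REQUIRED - set(virtual.get(eid, {}))):
                findings.append(("MISSING", system, None, f"{rec['name']} has no account"))
    return dict(virtual), findings
```

Rule order matters: the strongest key (employee number) is tried first, and the weakest (a bare login bridged through LDAP) last, so a recycled login cannot silently attach a stranger's account to an active employee. An account for a terminated person is reported as an orphan even though it correlates cleanly; that is the case the "orphaned privileges" bullet is about.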
Identity Platform Service: Virtual Identity Manager
● Minimizes deployment time
● Eliminates operational challenges
● Manage centrally, enforce locally
[Diagram: Virtual Identity Manager spanning Applications, Web Applications, Directories, Databases and Asset Databases/Directories]
Identity Platform Service: Agent-less Adapters
[Diagram: agent-less connectors to Unix Systems, Custom Applications, RDBMS, Directories, Mainframe and Package Applications; a gateway agent for NT/ADS; a Resource Adapter Wizard for custom applications]
● Minimizes agent deployment
● Eliminates agent management
● Eliminates operational challenges
Unified Identity Console
● Web-based interfaces for administrators and end-users
– Smart Forms are interactive web-based forms with embedded logic to assist user navigation
– Delegated administration views based on granular delegation for scope, capabilities, data sources and data
● Self-service for self-management of accounts, assets, passwords and profile data
● Administrators
– Define and manage role models, policies and delegation assignments
– View and act on identities
● Comprehensive reporting
● End-to-end identity auditing capabilities
Identity Manager Physical Architecture
[Diagram: Identity Manager as a J2EE application on any app server with a Virtual ID Store in an RDBMS (JDBC/LDAP). Front ends: Approving Manager and End User Self-Service from any web browser over HTTPS, SMTP notifications, Help Desk trouble ticket creation, External Workflow (WS-BPEL), HR as Authoritative Source (JMAC/ABAP/JDBC). Managed resources and authoritative sources: Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS, Partner Web App and an Asset Database/Directory (laptop serial number, office number, mobile service plan, mobile phone model, conference call account, credit card) reached agent-less; NT/ADS reached through a Gateway agent. Connection protocols shown: Custom, JDBC, API/JDBC, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC, SSH]
Identity Manager Server Components
[Diagram: interfaces (Web GUIs, Console, SOAP/SPML, IVR Interface, Business Process Editor, ActiveSync Adapters) over a Session API with Authentication, Authorization and Audit/Reporting; core services: Object Cache, Repository, Persistence, Resource Adapters, Reconciliation, Provisioning, Workflow, Reports, Task Engine]
Identity Manager Resource Connectivity Diagram
[Diagram: the resource connectivity portion of the physical architecture slide above: agent-less connections and the NT/ADS gateway agent from the J2EE application to the authoritative sources and managed resources, over the same protocols]
Identity Manager Resource Adapter Types
● Agentless connectivity
– Easily integrated in existing environment
– Single maintenance point for upgrades
– Eliminates most technical/political objections
● Gateways where appropriate
– Crossing OS/API boundaries
– Follows platform interface requirements
– Provides compatibility over time using recommended APIs
● Custom adapters
– Unusual or proprietary resources
– The RDK is a clean and efficient approach
– Lots of custom skeletons to reuse
Identity Manager Auditing and Reporting
● Every action in Identity Manager is logged
– Stored in the Identity Manager repository
– Discrete entries for each activity
– Allows for aggregate queries
– Extendable, e.g. signed logging
● Extended logging for compliance reporting
– Uses the "Audit" option in resource schema definitions
Identity Manager Auditing & Reporting (cont.)
● Reporting types
– User and administrator
– Summary reports
– Usage
– Role
– Resource
● Report output options
– Ad hoc
– Scheduled
– Visual
– Formatted for export
● Risk analysis reports
● Wizard to create new reports
Identity Manager Interface Options
● Zero-footprint web-based applications
– Administrator interface
– End-user self-service
● SOAP/SPML
– Provides a standards-based interface
– HTTP connectivity
● Java API for custom applications
● Console
– Scriptable
– Bulk processes
● IVR (legacy InnerVoice Bright)
● Business Process Editor (Java Swing)
Identity Manager Delegated Administration
● Capabilities
– Discrete: can be assigned to a user that performs only one function
– N-level delegation: can be assigned from one administrator to another, providing true "n-level" delegation
● Administrators are created
– Granular authority: any user can be an administrator
– A user's administration privileges may be limited to a specific capability or to a specific organization
– Using the web interface
– Using rules, forms or workflow
Identity Manager Objects and Containers
● Users
● Resources
– Any external data managed by Identity Manager
● Roles and resource groups
– Contain multiple resources
– Control behavior
– Apply rules and policy
● Organizations and Virtual Organizations
– Virtual Organizations map to org structures in remote directories
● Relationships between objects and containers
The "Identity Grid"
[Diagram: Customers, IT Administrators, Employees and Partners reach CRM, ERP, SCM, HR and eCommerce through Application, Web and Portal Interfaces. Layers: Administration Services (Provisioning Services, Password Management, User Administration, Identity Synchronization, Policy Management); Transaction Services (Data Transport Services, Authentication Services, Authorization Services); Data Repositories (Directories, Databases, Flat Files)]
Product Categories
Sun Java System Directory Server
• Most widely deployed LDAP-based directory server: over 1.5 billion licenses sold
• Built-in security: mitigates denial-of-service attacks, controls access, intercepts unauthorized operations
• World-class performance and scalability, from entry-level to large-scale deployments
• Multi-master replication and failover for high availability
• Intuitive web-based administration interface
• Password synchronization with Active Directory enhances security and improves service to users
• Open, standards-based architecture reduces total cost of ownership
Secure, highly available, scalable and easy-to-manage directory services.
● Enhanced security
● Lowered costs
● Investment protection
● Reduced IT complexity
Identity Administration Services
[Diagram: Identity Manager on an App Server provides the identity administration services (Provisioning, Profile Management, Password Management, Identity Synchronization) to Directories, Databases, Operating Systems, Mainframes and Business Applications, with Admin, Delegated Admin and End User Self-Service interfaces]
Identity Repository Services
[Diagram: Directory Server Enterprise Edition provides the identity repository services: LDAP Directory, security proxy services, Active Directory sync services]
Integrated, End-to-End Identity Management
[Diagram: Identity Manager (Synchronization Services, Password Management, User Provisioning); Access Manager (Federation, Access Control, Web Single Sign-On); Directory Server EE (AD Synchronization, Security/Failover, Directory Services); shared Web-Based Administration and Audit & Reporting]
Sun Microsystems, Inc. Proprietary & Confidential
Technology Challenges of the Virtual Enterprise
[Diagram: challenges surrounding the enterprise: audits, standards, partnerships and user relationships that are constantly changing, legislative mandates, multi-platform support, additional staff, access to critical applications, additional resources]
Identity Management: Technology Cornerstone of the Virtual Enterprise
[Diagram: Identity Management at the centre of four themes: Consistent Delivery of High Levels of Service; Interoperability; Ability to Scale and Flex Cost-Effectively; Inclusionary Security. Attributes shown: fast access to information; open standards with cross-platform support; standards-based, federated framework; non-invasive architectures; rapid, automated processes; data consistency, accuracy and reliability; logging, auditing and reporting for regulatory compliance; eliminate security loopholes; common security architecture]
Sun Microsystems, Inc. Proprietary and Confidential
Access Manager Architecture
● Only vendor based on J2EE architecture
– Java servlets deployed in the web container JVM
– Services are modular and can be distributed separately from one another
– Customers leverage their knowledge of running and developing Java-based applications
● Faster time to deployment, lower TCO
● Deeply customizable/extensible
– Java, XML & C interfaces provide robust mechanisms for integration and extensibility
● Highly reliable and scalable
– Leverages multi-tier J2EE load-balancing and failover
● Built on and implements open standards and APIs
– JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
Authentication
● Standards-based, extensible authentication framework (JAAS: Java Authentication and Authorization Service)
● Supports multiple pluggable authentication mechanisms
– LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, Anonymous, Membership
● Custom authentication mechanisms using the SPI
● Multi-factor authentication (chained authentication mechanisms: every module in the chain must succeed)
● Level-based authentication: a level is assigned to each authentication mechanism, and a resource can require a minimum level
● Resource-based authentication
Authorization Governed by Policy
● Policy = Rules + Subjects + Conditions
– Rules: the resource being protected (URL), the access method, allow/deny
– Subjects: who is allowed access? User, role, group, etc.
– Conditions: additional constraints such as IP address, authN level or mechanism, day/time, session timeout
– Referral policies and the SPI allow customization
Single Sign-On: How It Works
● The Policy Agent on the web or application server intercepts resource requests and enforces access control
● The client is issued an SSO token; the agent presents it to the Session service to validate the session
● The SSO token carries no content in itself: it is a long random string used as a handle, and all session state (user, auth level, expiry) lives server-side in the Session service
Single Sign-On Token
● Web-based applications carry the SSO token in a browser session cookie or by URL rewriting
● Non-web applications use the SSO API (Java/C) to obtain the SSO token and validate it, establishing the user's identity
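The authentication and SSO slides above describe three things that fit together: a chain of pluggable modules with a level assigned to the chain, a session service that holds the state, and an agent that only ever sees an opaque token. The following is an added illustrative model written for this page, not Sun product code; the user store, the two modules, the OTP scheme and the chain names are constructed assumptions, and the cookie name `iPlanetDirectoryPro` and login URL `/amserver/UI/Login` are assumed to be the Access Manager defaults.

```python
"""Model of the authentication service and SSO token handling described above:
a chain of pluggable modules (one per mechanism, all must succeed), an
authentication level assigned to the chain, and an SSO token that is only a
random handle to server-side session state. Added illustrative model, not Sun
product code; the user store, modules, OTP scheme and chain names are
constructed assumptions; the cookie name and login URL are assumed defaults."""
import hashlib
import hmac
import secrets
import time

_SALT = b"demo-salt-16byte"              # a single fixed salt only to keep the demo short


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed "LDAP" user store
USERS = {"jsmith": {"pw": _pw_hash("Tr0ub4dor&3"), "otp_secret": b"jsmith-otp-secret",
                    "roles": {"employee"}}}


def ldap_module(user: str, creds: dict) -> bool:
    rec = USERS.get(user)
    return rec is not None and hmac.compare_digest(_pw_hash(creds.get("password", "")), rec["pw"])


def expected_otp(user: str, window: int) -> str:
    """Demo OTP: 6 digits from an HMAC over a 30-second window counter."""
    mac = hmac.new(USERS[user]["otp_secret"], str(window).encode(), "sha256").digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def otp_module(user: str, creds: dict) -> bool:
    if user not in USERS:
        return False
    window = creds.get("window", int(time.time()) // 30)
    return hmac.compare_digest(creds.get("otp", ""), expected_otp(user, window))


# Chains: name -> (modules run in order, authentication level assigned to the chain)
CHAINS = {"ldapService": ([ldap_module], 1),
          "ldapPlusOtp": ([ldap_module, otp_module], 2)}


class SessionService:
    """All session state lives here; the token handed to the client is only a handle."""

    def __init__(self, ttl: int = 3600):
        self.sessions, self.ttl = {}, ttl

    def authenticate(self, chain: str, user: str, creds: dict):
        modules, level = CHAINS[chain]
        if not all(m(user, creds) for m in modules):   # any failed module fails the chain
            return None
        token = secrets.token_urlsafe(32)              # 256 random bits, no embedded data
        self.sessions[token] = {"user": user, "level": level,
                                "roles": USERS[user]["roles"], "expires": time.time() + self.ttl}
        return token

    def validate(self, token: str):
        s = self.sessions.get(token)
        if s is None or s["expires"] < time.time():
            self.sessions.pop(token, None)
            return None
        return s

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


def policy_agent(session_service: SessionService, cookies: dict) -> dict:
    """What the agent does per request: read the SSO cookie, validate it with the
    session service, then admit the request or redirect to the login page."""
    token = cookies.get("iPlanetDirectoryPro")
    session = session_service.validate(token) if token else None
    if session is None:
        return {"action": "redirect", "location": "/amserver/UI/Login"}
    return {"action": "allow", "user": session["user"], "level": session["level"]}
```

Because the token is only a handle, a logout or expiry on the session service invalidates it everywhere at once, and a captured token leaks nothing about the user; the trade-off is that every agent must reach the session service (or a trusted cache of it) to validate.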
Cross-Domain Single Sign-On
● A browser cookie is only sent back to the DNS domain that set it, so the user is issued a cookie for each domain accessed that is part of the CDSSO deployment
● Also accomplished with the SAML/Liberty implementation
Web SSO Flow
[Diagram: User; Policy Agent in front of the White Pages application; Policy Agent in front of the Paycheck application; Sun Java System Access Manager]
1. Request resource (White Pages application)
2. Agent checks for SSO token + policies
3. Redirect to login page
4. Authenticate + create SSO token
5. Redirect to resource with SSO token
6. Request resource
7. Agent checks for SSO token + policies
8. Provide or refuse resource
9. Subsequent request for resource (Paycheck application)
10. Agent checks for SSO token + policies
11. Provide or refuse resource
New in 6.2: Windows Desktop SSO
● User's-eye view
– Log in to Windows
– Browse to a protected resource
– The resource recognizes me and gives me access based on policies, role, etc.
● That's it: the user logs in exactly once
– No need for a password sync process
– Transparent integration of desktop users into web applications
Windows Desktop SSO Flow
[Diagram: User, Sun Java System Access Manager, Active Directory]
1. Log in to the Windows desktop in the normal way
2. Request protected resource
3. Access Manager returns '401 Unauthorized' with a 'WWW-Authenticate: Negotiate' header
4. The browser requests a service ticket from the Kerberos Ticket Granting Service
5. Ticket provided
6. Request the protected resource again, this time with the SPNEGO token in the 'Authorization: Negotiate' header
7. Access Manager validates the ticket (ticket authentication request; Access Manager needs a Kerberos service principal and keytab for its host to decrypt the service ticket)
8. Authentication response
9. Redirect to resource with SSO token; the request can now proceed in the normal way
Session Features
● Session upgrade: the user provides additional credentials to access a resource with higher authentication requirements
● Client detection: provide content based on client type (standard browser, WAP, etc.)
● Resource-based session timeout
● Java & C Session/SSO APIs
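The "Policy = Rules + Subjects + Conditions" slide and the session upgrade bullet above are two halves of one decision: a policy whose rule and subject match but whose authentication-level condition is unmet should not just deny, it should ask for a session upgrade. The following is an added illustrative model of that decision, written for this page and not Access Manager code; the policies, the network ranges, the working hours and the session records are constructed assumptions. It goes a little beyond the slide's list by spelling out the combining logic (deny overrides, default deny) that the slide leaves implicit.

```python
"""Policy decision model in the Access Manager shape, Policy = Rules + Subjects +
Conditions, with deny-overrides and default deny. When the only condition a
matching allow policy fails is the authentication level, the answer is
"upgrade" (session upgrade) rather than a flat deny. Added illustrative model,
not Access Manager code; policies, networks and sessions are constructed."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    resource: str                          # URL pattern; '*' matches any characters, '/' included
    methods: frozenset = frozenset({"GET", "POST"})
    effect: str = "allow"                  # "allow" or "deny"


@dataclass
class Policy:
    name: str
    rules: list
    subjects: dict                         # {"users": set, "roles": set, "authenticated": bool}
    conditions: dict = field(default_factory=dict)  # ip, min_auth_level, hours, max_session_age


def _subject_matches(policy: Policy, session: dict) -> bool:
    s = policy.subjects
    return (session["user"] in s.get("users", set())
            or bool(set(session["roles"]) & s.get("roles", set()))
            or bool(s.get("authenticated", False)))


def _failed_conditions(policy: Policy, request: dict, session: dict) -> set:
    """Names of the policy's conditions that the request/session do not satisfy."""
    c, failed = policy.conditions, set()
    if "ip" in c and not any(ipaddress.ip_address(request["ip"]) in ipaddress.ip_network(n)
                             for n in c["ip"]):
        failed.add("ip")
    if "min_auth_level" in c and session["level"] < c["min_auth_level"]:
        failed.add("auth_level")
    if "hours" in c and not (c["hours"][0] <= request["hour"] < c["hours"][1]):
        failed.add("time")
    if "max_session_age" in c and session["age"] > c["max_session_age"]:
        failed.add("session_age")
    return failed


def decide(policies: list, request: dict, session: dict) -> tuple:
    """Return ("allow" | "deny" | "upgrade", reason) for one request."""
    allowed, upgrade_to = False, None
    for p in policies:
        rule = next((r for r in p.rules
                     if fnmatch.fnmatchcase(request["url"], r.resource)
                     and request["method"] in r.methods), None)
        if rule is None or not _subject_matches(p, session):
            continue
        failed = _failed_conditions(p, request, session)
        if failed == {"auth_level"} and rule.effect == "allow":
            upgrade_to = max(upgrade_to or 0, p.conditions["min_auth_level"])
            continue
        if failed:
            continue                       # policy not applicable under these conditions
        if rule.effect == "deny":
            return "deny", f"denied by policy {p.name}"   # deny overrides any allow
        allowed = True
    if allowed:
        return "allow", "matched an allow policy"
    if upgrade_to is not None:
        return "upgrade", f"session upgrade to authentication level {upgrade_to} required"
    return "deny", "no applicable policy (default deny)"


# Constructed policy set for the two applications in the Web SSO flow
POLICIES = [
    Policy("whitepages", [Rule("http://intranet.example.edu/whitepages/*")],
           {"authenticated": True}),
    Policy("paycheck", [Rule("http://intranet.example.edu/paycheck/*")],
           {"roles": {"employee"}},
           {"min_auth_level": 2, "ip": ["10.0.0.0/8"], "hours": (7, 19)}),
    Policy("no-contractors", [Rule("http://intranet.example.edu/paycheck/*", effect="deny")],
           {"roles": {"contractor"}}),
]
```

Only the authentication-level condition is turned into an "upgrade" answer; a failed IP or time-of-day condition cannot be cured by re-authenticating, so it simply makes the policy inapplicable and the default deny stands. The agent would act on "upgrade" by redirecting to the login page with the required level, which is what the session upgrade bullet describes.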
Federated Identity
● Federation for cross-domain application integration
● Facilitates 'trusted partnerships'
– Create tighter, more satisfying customer & employee relationships
– Extend existing & create new revenue opportunities
– Implement business models that generate new efficiencies and productivity gains
● Access Manager supports SAML 1.1 and Liberty 2.0
– Successful participation in SAML interop events
– Concurrent support for previous protocol versions
SAML Browser/Artifact Profile SSO Flow
[Diagram: User browser; Sun Java System Access Manager (source site); Partner Site (destination site)]
1. Authenticate to Access Manager in the normal way
2. Request resource at the partner site
3. Access Manager constructs an artifact and an assertion, stores the assertion indexed by the artifact, and constructs a URL containing the artifact
4. Redirect browser to partner site
5. Browser follows the redirection
6. Partner site uses the artifact to request the assertion (back channel)
7. Access Manager provides the assertion
8. Partner site sends the appropriate response to the browser
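The artifact flow above is safe only because of three properties that the step list does not spell out: the artifact is a random handle that is redeemed at most once, it expires quickly, and the back channel in step 6 is authenticated so only the intended partner can redeem it. The following is an added illustrative model of steps 3 through 8, written for this page and not Access Manager code; the partner's back-channel credential (a shared secret standing in for the mutually authenticated TLS the Liberty requirements slide calls for), the audience URIs and the lifetimes are constructed assumptions. The artifact layout follows the SAML 1.1 TYPE 0x0001 format (type code, 20-byte SourceID, 20-byte assertion handle).

```python
"""Model of the SAML 1.1 Browser/Artifact profile from the flow above: the
source site (Access Manager) mints an artifact, stores the assertion under it
and redirects the browser; the destination (partner) site redeems the artifact
over an authenticated back channel. Artifacts are single-use and short-lived.
Added illustrative model, not Access Manager code; partner credentials,
audience URIs and lifetimes are constructed assumptions."""
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


def artifact_from_url(url: str):
    """Pull the SAMLart and TARGET parameters out of the redirect URL."""
    q = parse_qs(urlparse(url).query)
    return q.get("SAMLart", [None])[0], q.get("TARGET", [None])[0]


class SourceSite:
    """Asserting party. Artifact TYPE 0x0001 = type(2) | SourceID(20) | AssertionHandle(20)."""

    def __init__(self, issuer: str, partners: dict, ttl: int = 120):
        self.issuer = issuer
        self.source_id = hashlib.sha1(issuer.encode()).digest()
        self.partners = partners     # name -> {"secret", "audience", "acs"}; secret = back-channel credential
        self.ttl = ttl
        self.store = {}              # artifact -> (assertion, expiry)

    def inter_site_transfer(self, user: str, partner: str, target: str) -> str:
        """Steps 3-4: build assertion and artifact, store them, return the redirect URL."""
        p = self.partners[partner]
        now = int(time.time())
        assertion = {"Issuer": self.issuer, "Subject": user, "IssueInstant": now,
                     "NotOnOrAfter": now + self.ttl, "Audience": p["audience"]}
        raw = b"\x00\x01" + self.source_id + secrets.token_bytes(20)
        artifact = base64.b64encode(raw).decode()
        self.store[artifact] = (assertion, now + self.ttl)
        return p["acs"] + "?" + urlencode({"SAMLart": artifact, "TARGET": target})

    def artifact_resolve(self, partner: str, secret: str, artifact: str):
        """Steps 6-7: back-channel dereference. Authenticate the caller; consume the artifact."""
        p = self.partners.get(partner)
        if p is None or not hmac.compare_digest(p["secret"], secret):
            return None
        entry = self.store.pop(artifact, None)      # pop: a second redemption gets nothing
        if entry is None or entry[1] < time.time():
            return None
        assertion, _ = entry
        return assertion if assertion["Audience"] == p["audience"] else None


class DestinationSite:
    """Relying party (the partner site in the flow)."""

    def __init__(self, name: str, audience: str, secret: str, source: SourceSite):
        self.name, self.audience, self.secret, self.source = name, audience, secret, source

    def assertion_consumer(self, redirect_url: str):
        """Steps 5-8: take the artifact the browser brought, redeem it, validate the assertion."""
        artifact, target = artifact_from_url(redirect_url)
        if not artifact:
            return None
        try:
            raw = base64.b64decode(artifact, validate=True)
        except binascii.Error:
            return None
        if len(raw) != 42 or raw[:2] != b"\x00\x01" or raw[2:22] != self.source.source_id:
            return None                              # unknown source site: never resolve blindly
        a = self.source.artifact_resolve(self.name, self.secret, artifact)
        if a is None or a["Audience"] != self.audience or a["NotOnOrAfter"] <= time.time():
            return None
        return {"user": a["Subject"], "target": target}
```

The destination checks the SourceID before resolving, so an attacker cannot use a crafted artifact to make the partner site contact an arbitrary source; and because the assertion itself never travels through the browser, a URL captured from a proxy log is worthless once it has been redeemed.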