Wednesday, February 21, 2007

Sun One Identity Management framework

Sun Microsystems provides a number of products that work together to form an identity management solution for the enterprise. The products used to implement it are:

Sun One Identity Server
Sun One Directory Server
Sun One Directory Proxy
Sun One Meta Directory
Of these, the first two are the required components for implementing an identity management solution with all the important features: user identity administration, an LDAP data repository, access management and so on.
Each of these is briefly discussed below.

1. Sun One Identity Server:
Formerly known as iPlanet Directory Server Access Management Edition, Identity Server is a product that helps an organization manage secure access to its web-based resources. Its access management enables web SSO (Single Sign On), identity administration and directory services. It simplifies the creation and administration of identities, and the management and enforcement of authentication and of policies for accessing web-based applications and services. The identity management console included with the product provides the features mentioned above along with user self-service for account management. The same console can also be used to administer roles and policies, helping the enterprise to secure and protect its assets while providing web-based services over the internet.

2. Sun One Directory Server:
Formerly known as iPlanet Directory Server, it provides storage and management of identity profiles, access privileges, and application and network resource information. The framework uses the information stored in the directory server to authenticate and authorize users and to grant them access to secured resources and applications.
The directory server comes with an administration console which simplifies the management of the data stored in LDAP.

3. Sun One Directory Proxy Server:
The Sun One Directory Proxy Server, formerly known as iPlanet Directory Access Router, is a product which provides secure, firewall-like services for directory server access control, query filtering and query routing. It works with the directory server to provide protection against directory "denial of service" attacks, so that the directory services remain available at all times. It automatically routes client requests to the appropriate directory server through a referral mechanism. It also provides a load balancing feature, so as to avoid overloading a particular directory server and to make sure that clients' requests are serviced in real time. If one or more directory servers become unavailable, the load is proportionally distributed among the remaining servers; when a server comes back online, the load is proportionally and dynamically reallocated.

4. Sun One Meta-Directory:
Formerly part of the iPlanet Directory Server Integration Edition, it consolidates and integrates identity information that is spread throughout the enterprise into a single profile. Since a single profile is maintained, it helps improve the quality of the information through bidirectional synchronization: if the information about an identity is changed in one application, the change is propagated to the other applications too.

The Join engine applies an extensive set of rules to determine how to combine the user data from the different applications. These rules also control the direction of updates, define the definitive sources for different types of user data and delegate administration of the user base.

Sun One Identity Server Components:
The major components which form the Identity Server are shown in figure 1 and are briefly discussed below:

1. Identity management:

The Identity Management component provides GUI and command line tools to create and manage identity-related objects. User, role, group, policies, organization, suborganization and container objects can be defined, modified or deleted using either the Identity Server console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the organizations, groups, containers, users, services, and policies. The administrators are defined within the Directory Server when installed with Identity Server. The identity management console presents two basic types of views depending on the role of the user logging in.
When a user with an administrative role authenticates to the Identity Server, the default view is the Identity Management view. In this view the administrator can perform administrative tasks. Depending on the role of the administrator, this can include, but is not limited to, creating objects (users, organizations, policies, and so forth), and configuring services.
When a user who has not been assigned an administrative role authenticates to the Identity Server, the default view is their own User Profile. In this view the user can modify the values of the attributes particular to their personal profile. This can include, but is not limited to, name, home address and password.

2. Service management

A service in Identity Server is a group of attributes defined under a common name, such as mail or calendar. The attributes define the parameters that the service provides to an organization. For example, in developing a mail service, one can decide to include attributes for the employee's organization name, a VoIP extension and the supervisor's name. When the service is registered to an organization, the organization can use these attributes in the configuration of its entries.
The services in the Identity Server are defined using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file. This file can be found in the following directory:
Identity_Server_root/SUNWam/web-apps/services/dtd/
Identity server comes with some default services which are defined by XML files located in the following directory:
Identity_Server_root/SUNWam/web-apps/services/WEB-INF/config/xml
The service management component provides the interface (through the Identity Server console GUI) to configure and register these services and their attributes.

3. Access management

The Identity Server provides a common authentication and authorization platform which administrators can use to implement access to multiple servers with one single account for each user. Users can access all the web resources to which they are entitled using the SSO authorization services, and can do so across different DNS domains without authenticating repeatedly.

Identity Server provides a plug-in solution for user authentication. The criteria needed to authenticate a particular user are based on the authentication service configured for each organization in the Identity Server enterprise. It also supports multi-level authentication, which requires users to pass successfully through multiple levels of authentication in order to access resources. Each authentication level maps to one or more authentication mechanisms. Once a user has been authenticated at a particular level, he can access all the resources which require a lower level of authentication, which avoids re-authentication while accessing those other resources.

A set of rules combines to form a policy. These define who has access to resources and which users can perform what tasks when the appropriate conditions are met. A single policy can define either binary or non-binary decisions. A binary decision is yes/no, true/false or allow/deny, and most policies are of this type. A non-binary decision represents the value of an attribute. For example, a mail service might include a mailbox quota attribute with a maximum storage value set for each user; a policy service administers this restriction, ensuring that each user's quota is not exceeded.

Identity Server provides policy APIs, command-line tools (amadmin) and the Identity Server console to create, modify and administer the policies.
Identity Server uses SSO (Single Sign On) to authenticate the user once in order to give him access to multiple resources. Each time the authenticated user tries to access a protected page, the SSO API determines whether the user has the required permissions based on their authentication credentials. If the user is valid, access to the page is given without additional authentication. If not, the user is prompted to authenticate again. This is achieved by creating an SSO token with a session identifier.

The Cross Domain Single Sign-On (CDSSO) feature makes it possible for users to authenticate once in a DNS domain in your enterprise, and then access Identity Server services running on other domains. This service is implemented through the use of a controller plus any number of CDSSO components that you install on the participating domains.

The Cross-Domain Controller (CDC) component is automatically installed when you install Identity Services. The controller is responsible for appropriately directing authentication requests. If a request contains no Single Sign-On (SSO) information, the controller directs the request to the Authentication service. If a request contains SSO information the request is directed to the appropriate CDSSO component with the SSO information appended to the query string.

Identity Server makes use of policy agents to implement web SSO and protect access to restricted web resources. If a user tries to access a protected resource and no valid SSO token is found, the request is redirected to the Identity Server and the user has to pass through the SSO authentication process. Once a valid SSO token is generated, the policy agent checks the access rights of the user and the user is then redirected to the requested web resource. Access is granted according to the user's access privileges.
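The policy-agent decision described above, together with the multi-level authentication and binary/non-binary policy decisions from the preceding paragraphs, as an added toy model (this is not Sun ONE Identity Server code; Session, Policy, protect() and the sample policies are assumptions for illustration):

```python
# Added example (not the product's own code): a toy policy agent that
# models the access-management flow. Session, Policy, protect() and the
# sample POLICIES are constructed for illustration only.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Session:
    user: str
    auth_level: int                         # level reached when the SSO token was issued
    roles: set = field(default_factory=set)

@dataclass
class Policy:
    resource: str
    required_level: int                     # authentication level the resource demands
    allowed_roles: set                      # binary (allow/deny) decision
    mailbox_quota_mb: Optional[int] = None  # non-binary decision (an attribute value)

# Constructed sample policies for the demonstration.
POLICIES = {
    "/mail": Policy("/mail", 1, {"employee"}, mailbox_quota_mb=500),
    "/payroll": Policy("/payroll", 2, {"payroll-admin"}),
}

def protect(resource: str, session: Optional[Session]) -> dict:
    """Return the agent's decision for one request to a protected resource."""
    # No valid SSO token: redirect to the Identity Server authentication service.
    if session is None:
        return {"action": "redirect", "to": "identity-server-login"}
    policy = POLICIES.get(resource)
    if policy is None:
        return {"action": "deny", "reason": "no policy"}
    # Multi-level authentication: a session at level N may reach any resource
    # requiring level <= N; a higher level forces step-up re-authentication.
    if session.auth_level < policy.required_level:
        return {"action": "redirect", "to": "step-up-auth",
                "level": policy.required_level}
    # Binary decision: role membership.
    if not (session.roles & policy.allowed_roles):
        return {"action": "deny", "reason": "role"}
    decision = {"action": "allow", "resource": resource}
    # Non-binary decision: pass the attribute value on to the application.
    if policy.mailbox_quota_mb is not None:
        decision["mailbox_quota_mb"] = policy.mailbox_quota_mb
    return decision
```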

The Session Management module provides a solution for viewing user session information and managing user sessions. It keeps track of various session times. Administrators can use it to view and terminate the authenticated user sessions which are currently active.

4. Federation management

Today a user on the internet usually has a number of accounts to access various business, community and personal service providers. The user might have different names, passwords & preferences for his bank account, email account, utility providers, news portals etc. A local identity refers to the set of attributes that an individual might set up with one service provider. These attributes serve to uniquely identify the individual with that provider.

It is becoming increasingly important to develop and implement a system that lets online users aggregate their local identities, giving them one network identity. This system is identity federation. Identity federation allows a user to associate, connect or bind the local identities held with multiple internet service providers. A network identity allows users to log in at one service provider's site and then go to an affiliated site without having to re-authenticate or re-establish their identity.
The Liberty Alliance is one such project which is trying to make this concept a reality.
The purpose of Liberty is to develop technical specifications for network identity in a federated environment. It is a project of the Liberty Alliance, a group organized to establish open standards for network-based identity interactions.

The key features of Liberty are:

The Liberty user: The user who interacts with two types of entities:

Service Providers: Businesses and information providers of the on-line world.

Identity Providers: Entities that maintain and manage identity information. Both the Service and Identity providers could be either remote or hosted providers.

Single sign-on: The ability of the user to authenticate himself once per session with an identity provider and then use that authentication to create sessions with various service providers and perhaps even other identity providers without having to re-authenticate himself.

Federated Identity: Federation allows the user to keep his existing accounts with different service providers on one hand and to establish a connection between those accounts on the other hand.

Single Logout: When a user logs out from an identity provider, the user will effectively be logged out from all affiliated service providers within an authentication domain. Logout information is sent to the identity provider when logout is initiated from a service provider. Users can initiate logout from either a service provider or the identity provider.

Liberty does not limit Identity Providers to a particular scheme of authentication. It could be something simple like prompting the user for a username and password, or more complex and secure mechanisms involving cryptographic signatures, certificates, or challenge/response protocols. Liberty is user-friendly in the sense that the redirection for these operations is done by the system and not by the user.

Liberty protocols exchange identity information through pre-existing protocols and languages (SOAP and SAML respectively) as well as web redirects. Liberty protocols use SSL to encrypt these web communications and provide user confidentiality.

SOAP (Simple Object Access Protocol) is a peer-to-peer protocol for exchanging structured and typed information between peers in a distributed environment. The SOAP envelope is a framework for expressing what is in a message, who should handle it, and whether it is optional or mandatory. SOAP also has encoding rules for exchanging application-defined datatypes, exactly what is needed in Liberty.

SAML (Security Assertion Markup Language) is an XML-based security assertion framework. SAML defines three types of assertions: authentication, attribute, and authorization decision. Liberty uses authentication assertions, which state that subject S was authenticated at time T by means M.

In the Sun One Identity Server the administrator can use the provided tools like the GUI or the command line to enable Liberty. Now if the user or an application tries to access a protected resource, the user is redirected to a Pre-Login page which invokes the Federation Management Service’s Pre-Login servlet instead of the authentication service. This servlet searches for either a valid Identity Server single sign-on token or a valid Federation Cookie (which indicates that a user has federated his account using this Identity Server provider). If an SSO token is found, the user’s federation information is retrieved, and the user is authenticated; a Federation Cookie is also set and the user is returned to the target resource. If a Federation Cookie is found, the user is directed to the Federation Single Sign-On Service which provides an Authentication Assertion allowing the user access to the target resource. If neither of these items is found, the user is redirected to the Identity Server Authentication Service where, upon successful authentication, the user is directed to the Post-Login page which invokes the Post-Login servlet. This servlet processes the user’s Identity Server authentication and initiates the Federation Management Single Sign-On Service which, once again, provides an Authentication Assertion to allow the user access to the target resource.
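The Pre-Login / Post-Login branching described above, as an added toy model (not the product's servlet code); the request shape, the FEDERATION_INFO table and the minimal assertion dictionary standing in for a SAML authentication assertion are assumptions for illustration:

```python
# Added example (not Sun ONE Identity Server code): the Pre-Login servlet's
# three-way decision and the Post-Login continuation, as pure functions.
# Request shape, FEDERATION_INFO and the assertion dict are constructed here.
from datetime import datetime, timezone
from typing import Optional

# Constructed sample: users who have federated their account via this provider.
FEDERATION_INFO = {"alice": {"idp": "idp.example.test", "name_id": "a-7f3"}}

def authentication_assertion(subject: str, means: str,
                             when: Optional[datetime] = None) -> dict:
    """Stand-in for a SAML authentication assertion:
    subject S was authenticated at time T by means M."""
    when = when or datetime.now(timezone.utc)
    return {"subject": subject, "authn_instant": when.isoformat(), "means": means}

def pre_login(request: dict, target: str) -> dict:
    """Decide what the Pre-Login step does with one request for `target`.

    request keys (both optional): 'sso_token' -> authenticated user name,
    'federation_cookie' -> federated user name.
    """
    user = request.get("sso_token")
    if user:
        # Valid SSO token: retrieve federation information, treat the user as
        # authenticated, set the Federation Cookie and return to the target.
        return {"action": "return", "target": target,
                "federation_info": FEDERATION_INFO.get(user),
                "set_federation_cookie": user}
    fed_user = request.get("federation_cookie")
    if fed_user:
        # Federation Cookie only: the Federation Single Sign-On Service issues
        # an authentication assertion that admits the user to the target.
        return {"action": "federation-sso", "target": target,
                "assertion": authentication_assertion(fed_user, "federation-cookie")}
    # Neither: send the user to the Authentication Service; on success the
    # Post-Login servlet completes the flow.
    return {"action": "redirect", "to": "authentication-service",
            "then": "post-login", "target": target}

def post_login(user: str, means: str, target: str) -> dict:
    """After successful Identity Server authentication, initiate Federation SSO."""
    return {"action": "federation-sso", "target": target,
            "assertion": authentication_assertion(user, means)}
```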

The Identity Server console can be used to administer the Authentication Domains and the providers.

5. Directory server
Sun ONE Directory Server provides global directory services. A global directory service provides a single, centralized repository of directory information that any application can access. Offering a wide variety of applications access to the directory requires that those applications be able to communicate with the directory over the network in a standard way. Sun ONE Directory Server provides two standard protocols through which applications can access its global directory: Lightweight Directory Access Protocol (LDAP) and Directory Services Markup Language (DSML).
The Directory Server acts as the primary layer on which the Identity Server is built. All the users, policies, organizations and so on that are created through the identity console are ultimately stored in the directory server database. The information in the directory can also be administered through the Directory Server Console (GUI).

By,
Ashokkumar.
