Sun Java System Identity Solution - TERENA

Posted on 23-Apr-2020

TRANSCRIPT

Page 1: Sun Java System Identity Solution

Stuart Sim, Chief Architect, Global Education & Research, Sun Microsystems

Sun Proprietary/Confidential: Internal Use Only

Page 2: Agenda

• Business Drivers for Identity Management
• Sun's Identity Management Solution
• Sun Java System Access Manager Overview
  > Authentication Services
  > Federation Services
  > Auditing Services
  > SSO for non-web apps
• Sun Java System Identity Manager Overview
  > User Provisioning
• Sun Open Source Strategy for Identity

Page 3: Sun's Identity Management Suite

• Comprehensive software solution that includes
  > Directory Services
  > Access Control, Single Sign-On, Federation
  > Provisioning and Identity Synchronization Services
  > Identity Auditing
• Open, Integrated, "Integrate-able" to reduce cost, complexity

[Diagram: suite components - Identity Manager, Directory Server Enterprise Edition, Access Manager, Identity Auditor]

Page 4: Sun Java System Access Manager

Page 5: Access Manager 6.3 Core

• Auth (LDAP, RADIUS, AD, etc.)
• SSO (CDSSO, SAML 1.1, Liberty)
• Authorization (Role Mgt, Policy)

Liberty Alliance Compliant
• Phase 1 & 2 (ID-FF, ID-WSF)
• Discovery Service
• Metadata Management
• Bulk federation
• PAOS, LECP
• Personal/Employee Profile
• ResourceID Mapper
• RoleID Mapper
• Federation Manager

Page 6: Access Management Today: Fragmented, Insecure, Costly

[Diagram: Employees, Customers, Partners and Web Services each connecting separately to Directories, Databases, Business Applications and Custom Systems]

● Who has access to what resource?
● What can users do with that access?
● How much does secure access cost me?
● How do I quickly deploy new services?
● How do I comply with laws & regulations?

Page 7: Sun Java Enterprise System

• Sun Java Enterprise Suites
  > Application Platform Suite
  > Communication Suite
  > Availability Suite
  > Infrastructure Suite
  > Identity Management Suite
• Original "business model"
  > Pricing per employee
  > Included license, service and support
  > RTU (employee, client)
• Multi-platform
  > Solaris SPARC and x64, Linux RedHat AS 2.3
  > Windows 2003, HP-UX

NEW

Page 8: Solution: Sun Java Access Manager

● Increase enterprise-wide security
● Reduce complexity and operational costs
● Open access to customers, partners
● Provide a foundation for compliance

[Diagram: Employees, Customers, Partners and Web Services reach Directories, Databases, Business Applications and Custom Systems through Access Manager Services - Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation]

Page 9: Access Manager: Functional Overview

• Single sign-on to web, J2EE resources
• Centralize policy-based authentication and authorization
• Enable distributed authentication and policy enforcement
• Audit and log all authentication events
• Platform for enabling identity-based web services

[Diagram: Policy Agents in front of Directories, Databases and Business Applications, backed by Access Manager Services - Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation]

Page 10: Centralized Authentication Services

• Leverage existing authentication mechanisms
• Centrally manage, establish user identity
  > Over 15 mechanisms out of the box - LDAP, Active Directory, JDBC, SAML, others
• Adapt using custom modules as needed

[Diagram: Policy Agents and Access Manager Services (Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation) behind a firewall; authentication modules shown - LDAP, HTTP, Cert, JDBC]

Page 11: Distributed Authentication Services

• Flexible deployment model
  > Deploy authN mechanisms in the DMZ or behind the firewall
  > Customize presentation, credential extraction
• Create high-performance, secure authN

[Diagram: a Distributed AuthN component in the DMZ, separated by a firewall from Access Manager Services - Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation]
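Pages 10 and 11 describe pluggable authentication modules (LDAP, certificate, JDBC and others) that can be chained and customized, and page 17 notes that Access Manager builds on JAAS. The following Go program is an added example written for this transcript, not Sun's code: it implements the JAAS control-flag semantics (Required, Requisite, Sufficient, Optional) over two constructed modules, a certificate module that trusts a subject DN the TLS layer is assumed to have validated already, and an LDAP stand-in that checks a salted digest for one user instead of binding to a directory. The user names, DN, password and salt are made up.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Flag carries the JAAS login-module control-flag semantics.
type Flag int

const (
	Required   Flag = iota // must succeed; the chain continues either way
	Requisite              // must succeed; a failure stops the chain immediately
	Sufficient             // a success ends the chain, unless an earlier Required/Requisite failed
	Optional               // the outcome does not depend on it
)

// Module is one authentication mechanism (LDAP, certificate, JDBC, RADIUS, ...).
type Module interface {
	Login(creds map[string]string) (principal string, ok bool)
}

type Entry struct {
	Flag   Flag
	Module Module
}

// Authenticate runs the chain under JAAS rules and returns the established principal.
func Authenticate(chain []Entry, creds map[string]string) (string, bool) {
	principal := ""
	requiredSeen, requiredFailed, anySuccess := false, false, false
	for _, e := range chain {
		p, ok := e.Module.Login(creds)
		if ok {
			anySuccess = true
			if principal == "" {
				principal = p
			}
		}
		switch e.Flag {
		case Required:
			requiredSeen = true
			requiredFailed = requiredFailed || !ok
		case Requisite:
			requiredSeen = true
			if !ok {
				return "", false
			}
		case Sufficient:
			if ok && !requiredFailed {
				return principal, true
			}
		}
	}
	// With Required/Requisite entries all of them must have passed; without any,
	// at least one Sufficient/Optional entry must have passed.
	if (requiredSeen && !requiredFailed) || (!requiredSeen && anySuccess) {
		return principal, true
	}
	return "", false
}

// StoredPassword is a salted digest; SHA-256 stands in for a slow password hash.
type StoredPassword struct{ Salt, Digest []byte }

func digest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// LDAPModule stands in for a directory bind against a constructed user table.
type LDAPModule struct{ Users map[string]StoredPassword }

func (m LDAPModule) Login(c map[string]string) (string, bool) {
	u, ok := m.Users[c["uid"]]
	if !ok {
		digest([]byte("pad"), c["password"]) // same cost for unknown users
		return "", false
	}
	if subtle.ConstantTimeCompare(digest(u.Salt, c["password"]), u.Digest) != 1 {
		return "", false
	}
	return c["uid"], true
}

// CertModule maps a client-certificate subject, assumed already validated by the
// TLS layer and passed in creds["cert_subject"], to a principal.
type CertModule struct{ Trusted map[string]string }

func (m CertModule) Login(c map[string]string) (string, bool) {
	p, ok := m.Trusted[c["cert_subject"]]
	return p, ok
}

// DemoChain: a trusted certificate is sufficient on its own; otherwise the LDAP bind is required.
func DemoChain() []Entry {
	salt := []byte("constructed-salt")
	return []Entry{
		{Sufficient, CertModule{Trusted: map[string]string{"CN=alice,O=Example University": "alice"}}},
		{Required, LDAPModule{Users: map[string]StoredPassword{"bob": {salt, digest(salt, "correct horse battery staple")}}}},
	}
}

func main() {
	for _, creds := range []map[string]string{
		{"cert_subject": "CN=alice,O=Example University"},
		{"uid": "bob", "password": "correct horse battery staple"},
	} {
		p, ok := Authenticate(DemoChain(), creds)
		fmt.Printf("%v -> principal=%q ok=%v\n", creds, p, ok)
	}
}
```

Ordering matters: placing a Sufficient module after a Required one that fails does not rescue the login, which is the property the flag semantics are meant to guarantee.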

Page 12: Centralized Policy Services

• Flexible, comprehensive policy decision engine
  > Centrally define, manage authorizations
  > Easily extend authorizations to new applications
  > Base access controls, authorizations on roles, user profiles
• Create a central point of control
  > Easier to audit usage
  > Easier to handle role/policy exceptions
  > Easier to make dynamic access decisions
• Define granular controls
  > Control access to specific endpoints
  > Systematic management of sessions

Page 13: Centralized Policy Services

• Define Resource Realms
  > Create a virtual delegation hierarchy for managing resources
  > Delegate policy administration based on realms
• Flexible policy deployment model
  > Decouple underlying directory structure from policy implementation

Page 14: Distributed Policy Services

• Provide policy enforcement at the point of access
  > Easily adapt centralized policy capabilities onto existing applications
  > Provide deeper, fine-grained enforcement of policy
  > Leverage system capabilities
• Provide centralized policy enforcement
  > Reverse proxy solution expands flexibility, manageability

Page 15: Centralized Audit Services

• Centrally track all authN, authZ events
• Provide easy-to-manage proof points
  > Who had access, who granted that access
  > What systems did they access
  > What functions did they perform
  > When did they perform those functions
• Standards-based implementation
  > Easy integration with existing auditing, reporting tools
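Pages 12 to 15 describe the split between a central policy decision engine with realm-scoped, endpoint-level policies, distributed enforcement by agents at the point of access, and a central audit trail. The Go program below is an added example written for this transcript, not Access Manager code: a default-deny decision point whose policies bind realm, a wildcard resource pattern, permitted actions and role subjects; a session check with expiry; an agent-side enforcement hook; and an audit record per decision that answers who asked for what, when, and which policy granted it. The realm name, URLs, roles and sessions are constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Session is the SSO session a policy agent (the enforcement point) presents with each request.
type Session struct {
	Token   string
	User    string
	Roles   []string
	Expires time.Time
}

// Policy: within Realm, a subject holding one of Subjects may perform Actions on
// resources matching Resource, where '*' is a wildcard.
type Policy struct {
	Realm, Name, Resource string
	Actions, Subjects     []string
}

// AuditRecord is one centrally logged authorization decision.
type AuditRecord struct {
	When                          time.Time
	User, Realm, Resource, Action string
	Allowed                       bool
	Reason                        string
}

// PDP is the central policy decision point.
type PDP struct {
	Policies []Policy
	Audit    []AuditRecord
	Now      func() time.Time
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

// MatchResource is an anchored glob match; '*' matches any run of characters.
func MatchResource(pattern, resource string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == resource
	}
	if !strings.HasPrefix(resource, parts[0]) {
		return false
	}
	rest := resource[len(parts[0]):]
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(rest, mid)
		if i < 0 {
			return false
		}
		rest = rest[i+len(mid):]
	}
	return strings.HasSuffix(rest, parts[len(parts)-1])
}

// Decide is default-deny: no session, an expired session, or no matching policy all deny.
// Every decision, allowed or not, is appended to the audit trail.
func (p *PDP) Decide(realm string, s *Session, resource, action string) (bool, string) {
	now := p.Now()
	allowed, reason, user := false, "no matching policy (default deny)", ""
	switch {
	case s == nil:
		reason = "no session"
	case !now.Before(s.Expires):
		user, reason = s.User, "session expired"
	default:
		user = s.User
		for _, pol := range p.Policies {
			if pol.Realm != realm || !MatchResource(pol.Resource, resource) || !contains(pol.Actions, action) {
				continue
			}
			for _, role := range s.Roles {
				if contains(pol.Subjects, role) {
					allowed, reason = true, "policy "+pol.Name
				}
			}
			if allowed {
				break
			}
		}
	}
	p.Audit = append(p.Audit, AuditRecord{now, user, realm, resource, action, allowed, reason})
	return allowed, reason
}

// Enforce is the agent side: the request is forwarded to the protected application only on an allow.
func (p *PDP) Enforce(realm string, s *Session, resource, action string, forward func()) bool {
	ok, _ := p.Decide(realm, s, resource, action)
	if ok {
		forward()
	}
	return ok
}

// DemoPDP holds constructed policies for a fictitious "campus" realm.
func DemoPDP() *PDP {
	return &PDP{Now: time.Now, Policies: []Policy{
		{Realm: "campus", Name: "sis-admin", Resource: "https://sis.example.edu/admin/*", Actions: []string{"GET", "POST"}, Subjects: []string{"registrar"}},
		{Realm: "campus", Name: "sis-self", Resource: "https://sis.example.edu/me/*", Actions: []string{"GET"}, Subjects: []string{"student", "staff"}},
	}}
}

func main() {
	pdp, exp := DemoPDP(), time.Now().Add(time.Hour)
	student := &Session{Token: "s1", User: "alice", Roles: []string{"student"}, Expires: exp}
	registrar := &Session{Token: "s2", User: "bob", Roles: []string{"registrar"}, Expires: exp}
	pdp.Enforce("campus", student, "https://sis.example.edu/admin/grades", "POST", func() {})
	pdp.Enforce("campus", registrar, "https://sis.example.edu/admin/grades", "POST", func() {})
	for _, r := range pdp.Audit {
		fmt.Printf("%s user=%s %s %s allowed=%v (%s)\n", r.When.Format(time.RFC3339), r.User, r.Action, r.Resource, r.Allowed, r.Reason)
	}
}
```

The realm is part of the match, so a policy delegated to one realm's administrators cannot grant access to resources in another realm even when the URL pattern would match.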

Page 16: Access Manager Architecture

[Diagram: Access Manager Services - Authentication, Single Sign-On, Session, Authorization (Policy), Federation, Auditing - with Flexible Administration (Administration GUI and CLI) and Centralized Audit (Logging, Reporting), connecting to Existing Resources, Existing Applications and Existing Data Stores]

Page 17: Access Manager Architecture

• Open
  > Unique J2EE architecture
  > Commitment to open standards and APIs - JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
• Integrated
  > Leverage the strengths of Sun's market-leading Identity Management platform
  > Reuse services, functionality
• Integrate-able
  > Deploys seamlessly into your existing environment
  > Data store independent
  > Modular, flexible deployment options
  > Faster time to deployment, lower TCO

Page 18: Access Manager: Extended Integration

• Leveraging your existing network
  > Integration with smartcards, tokens, certificate providers
  > Reliable integration with enterprise applications
  > Superior integration with system management, monitoring
  > Out-of-the-box support, easy customization

Page 19: Liberty Platform Requirements

• Trust Relationships
  > Infrastructure entities - Identity Provider (IDP) and Service Provider (SP)
  > Trust Circle (PKI trust root/paths)
• Confidentiality and Integrity
  > Secure back-channel (TLS, SSL or VPN)
  > XML signatures
• Peer Authentication and Authorization
  > Server-side certificates
• Session State Management
  > Common domain cookie
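The requirements above (a circle of trust anchored in PKI, signed assertions, identity provider and service provider roles) translate into a fixed set of checks a service provider must make before it trusts an assertion. The Go program below is an added example written for this transcript, not Sun's or the Liberty Alliance's code: the identity provider signs an assertion, and the service provider accepts it only if the issuer is in its circle of trust, the signature verifies under that issuer's key, the audience names this SP, the validity window holds, and the assertion ID has not been consumed before. JSON and a PKCS#1 v1.5 RSA signature stand in for the XML encoding and XML signature that Liberty ID-FF/SAML actually use, and the key is held directly rather than in a certificate from federation metadata; the provider IDs and subject are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified stand-in for the authentication assertion an identity
// provider issues.
type Assertion struct {
	ID           string    `json:"id"`       // unique per assertion; enables one-time-use checks
	Issuer       string    `json:"issuer"`   // IdP providerID
	Audience     string    `json:"audience"` // SP providerID the assertion is meant for
	Subject      string    `json:"subject"`  // federated name identifier
	NotBefore    time.Time `json:"nb"`
	NotOnOrAfter time.Time `json:"noa"`
}

// canonical is the byte string that is signed; the same encoding is used on both sides.
func (a Assertion) canonical() []byte {
	b, _ := json.Marshal(a) // plain struct fields only, cannot fail
	return b
}

// Sign is the identity-provider side.
func Sign(priv *rsa.PrivateKey, a Assertion) ([]byte, error) {
	h := sha256.Sum256(a.canonical())
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// SP holds what the circle-of-trust metadata gives a service provider: the issuers it
// trusts and their signing keys.
type SP struct {
	ProviderID  string
	TrustCircle map[string]*rsa.PublicKey
	Now         func() time.Time
	consumed    map[string]time.Time // assertion ID -> expiry, for replay protection
}

// Verify performs the relying-party checks in order; any failure rejects the assertion.
func (sp *SP) Verify(a Assertion, sig []byte) error {
	pub, ok := sp.TrustCircle[a.Issuer]
	if !ok {
		return errors.New("issuer not in circle of trust: " + a.Issuer)
	}
	h := sha256.Sum256(a.canonical())
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return errors.New("signature does not verify")
	}
	if a.Audience != sp.ProviderID {
		return errors.New("assertion addressed to another provider: " + a.Audience)
	}
	now := sp.Now()
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return errors.New("assertion outside its validity window")
	}
	if _, seen := sp.consumed[a.ID]; seen {
		return errors.New("assertion replayed: " + a.ID)
	}
	sp.consumed[a.ID] = a.NotOnOrAfter
	for id, exp := range sp.consumed { // forget IDs that can no longer pass the window check
		if !now.Before(exp) {
			delete(sp.consumed, id)
		}
	}
	return nil
}

// NewDemo generates a fresh IdP key pair and an SP whose trust circle contains that IdP.
func NewDemo() (*rsa.PrivateKey, *SP, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	sp := &SP{
		ProviderID:  "https://sp.example.edu",
		TrustCircle: map[string]*rsa.PublicKey{"https://idp.example.edu": &priv.PublicKey},
		Now:         time.Now,
		consumed:    map[string]time.Time{},
	}
	return priv, sp, nil
}

func main() {
	priv, sp, err := NewDemo()
	if err != nil {
		panic(err)
	}
	a := Assertion{ID: "_a1", Issuer: "https://idp.example.edu", Audience: sp.ProviderID, Subject: "opaque-nameid-42",
		NotBefore: time.Now().Add(-time.Minute), NotOnOrAfter: time.Now().Add(5 * time.Minute)}
	sig, _ := Sign(priv, a)
	fmt.Println("first use:", sp.Verify(a, sig))
	fmt.Println("second use:", sp.Verify(a, sig))
}
```

The issuer field is read before the signature is checked only to select the key; nothing else in the assertion is acted on until the signature has verified under a key from the trust circle.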

Page 20: Sample Architecture

Page 21: Liberty-enabled SMS GW - Web Service SSO Service Flow

[Diagram: User/Principal, Discovery Server (DS), Identity Provider (IDP), 3rd-party Attribute Provider and Content Provider; flow steps labelled A to K across a Liberty ID-WSF circle-of-trust security affiliation zone and an untrusted zone; SSOs not specified by Liberty. Caption: how to integrate a legacy application with SSO & WS]

Page 22: Legacy & Web Service SSO Service - SMS to Web Service SSO

[Diagram: an SMS Gateway (non-HTTP) and a Content Provider (HTTP/SOAP), each fronted by Federation Manager over Access Manager; Identity Provider (IDP), Discovery Service (DS) and Attribute Provider (PP, Geo-Loc/LES) backed by LDAP; flow: service request via SMS, auth request, discovery request, service request, content delivery]

Page 23: Deployment Environment - Typical & Traditional Internet Architecture

Page 24: Sun Java System Federation Manager

Page 25: Agenda

• What is Federated Identity?
• Federation Business Drivers - The Virtual Campus
• Benefits of Identity Federation
• Sun's Federated Identity Management
• Sun Java System Federation Manager
• Sun's work in Federation

Page 26: What is Federated Identity?

“The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains.”

Burton Group, Identity and Privacy Strategies Research Report “Toward Federated Identity Management: The Journey Continues,” August 19, 2003.

Page 27: Driving toward the Virtual Enterprise

• Reduce costs while increasing efficiency

• Increase quality of service for your users

• Increase security

• Open your business to new opportunities

• Enable regulatory compliance

Page 28: Business Drivers for Federation: The Problem - No Room for Compromise

Page 29: Business Drivers for Federation

• Open access without risk
  - Externalize and integrate applications in order to tap into new, larger user communities
• Improve quality of service
  - Provide seamless, secure access to ensure user confidence and aggressive adoption
• Increase revenue opportunity
  - Provide business partners with new channels and enhanced services that drive revenue

Page 30: Benefits of Federation

• Secure yet open access
  - Easy integration within the enterprise and with partners
  - Secure, reusable framework based on open standards
• Enhanced user experience
  - Create more responsible users
  - Tie the user experience to security

Page 31: Sun's Work in Federation

• Catalyst for Liberty Alliance Project
  > Co-founder in Sept 2001
  > First to implement Liberty specifications in product
  > First to have product certified as "Liberty Interoperable"
• Leader in development of SAML
  > OASIS SSTC Chair
  > Drove standards convergence of Liberty ID-FF 1.1 and SAML
  > Demonstrating leadership through SAML interop events
• Development of Shibboleth Connectors for Edu Community
• Strong and ongoing investment and executive commitment throughout company

Page 32: Sun Federated Identity Management

Page 33: Unique Characteristics

• Broadly implementing Liberty, SAML, and web services standards
  - ID-FF 1.2, SAML 1.1, SAML 2.0, ID-WSF 1.0
  - Focus on multi-protocol environments
• Focuses on enabling complex, multi-party federations
  - Solves common, out-of-band issues
  - Delivers common operational functionality
• Integrated with other suite components (Identity Manager SPE) to provide:
  - Provisioning, Registration, Self-Service

Page 34: Federated Identity Solution: Sun Java System Access Manager and Federation Manager

• Deploy at the identity provider or identity consumer site

• Link identity data across sites

• Share authentication via Liberty/SAML

• Create reusable authentication, authorization with partners

Page 35: Trusted Domain

[Diagram: Sun Java System Access Manager (Authentication, Authorization, Single Sign-On, Federation, Logging, Session) as Identity Provider and Sun Java System Federation Manager (Web Service Framework, SAML) as Service Provider; properties - Consistent Identity, Pervasive Trust, Reusable Security, Federated Session Management, Automated ID Federation, Extranet Single Sign-On]

Page 36: Sun Java System Identity Manager

Page 37: Agenda

● Business Drivers for Identity Management
● Sun's Identity Management Solution
● Sun Java System Identity Manager
  – Automated User Provisioning
  – Password Management
  – Identity Synchronization
● Why Sun, Why Identity Manager
  – Customer Successes
  – Integration Partners
  – Business Justification
  – What Sets Sun Apart

Page 38: Dynamic Identity Life Cycle

New Users
● User info entered in HR or user self-registers
● Accounts provisioned to enterprise systems, applications, directories
● Non-digital resources assigned and/or initiated

Change Events & User Support
● Job/role/status changes
● Password changes and resets
● Profile information changes
● Additional requests for account access or non-digital resources

Users Leave
● Student status updated in SIS
● Student contact changes
● Admin closes account
● Accounts disabled & removed
● Non-digital resources retrieved and/or cancelled

Page 39: Sun Java System Identity Manager

A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle

● Automated user provisioning to improve operational efficiency and enhance security
● Secure, automated password management to improve service levels and lower costs
● User self-service and delegated administration to lower support costs
● Automated data synchronization to lower workloads associated with handling change
● Non-invasive, flexible architecture to speed deployment and ROI
● Comprehensive auditing and reporting to improve security compliance

● Enhanced security
● Lowered costs
● Improved productivity

[Diagram: identity lifecycle - Add, Change, Delete]

Page 40: Sun Java System Identity Manager

[Diagram: Agentless Adapters to Enterprise Package Applications, Custom Applications, Non-Digital Assets, Operating Systems, Mainframes, Databases and Directories; Identity Platform Services - Self-Service Interfaces, Audit Reporting, Role and Policy Management, Delegated Admin Views, Rules Engine, Dynamic Workflow, SPML Toolkit, Virtual Identity Manager, Auto-Discovery; functions - Automated User Provisioning, Password Management, Identity Synchronization; Unified Identity Console on top]

Page 41: Provisioning Today: Fragmented, Manual and Insecure

[Diagram: Students, Parents, Teachers and Former Students served through a Human Resources System, Call Center, Facilities/Purchasing and Help Desk into Siebel CRM, Oracle Financials, Exchange and Active Directory and other assets; chargeable assets - mobile phone/service, conference call account, credit card, office space, phone, laptop]

● Where are my risks?
● Who has access?
● What recurring charges am I still paying for?
● How much does all of this cost?

Page 42: Provisioning with Sun: Streamlined, Automated and Secure

[Diagram: Students, Parents, Teachers and Former Students provisioned through an Approving Manager and SIS Manager into Siebel CRM, Oracle Financials, Exchange and Active Directory and other assets; chargeable assets - mobile phone/service, conference call account, credit card, office space, phone, laptop]

● Reduced risk
● Complete view of user's identity
● Efficient, automated operations

Page 43: Identity Manager's Automated Provisioning Highlights

● Granular delegated administration
● Web-based self-service
  – With automated change approval processes
● Robust audit and reporting
● Role-based access control
● Rule-based provisioning
  – Business policy enforcement through automated rule evaluation
● Multi-step, complex provisioning
● Authoritative feeds from HR applications and directories
● Agentless adapters
  – Out of the box for leading enterprise systems & applications
  – Ref Kit and samples for custom adapter development
● SPML Toolkit

Page 44: Password Management Today: Costly, Labor-Intensive and Painful

[Diagram, rows labelled Users / Process / Environment: Students, Parents, Teachers and Temporary Students call the Help Desk, which resets passwords on Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix and RACF]

● Expensive, manual process
● Pattern of reset-request peaks
● Users limited to service during help desk hours
● Users have to remember multiple credentials

Page 45: Password Management with Sun: Cost-Effective, Quick, and Convenient

[Diagram, rows labelled Users / Process / Environment: Students, Parents, Teachers and Visiting Students reset passwords through Interactive Voice Response (IVR), propagated to Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix and RACF]

● Automated process
● Available to users anytime, delivered how they work
● Users only have 1 set of credentials to remember

Page 46: Identity Manager's Password Management Highlights

● Self-service password reset & synchronization
● Convenient access through
  – Web browser
  – IVR system
  – Network log-in (Windows)
● Automated password policy enforcement
  – Password history store
  – Password exclusion dictionary
● Help desk integration to track password-related activity
● Agentless adapters
  – Out of the box for leading enterprise systems & applications
  – Ref Kit and samples for custom adapter development
● Reporting on self-service password resets

Page 47: Identity Synchronization Challenges

● Migration to a directory-based infrastructure
● Maintenance of identity data to ensure attributes are accurate and consistent with other applications
  – Profile management driven via self-service
  – Point-to-point, system-driven synchronization

Page 48: Identity Synchronization: Why Migration?

● Today's environment includes multiple identity data sources
● Trend toward simplification of IT environment with a directory-centric identity infrastructure
  – Strategic initiatives, like portals, rely on directory infrastructure
  – Re-usable architecture offers investment protection for new application development

[Diagram: existing identity sources - RACF, Windows NT, Oracle RDBMS, Lotus Notes and several LDAP directories]

Page 49: Identity Synchronization: Migration with Sun

[Diagram: RACF, Windows NT, Oracle RDBMS, Lotus Notes and existing LDAP directories migrated into Active Directory and Sun Java System Directory Server]

● Provides complete, automated data migration into new directories from existing repositories
  – Discover & correlate for data cleansing and establishing of virtual identity
  – Create directory containers & hierarchy
  – Bulk actions for populating directories with user data
● Provides complete management of both old systems and new directories during migration period

Page 50: Identity Synchronization: Profile Management with Sun

[Diagram: an employee gets married, changes name, changes address; the change enters through Self Service or a New Hire Application, passes HR Manager Approval, and flows to Exchange and Active Directory, Siebel CRM, the Human Resources System, Oracle Financials and Payroll Systems, serving Partners, Customers, Executives, Sales, Operations and Marketing Employees]

● Efficient, automated operations
● High quality of service
● Top-line benefit

Page 51: Identity Synchronization: System-to-System Updates Today

[Diagram: Custom Application, Extranet Directory, Exchange and Active Directory, CRM, Human Resources System, ERP and Payroll Systems as unconnected silos]

● Data silos independently owned and manually administered
● Manual updates, if occurring, are error-prone
● Inconsistent identity information across the enterprise
● Inefficient business operations

Page 52: Identity Synchronization: System-to-System Updates with Sun

Employee got promoted
● New Title
● New Job Code
● New Pay Grade
● New Department

The change recorded in the Human Resources System fans out to:
● ERP: update with new Job Code; modify access privileges to ensure separation of duty
● Payroll System: update Pay Grade as it impacts salary
● Exchange and Active Directory: update with new Department, Title, Job Code; modify home directory and move location of network files for employee; modify message database account size for employee
● Corporate LDAP: update with new Department, Job Code, Title for use by corporate white pages

Page 53: Identity Manager's Identity Synchronization Highlights

● Auto-Discovery to create a unified Virtual Identity
● Automated and scheduled detection of change
● Synchronization between heterogeneous data sources
● Identity data transformation
● Granular, flexible authority assignment
● Web-based self-service
  – Delegation to end-users with automated change approval processes
● Resource adapters
  – Out of the box for leading enterprise systems & applications
  – Out-of-the-box schema maps
  – Ref Kit and samples for custom adapter development
● Audit and Reporting

Page 54: Identity Platform Service: Auto-Discovery

● Logical management of multiple disparate identities
● Reduces risk of "orphaned" privileges

[Diagram: accounts "Jsmith", "smitty" and "jms" found in Databases, Applications and Directories are linked into one Virtual Identity for Joe Smith]
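The slide's Joe Smith example (three differently named accounts resolved to one person) is the correlation half of auto-discovery; the security half is what happens to accounts that correlate to nobody, or to someone who has left (page 38, "Users Leave"). The Go program below is an added example written for this transcript, not Identity Manager code: it reconciles accounts read from managed resources against the authoritative HR/SIS feed by login and then by e-mail, builds one virtual identity per person, flags orphaned accounts and accounts whose owner is terminated, and derives the deprovisioning actions. The people, logins and resource names are constructed; Joe Smith's three logins follow the slide.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Person is a record from the authoritative source (HR or the student information system).
type Person struct {
	ID     string // login assigned by HR/SIS
	Email  string
	Status string // "active" or "terminated"
}

// Account is what auto-discovery reads back from a managed resource.
type Account struct {
	Resource string // "ad", "unix", "oracle", ...
	Login    string
	Email    string // mail attribute, used to correlate logins that differ from the HR ID
}

// VirtualIdentity is one person with every account correlated to them.
type VirtualIdentity struct {
	PersonID string
	Accounts []Account
}

// Finding is an account that should not exist as it stands.
type Finding struct {
	Account Account
	Kind    string // "orphan": no owner found; "terminated-owner": owner has left
}

// Reconcile correlates accounts to people by login, then by e-mail, and flags the rest.
func Reconcile(people []Person, accounts []Account) (map[string]*VirtualIdentity, []Finding) {
	byID, byEmail := map[string]Person{}, map[string]Person{}
	for _, p := range people {
		byID[p.ID] = p
		if p.Email != "" {
			byEmail[strings.ToLower(p.Email)] = p
		}
	}
	identities := map[string]*VirtualIdentity{}
	var findings []Finding
	for _, acct := range accounts {
		owner, ok := byID[acct.Login]
		if !ok && acct.Email != "" {
			owner, ok = byEmail[strings.ToLower(acct.Email)]
		}
		if !ok {
			findings = append(findings, Finding{acct, "orphan"})
			continue
		}
		if owner.Status != "active" {
			findings = append(findings, Finding{acct, "terminated-owner"})
		}
		vi := identities[owner.ID]
		if vi == nil {
			vi = &VirtualIdentity{PersonID: owner.ID}
			identities[owner.ID] = vi
		}
		vi.Accounts = append(vi.Accounts, acct)
	}
	return identities, findings
}

// DeprovisionPlan turns findings into the actions a provisioning workflow would run:
// accounts of terminated owners are disabled; orphans are held for an owner review.
func DeprovisionPlan(findings []Finding) []string {
	var plan []string
	for _, f := range findings {
		switch f.Kind {
		case "terminated-owner":
			plan = append(plan, "disable "+f.Account.Resource+"/"+f.Account.Login)
		case "orphan":
			plan = append(plan, "review "+f.Account.Resource+"/"+f.Account.Login)
		}
	}
	sort.Strings(plan)
	return plan
}

// DemoData is constructed sample input modelled on the slide's Joe Smith example.
func DemoData() ([]Person, []Account) {
	people := []Person{
		{ID: "jsmith", Email: "joe.smith@example.edu", Status: "active"},
		{ID: "fbloggs", Email: "fred.bloggs@example.edu", Status: "terminated"},
	}
	accounts := []Account{
		{Resource: "ad", Login: "jsmith", Email: "joe.smith@example.edu"},
		{Resource: "unix", Login: "smitty", Email: "Joe.Smith@example.edu"},
		{Resource: "oracle", Login: "jms", Email: "joe.smith@example.edu"},
		{Resource: "ad", Login: "fbloggs", Email: "fred.bloggs@example.edu"},
		{Resource: "unix", Login: "backup_svc", Email: ""},
	}
	return people, accounts
}

func main() {
	ids, findings := Reconcile(DemoData())
	for _, vi := range ids {
		fmt.Printf("%s -> %d accounts\n", vi.PersonID, len(vi.Accounts))
	}
	for _, step := range DeprovisionPlan(findings) {
		fmt.Println(step)
	}
}
```

Correlation by a secondary attribute such as e-mail is what lets the pass find accounts like "smitty" at all; an account with neither a matching login nor a correlating attribute is exactly the orphaned privilege the slide warns about, so it is reported rather than silently ignored.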

Page 55: Identity Platform Service: Virtual Identity Manager

● Minimizes deployment time
● Eliminates operational challenges
● Manage centrally, enforce locally

[Diagram: Virtual Identity Manager spanning Applications, Web Applications, Directories, Databases and Asset Databases/Directories]

Page 56

Identity Platform Service: Agent-less Adapters

● Minimizes agent deployment
● Eliminates agent management
● Eliminates operational challenges

[Diagram: resources reached through Agent-less, Connector or Agent adapters: Unix Systems, Custom Applications, RDBMS, Directories, Mainframe, Package Applications and NT/ADS; a Resource Adapter Wizard covers Custom Applications.]

Page 57

Unified Identity Console

● Web-based interfaces for administrators and end-users
  – Smart Forms are interactive web-based forms with embedded logic to assist user navigation
  – Delegated administration views based on granular delegation for scope, capabilities, data sources and data
● Self-service for self-management of accounts, assets, passwords and profile data
● Administrators
  – Define and manage: role models, policies, delegation assignments
  – View and act on identities
● Comprehensive reporting
● End-to-end identity auditing capabilities

Page 58

Identity Manager Physical Architecture

[Diagram: a J2EE Application on any app server with a Virtual ID Store (RDBMS, reached over JDBC/LDAP). Front ends: Help Desk and HR; an External Workflow via WS-BPEL; an Authoritative Source via JMAC/ABAP/JDBC; trouble ticket creation; the Approving Manager and End User Self-Service from any web browser over SMTP and HTTPS. Authoritative Sources are reached Agent-less, through a Gateway or through an Agent: Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS, NT/ADS, Asset Database/Directory (holding e.g. Laptop Serial Number, Office Number, Mobile Service Plan, Mobile Phone Model, Conference Call Account, Credit Card) and Partner Web App, over Custom, JDBC, API/JDBC, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC and SSH.]

Page 59

Identity Manager Server Components

[Diagram: interfaces (IVR Interface, Business Process Editor, Console, SOAP/SPML, ActiveSync Adapters, Web GUIs) sitting on a Session API; Authentication, Authorization and Audit/Reporting services; an Object Cache, Repository and Persistence layer; Resource Adapters; and Reconciliation, Provisioning, Workflow and Reports components plus a Task Engine.]

Page 60

Identity Manager Resource Connectivity Diagram

[Diagram: the resource side of the physical architecture on the previous slide. A J2EE Application on any app server reaches the Authoritative Sources (Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS, NT/ADS, Asset Database/Directory with attributes such as Laptop Serial Number, Office Number, Mobile Service Plan, Mobile Phone Model, Conference Call Account and Credit Card, and Partner Web App) Agent-less, through a Gateway or through an Agent, over Custom, JDBC, API/JDBC, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC and SSH.]

Page 61

Sun JavaTM Identity System

Q & A ?

Page 62

Identity Manager Resource Adapter Types

● Agentless connectivity
  – Easily integrated in existing environment
  – Single maintenance point for upgrades
  – Eliminates most technical/political objections
● Gateways where appropriate
  – Crossing OS/API boundaries
  – Follows platform interface requirements
  – Provides compatibility over time using recommended APIs
● Custom Adapters
  – Unusual or proprietary resources
  – The RDK is a clean and efficient approach
  – Lots of custom skeletons to reuse

Page 63

Identity Manager Auditing and Reporting

● Every action in Identity Manager is logged
  – Stored in the Identity Manager repository
  – Discrete entries for each activity
  – Allows for aggregate queries
  – Extendable, e.g. signed logging
● Extended logging for compliance reporting
  – Uses the "Audit" option in resource schema definitions

Page 64

Identity Manager Auditing & Reporting (cont.)

● Reporting types
  – User and administrator
  – Summary reports
  – Usage
  – Role
  – Resource
● Report output options
  – Ad-hoc
  – Scheduled
  – Visual
  – Formatted for export
● Risk analysis reports
● Wizard to create new reports

Page 65

Identity Manager Interface Options

● Zero footprint Web-based applications
  – Administrator Interface
  – End user self-service
● SOAP/SPML
  – Provides standards-based interface
  – HTTP connectivity
● Java API for custom applications
● Console
  – Scriptable
  – Bulk processes
● IVR (legacy InnerVoice Bright)
● Business Process Editor (Java Swing)

Page 66

Identity Manager Delegated Administration

● Capabilities
  – Discrete
  – Can be assigned to a user that performs only one function
● N-level delegation
  – Can be assigned from one administrator to another, providing true "n-level" delegation
● Administrators are created
  – Using the Web interface
  – Using rules, forms or workflow
● Granular authority
  – Any user can be an administrator
  – A user's administration privileges may be limited
    ● To a specific capability
    ● In a specific organization

Page 67

Identity Manager Objects and Containers

● Users
● Resources
  – Any external data managed by Identity Manager
● Roles and resource groups
  – Contain multiple resources
  – Control behavior
  – Apply rules and policy
● Organizations and Virtual Organizations
  – Virtual Organizations map to org structures in remote directories
● Relationships between objects and containers

Page 68

The "Identity Grid"

[Diagram, by layer: Application Interface, Web Interface and Portal Interface serving Customers, IT Administrators, Employees and Partners; Administration Services (Provisioning Services, Password Management, User Administration, Identity Synchronization, Policy Management); Transaction Services (Data transport Services, Authentication Services, Authorization Services); Data Repositories (Directories, Databases, Flat Files); and the Product Categories CRM, ERP, SCM, HR and eCommerce.]

Page 69

Sun Java System Directory Server

• Most widely deployed LDAP-based directory server – over 1.5 billion licenses sold
• Built-in security – prevents DoS attacks, controls access, intercepts unauthorized operations
• World-class performance and scalability – from entry-level to large-scale deployments
• Multi-master replication and failover for high availability
• Intuitive Web-based administration interface
• Password synchronization with Active Directory enhances security, improves service to users
• Open, standards based architecture reduces total cost of ownership

Secure, highly available, scalable and easy-to-manage directory services.

● Enhanced security
● Lowered costs
● Investment protection
● Reduced IT complexity

Page 70

Identity Administration Services

[Diagram: Identity Manager on an App Server provides the identity administration services Provisioning, Profile Management, Password Management and Identity Synchronization across Databases, Directories, Business Applications, Operating Systems and Mainframes, with Admin, Delegated Admin and End User Self-Service interfaces.]

Page 71

Identity Repository Services

[Diagram: Directory Server Enterprise Edition provides the Identity Repository Services: LDAP Directory Services, security Proxy Services and Active Directory Sync (AD Synch) services.]

Page 72

Integrated, End-to-End Identity Management

[Diagram: Identity Manager (Synchronization Services, Password Management, User Provisioning), Access Manager (Federation, Access Control, Web Single-Sign-On) and Directory Server EE (AD Synchronization, Security/Failover, Directory Services), with Web-Based Administration and Audit & Reporting.]

Page 73

Sun Microsystems, Inc. Proprietary & Confidential

Technology Challenges of the Virtual Enterprise

[Diagram of pressures on the enterprise: Audits, Standards, Legislative mandates, Multi-platform support, Additional staff, Access to critical applications, Additional resources, and partnerships and user relationships that are constantly changing.]

Page 74

Identity Management: Technology Cornerstone of the Virtual Enterprise

[Diagram: Identity Management at the center, with four pillars.]

Consistent Delivery of High Levels of Service
  – Fast access to information

Interoperability
  – Open standards with cross-platform support
  – Standards-based, federated framework
  – Non-invasive architectures

Ability to Scale and Flex Cost-Effectively
  – Rapid, automated processes
  – Data consistency, accuracy and reliability

Inclusionary Security
  – Logging, auditing, reporting for regulatory compliance
  – Eliminate security loopholes
  – Common security architecture

Page 75

Sun Microsystems, Inc. Proprietary and Confidential

Deployment Architecture

Page 76

Access Manager Architecture

● Only vendor based on J2EE architecture
  – Java servlets deployed in the web container JVM
  – Services are modular and can be distributed separately from each other
  – Customers can leverage their knowledge of running/developing Java-based applications
● Faster time to deployment, lower TCO
● Deeply customizable/extensible
  – Java, XML & C interfaces provide robust mechanisms for integration and extensibility
● Highly reliable and scalable
  – Leverages multi-tier J2EE load-balancing and failover
● Built on and implements open standards and APIs
  – JAAS, JDK 1.4 Log API, Liberty, SAML, etc.

Page 77

Authentication

● Standards-based, extensible authentication framework (JAAS: Java Authentication and Authorization Service)
● Supports multiple pluggable authentication mechanisms
  – LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, Anonymous, Membership
● Custom authentication mechanisms using the SPI
● Multi-factor authentication (chained authentication mechanisms)
● Levels-based authentication
  – Levels assigned to authentication mechanisms
● Resource-based authentication

Page 78

Authorization Governed by Policy

● Policy = Rules + Subjects + Conditions
  – Rules
    ● Resource being protected – URL, access method, allow/deny
  – Subjects
    ● Who is allowed access? User/role/group etc.
  – Conditions
    ● Additional constraints – IP address, authN level/mechanism, day/time, session timeout
  – Referral policies and the SPI allow customization
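An added example, not Sun's code, showing how the three parts of such a policy combine at evaluation time; the policy names, URLs, users and networks are constructed. The authN level condition ties in with the levels-based authentication and session upgrade slides: a request made with too weak a login is refused, which is the case a session upgrade resolves.

```python
# Added example, not Sun's code: a miniature of the Access Manager policy model
# on the slide (Policy = Rules + Subjects + Conditions); all data is constructed.
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

@dataclass
class Request:
    user: str
    roles: set
    resource: str      # URL being accessed
    method: str        # access method, e.g. GET or POST
    client_ip: str
    auth_level: int    # level assigned to the mechanism the user authenticated with
    when: datetime

@dataclass
class Rule:
    resource_pattern: str   # glob over the protected URL
    methods: set
    allow: bool             # allow/deny

@dataclass
class Policy:
    name: str
    rules: list
    subjects: set                                   # user names or "role:<name>"
    conditions: dict = field(default_factory=dict)  # ip, min_auth_level, hours

    def subject_matches(self, req):
        return req.user in self.subjects or any(
            f"role:{r}" in self.subjects for r in req.roles)

    def conditions_hold(self, req):
        c = self.conditions
        if "ip" in c and not any(ip_address(req.client_ip) in ip_network(n) for n in c["ip"]):
            return False
        if req.auth_level < c.get("min_auth_level", 0):
            return False   # too weak a mechanism: the caller would trigger a session upgrade
        if "hours" in c and not c["hours"][0] <= req.when.hour < c["hours"][1]:
            return False
        return True

def evaluate(policies, req):
    """Deny by default; a matching deny rule wins over any matching allow."""
    decision = "deny"
    for p in policies:
        if not (p.subject_matches(req) and p.conditions_hold(req)):
            continue
        for r in p.rules:
            if fnmatch(req.resource, r.resource_pattern) and req.method in r.methods:
                if not r.allow:
                    return "deny"
                decision = "allow"
    return decision

# Constructed sample policies: employees may read paychecks from the campus
# network, with a strong-enough login, during working hours; contractors never.
POLICIES = [
    Policy("payroll-staff",
           rules=[Rule("https://hr.example.edu/paycheck/*", {"GET"}, True)],
           subjects={"role:employee"},
           conditions={"ip": ["10.0.0.0/8"], "min_auth_level": 2, "hours": (7, 19)}),
    Policy("no-contractor-payroll",
           rules=[Rule("https://hr.example.edu/paycheck/*", {"GET", "POST"}, False)],
           subjects={"role:contractor"}),
]

def paycheck_request(user, roles, ip="10.1.2.3", level=2, hour=10):
    """Constructed request against the paycheck application."""
    return Request(user, set(roles), "https://hr.example.edu/paycheck/2024",
                   "GET", ip, level, datetime(2024, 1, 15, hour))
```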

Page 79

Single Sign-On – How It Works

● Policy Agent on Web or Application Server intercepts resource requests and enforces access control
● Client is issued an SSO token containing information for session validation with the Session service
● SSO token has no content – just a long random string used as a handle

Page 80

Single Sign-On Token

● Web-based applications use browser session cookies or URL rewriting to issue the SSO token
● Non-Web applications use the SSO API (Java/C) to obtain the SSO token to validate the user's identity

Page 81

Cross Domain Single Sign-On

● User is issued a cookie for each domain accessed that is part of the CDSSO deployment
● Also accomplished with the SAML/Liberty implementation

Page 82

Web SSO Flow

Participants: the User's browser, Sun Java System Access Manager, and an Access Manager Policy Agent in front of each of the White Pages Application and the Paycheck Application.

1. Request resource
2. Agent checks for SSO token + policies
3. Redirect to login page
4. Authenticate + create SSO token
5. Redirect to resource with SSO token
6. Request resource
7. Agent checks for SSO token + policies
8. Provide or refuse resource
9. Subsequent request for resource
10. Agent checks for SSO token + policies
11. Provide or refuse resource
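An added example, not Sun's code, that walks the eleven steps above in Python: the Session service issues an opaque random handle as the SSO token and keeps all session state server-side, and a Policy Agent per application validates the handle before serving. User names, passwords, URLs, the cookie name and the idle timeout are constructed.

```python
# Added example, not Sun's code: a simulation of the Web SSO flow on the slide.
# The Session service issues opaque SSO tokens (random handles that carry no
# content) and a Policy Agent in front of each application validates them.
# User names, passwords, application names and the cookie name are constructed.
import secrets

CONSTRUCTED_USERS = {"jsmith": "correct horse battery staple"}
COOKIE = "ssotoken"   # constructed cookie name for the SSO token

class SessionService:
    """Server-side session state; the token is only a lookup handle."""
    def __init__(self, idle_timeout=600):
        self._sessions = {}
        self.idle_timeout = idle_timeout

    def authenticate(self, user, password, now):
        """Step 4: verify credentials and create a session, returning the SSO token."""
        if CONSTRUCTED_USERS.get(user) != password:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, unguessable
        self._sessions[token] = {"user": user, "last_seen": now}
        return token

    def validate(self, token, now):
        """Return the session's user, or None if the handle is unknown or idle too long."""
        s = self._sessions.get(token)
        if s is None or now - s["last_seen"] > self.idle_timeout:
            self._sessions.pop(token, None)
            return None
        s["last_seen"] = now
        return s["user"]

class PolicyAgent:
    """Intercepts requests for one application and enforces access control."""
    def __init__(self, app, sessions, allowed_users, login_url):
        self.app, self.sessions = app, sessions
        self.allowed, self.login_url = allowed_users, login_url

    def handle(self, url, cookies, now):
        """Steps 2/7/10: check the SSO token, then the policy for this user."""
        user = self.sessions.validate(cookies.get(COOKIE, ""), now)
        if user is None:            # step 3: no valid session, send to login
            return 302, self.login_url + "?goto=" + url
        if user not in self.allowed:
            return 403, "refused by policy"
        return 200, f"{self.app} content for {user}"

def web_sso_flow():
    """Walk the slide's steps 1-11 and return the status of each application response."""
    sessions = SessionService(idle_timeout=600)
    white_pages = PolicyAgent("White Pages", sessions, {"jsmith"}, "https://am.example.edu/login")
    paycheck = PolicyAgent("Paycheck", sessions, {"jsmith"}, "https://am.example.edu/login")
    first = white_pages.handle("https://wp.example.edu/", {}, now=0)            # 1-3: no token
    token = sessions.authenticate("jsmith", "correct horse battery staple", 1)  # 4
    cookies = {COOKIE: token}                                                   # 5: token issued
    second = white_pages.handle("https://wp.example.edu/", cookies, now=2)      # 6-8
    third = paycheck.handle("https://pay.example.edu/", cookies, now=3)         # 9-11: no re-login
    stale = paycheck.handle("https://pay.example.edu/", cookies, now=700)       # idle timeout hit
    return [first[0], second[0], third[0], stale[0]]
```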

Page 83

New in 6.2: Windows Desktop SSO

● User-eye view
  – Log in to Windows
  – Surf to a protected resource
  – The resource recognizes me and gives me access based on policies, role etc.
● That's it – the user logs in exactly once
  – No need for a password sync process
  – Transparent integration of desktop users into web applications

Page 84

Windows Desktop SSO Flow

Participants: the User, Sun Java System Access Manager, and Active Directory.

1. Login to Windows Desktop in the normal way
2. Request protected resource
3. Return '401 Unauthorized' with 'WWW-Authenticate: Negotiate' header
4. Request ticket from Kerberos Ticket Granting Service
5. Provide ticket
6. Request protected resource – this time with SPNEGO token in 'Authorization: Negotiate' header
7. Request ticket authentication
8. Authentication response
9. Redirect to resource with SSO token – request can now proceed in the normal way

Page 85

Session Features

● Session upgrade
  – User provides additional credentials to access a resource with higher authentication requirements
● Client detection
  – Provide content based on client type – standard browser, WAP, etc.
● Resource-based session timeout
● Java & C Session/SSO APIs

Page 86

Federated Identity

● Federation for cross-domain application integration
● Facilitates 'trusted partnerships'
  – Create tighter, more satisfying customer & employee relationships
  – Extend existing & create new revenue opportunities
  – Implement business models that generate new efficiencies and productivity gains
● Access Manager supports SAML 1.1 and Liberty 2.0
  – Successful participation in SAML interop events
  – Concurrent support for previous protocol versions

Page 87

SAML Browser/Artifact Profile SSO Flow

Participants: the User's browser, Sun Java System Access Manager (AM), and the Partner Site.

1. Authenticate to Access Manager in the normal way
2. Request resource at Partner site
3. AM constructs artifact and assertion, stores the assertion indexed by the artifact, and constructs a URL containing the artifact
4. Redirect browser to partner site
5. Browser follows redirection
6. Partner site uses artifact to request assertion
7. AM provides assertion
8. Partner site sends appropriate response to browser
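An added example, not Sun's code, modelling steps 1 to 8 in Python with the artifact laid out as the SAML 1.x type 0x0001 structure (type code, source ID, random assertion handle). Party names, URLs and users are constructed; the one-time redemption, requester and audience/expiry checks are SAML requirements that the slide does not show.

```python
# Added example, not Sun's code: a minimal model of the SAML 1.x Browser/Artifact
# profile flow on the slide. Party names, URLs and users are constructed; the
# one-time-use and requester checks in resolve() are SAML requirements the slide
# does not spell out.
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

class IdentityProvider:
    """Plays the Access Manager role."""
    def __init__(self, issuer, partners, ttl=300):
        self.issuer, self.ttl = issuer, ttl
        self.partners = partners   # partner name -> its assertion consumer URL
        self._pending = {}         # artifact -> (intended partner, assertion)

    def _make_artifact(self):
        # SAML 1.x type 0x0001 artifact: TypeCode || SourceID || AssertionHandle
        source_id = hashlib.sha1(self.issuer.encode()).digest()   # 20 bytes
        handle = secrets.token_bytes(20)                            # random, unguessable
        return base64.b64encode(b"\x00\x01" + source_id + handle).decode()

    def sso_redirect(self, user, partner, target, now):
        """Steps 3-4: build artifact + assertion, store by artifact, return redirect URL."""
        artifact = self._make_artifact()
        assertion = {"issuer": self.issuer, "subject": user, "audience": partner,
                     "not_on_or_after": now + self.ttl}
        self._pending[artifact] = (partner, assertion)
        return self.partners[partner] + "?" + urlencode({"SAMLart": artifact, "TARGET": target})

    def resolve(self, artifact, requester):
        """Steps 6-7: back-channel resolution; each artifact is redeemable exactly once."""
        partner, assertion = self._pending.pop(artifact, (None, None))
        if assertion is None or partner != requester:
            return None            # unknown, already used, or asked for by the wrong partner
        return assertion

class PartnerSite:
    def __init__(self, name, idp):
        self.name, self.idp = name, idp

    def consume(self, redirect_url, now):
        """Steps 5-8: browser arrives with the artifact; dereference it and respond."""
        q = parse_qs(urlparse(redirect_url).query)
        assertion = self.idp.resolve(q["SAMLart"][0], requester=self.name)
        if assertion is None:
            return {"status": 403, "reason": "unknown, replayed or misdirected artifact"}
        if assertion["audience"] != self.name or now >= assertion["not_on_or_after"]:
            return {"status": 403, "reason": "assertion not for this site or expired"}
        return {"status": 200, "user": assertion["subject"], "target": q["TARGET"][0]}

def build_parties():
    """Constructed deployment: one Access Manager and two federated partner sites."""
    idp = IdentityProvider("https://am.example.edu", {
        "library": "https://library.example.org/acs",
        "bookstore": "https://bookstore.example.com/acs"})
    return idp, PartnerSite("library", idp), PartnerSite("bookstore", idp)
```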