Sun Java System Access Manager and Sun Java System Federation Manager FAQ

Sun Java System Access Manager and Sun Java System Federation Manager FAQ: Liberty Alliance and Security Assertion Markup Language


Q: Do Access Manager and Federation Manager support SAMLv2 metadata?

Yes. Both products support Security Assertion Markup Language version 2 (SAMLv2) metadata. Currently, a command-line interface (CLI) is available for metadata exchanges.

The upcoming release will support one-click metadata exchanges, which automatically import or export the data for establishing basic federated communications among hubs and spokes.

Q: Does Federation Manager require privileged access to install?

No, you can install Federation Manager as a nonroot user.

Q: Can Sun partners enable federation and manage their own user data?

The core concept in a federated model is for the partners to both manage their own user information and take advantage of the authentication and authorization services from the identity provider (IdP) in a federation. Access Manager complies with Liberty Alliance and SAML and fully supports that model.

Q: Do Access Manager and Federation Manager support the SAML 2.0 assertion condition elements and attributes NotOnOrAfter, NotBefore, Condition, AudienceRestriction, OneTimeUse, and ProxyRestriction?

Yes.
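Supporting these conditions on the issuing side is only half of the story; a relying party has to enforce them when it consumes the assertion. The following is an added example, not code from Access Manager or Federation Manager, showing what that enforcement looks like for each condition the question lists. The assertion is constructed, and the clock-skew allowance and the replay cache (a plain set of assertion IDs) are this example's own choices.

```python
"""Validate the <saml:Conditions> of a SAML 2.0 assertion on the relying-party side.

Added example, not code from Access Manager or Federation Manager. The
assertion below is constructed; the skew and replay-cache handling are
this example's own choices.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion carrying every condition the FAQ lists.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example-1"
    Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/am</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.com/fm</saml:Audience>
    </saml:AudienceRestriction>
    <saml:OneTimeUse/>
    <saml:ProxyRestriction Count="0"/>
  </saml:Conditions>
</saml:Assertion>"""


def parse_instant(value):
    """SAML xs:dateTime values are expressed in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, my_entity_id, now, seen_ids,
                     skew=timedelta(seconds=60), acting_as_proxy=False):
    """Return a list of rejection reasons; an empty list means the conditions hold.

    seen_ids is the caller's replay cache (a set of assertion IDs already
    accepted); it is updated when the assertion carries OneTimeUse.
    """
    root = ET.fromstring(assertion_xml)
    problems = []
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        # The schema allows an assertion without Conditions; this relying
        # party chooses to require a validity window and an audience.
        return ["missing: Conditions element"]

    # Validity window: NotBefore is inclusive, NotOnOrAfter is exclusive
    # (SAML 2.0 core, section 2.5.1.2). A small skew tolerates clock drift.
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        problems.append("not-yet-valid: NotBefore is in the future")
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        problems.append("expired: NotOnOrAfter has passed")

    for child in cond:
        name = child.tag.split("}")[1]
        if name == "AudienceRestriction":
            # Every AudienceRestriction present must name this relying party.
            audiences = [(a.text or "").strip() for a in child.findall("saml:Audience", NS)]
            if my_entity_id not in audiences:
                problems.append("audience: assertion is not addressed to %s" % my_entity_id)
        elif name == "OneTimeUse":
            assertion_id = root.get("ID")
            if assertion_id in seen_ids:
                problems.append("replay: OneTimeUse assertion %s seen before" % assertion_id)
            else:
                seen_ids.add(assertion_id)
        elif name == "ProxyRestriction":
            # Count="0" forbids issuing further assertions based on this one.
            if acting_as_proxy and int(child.get("Count", "0")) == 0:
                problems.append("proxy: ProxyRestriction forbids proxying")
        else:
            # SAML 2.0 core: an unrecognised condition makes the assertion invalid.
            problems.append("unsupported: condition %s" % name)
    return problems
```

The function returns every reason for rejection rather than stopping at the first one, which makes the audit log line for a rejected assertion far more useful when two partners are debugging a federation.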

Q: What SAMLv2 profiles does Sun support?

Access Manager and Federation Manager support the following profiles:

  • Web browser SSO profile
  • Identity provider discovery profile
  • Single logout profile
  • Name identifier management profile
  • Artifact resolution profile
  • Assertion query-request profile (SAML 1.0 and 1.1)

The upcoming release will also support the following profiles:

  • Enhanced client and proxy profile
  • Assertion query-request profile (SAML 2.0)
  • Name identifier mapping protocol
  • Basic attribute profile
  • LDAP attribute profile
  • X.500 attribute profile (extensible, not out of the box)
  • UUID attribute profile (extensible, not out of the box)
  • DCE PAC attribute profile (extensible, not out of the box)
  • IDP proxy profile
  • XACML attribute profile

Q: Are benchmarking data for Access Manager and Federation Manager available?

Several Access Manager and Federation Manager customers have over a million users. Sun can supply relevant benchmarking results around federation with Access Manager upon request. Contact your Sun representative.

Q: Which federation standards do Access Manager and Federation Manager support?

Access Manager and Federation Manager lead the market in supporting the latest federation specifications, including Liberty ID-FF 1.1 and 1.2; ID-WSF 1.0 and 1.1; and ID-SIS 1.0. Sun was a founding member and sponsor at the inception of the Liberty Alliance Project and continues to fully support the Liberty business guidelines and technical specifications.

Access Manager and Federation Manager also lead in supporting SAML 1.0, 1.1, and 2.0. SAML, an XML framework for exchanging authentication and authorization information across security domains, is managed by the Organization for the Advancement of Structured Information Standards (OASIS); Sun actively participates in developing SAML and co-chairs OASIS.

Q: What identity-based services come with Access Manager?

Access Manager includes the following Liberty ID-WSF Web services:

  • Authentication Web Service — A Web service that adds the authentication capability to the Simple Object Access Protocol (SOAP) binding. This service also authenticates a Web-service client (WSC) so that the WSC can obtain security tokens for interactions with other services, such as discovery or SSO services, at the same provider. If authentication succeeds, the final Simple Authentication and Security Layer (SASL) response contains the resource offering for the Discovery Service.

  • Liberty Personal Profile Service — A data service that stores and modifies a principal's identity attributes. This service maps a user profile's attributes—such as the user's first name, last name, and address—to the LDAP attributes in a data store. A WSC acting on behalf of the principal queries this service.

  • Discovery Service — A framework that describes and specifies identity Web services. This service enables a requesting entity, for example, a service provider (SP), to dynamically determine a principal's registered Web-service provider (WSP), such as an attribute provider. Typically, an SP queries this service, which responds with a resource that describes the requested WSP. That resource defines the associations between a piece of identity data and the service instance that offers access to that data.

    The Discovery Service includes Java technology-based and Web-based interfaces. It is bootstrapped with Liberty ID-FF SSO or the Liberty ID-WSF Authentication Web Service.

  • SOAP Binding Service — The method of transport that conveys identity data between Web services. This service includes Java APIs through which a Liberty-enabled identity service sends and receives identity-based messages through SOAP, an XML-based messaging protocol. In addition, this service invokes the correct request handler class (specified by a service endpoint) to handle the messages.

  • Liberty Employee Profile Service — A data service, specified by the Liberty ID-SIS Employee Profile Service Specification (Liberty ID-SIS-EP), that defines an identity's profile as it relates to employment. An example is a corporate calendar or phone book. Access Manager has adopted the Liberty ID-SIS-EP by developing a sample that includes the files for deploying and invoking this service. Note that this service, which is not part of Access Manager, must be deployed separately to become available.

Q: Can I create customized IDP login pages for an SP?

Yes. With Access Manager, you can set up login pages with JavaServer Pages (JSP) templates and Java resource bundles. Furthermore, you can configure the pages per locale, service, or application to provide branding for the SPs.

Q: What utilities does Access Manager include for creating and maintaining federated connections? Could you describe the capabilities of those utilities?

Both Access Manager and Federation Manager provide an administration graphical user interface (GUI) and a CLI. With those tools, you can centrally manage identity profiles, access privileges, policies, and service information. From the Access Manager Administration Console or CLI, administrators with different access levels can configure federation data, that is, create, delete, or modify authentication domains and providers. Typical tasks are:

  • Defining Circles of Trust
  • Configuring IdPs, SPs, and Web services

In addition, Access Manager includes a software development kit (SDK) with public interfaces that invoke Access Manager capabilities from Java technology-based or C-based applications—capabilities that can be extended through software programming interfaces (SPIs).

Q: Can I run Secure Sockets Layer (SSL) or Transport Layer Security (TLS) over directory connections with Access Manager and Federation Manager?

Yes. Access Manager and Federation Manager support SSL at all levels (HTTP and LDAP), including the connections to the user directory if required.

Q: Could you describe the procedure for establishing a partner connection from the IdP and SP side of a federation?

Currently, a console interface exists for SAML 1.x and Liberty ID-FF partner configuration, and a CLI exists for SAML 2.0. To create an ID-FF federation, build a Circle of Trust and an Entity, which can be an IdP or SP. Next, add the Entity to the Authentication Domain. As the administrator, you must ensure consistency between the local providers and the remote partners, for example, by configuring both sides to use the POST profile.

The SAML 2.0 case is similar. However, you must generate template XML metadata files, manually edit them, and import them into the system through the CLI.
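Because the SAML 2.0 metadata files are edited by hand before import, the consistency the previous answer calls for is easy to lose: one side demands signed requests the other does not send, or the two sides disagree on the POST profile. The following is an added example, not a utility shipped with Access Manager or Federation Manager, that cross-checks a local SP descriptor against a remote IdP descriptor before the CLI import. Both EntityDescriptor documents are constructed (the certificate value is a placeholder), and the binding the SP uses to send AuthnRequests is a local configuration value assumed here, since metadata does not record it.

```python
"""Cross-check a local SP's SAML 2.0 metadata against a remote IdP's before import.

Added example, not a utility shipped with Access Manager or Federation
Manager. Both EntityDescriptor documents are constructed, and the binding
the SP uses to send AuthnRequests is a local configuration value assumed here.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed remote IdP metadata (the certificate value is a placeholder).
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/am">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/am/SSOPOST"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/am/SSORedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed local SP metadata as edited by hand; note the AuthnRequestsSigned
# value, which does not match what the IdP demands.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.com/fm">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://sp.example.com/fm/Consumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def idp_has_signing_key(idp_role):
    """True if a KeyDescriptor usable for signing carries an X.509 certificate."""
    for kd in idp_role.findall("md:KeyDescriptor", NS):
        usable = kd.get("use") in (None, "signing")
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if usable and cert is not None:
            return True
    return False


def check_pair(idp_xml, sp_xml, sp_request_binding=HTTP_REDIRECT):
    """Return a list of findings; an empty list means the pair is consistent."""
    idp, sp = ET.fromstring(idp_xml), ET.fromstring(sp_xml)
    idp_role = idp.find("md:IDPSSODescriptor", NS)
    sp_role = sp.find("md:SPSSODescriptor", NS)
    if idp_role is None or sp_role is None:
        return ["role: IDPSSODescriptor or SPSSODescriptor missing"]
    findings = []

    if idp.get("entityID") == sp.get("entityID"):
        findings.append("entityID: IdP and SP share one entityID")

    # The SP insists on signed assertions, so the IdP must publish a signing key.
    if sp_role.get("WantAssertionsSigned") == "true" and not idp_has_signing_key(idp_role):
        findings.append("signing: SP wants signed assertions but IdP publishes no signing certificate")

    # Request-signing expectations must agree in both directions.
    if idp_role.get("WantAuthnRequestsSigned") == "true" and sp_role.get("AuthnRequestsSigned") != "true":
        findings.append("signing: IdP wants signed AuthnRequests but SP declares AuthnRequestsSigned=false")

    # POST profile: the SP's default AssertionConsumerService must accept HTTP-POST.
    acs = sp_role.findall("md:AssertionConsumerService", NS)
    default_acs = [e for e in acs if e.get("isDefault") == "true"] or acs[:1]
    if not default_acs or default_acs[0].get("Binding") != HTTP_POST:
        findings.append("binding: SP default AssertionConsumerService is not HTTP-POST")

    # The IdP must expose an SSO endpoint for the binding the SP sends requests with.
    sso_bindings = {e.get("Binding") for e in idp_role.findall("md:SingleSignOnService", NS)}
    if sp_request_binding not in sso_bindings:
        findings.append("binding: IdP offers no SingleSignOnService for %s" % sp_request_binding)

    # Every published endpoint on either side must be served over TLS.
    for doc in (idp, sp):
        for elem in doc.iter():
            location = elem.get("Location")
            if location and not location.startswith("https://"):
                findings.append("transport: %s is not https" % location)
    return findings
```

Run against the two constructed files, the check reports exactly one finding, the AuthnRequestsSigned mismatch; flipping that one attribute in the SP file clears it. Checks of this kind catch edits that would otherwise only surface as an opaque SSO failure after both sides have imported their metadata.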

The upcoming release will switch to a task-oriented approach, in which you will be guided through the process on the Administration Console. You'll be able to create a local IDP, a Circle of Trust, and remote providers without reentering data. For example, once you have configured a local IDP, you will be prompted to specify whether to create a remote SP in the same Circle of Trust with the same SAML 2.0 bindings. A most efficient and helpful interface!

Q: How do Access Manager and Federation Manager support scenarios in which federations require back-end data synchronizations among partners?

The answer depends on the federation standard in question and the implementation requirements.

For example, bulk federation as a back-end data synchronization is not part of the Liberty federation protocols. However, with Access Manager and Federation Manager, you can create identities at the partner site and automatically generate federation agreements for those users.

To keep attributes synchronized on an ongoing basis, you can use the Liberty Web-service infrastructure (the Personal Profile and Employee Profile services or custom-developed Web services). That infrastructure is part of the Liberty standard, and with those Web services you can selectively exchange user data with partner sites. Depending on the implementation requirements, you can also synchronize user data on demand in the same manner.

With the SAML standard, you can exchange user data within a SAML assertion. Configure this capability in an Access Manager attribute mapper, which defines which attributes are exchanged with the partner. Again, depending on the implementation requirements, you can synchronize user data on demand in the same manner.
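The security-relevant property of an attribute mapper is that it is an explicit allowlist on both ends: the IdP releases only the directory attributes it has mapped, and the SP accepts only the SAML attributes it has agreed to receive. The following is an added example, not the Access Manager attribute mapper itself, that shows both halves of that exchange. The directory entry and the two mapping tables are constructed, and the shape of the mapping (directory attribute name to SAML attribute Name, and back) is this example's assumption.

```python
"""Attribute mapping on both sides of a SAML 2.0 attribute exchange.

Added example, not the Access Manager attribute mapper. The directory entry
and both mapping tables are constructed; the mapping shape is assumed.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
ET.register_namespace("saml", SAML_NS)

# Constructed user entry as read from the IdP's directory. It deliberately
# contains attributes that must never reach a partner.
USER_ENTRY = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "cn": ["Jane Doe"],
    "memberOf": ["cn=staff,ou=groups,dc=example,dc=com",
                 "cn=vpn,ou=groups,dc=example,dc=com"],
    "userPassword": ["{SSHA}not-for-release"],
    "employeeNumber": ["10042"],
}

# IdP-side mapper (constructed): directory attribute -> SAML attribute Name.
# Anything not listed here is not released, whatever the entry contains.
IDP_MAPPING = {"mail": "EmailAddress", "cn": "DisplayName", "memberOf": "Groups"}

# SP-side mapper (constructed): SAML attribute Name -> local profile field.
# Anything the partner sends that is not listed here is dropped.
SP_MAPPING = {"EmailAddress": "email", "Groups": "groups"}


def build_attribute_statement(entry, mapping):
    """IdP side: serialise only the mapped attributes into an AttributeStatement."""
    stmt = ET.Element("{%s}AttributeStatement" % SAML_NS)
    for ldap_name, saml_name in mapping.items():
        values = entry.get(ldap_name, [])
        if not values:
            continue  # nothing to assert; do not emit an empty Attribute
        attr = ET.SubElement(stmt, "{%s}Attribute" % SAML_NS,
                             Name=saml_name, NameFormat=BASIC)
        for value in values:  # multi-valued attributes stay multi-valued
            ET.SubElement(attr, "{%s}AttributeValue" % SAML_NS).text = value
    return ET.tostring(stmt, encoding="unicode")


def extract_attributes(statement_xml, mapping):
    """SP side: read back only the attributes the partner agreement names."""
    root = ET.fromstring(statement_xml)
    profile = {}
    for attr in root.findall("saml:Attribute", NS):
        local_name = mapping.get(attr.get("Name"))
        if local_name is None:
            continue  # unexpected attribute from the partner; ignore it
        profile[local_name] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return profile
```

With the constructed entry, the serialised statement contains the e-mail address, display name, and both group values but neither the password hash nor the employee number, and the SP's profile ends up with only the two fields its own mapping names, even though the IdP also sent DisplayName.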

Both the SAML and Liberty standards enable user federation, whether or not an anonymous or predefined user account exists at the partner site.

Q: Could you describe the functional components in Federation Manager?

Here they are:

  • Federation Manager Console — This is a Web interface for managing authentication domains, provider metadata, and authentication.

  • SAML — These are SAML-related services, including artifacts and support for the POST profile and assertion queries.

  • Federation and associated Web services — These are services that comply with the Liberty ID-FF and ID-WSF specifications. The capabilities include federation and SSO, single logout, termination of federation, name registration, and support for the Common Domain. The associated Web services include a SOAP binding service, a discovery service, a personal profile service, and an authentication service.

  • Authentication — This is a Java Authentication and Authorization Service (JAAS)-based framework.

  • Session — This component manages sessions for SP applications.

  • Logging — This component enables activity logs for auditing—logs you can store in flat files or Java Database Connectivity (JDBC)-compliant databases.

  • Agents — This component enables applications to participate in the federation protocol.

  • APIs — These APIs enable interactions among the SSO, logging, SAML, Liberty ID-FF, and authentication components. Also included are APIs that build Web services (Liberty ID-WSF) for clients and providers.

  • SPIs — These are interfaces into which applications can insert their custom logic. For example, one SPI tackles post-federation processing tasks; another handles tasks that follow successful single logouts.

Q: What monitoring tools are available in Federation Manager? What type of activity is logged?

Federation Manager maintains a history of all event data to meet specific requirements for auditability and to ensure regulatory compliance. As for logging, Federation Manager writes the logs to a file system or database and supports third-party reporting.
