
From the Trenches at Sun Identity, Part 3: Federated Access Management Simplified

By Marina Sum, April 10, 2008

See also:

Part 1: Access Management for Web Applications
Part 2: OpenSSO, a Thriving Community
Part 4: Virtual Federation, a Pioneering Way for Exchanging Authentication Data
Part 5: Support for OpenSSO
Part 6: Identity Services for Securing Web Applications
Photo: Daniel Raskin, senior product line manager, access and federation management, Sun Microsystems

Daniel Raskin, senior product line manager for access and federation management at Sun, joined the company in 2005 after a global business-focused stint at McGraw-Hill. He was product line manager for Sun Java Enterprise System before taking up his current position a year and a half ago.

In this interview, Daniel talks about his dedication to simplifying federation and identity management tasks for enterprises and describes the key features of the upcoming Sun Federated Access Manager.

Why the Product Merge?

Federated Access Manager results from the integration of two products:

  • Sun Java System Access Manager 7.1, which encompasses access management, secure Web services, and federation capabilities

  • Sun Java System Federation Manager 7.0, which, as a subset of the Access Manager code base, offers the federation capability only

Daniel points out that the goal of the merge is to eliminate confusion and streamline Sun's identity management offerings. "We stick closely to our Java [technology] roots," he emphasizes. "The merged product, written in its entirety in [the] Java [programming language], is self-contained and delivers access management, secure Web services, and federation capabilities in one single deployment. Only one process runs in your environment. All you need to do is deploy the WAR file on your application server and the product will be up and running. No need to integrate anything—integration adds complexity. From then on, you'll have only one product to maintain and monitor."

Figure 1 illustrates the benefits and relationships.

Figure 1: Sun Federated Access Manager Capabilities at a Glance

Simplicity Is the Theme

"Traditionally, to keep up with the competition, developers of major federation and access products have focused on the next big thing, the next standard, the next acquisition, the next service, and volume," Daniel says. "Soon after assuming my identity product management role at Sun, I discovered that quality, that is, ease of use, was to an extent being overlooked. Volume is important, but let's also think about how to, for example, simplify configurations. Configuring multiple instances of a product is mundane and cumbersome. Any way we can configure only once and automate the process for the other instances? And do the same for the other configurations—SPs [service providers], agents, and so forth?"

Often, the people who are tasked with configurations are technologists. "But I'm not one myself," he grins. "My background is mostly business." Also, the security arena is becoming increasingly complex: Not only must enterprises set up internal access-management infrastructures, but they must also secure external applications and Web services shared with partners, and worry about scalability. Ultimately, with time ever at a premium, "we must build simple and effective solutions that can handle repetitive tasks accurately, efficiently, and seamlessly," Daniel advocates.

Capabilities That Offer Simplicity, Speed, and Convenience

Daniel describes the Federated Access Manager capabilities that deliver simplicity and ease.

Fedlets
In conversations with customers, Daniel frequently hears the question "How do we quickly federate with partners, especially with third parties with whom we federate for the first time?" Bear in mind that some of the players involved are not technically savvy.

Federated Access Manager's answer is the Fedlet: a lightweight ("an 8.5-MByte footprint only"), self-contained ZIP file built from JavaServer Pages (JSP) technology and federation metadata that can be deployed fast ("in minutes"). For example, a bank can federate with a check-imaging SP so that the bank's clients can view and print cancelled checks online. Fedlets make such a federation repeatable: at the outset, a task flow collects three or four inputs, namely the SP's name, the destination for the Fedlet, and the basic attributes to share with the SP. All the SP then needs to do is add the Fedlet to its application, build a Web archive (WAR) file, and deploy it.

Note also these benefits:

  • Fedlets run on both the Java and .NET platforms.

  • Fedlets function like filters and require no configuration on the SP side.

  • No full-fledged federation software comes into play on the SP sites—not even for SPs who federate with numerous identity providers (IdPs).
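Because a Fedlet acts as a filter in front of the SP application, the security of the whole federation rests on the checks that filter applies to the SAML Response it receives from the IdP. The following is an added illustration in Python, not Fedlet code or any Sun API, of those trust checks: issuer, validity window with bounded clock skew, audience restriction, and a one-time InResponseTo match to defeat replay. The entity IDs and the sample Response are constructed for the example. XML-Signature verification must run before any of these checks and is assumed to be done by an XML security library; it is not shown here.

```python
# Added example (Python, not Fedlet or Sun code): the trust checks an SP-side
# SAML 2.0 filter must apply to an inbound Response before accepting the identity.
# XML-Signature verification must precede these checks and is assumed to be done
# by an XML security library; it is not shown here. Entity IDs are hypothetical.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ENTITY_ID = "https://idp.bank.example/idp"          # hypothetical IdP entity ID
SP_ENTITY_ID = "https://checkimaging.example/sp"        # hypothetical SP entity ID
CLOCK_SKEW = timedelta(minutes=3)                       # tolerated IdP/SP clock drift


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2008-04-10T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, outstanding_request_ids, now):
    """Return the asserted NameID, or raise ValueError naming the failed check.

    outstanding_request_ids: set of AuthnRequest IDs this SP issued and has not
    yet consumed; the matching ID is removed on success so a replayed Response
    is rejected.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]

    # Issuer: the assertion must come from the IdP we federated with.
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != IDP_ENTITY_ID:
        raise ValueError("unexpected Issuer")

    # Validity window, with bounded tolerance for clock skew.
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("Assertion lacks Conditions/NotOnOrAfter")
    if cond.get("NotBefore") and now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore")):
        raise ValueError("Assertion not yet valid")
    if now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("Assertion expired")

    # Audience: an assertion minted for another SP must not be accepted here.
    audiences = [e.text.strip() for e in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("Assertion not addressed to this SP")

    # InResponseTo: tie the Response to a request this SP actually sent (anti-replay).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    in_response_to = scd.get("InResponseTo") if scd is not None else None
    if in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo matches no outstanding AuthnRequest")
    outstanding_request_ids.discard(in_response_to)

    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise ValueError("Assertion has no NameID")
    return name_id


# Constructed sample for the bank / check-imaging scenario; not captured traffic.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s"
  ID="_r1" Version="2.0" IssueInstant="2008-04-10T12:00:00Z" InResponseTo="_req42">
  <saml:Issuer>%(idp)s</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="%(ok)s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-04-10T12:00:00Z">
    <saml:Issuer>%(idp)s</saml:Issuer>
    <saml:Subject>
      <saml:NameID>client-8841</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
          NotOnOrAfter="2008-04-10T12:05:00Z" Recipient="%(sp)s/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2008-04-10T11:59:00Z" NotOnOrAfter="2008-04-10T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>%(sp)s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % {"samlp": NS["samlp"], "saml": NS["saml"], "idp": IDP_ENTITY_ID,
                       "sp": SP_ENTITY_ID, "ok": SUCCESS}


def check(xml_text, request_ids, now_iso):
    """Wrapper that maps the outcome to ('ok', NameID) or ('rejected', reason)."""
    try:
        return ("ok", validate_response(xml_text, request_ids, parse_saml_time(now_iso)))
    except ValueError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    pending = {"_req42"}
    print(check(SAMPLE_RESPONSE, pending, "2008-04-10T12:01:00Z"))    # accepted
    print(check(SAMPLE_RESPONSE, pending, "2008-04-10T12:01:00Z"))    # replay: rejected
    print(check(SAMPLE_RESPONSE, {"_req42"}, "2008-04-10T12:10:00Z"))  # expired
```

The order of the checks matters less than their completeness: an assertion that is signed by the right IdP but addressed to a different SP, or presented a second time, must still be refused. The outstanding-request set is the SP's only defence against replay of an otherwise valid Response, so in a real deployment it has to live in server-side state shared by every node that terminates the federation.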

Virtual Federation
"Virtual federation is what I call pragmatic federation," Daniel says. "Large enterprises invariably point to SSO [single sign-on] as their goal, but that's not easily achievable because of the roadblocks caused by legacy applications. And since when has it ever been a high priority to fix them up in any enterprise? The realistic scenario is that many companies can't completely achieve SSO and the federation issue persists."

"The practical thing to do is to effect multiple sign-ons without attempting to resolve the legacy issues," Daniel continues. "In other words, federate with best practice and deploy federation at every point." Federated Access Manager implements virtual federation as a centralized hub: one federation instance to which all applications, legacy or otherwise, point. The hub stores the federation information and handles every application, so the deployment behaves like a single product even though the applications themselves are never consolidated.

"That way, we reduce deployment and maintenance overheads and ensure that we implement SSO correctly the first time with no need for consolidation later on," Daniel explains.

Federation Validator
With the Federation Validator, you can test federated connections from the Administration Console: SSO between IdPs and SPs, single logout, account linking, and account delinking.

Security Token Service
Daniel calls federation and security of Web services "greenfield opportunities." Why? "Because flexibility is paramount," he replies. "Enterprises are usually organized in divisions internally and Web-service clients and providers must integrate with each other. The security token service functions as a central point for issuing, validating, and translating tokens—scalably and repeatedly, as necessary."

Furthermore, the service supports several identity standards (SAML, ID-FF, WS-Federation), translates tokens between those protocols, and accepts proprietary tokens such as those from Oracle Access Manager and CA SiteMinder. You can also deploy the security token service as a stand-alone component alongside third-party access management products.

Embedded OpenDS
Federated Access Manager embeds OpenDS, Sun's open-source project for a next-generation directory service. Currently, to deploy Access Manager, you must configure two data stores: a user store and a configuration store for policies.

"No such chore with Federated Access Manager," Daniel assures me. "When you deploy, you specify the default user store, OpenDS, or another directory service and then click a button. Two steps and you're done. Definitely, you can configure your own directory service, but why bother when you already get scalability and replication with Federated Access Manager and OpenDS?"

Open Source and Sun Support
All the related source files are open to the community on the OpenSSO site, and a wiki hosts plenty of ongoing dialog throughout the community.

Daniel adds that since Sun's recent acquisition of MySQL, the industry has been asking for commercial support of popular open-source projects like OpenSSO. In response to that demand, Sun will soon announce support for certain certified OpenSSO builds. Stay tuned.

Upcoming Workshop at CommunityOne

At CommunityOne 2008, Sun's free and open developer conference, to be held on Monday, May 5, at the Moscone Center in San Francisco, California, Daniel and his colleagues will present the following:

OpenSSO Workshop: Creating Federated Relationships with Software as a Service, Social Networking, and Web 2.0 Applications

He looks forward to your participation. Do sign up soon!

Marina Sum is a staff writer for Sun Developer Network. She has been writing for Sun since 1989, mostly in the technical arena. Marina blogs on Sun's products, technologies, events, publications, and unsung heroes.