
From the Trenches at Sun Identity, Part 6: Identity Services for Securing Web Applications

By Marina Sum, August 18, 2008
See also:
Part 1: Access Management for Web Applications
Part 2: OpenSSO, a Thriving Community
Part 3: Federated Access Management Simplified
Part 4: Virtual Federation, a Pioneering Way for Exchanging Authentication Data
Part 5: Support of OpenSSO
Part 7: Security for Web Services
Part 8: Quality Assurance

— Aravindan Ranganathan, software architect, Sun Microsystems

Aravindan Ranganathan, a software architect at Sun, joined the company in 1994 and worked on the Solaris Operating System for six years before switching his focus to the identity arena in 2000. For the past year, he's been designing and developing identity services for OpenSSO, Sun's open-source project for access management, federation, and secure Web services.

Identity services are the theme of an ongoing Sun Developer Network (SDN) series, which readers say they enjoy. Recently, Aravindan met with me to talk about the background of identity services, their capabilities and benefits, and an important upcoming feature: integration with federation.

Background

Sun's flagship product for managing Web access and achieving federation is Sun Java System Access Manager (henceforth, Access Manager), complete with robust interface support for Java APIs. In 2005, it became available in open source as OpenSSO, a popular project that currently boasts 700 members. Presently, work focuses on merging Access Manager and Sun Java System Federation Manager into OpenSSO as a single product, due for release later this year.

Since the advent of Web 2.0 a couple of years ago and with the increasing popularity of non-Java scripting languages, such as PHP, Ruby, and C#, developers have been clamoring for related APIs for calling into Access Manager. "They want something that's easy to learn and to use and that would necessitate only a few tweaks to their script code. Agility is key," says Aravindan. Identity services are Sun's answer.

"Jamie Nelson [Sun's director of engineering for access and federation management] got it right," Aravindan adds, referring to an SDN interview with Jamie published in March. "Many application developers don't tackle security and federation until they are down to the wire in the cycle. Before, if they'd been programming in a language other than Java, they couldn't take advantage of Access Manager. Soon they can: Identity services, now available in OpenSSO, will be part of the upcoming merged product, which will manage agents with those interfaces."

Part 1 of the identity-service series contains more details on the background.

Capabilities

"Simplicity is the principle behind the architecture of identity services," Aravindan goes on. "Right off the bat, we decided to base the interfaces on Simple Object Access Protocol [SOAP] or Representational State Transfer [REST], both of which enjoy support by tools like IDEs [integrated development environments] all over. Really, all you need is a socket or the Internet protocol suite, TCP/IP."

What do identity services do for Web applications? They perform tasks that relate to four security-related categories:

  • Authentication, single sign-on (SSO), and logout, the basic functions for protecting Web applications.

  • Creation, management, and deletion of user accounts and attributes, called CRUD: create, read, update, and delete.

    The entire life cycle of user access management, such as that for an employee, is known as provisioning, which is outside the scope of identity services. In the case of an employee, provisioning encompasses the process that approves that person's intranet access when employment begins and that terminates the access when employment ends. Sun Identity Manager, whose recently released version 8.0 is free for download, handles provisioning from start to finish.

  • Authorization, sometimes referred to as policy management, which specifies who can access what sites and perform what actions there.

    Currently, the identity-service interface for upfront authorization is available in OpenSSO. For details, see Part 2 of the identity-service series. In the works are the capabilities for creating and managing policies.

  • Auditing, the mechanism with which to track and record user activities, such as purchase transactions on an eCommerce site.

Benefits

Aravindan points to efficient development as the number-one benefit of identity services. "SOAP and REST have been around for years and are widely supported by developer tools. You need not depend on external software to make things work—no client SDK, toolkit, or library, which often brings along a baggage of configuration chores and uncertainties. The learning curve for identity services is mild and its nuances intuitive."

Furthermore, identity services work as "behind-the-scenes plumbing," transparent, noninterfering, and unobtrusive. Developers simply add calls to complete the interfaces and are free to design the related front-end UI for their applications. "So, programmers get to program and designers get to create the UI. After all, they specialize in those tasks," says Aravindan.

Integration With Federation

"Identity services do not offer a federation capability," Aravindan points out. "Why would we reinvent the wheel? The upcoming merged product will make your enterprise federation-capable. It will support numerous protocols: Security Assertion Markup Language (SAML) 2.0, Identity Federation Framework (ID-FF) from Liberty Alliance, WS-Federation. Federating with partners will be straightforward and seamless, as mentioned by Daniel Raskin, a Sun senior product line manager, in a previous interview."

How will the integration of identity services with the new, merged product work? Aravindan cites a typical scenario:

  1. A service provider (SP) redirects a user to the identity provider (IdP) to log in.

  2. After successful authentication, the user will be redirected to the SP with a SAML or Liberty token, as the case might be.

  3. At the SP, the SAML or Liberty token will be validated and an authenticated token issued. That token then triggers the appropriate identity services to perform the other security-related tasks: authorization, auditing, and so forth.
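As an added example (not code from the article or from the OpenSSO project), here is the SP side of step 3 in Python: once OpenSSO has issued its own session token, the application calls the REST identity services for token validation, authorization and logout, parsing the key=value replies and failing closed on anything that is not an explicit true. The base URL is an assumption, and the endpoint paths, parameters and reply format follow OpenSSO's REST identity-service interface as documented at the time, so verify them against your deployment.

```python
# Added example; not from the article or the OpenSSO project. Assumes an OpenSSO
# deployment at BASE_URL; endpoint names, parameters and the key=value reply
# format follow OpenSSO's REST identity services (verify against your server).
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.com/opensso"  # assumed deployment URL


def parse_identity_response(body: str) -> dict:
    """Parse the newline-separated 'key=value' body the services return.
    Session tokens can contain '=' themselves, so split on the first '=' only."""
    result = {}
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            result[key] = value
    return result


def identity_boolean(reply: dict) -> bool:
    """Fail closed: only the literal 'true' counts as a yes; a missing key,
    an error reply or any other value is treated as 'no'."""
    return reply.get("boolean") == "true"


def call_identity_service(name: str, params: dict, timeout: float = 10.0) -> dict:
    """POST to /identity/<name>; parameters travel in the body so the session
    token is not written into web-server access logs as part of a query string."""
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(f"{BASE_URL}/identity/{name}", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_identity_response(resp.read().decode())


def token_is_valid(token: str) -> bool:
    return identity_boolean(call_identity_service("isTokenValid", {"tokenid": token}))


def is_authorized(token: str, uri: str, action: str = "GET") -> bool:
    """Ask the policy service whether the token's subject may perform action on uri."""
    params = {"uri": uri, "action": action, "subjectid": token}
    return identity_boolean(call_identity_service("authorize", params))


def logout(token: str) -> None:
    call_identity_service("logout", {"subjectid": token})
```

A request that returns an error body (or nothing) yields no `boolean` key, so `is_authorized` and `token_is_valid` answer False rather than letting the request through.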

Tighter integration with federation protocols is being planned. Once it's complete, OpenSSO will announce the news. Stay tuned.

Marina Sum is a staff writer for Sun Developer Network. She has been writing for Sun since 1989, mostly in the technical arena. Marina blogs on Sun's products, technologies, events, publications, and unsung heroes.