Sun Java System Identity Solution
Stuart Sim
Chief Architect
Sun Proprietary/Confidential: Internal Use Only
Agenda
• Business Drivers for Identity Management
• Sun’s Identity Management Solution
• Sun Java System Access Manager Overview
> Authentication Services
> Federation Services
> Auditing Services
> SSO for non web apps
• Sun Java System Identity Server Overview
> User Provisioning
Sun's Identity Management Suite
• Comprehensive software solution that includes
> Directory Services
> Access Control, Single Sign-On, Federation
> Provisioning and Identity Synchronization Services
> Identity Auditing
• Open, Integrated, “Integrate-able” to reduce cost, complexity
[Diagram: Identity Manager, Directory Server Enterprise Edition, Access Manager]
Access Manager 6.3
Core
✗ Auth (LDAP, Radius, AD, etc.)
✗ SSO (CDSSO, SAML 1.1, Liberty)
✗ Authorization (Role Mgt, Policy)
Liberty Alliance Compliant
✗ Phase 1 & 2 (FF,
Access Management Today:
Fragmented, Insecure, Costly
[Diagram: Employees, Customers and Partners accessing Web Services, Directories, Databases, Business Applications and Custom Systems]
● Who has access to what resource?
● What can users do with that access?
● How much does secure access cost me?
● How do I quickly deploy new services?
● How do I comply with laws
Sun Java Enterprise System
• Sun Java Enterprise Suites
> Application Platform Suite
> Communication Suite
> Availability Suite
> Infrastructure Suite
> Identity Management Suite
• Original "Business model"
> Pricing per employee
> Included license, service and support
> RTU (employee, client)
• Multi-platforms
> Solaris SPARC and x64, Linux RedHat AS 2.3
> Windows 2003, HP-UX
Solution: Sun Java Access Manager
● Increase enterprise-wide security
● Reduce complexity and operational costs
● Open access to customers, partners
● Provide a foundation for compliance
Access Manager: Functional Overview
• Single sign on to web, J2EE resources
• Centralize policy based authentication and authorization
• Enable distributed authentication and policy enforcement
• Audit and log all authentication events
• Platform for enabling identity based web services
Centralized Authentication Services
• Leverage existing authentication mechanisms
• Centrally manage, establish user identity
> Over 15 mechanisms out of the box - LDAP, Active Directory, JDBC, SAML, others
• Adapt using custom modules as needed
Distributed Authentication Services
• Flexible deployment model
> Deploy authN mechanisms in the DMZ or behind the firewall
> Customize presentation, credential extraction
• Create high performance, secure AuthN
Centralized Policy Services
• Flexible, comprehensive policy decision engine
> Centrally define, manage authorizations
> Easily extend authorizations to new applications
> Base access controls, authorizations on roles, user profiles
• Create a central point of control
> Easier to audit usage
> Easier to handle role/policy exceptions
> Easier to make dynamic access decisions
• Define granular controls
> Control access to specific end points
Centralized Policy Services
• Define Resource Realms
> Create a virtual delegation hierarchy for managing resources
> Delegate policy administration based on realms
• Flexible policy deployment model
> Decouple underlying directory structure from policy
Distributed Policy Services
• Provide policy enforcement at the point of access
> Easily adapt centralized policy capabilities onto existing applications
> Provide deeper, fine grained enforcement of policy
> Leverage system capabilities
• Provide centralized policy enforcement
Centralized Audit Services
• Centrally track all AuthN, AuthZ events
• Provide easy to manage proof points
> Who had access, who granted that access
> What systems did they access
> What functions did they perform
> When did they perform those functions
• Standards-based implementation
Access Manager Architecture
[Diagram: Access Manager Services (Authentication, Authorization/Policy, Single Sign-On, Auditing, Federation) layered over existing resources, applications and data stores, with flexible administration (CLI and GUI), centralized audit logging and reporting]
Access Manager Architecture
• Open
> Unique J2EE architecture
> Commitment to open standards and APIs - JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
• Integrated
> Leverage the strengths of Sun's market leading Identity Management platform
> Reuse services, functionality
• Integrate-able
> Deploys seamlessly into your existing environment
> Data store independent
Access Manager: Extended Integration
• Leveraging your existing network
> Integration with smartcards, tokens, certificate providers
> Reliable integration with enterprise applications
> Superior integration with system management, monitoring
Liberty Platform Requirements
• Trust Relationships
> Infrastructure entities – Identity Provider (IDP) and Service Provider (SP)
> Trust Circle (PKI trust root/paths)
• Confidentiality and Integrity
> Secure back-channel (TLS, SSL or VPN)
> XML signatures
• Peer Authentication and Authorization
> Server-side certificates
• Session State Management
[Diagram: Web Service SSO service flow – User, Liberty-enabled SMS gateway, Principal, Discovery Server (DS), Identity Provider (IDP), 3rd party AP and Content Provider exchanging Liberty ID-WSF messages (steps A–K) across the Circle of Trust, the security affiliation zone and the untrusted zone; SSOs not specified by Liberty are marked]
Legacy & Web Service SSO service
SMS to Web Service SSO
Deployment Environment
Sun Java System Federation
Agenda
• What is Federated Identity?
• Federation Business Drivers – The Virtual Campus
• Benefits of Identity Federation
• Sun's Federated Identity Management
• Sun Java System Federation Manager
What is Federated Identity?
“The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains.”
Burton Group, Identity and Privacy Strategies Research Report “Toward Federated Identity Management: The Journey Continues,” August 19,
Driving toward the Virtual Enterprise
• Reduce costs while increasing efficiency
• Increase quality of service for your users
• Increase security
• Open your business to new opportunities
Business Drivers for Federation
• Open Access without risk
> Externalize and integrate applications in order to tap into new, larger user communities
• Improve Quality of Service
> Provide seamless, secure access to ensure user confidence and aggressive adoption
• Increase revenue opportunity
Benefits of Federation
• Secure yet open access
> Easy integration within the enterprise and with partners
> Secure, reusable framework based on open standards
• Enhanced user experience
> Create more responsible users
Sun's Work in Federation
• Catalyst for Liberty Alliance Project
> Co-founder in Sept 2001
> First to implement Liberty specifications in product
> First to have product certified as “Liberty Interoperable”
• Leader in development of SAML
> OASIS SSTC Chair
> Drove standards convergence of Liberty ID-FF 1.1 and SAML
> Demonstrating leadership through SAML interop events
• Development of Shibboleth Connectors for Edu Community
• Strong and ongoing investment and executive commitment
Unique Characteristics
• Broadly implementing Liberty, SAML, and web services standards
> ID-FF1.2, SAML 1.1, SAML 2.0, ID-WSF1.0
> Focus on multi-protocol environments
• Focuses on enabling complex, multi-party federations
> Solves common, out of band issues
> Delivers common operational functionality
• Integrated with other suite components (Identity Manager SPE) to provide:
Federated Identity Solution: Sun Java System Access Manager and Federation Manager
• Deploy at the identity provider or identity consumer site
• Link identity data across sites
• Share authentication via Liberty/SAML
[Diagram: Trusted Domain – Sun Java System Access Manager (Authentication, Authorization, Single-sign-on, Federation, Logging, Session) and Sun Java System Federation Manager acting as Identity Provider and Service Provider over the Web Service Framework, delivering consistent identity, pervasive trust, reusable security, federated session management, automated identity federation and extranet single-sign-on]
Agenda
● Business Drivers for Identity Management
● Sun’s Identity Management Solution
● Sun Java System Identity Manager
– Automated User Provisioning
– Password Management
– Identity Synchronization
● Why Sun, Why Identity Manager
– Customer Successes
– Integration Partners
– Business Justification
Dynamic Identity Life Cycle
New Users
● User info entered in HR or user self-registers
● Accounts provisioned to enterprise systems, applications, directories
● Non-digital resources assigned and/or initiated
Change Events & User Support
● Job/role/status changes
● Password changes and resets
● Profile information changes
● Additional requests for account access or non-digital resources
Users Leave
● Student status updated in SIS
● Student contact changes
● Admin closes account
● Accounts disabled & removed
● Non-digital resources retrieved
Sun Java System Identity Manager
● Automated user provisioning to improve operational efficiency and enhance security
● Secure, automated password management to improve service levels and lower costs
● User self-service and delegated administration to lower support costs
● Automated data synchronization to lower workloads associated with handling change
● Non-invasive, flexible architecture to speed deployment and ROI
● Comprehensive auditing and reporting to improve security compliance
A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle
Sun Java System Identity Manager
[Diagram: Unified Identity Console over Automated User Provisioning, Password Management and Identity Synchronization; Virtual Identity Manager with Auto-Discovery; Role and Policy Management, Delegated Admin Views, Rules Engine, Workflow, Dynamic Toolkit, SPML; Self-Service Interfaces and Audit Reporting; Agentless Adapters to Enterprise Package Applications, Custom Applications, Non-Digital Assets, Operating Systems, Mainframes, Databases and Directories]
Provisioning Today: Fragmented, Manual and Insecure
[Diagram: Students, Teachers, Parents and Former Students handled through the Human Resources System, Call Center, Facilities/Purchasing and Help Desk into Siebel CRM, Oracle Financials, Exchange and Active Directory and other assets; chargeable assets include mobile phone/service, conference call account, credit card, office space, phone and laptop]
● Where are my risks?
● Who has access?
● What recurring charges am I still paying for?
Provisioning with Sun: Streamlined, Automated and Secure
[Diagram: Students, Teachers, Parents and Former Students provisioned through Sun into Siebel CRM, Oracle Financials, Exchange and other assets]
Identity Manager’s Automated Provisioning Highlights
● Granular delegated administration
● Web-based self-service
– With automated change approval processes
● Robust audit and reporting
● Role based access control
● Rule-based provisioning
– Business policy enforcement through automated rule evaluation
● Multi-step, complex provisioning
● Authoritative feeds from HR applications and directories
● Agentless adapters
– Out of the box for leading enterprise systems & applications
– Ref Kit and samples for custom adapter development
Password Management Today: Costly, Labor-Intensive and Painful
[Diagram: Users (Students, Teachers, Parents, Temporary Students), Process (Help Desk) and Environment (Oracle Financials, Exchange and Active Directory, Siebel CRM, Unix, Human Resources System, PeopleSoft, RACF)]
● Expensive, manual process
● Pattern of reset-request peaks
● Users limited to service during help desk hours
● Users have to remember
Password Management with Sun: Cost-Effective, Quick, and Convenient
[Diagram: Users (Students, Teachers, Parents, Visiting Students), Process (Interactive Voice Response (IVR)) and Environment (Oracle Financials, Exchange and ...)]
● Automated process
● Available to users anytime, delivered how they work
● Users only have 1 set of credentials to remember
Identity Manager’s Password Management Highlights
● Self-service password reset & synchronization
● Convenient access through
– Web browser
– IVR system
– Network log-in (Windows)
● Automated password policy enforcement
– Password history store
– Password exclusion dictionary
● Help desk integration to track password-related activity
● Agentless adapters
– Out of the box for leading enterprise systems & applications
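The two policy controls named above, a password history store and an exclusion dictionary, are easy to get subtly wrong (storing old passwords in the clear, or comparing only exact dictionary words). The following is an added example written for this page, not Identity Manager code: the hashing scheme, the history depth, the rule names and the word list are assumptions, and the sample passwords are constructed.

```python
"""Password history store plus exclusion dictionary, as a small policy engine.
Added illustration only; not Identity Manager code."""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed PBKDF2 cost; the history holds salted hashes, never plaintext


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Per-user ring of salted hashes of the most recent passwords."""

    def __init__(self, depth=5):
        self.depth = depth
        self._entries = {}          # uid -> list of (salt, digest), oldest first

    def contains(self, uid, password):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self._entries.get(uid, []))

    def record(self, uid, password):
        salt = os.urandom(16)       # fresh salt per entry, so equal passwords do not collide
        entries = self._entries.setdefault(uid, [])
        entries.append((salt, _hash(password, salt)))
        del entries[:-self.depth]   # keep only the newest `depth` entries


class PasswordPolicy:
    def __init__(self, exclusion_words, min_length=8):
        self.exclusions = {w.lower() for w in exclusion_words}
        self.min_length = min_length

    def violations(self, uid, password, history):
        """Names of the rules the candidate breaks; an empty list means accepted."""
        found = []
        if len(password) < self.min_length:
            found.append("too-short")
        lowered = password.lower()
        # Substring match, case-insensitive: "SunShine2024!" still contains "sun".
        if any(word in lowered for word in self.exclusions) or uid.lower() in lowered:
            found.append("excluded-word")
        if history.contains(uid, password):
            found.append("reused")
        return found


def change_password(policy, history, uid, password):
    """Apply the policy; only an accepted password is recorded in the history."""
    problems = policy.violations(uid, password, history)
    if not problems:
        history.record(uid, password)
    return problems


def demo():
    policy = PasswordPolicy(["password", "sun", "welcome", "acme"])   # constructed dictionary
    history = PasswordHistory(depth=3)
    out = {}
    out["first"] = change_password(policy, history, "alice", "Rk8#vbTq2Lm")
    out["reuse"] = change_password(policy, history, "alice", "Rk8#vbTq2Lm")
    out["dictionary"] = change_password(policy, history, "alice", "SunShine2024!")
    out["username"] = change_password(policy, history, "alice", "xAlice!9876")
    out["short"] = change_password(policy, history, "alice", "Zq1!")
    for pw in ("Hx2$plWn9Vc", "Ju7%dKqe3Bt", "Ms4&yRzo5Fg"):   # three accepted changes
        change_password(policy, history, "alice", pw)
    out["aged_out"] = change_password(policy, history, "alice", "Rk8#vbTq2Lm")  # fell off the ring
    return out
```

The history depth decides how soon an old password becomes reusable, so `aged_out` succeeds after three accepted changes with a depth of three; raise the depth to lengthen that window.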
Identity Synchronization Challenges
● Migration to a directory-based infrastructure
● Maintenance of identity data to ensure attributes are accurate and consistent with other applications
Identity Synchronization: Why Migration?
● Today’s environment includes multiple identity data sources
● Trend toward simplification of IT environment with a directory-centric identity infrastructure
– Strategic initiatives, like portals, rely on directory infrastructure
– Re-usable architecture offers investment protection for new application development
[Diagram: RACF, Windows]
Identity Synchronization: Migration with Sun
[Diagram: Active Directory, RACF, Windows NT, Oracle RDBMS and Lotus Notes migrated over LDAP into Sun Java System Directory Server]
● Provides complete, automated data migration into new directories from existing repositories
– Discover & correlate for data cleansing and establishing of virtual identity
– Create directory containers & hierarchy
– Bulk actions for populating directories with user data
● Provides complete management of both
Identity Synchronization: Profile Management with Sun
[Diagram: an employee who gets married, changes name and changes address updates the profile through Self Service with HR Manager Approval; the change flows to Active Directory, Exchange, Siebel CRM, Human Resources System, Oracle Financials, Payroll Systems and Partners, reaching Partners, Executives, Sales, Marketing, Operations, Employees and Customers; a New Hire Application follows the same path]
● Efficient, automated operations
Identity Synchronization:
System-to-System Updates Today
[Diagram: Custom Application, Extranet Directory, Exchange and Active Directory, CRM, Human Resources System, ERP and Payroll Systems, each updated separately]
● Data silos independently owned and manually administered
● Manual updates, if occurring, are error-prone
● Inconsistent identity information across the enterprise
Identity Synchronization:
System-to-System Updates with Sun
Employee got promoted
● New Title
● New Job Code
● New Pay Grade
● New Department
[Diagram: the change propagated from the Human Resources System to Corporate LDAP, Exchange and Active Directory, ERP and the Payroll System]
● Update ERP with new Job Code
● Modify access privileges to ensure separation of duty
● Update Pay Grade as it impacts salary
● Update AD with new Department, Title, Job Code
● Modify home directory and move location of network files for employee
● Modify message database account size for employee
● Update LDAP with new Department, Job Code, Title for use by
Identity Manager’s Identity Synchronization Highlights
● Auto-Discovery to create a unified Virtual Identity
● Automated and scheduled detection of change
● Synchronization between heterogeneous data sources
● Identity data transformation
● Granular, flexible authority assignment
● Web-based self-service
– Delegation to end-users with automated change approval processes
● Resource adapters
– Out of the box for leading enterprise systems & applications
– Out of the box schema maps
– Ref Kit and samples for custom adapter development
Identity Platform Service: Auto-Discovery
● Logical management of multiple disparate identities
● Reduces risk of “orphaned” privileges
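The "orphaned privileges" risk above, and the joiner/mover/leaver lifecycle slides earlier in the deck, come down to one reconciliation: correlate the accounts discovered on each resource with the identities in the authoritative source, then flag what has no owner, what belongs to a leaver but is still enabled, and what an active user is missing. The following is an added example written for this page, not Identity Manager code; the record shapes, the correlation order (employee ID, then e-mail, then account name) and the sample HR and account data are constructed assumptions.

```python
"""Reconcile discovered accounts against an authoritative identity feed.
Added illustration only; not Identity Manager code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    """One record from the authoritative source (the HR feed)."""
    uid: str
    employee_id: str
    email: str
    status: str            # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    """One account discovered on a managed resource; owner attributes may be absent."""
    resource: str
    name: str
    employee_id: str = ""
    email: str = ""
    enabled: bool = True


def build_index(identities):
    return {"empid": {i.employee_id: i for i in identities},
            "email": {i.email.lower(): i for i in identities},
            "uid": {i.uid: i for i in identities}}


def correlate(acct, index):
    """Correlation rule, strongest attribute first: employee ID, then e-mail,
    then account name equal to the uid. Returns the Identity or None."""
    return (index["empid"].get(acct.employee_id)
            or index["email"].get(acct.email.lower())
            or index["uid"].get(acct.name))


def reconcile(identities, accounts, required):
    """Classify discovered accounts and list required accounts that are absent.
    'orphans' have no owner at all; 'stale' belong to a leaver but are still enabled;
    'missing' are active identities without an account on a required resource."""
    index = build_index(identities)
    report = {"matched": [], "orphans": [], "stale": [], "missing": []}
    provisioned = set()
    for acct in accounts:
        ident = correlate(acct, index)
        if ident is None:
            report["orphans"].append((acct.resource, acct.name))
        elif ident.status == "terminated" and acct.enabled:
            report["stale"].append((acct.resource, acct.name, ident.uid))
        else:
            report["matched"].append((acct.resource, acct.name, ident.uid))
            provisioned.add((acct.resource, ident.uid))
    for ident in identities:
        if ident.status == "active":
            for res in required:
                if (res, ident.uid) not in provisioned:
                    report["missing"].append((res, ident.uid))
    return report


def demo():
    # Constructed HR feed and discovered accounts.
    hr = [Identity("alice", "E100", "alice@example.test", "active"),
          Identity("bob", "E101", "bob@example.test", "terminated"),
          Identity("carol", "E102", "carol@example.test", "active")]
    found = [Account("ldap", "alice", employee_id="E100"),
             Account("ldap", "bob", employee_id="E101"),               # leaver, still enabled
             Account("ldap", "svc_backup"),                            # no owner anywhere
             Account("ad", "a.liddell", email="Alice@Example.Test"),   # correlated via e-mail
             Account("ad", "bob", employee_id="E101", enabled=False),  # leaver, already disabled
             Account("crm", "carol")]                                  # correlated via uid
    return reconcile(hr, found, required=["ldap", "ad"])
```

Run against a real feed, the `stale` list is the deprovisioning queue and `orphans` is the list nobody can vouch for; both are the entries an auditor asks about first.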
Identity Platform Service: Virtual Identity Manager
● Minimizes deployment time
● Eliminates operational challenges
● Manage centrally, enforce locally
Identity Platform Service: Agent-less Adapters
[Diagram: agent-less connectors to Unix Systems, Custom Applications, RDBMS, Directories, Mainframe and Package Applications; a gateway Agent for NT/ADS; Custom Application Resource Adapter Wizard]
Unified Identity Console
● Web-based interfaces for administrators and end-users
– Smart Forms are interactive web-based forms with embedded logic to assist the user navigation
– Delegated administration views based on granular delegation for scope, capabilities, data sources and data
● Self-service for self management of accounts, assets, passwords, and profile data
● Administrators
– Define and manage: role models, policies, delegation assignments
– View and act on identities
● Comprehensive reporting
Identity Manager Physical Architecture
[Diagram: J2EE application on any app server with a Virtual ID Store (JDBC/LDAP); end-user self-service and approving managers over HTTPS from any web browser; Help Desk trouble ticket creation, HR authoritative source (JMAC/ABAP/JDBC), external workflow (WSBPEL) and SMTP notification; agent-less connectors (Custom JDBC API, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC, SSH) and a gateway agent to Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS, NT/ADS, an Asset Database/Directory (laptop serial number, office number, mobile service plan, mobile phone model, conference call account, credit card) and Partner Web Apps]
Identity Manager Server Components
[Diagram: interfaces (IVR Interface, Business Process Editor, Console, SOAP/SPML, ActiveSync Adapters, Web GUIs) over a Session API; core services for Authentication, Authorization, Audit/Reporting, Object Cache, Repository Persistence, Resource Adapters, Reconciliation, Provisioning, Workflow and Reports]
Identity Manager Resource Connectivity Diagram
[Diagram: the J2EE application on any app server reaching Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS and Partner Web Apps through agent-less connectors (Custom JDBC API, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC, SSH), and NT/ADS and the Asset Database/Directory (laptop serial number, office number, mobile service plan, mobile phone model, conference call account, credit card) through a gateway agent]
Sun Java Identity System
Identity Manager Resource Adapter Types
✗ Agentless connectivity
  ✗ Easily integrated in existing environment
  ✗ Single maintenance point for upgrades
  ✗ Eliminates most technical/political objections
✗ Gateways where appropriate
  ✗ Crossing OS/API boundaries
  ✗ Follows platform interface requirements
  ✗ Provides compatibility over time using recommended APIs
✗ Custom Adapters
  ✗ Unusual or proprietary resources
  ✗ The RDK is a clean and efficient approach
Identity Manager Auditing and Reporting
✗ Every action in Identity Manager is logged
  ✗ Stored in the Identity Manager repository
  ✗ Discrete entries for each activity
  ✗ Allows for aggregate queries
✗ Extendable, i.e., signed logging
✗ Extended logging for compliance reporting
  ✗ Uses the "Audit" option in resource
Identity Manager Auditing & Reporting (cont.)
✗ Reporting types
  ✗ User and administrator
  ✗ Summary reports
  ✗ Usage
  ✗ Role
  ✗ Resource
✗ Report output options
  ✗ Ad-hoc
  ✗ Scheduled
  ✗ Visual
  ✗ Formatted for export
✗ Risk analysis reports
Identity Manager Interface Options
✗ Zero footprint Web-based applications
  ✗ Administrator Interface
  ✗ End user self-service
✗ SOAP/SPML
  ✗ Provides standards-based interface
  ✗ HTTP connectivity
✗ Java API for custom applications
✗ Console
  ✗ Scriptable
  ✗ Bulk processes
✗ IVR (legacy InnerVoice Bright)
Identity Manager Delegated Administration
✗ Capabilities
  ✗ Discrete: can be assigned to a user that performs only one function
  ✗ N-level delegation: can be assigned from one administrator to another, providing true "n-level" delegation
✗ Administrators are created
  ✗ Granular authority: any user can be an administrator
  ✗ User's administration privileges may be limited to a specific capability or to a specific organization
  ✗ Using the Web interface
Identity Manager Objects and Containers
✗ Users
✗ Resources
  ✗ Any external data managed by Identity Manager
✗ Roles and resource groups
  ✗ Contain multiple resources
  ✗ Control behavior
  ✗ Apply rules and policy
✗ Organizations and Virtual Organizations
  ✗ Virtual Organizations map to org structures in remote directories
✗ Relationships between objects and
The “Identity Grid”
[Diagram: Administration Services, Provisioning Services, Password Management, User Administration, Identity Synchronization, Policy Management, Transaction Services]
Sun Java System Directory Server
• Most widely deployed LDAP-based directory server – over 1.5 billion licenses sold
• Built-in security – prevents DoS attacks, controls access, intercepts unauthorized operations
• World-class performance and scalability – from entry-level to large-scale deployments
• Multi-master replication and failover for high availability
• Intuitive Web-based administration interface
• Password synchronization with Active Directory enhances security, improves service to users
• Open, standards based architecture reduces total cost of ownership
Secure, highly available, scalable and easy-to-manage directory services.
● Enhanced security
● Lowered costs
● Investment protection
Identity Administration Services
[Diagram: Identity Manager (Provisioning, Profile Management, Password Management, Identity Synchronization; Admin and Delegated Admin) on an App Server, serving Databases, Business Applications, Directories, Operating Systems and Mainframes]
Identity Repository Services
[Diagram: Directory Services – LDAP Directory, security proxy services, Active Directory sync services]
Integrated, End-to-End Identity Management
[Diagram: Identity Manager (Synchronization Services, Password Management, User Provisioning), Access Manager (Federation, Access Control, Web Single-Sign-On) and Directory Server EE (AD Synchronization, Security/Failover, Directory Services, Web-Based Administration), with Audits and Standards spanning all three]
Sun Microsystems, Inc. Proprietary & Confidential
Technology Challenges of the Virtual Enterprise
Partnerships and user relationships are constantly changing
Legislative man
Identity Management: Technology Cornerstone of the Virtual Enterprise
[Diagram: Identity Management at the centre of – Consistent Delivery of High Levels of Service (fast access to information); Interoperability (open standards with cross platform support, standards-based federated framework, non-invasive architectures); Ability to Scale and Flex Cost-Effectively (rapid, automated processes; data consistency, accuracy and reliability); Inclusionary Security (logging, auditing, reporting for regulatory ...)]
Sun Microsystems, Inc. Proprietary and Confidential
Access Manager Architecture
● Only vendor based on J2EE architecture
– Java servlets deployed in web container JVM
– Services can be distributed separately from others and are modular
– Customers to leverage their knowledge on running/developing Java-based applications
● Faster time to deployment, lower TCO
● Deeply customizable/extensible
– Java, XML & C interfaces provide robust mechanisms for integration and extensibility
● Highly reliable and scalable
– Leverages multi-tier J2EE load-balancing and failover
● Built on and implements open standards and APIs
Authentication
● Standards-based, extensible authentication framework (JAAS: Java Authentication and Authorization Service)
● Supports multiple pluggable Authentication mechanisms
● LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, Anonymous, Membership
● Custom authentication mechanisms using the SPI
● Multi-factor Authentication (Chained authentication mechanisms)
● Levels-based Authentication
Authorization Governed by Policy
● Policy = Rules + Subjects + Conditions
– Rules
  ● Resource being protected – URL, access method, allow/deny
– Subjects
  ● Who is allowed access? User/role/group etc
– Condition
  ● Additional constraints – IP address, authN level/mechanism, day/time, session timeout
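The Policy = Rules + Subjects + Conditions shape above, together with the levels-based authentication on the previous slide, is enough to write a small policy decision point and see how the pieces interact. The following is an added example written for this page, not Access Manager code: the class and function names, the glob matching of URLs, the deny-overrides combination and the sample payroll policies (with placeholder hostnames and addresses) are all assumptions.

```python
"""Policy decision point in the Rules + Subjects + Conditions shape.
Added illustration only; not Access Manager code."""
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """Resource being protected: a URL pattern, the access methods covered, allow or deny."""
    resource: str                         # glob, e.g. "https://hr.example.test/payroll/*"
    methods: frozenset = frozenset({"GET", "POST"})
    allow: bool = True


@dataclass
class Subjects:
    """Who is allowed access: any listed user, role or group qualifies."""
    users: frozenset = frozenset()
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()

    def matches(self, principal):
        return (principal["uid"] in self.users
                or bool(self.roles & set(principal.get("roles", ())))
                or bool(self.groups & set(principal.get("groups", ()))))


@dataclass
class Conditions:
    """Additional constraints: client network, minimum authN level, time of day."""
    networks: tuple = ()                  # CIDR strings; empty means any address
    min_auth_level: int = 0               # the level the session was authenticated at
    hours: tuple = (0, 24)                # allowed local hours, [start, end)

    def matches(self, env):
        if self.networks and not any(ip_address(env["ip"]) in ip_network(n) for n in self.networks):
            return False
        if env["auth_level"] < self.min_auth_level:
            return False
        start, end = self.hours
        return start <= env["time"].hour < end


@dataclass
class Policy:
    name: str
    rules: list
    subjects: Subjects
    conditions: Conditions = field(default_factory=Conditions)


def decide(policies, principal, resource, method, env):
    """Default deny; an explicit deny from any applicable policy overrides every
    allow, so adding a restrictive policy can never widen access."""
    decision = "deny"
    for pol in policies:
        if not (pol.subjects.matches(principal) and pol.conditions.matches(env)):
            continue
        for rule in pol.rules:
            if method in rule.methods and fnmatch(resource, rule.resource):
                if not rule.allow:
                    return "deny"
                decision = "allow"
    return decision


# Constructed sample policies for a payroll application.
PAYROLL = "https://hr.example.test/payroll/*"
POLICIES = [
    Policy("payroll-staff-read",
           rules=[Rule(PAYROLL, frozenset({"GET"}))],
           subjects=Subjects(roles=frozenset({"payroll"})),
           conditions=Conditions(networks=("10.0.0.0/8",), min_auth_level=2, hours=(8, 18))),
    Policy("block-contractors",
           rules=[Rule(PAYROLL, frozenset({"GET", "POST"}), allow=False)],
           subjects=Subjects(groups=frozenset({"contractors"}))),
]


def demo():
    """Run constructed requests through the decision point and return the outcomes."""
    alice = {"uid": "alice", "roles": ["payroll"], "groups": []}
    bob = {"uid": "bob", "roles": ["payroll"], "groups": ["contractors"]}
    office = {"ip": "10.1.2.3", "auth_level": 2, "time": datetime(2024, 5, 6, 10, 0)}
    url = "https://hr.example.test/payroll/2024/05"
    return {
        "alice_office": decide(POLICIES, alice, url, "GET", office),
        "alice_weak_authn": decide(POLICIES, alice, url, "GET", dict(office, auth_level=1)),
        "alice_after_hours": decide(POLICIES, alice, url, "GET",
                                    dict(office, time=datetime(2024, 5, 6, 23, 0))),
        "alice_offsite": decide(POLICIES, alice, url, "GET", dict(office, ip="203.0.113.9")),
        "alice_post": decide(POLICIES, alice, url, "POST", office),
        "bob_office": decide(POLICIES, bob, url, "GET", office),
    }
```

Bob holds the payroll role and satisfies every condition, yet is denied because the contractor deny rule wins; that ordering is what makes the "dynamic access decisions" on the earlier slide safe to delegate.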
Single Sign-On – How It Works
● Policy Agent on Web or Application Server intercepts resource requests and enforces access control
● Client is issued SSO token containing information for session validation with Session service
● SSO token has no content – just a
Single Sign-On Token
● Web-based applications use browser session cookies or URL rewriting to issue SSO token
● Non Web applications use the SSO API (Java/C) to obtain the SSO
Cross Domain Single Sign-On
● User is issued a cookie for each domain accessed that is part of the CDSSO deployment
● Also accomplished with
Web SSO Flow
[Diagram: User, Policy Agents in front of the White Pages and Paycheck applications, and Sun Java System Access Manager]
1. Request resource
2. Agent checks for SSO token + policies
3. Redirect to login page
4. Authenticate + create SSO token
5. Redirect to resource with SSO token
6. Request resource
7. Agent checks for SSO token + policies
8. Provide or refuse resource
9. Subsequent request for resource
10. Agent checks for SSO token + policies
11. Provide or refuse resource
New in 6.2: Windows Desktop SSO
● User-eye view
– Log in to Windows
– Surf to a protected resource
– The resource recognizes me and gives me access based on policies, role etc
● That's it – the user logs in exactly once
– No need for password sync process
Windows Desktop SSO Flow
[Diagram: User, Active Directory and Sun Java System Access Manager]
1. Login to Windows Desktop in normal way
2. Request protected resource
3. Return '401 Unauthorized' with 'WWW-Authenticate: Negotiate' header
4. Request ticket from Kerberos Ticket Granting Service
5. Provide ticket
6. Request protected resource – this time with SPNEGO token in 'Authorization: Negotiate' header
9. Redirect to resource with SSO token – request can now proceed in normal way
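The server side of steps 2, 3, 6 and 9 is a short state machine over two HTTP headers: challenge with `WWW-Authenticate: Negotiate`, accept only `Authorization: Negotiate <token>`, and exchange a valid token for an opaque SSO token. The following is an added example written for this page, not Access Manager code. A real deployment validates a Kerberos service ticket obtained from Active Directory; here the ticket is a constructed HMAC stand-in so the exchange runs offline, and the service key, the cookie name, the principal and the Basic header are all constructed assumptions.

```python
"""Negotiate challenge/response as seen at the HTTP layer.
Added illustration only; the ticket check is a stand-in for Kerberos."""
import base64
import hashlib
import hmac
import secrets

SERVICE_KEY = b"constructed-demo-key-for-the-HTTP-service"  # stand-in for the service's Kerberos key


def client_ticket(principal, key=SERVICE_KEY):
    """Steps 4-5 from the browser's side: obtain a ticket for the service, base64
    wrapped the way an 'Authorization: Negotiate' value is wrapped."""
    mac = hmac.new(key, principal.encode(), hashlib.sha256).digest()
    return base64.b64encode(principal.encode() + b"|" + mac).decode()


def verify_ticket(blob, key=SERVICE_KEY):
    """Return the authenticated principal, or None for anything malformed or forged."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    principal, sep, mac = raw.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, principal, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return principal.decode()


class DesktopSsoModule:
    """Server side of the exchange: challenge, then accept or re-challenge."""

    CHALLENGE = (401, {"WWW-Authenticate": "Negotiate"})

    def __init__(self):
        self.sessions = {}                          # opaque SSO token -> principal

    def handle(self, headers, resource="/protected"):
        auth = headers.get("Authorization")
        if auth is None:
            return self.CHALLENGE                   # step 3: no credentials yet
        scheme, _, token = auth.partition(" ")
        if scheme != "Negotiate" or not token:      # a Basic header is not accepted
            return self.CHALLENGE
        principal = verify_ticket(token)
        if principal is None:                       # forged or garbled ticket
            return self.CHALLENGE
        sso = secrets.token_urlsafe(32)             # step 9: opaque SSO token, state kept server-side
        self.sessions[sso] = principal
        return 302, {"Location": resource,
                     "Set-Cookie": f"SSOToken={sso}; Secure; HttpOnly"}


def demo():
    am = DesktopSsoModule()
    first = am.handle({})                                            # step 2
    ticket = client_ticket("alice@EXAMPLE.TEST")                     # constructed principal
    second = am.handle({"Authorization": f"Negotiate {ticket}"})     # step 6
    forged = client_ticket("admin@EXAMPLE.TEST", key=b"wrong-key")
    third = am.handle({"Authorization": f"Negotiate {forged}"})
    basic = am.handle({"Authorization": "Basic YWxpY2U6c2VjcmV0"})  # constructed "alice:secret"
    sso = second[1]["Set-Cookie"].split(";")[0].split("=", 1)[1]
    return {"first": first[0], "challenge": first[1].get("WWW-Authenticate"),
            "second": second[0], "principal": am.sessions.get(sso),
            "forged": third[0], "basic": basic[0]}
```

Every failure path returns the same 401 challenge rather than an error body, so a client that cannot negotiate simply falls back to the login page on the next slide's flow while nothing about the failure is leaked.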
Session Features
● Session upgrade
– User provides additional credentials to access a resource with higher authentication requirements
● Client detection
– Provide content based on client type – standard browser, WAP, etc.
● Resource-based session timeout
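The "How It Works" and "Single Sign-On Token" slides describe a token that carries nothing the agent can read on its own, and this slide adds session upgrade and resource-based timeouts on top of it. The following is an added example written for this page, not Access Manager code: the session service, the agent, the token format, the rotation on upgrade, the timeout values and the two sample resources are all assumptions.

```python
"""Opaque SSO token, central session service, policy agent with session upgrade
and resource-based idle timeout. Added illustration only; not Access Manager code."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    uid: str
    auth_level: int
    created: float
    last_access: float
    max_idle: float = 1800.0        # session-wide idle timeout, seconds (assumed)
    max_life: float = 8 * 3600.0    # absolute lifetime (assumed)


class SessionService:
    """Central session authority; tokens are random handles with nothing to decode."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self.now = clock

    def login(self, uid, auth_level):
        token = secrets.token_urlsafe(32)
        t = self.now()
        self._sessions[token] = Session(uid, auth_level, t, t)
        return token

    def validate(self, token):
        """Return the Session behind token, or None; expired sessions are destroyed."""
        s = self._sessions.get(token)
        if s is None:
            return None
        t = self.now()
        if t - s.last_access > s.max_idle or t - s.created > s.max_life:
            del self._sessions[token]
            return None
        return s

    def touch(self, token):
        self._sessions[token].last_access = self.now()

    def upgrade(self, token, new_level):
        """Session upgrade: stronger credentials raise the level of the existing
        session; the token is rotated so the old cookie value stops working."""
        s = self.validate(token)
        if s is None:
            return None
        del self._sessions[token]
        s.auth_level = max(s.auth_level, new_level)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = s
        return new_token


class PolicyAgent:
    """Lives in the web/app server: validates the token with the service, then
    applies the resource's own authN level and idle-timeout requirements."""

    def __init__(self, service, resources):
        self.service = service
        self.resources = resources   # path -> {"level": int, "max_idle": seconds or None}

    def handle(self, path, cookie):
        req = self.resources.get(path, {"level": 1, "max_idle": None})
        s = self.service.validate(cookie) if cookie else None
        if s is None:
            return "redirect-to-login"
        if req["max_idle"] is not None and self.service.now() - s.last_access > req["max_idle"]:
            return "redirect-to-reauth"      # resource-based timeout; the session itself lives on
        if s.auth_level < req["level"]:
            return "redirect-to-upgrade"     # session upgrade, not a fresh login
        self.service.touch(cookie)
        return f"200 {s.uid}"


def demo():
    clock = [1_000_000.0]                    # controllable clock so the timeouts are deterministic
    svc = SessionService(clock=lambda: clock[0])
    agent = PolicyAgent(svc, {"/whitepages": {"level": 1, "max_idle": None},
                              "/paycheck": {"level": 2, "max_idle": 300}})
    out = {"no_cookie": agent.handle("/whitepages", None)}
    tok = svc.login("alice", 1)
    out["whitepages"] = agent.handle("/whitepages", tok)
    out["paycheck_level1"] = agent.handle("/paycheck", tok)
    tok2 = svc.upgrade(tok, 2)
    out["old_token"] = agent.handle("/whitepages", tok)
    out["paycheck_level2"] = agent.handle("/paycheck", tok2)
    clock[0] += 600                          # ten minutes idle
    out["paycheck_idle"] = agent.handle("/paycheck", tok2)
    out["whitepages_idle"] = agent.handle("/whitepages", tok2)
    clock[0] += 2000                         # past the session-wide idle limit
    out["expired"] = agent.handle("/whitepages", tok2)
    return out
```

Because the agent never interprets the token, a stolen cookie value is worth exactly as long as the central session stays alive; logout and expiry at the session service revoke it everywhere at once, which is the property that makes the "just a reference" design worth its extra round trip.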
● Federation for cross-domain application integration
● Facilitates 'trusted partnerships'
– Create tighter, more satisfying customer & employee relationships
– Extend existing & create new revenue opportunities
– Implement business models that generate new efficiencies and productivity gains
● Access Manager supports SAML 1.1 and Liberty 2.0
– Successful participation in SAML interop events
– Concurrent support for previous protocol versions
SAML Browser/Artifact Profile SSO Flow
[Diagram: User, Partner Site and Sun Java System Access Manager]
1. Authenticate to Access Manager in normal way
2. Request resource at Partner site
3. AM
● constructs artifact and assertion
● stores assertion, indexed by artifact
● constructs URL containing artifact
4. Redirect browser to partner site
5. Browser follows redirection
6. Partner site uses artifact to request assertion
8. Partner site sends appropriate response to browser