Sun Java TM System Identity Solution - Stuart Sim, Chief Architect - PowerPoint PPT Presentation



SLIDE 1

Sun Java TM System Identity Solution

Stuart Sim
Chief Architect, Global Education & Research, Sun Microsystems

SLIDE 2

Sun Proprietary/Confidential: Internal Use Only

Agenda

  • Business Drivers for Identity Management
  • Sun’s Identity Management Solution
  • Sun Java System Access Manager Overview
    > Authentication Services
    > Federation Services
    > Auditing Services
    > SSO for non web apps
  • Sun Java System Identity Server Overview
    > User Provisioning
  • Sun Open Source Strategy for Identity

SLIDE 3

Sun's Identity Management Suite

  • Comprehensive software solution that includes
    > Directory Services
    > Access Control, Single Sign-On, Federation
    > Provisioning and Identity Synchronization Services
    > Identity Auditing
  • Open, Integrated, “Integrate-able” to reduce cost, complexity

Diagram labels: Identity Manager, Directory Server Enterprise Edition, Access Manager, Identity Auditor

SLIDE 4

Sun Java TM System Access Manager

SLIDE 5

Access Manager 6.3

Core
  • Auth (LDAP, Radius, AD, etc.)
  • SSO (CDSSO, SAML 1.1, Liberty)
  • Authorization (Role Mgt, Policy)

Liberty Alliance Compliant: Phase 1 & 2 (ID-FF, ID-WSF)
  • Discovery Service
  • Metadata Management
  • Bulk-federation
  • PAOS, LECP
  • Personal/Employee Profile
  • ResourceID Mapper
  • RoleID Mapper

Federation Manager

SLIDE 6

Access Management Today: Fragmented, Insecure, Costly

Diagram labels: Employees, Customers, Partners, Web Services; Directories, Databases, Business Applications, Custom Systems

  • Who has access to what resource?
  • What can users do with that access?
  • How much does secure access cost me?
  • How do I quickly deploy new services?
  • How do I comply with laws & regulations?

SLIDE 7

Sun JavaTM Enterprise System

  • Sun Java Enterprise Suites
    > Application Platform Suite
    > Communication Suite
    > Availability Suite
    > Infrastructure Suite
    > Identity Management Suite
  • Original “Business model”
    > Pricing per employee
    > Included license, service and support
    > RTU (employee, client)
  • Multi-platforms
    > Solaris SPARC and x64, Linux RedHat AS 2.3
    > Windows 2003, HP-UX

(Slide badge: NEW)

SLIDE 8

Solution: Sun Java Access Manager

  • Increase enterprise-wide security
  • Reduce complexity and operational costs
  • Open access to customers, partners
  • Provide a foundation for compliance

Diagram labels: Employees, Customers, Partners, Web Services; Directories, Databases, Business Applications, Custom Systems; Access Manager Services: Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation

SLIDE 9

Access Manager: Functional Overview

  • Single sign on to web, J2EE resources
  • Centralize policy based authentication and authorization
  • Enable distributed authentication and policy enforcement
  • Audit and log all authentication events
  • Platform for enabling identity based web services

Diagram labels: Directories, Databases, Business Applications, Policy Agents; Access Manager Services: Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation

SLIDE 10

Centralized Authentication Services

  • Leverage existing authentication mechanisms
  • Centrally manage, establish user identity
    > Over 15 mechanisms out of the box - LDAP, Active Directory, JDBC, SAML, others
  • Adapt using custom modules as needed

Diagram labels: Directories, Databases, Business Applications, Policy Agents; Access Manager Services: Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation; Modules: LDAP, HTTP, Cert, JDBC; Firewall

SLIDE 11

Distributed Authentication Services

  • Flexible deployment model
    > Deploy authN mechanisms in the DMZ or behind the firewall
    > Customize presentation, credential extraction
  • Create high performance, secure AuthN

Diagram labels: Access Manager Services: Authentication, Policy, User Profile/Roles, Audit/Reports, Single Sign-On, Federation; Firewall; Distributed AuthN; DMZ

SLIDE 12

Centralized Policy Services

  • Flexible, comprehensive policy decision engine
    > Centrally define, manage authorizations
    > Easily extend authorizations to new applications
    > Base access controls, authorizations on roles, user profiles
  • Create a central point of control
    > Easier to audit usage
    > Easier to handle role/policy exceptions
    > Easier to make dynamic access decisions
  • Define granular controls
    > Control access to specific end points
    > Systematic management of sessions

SLIDE 13

Centralized Policy Services

  • Define Resource Realms
    > Create a virtual delegation hierarchy for managing resources
    > Delegate policy administration based on realms
  • Flexible policy deployment model
    > Decouple underlying directory structure from policy implementation

SLIDE 14

Distributed Policy Services

  • Provide policy enforcement at the point of access
    > Easily adapt centralized policy capabilities onto existing applications
    > Provide deeper, fine grained enforcement of policy
    > Leverage system capabilities
  • Provide centralized policy enforcement
    > Reverse Proxy solution expands flexibility, manageability

SLIDE 15

Centralized Audit Services

  • Centrally track all AuthN, AuthZ events
  • Provide easy to manage proof points
    > Who had access, who granted that access
    > What systems did they access
    > What functions did they perform
    > When did they perform those functions
  • Standards-based implementation
    > Easy integration with existing auditing, reporting tools

SLIDE 16

Access Manager Architecture

Diagram labels: Federation; Access Management; Flexible Administration (CLI Administration, GUI Administration); Centralized Audit (Logging, Reporting); Access Manager Services: Authentication, Authorization (Policy), Single Sign-On, Auditing, Session; Existing Resources, Existing Applications, Existing Data Stores

SLIDE 17

Access Manager Architecture

  • Open
    > Unique J2EE architecture
    > Commitment to open standards and APIs - JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
  • Integrated
    > Leverage the strengths of Sun's market leading Identity Management platform
    > Reuse services, functionality
  • Integrate-able
    > Deploys seamlessly into your existing environment
    > Data store independent
    > Modular, flexible deployment options
    > Faster time to deployment, lower TCO

SLIDE 18

Access Manager: Extended Integration

  • Leveraging your existing network
    > Integration with smartcards, tokens, certificate providers
    > Reliable integration with enterprise applications
    > Superior integration with system management, monitoring
    > Out of the box support, easy customization

SLIDE 19

Liberty Platform Requirements

  • Trust Relationships
    > Infrastructure entities – Identity Provider (IDP) and Service Provider (SP)
    > Trust Circle (PKI trust root/paths)
  • Confidentiality and Integrity
    > Secure back-channel (TLS, SSL or VPN)
    > XML signatures
  • Peer Authentication and Authorization
    > Server-side certificates
  • Session State Management
    > Common domain cookie

SLIDE 20

Sample Architecture

SLIDE 21

Diagram: Web Service SSO Service Flow. Labels: User/Principal; Discovery Server (DS); Identity Provider (IDP); 3rd Party AP; Content Provider (Liberty ID-WSF); Liberty-enabled SMS GW; SSOs not specified by Liberty; TK CoT; TK Security Affiliation zone; Untrusted Security zone; flow steps A through K.

How to Integrate Legacy application with SSO & WS

SLIDE 22

Legacy & Web Service SSO service

SMS to Web Service SSO

Diagram labels: SMS Gateway (SMS GW, Non HTTP); Content Provider (CP, HTTP/SOAP); Identity Provider (IDP) with Federation Manager and Access Manager; Discovery Server (DS) with Federation Manager and Access Manager; Attribute Provider (PP, Geo-Loc (LES), LDAP); flows: Auth Req, Discovery Request, Service Request, Content Delivery, SMS

SLIDE 23

Deployment Environment

Typical & Traditional Internet Architecture

SLIDE 24

Sun JavaTM System Federation Manager

SLIDE 25

Agenda

  • What is Federated Identity?
  • Federation Business Drivers – The Virtual Campus
  • Benefits of Identity Federation
  • Sun's Federated Identity Management
  • Sun Java SystemTM Federation Manager
  • Sun’s work in Federation

SLIDE 26

What is Federated Identity?

“The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains.”

Burton Group, Identity and Privacy Strategies Research Report “Toward Federated Identity Management: The Journey Continues,” August 19, 2003.

SLIDE 27

Driving toward the Virtual Enterprise

  • Reduce costs while increasing efficiency
  • Increase quality of service for your users
  • Increase security
  • Open your business to new opportunities
  • Enable regulatory compliance

SLIDE 28

Business Drivers for Federation:

The Problem – No Room for Compromise

SLIDE 29

Business Drivers for Federation

  • Open Access without risk
    – Externalize and integrate applications in order to tap into new, larger user communities
  • Improve Quality of Service
    – Provide seamless, secure access to ensure user confidence and aggressive adoption
  • Increase revenue opportunity
    – Provide business partners with new channels and enhanced services to drive revenue

SLIDE 30

Benefits of Federation

  • Secure yet open access
    – Easy integration within the enterprise and with partners
    – Secure, reusable framework based on open standards
  • Enhanced user experience
    – Create more responsible users
    – Tie the user experience to security

SLIDE 31

Sun's Work in Federation

  • Catalyst for Liberty Alliance Project
    > Co-founder in Sept 2001
    > First to implement Liberty specifications in product
    > First to have product certified as “Liberty Interoperable”
  • Leader in development of SAML
    > OASIS SSTC Chair
    > Drove standards convergence of Liberty ID-FF 1.1 and SAML
    > Demonstrating leadership through SAML interop events
  • Development of Shibboleth Connectors for Edu Community
  • Strong and ongoing investment and executive commitment throughout company

SLIDE 32

Sun Federated Identity Management

SLIDE 33

Unique Characteristics

  • Broadly implementing Liberty, SAML, and web services standards
    – ID-FF 1.2, SAML 1.1, SAML 2.0, ID-WSF 1.0
    – Focus on multi-protocol environments
  • Focuses on enabling complex, multi-party federations
    – Solves common, out of band issues
    – Delivers common operational functionality
  • Integrated with other suite components (Identity Manager SPE) to provide:
    – Provisioning, Registration, Self-Service

SLIDE 34

Federated Identity Solution:

Sun Java System Access Manager and Federation Manager

  • Deploy at the identity provider or identity consumer site
  • Link identity data across sites
  • Share authentication via Liberty/SAML
  • Create reusable authentication, authorization with partners

SLIDE 35

Diagram labels: Trusted Domain. Sun Java System Access Manager: Authentication, Authorization, Single-sign-on, Federation, Logging, Session. Consistent Identity, Pervasive Trust, Reusable Security. Sun Java System Federation Manager: Federated Session Mgt, Automated Id Federation, Extranet Single-sign-on; Identity Provider, Service Provider; Web Service Framework, SAML

SLIDE 36

Sun JavaTM System Identity Manager

SLIDE 37

Agenda

  • Business Drivers for Identity Management
  • Sun’s Identity Management Solution
  • Sun Java System Identity Manager
    – Automated User Provisioning
    – Password Management
    – Identity Synchronization
  • Why Sun, Why Identity Manager
    – Customer Successes
    – Integration Partners
    – Business Justification
    – What Sets Sun Apart

SLIDE 38

Dynamic Identity Life Cycle

New Users
  • User info entered in HR
  • Or user self-registers
  • Accounts provisioned to enterprise systems, applications, directories
  • Non-digital resources assigned and/or initiated

Change Events & User Support
  • Job/role/status changes
  • Password changes and resets
  • Profile information changes
  • Additional requests for account access or non-digital resources

Users Leave
  • Student status updated in SIS
  • Student contact changes
  • Admin closes account
  • Accounts disabled & removed
  • Non-digital resources retrieved and/or cancelled

SLIDE 39

Sun Java System Identity Manager

  • Automated user provisioning to improve operational efficiency and enhance security
  • Secure, automated password management to improve service levels and lower costs
  • User self-service and delegated administration to lower support costs
  • Automated data synchronization to lower workloads associated with handling change
  • Non-invasive, flexible architecture to speed deployment and ROI
  • Comprehensive auditing and reporting to improve security compliance

A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle

  • Enhanced security
  • Lowered costs
  • Improved productivity

Diagram labels: Add, Delete, Change

SLIDE 40

Sun Java System Identity Manager

Diagram labels: Agentless Adapters to Enterprise Package Applications, Custom Applications, Non-Digital Assets, Operating Systems, Mainframes, Databases, Directories; Self-Service Interfaces; Audit Reporting; Role and Policy Management; Delegated Admin Views; Rules Engine; Dynamic Workflow; SPML Toolkit; Virtual Identity Manager; Auto-Discovery; Automated User Provisioning; Password Management; Identity Synchronization; Unified Identity Console; Identity Platform Services

SLIDE 41

Provisioning Today: Fragmented, Manual and Insecure

Diagram labels: Users: Former Students, Students, Parents, Teachers. Systems: Human Resources System, Call Center, Facilities/Purchasing, Help Desk, Other Assets, Siebel CRM, Oracle Financials, Exchange and Active Directory. Chargeable Assets:
  • Mobile phone/service
  • Conference call account
  • Credit card
  • Office space
  • Phone
  • Laptop

  • Where are my risks?
  • Who has access?
  • What recurring charges am I still paying for?
  • How much does all of this cost?

SLIDE 42

Provisioning with Sun: Streamlined, Automated and Secure

Diagram labels: Users: Former Students, Students, Parents, Teachers. Approving Manager, SIS Manager. Other Assets, Siebel CRM, Oracle Financials, Exchange and Active Directory. Chargeable Assets:
  • Mobile phone/service
  • Conference call account
  • Credit card
  • Office space
  • Phone
  • Laptop

  • Reduced risk
  • Complete view of user’s identity
  • Efficient, automated operations

SLIDE 43

Identity Manager’s Automated Provisioning Highlights

  • Granular delegated administration
  • Web-based self-service
    – With automated change approval processes
  • Robust audit and reporting
  • Role based access control
  • Rule-based provisioning
    – Business policy enforcement through automated rule evaluation
  • Multi-step, complex provisioning
  • Authoritative feeds from HR applications and directories
  • Agentless adapters
    – Out of the box for leading enterprise systems & applications
    – Ref Kit and samples for custom adapter development
  • SPML Toolkit

SLIDE 44

Password Management Today: Costly, Labor-Intensive and Painful

Diagram labels: Users: Temporary Students, Students, Parents, Teachers; Process: Help Desk; Environment: Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix, RACF

  • Expensive, manual process
  • Pattern of reset-request peaks
  • Users limited to service during help desk hours
  • Users have to remember multiple credentials

SLIDE 45

Password Management with Sun: Cost-Effective, Quick, and Convenient

Diagram labels: Users: Visiting Students, Students, Parents, Teachers; Process: Interactive Voice Response (IVR); Environment: Oracle Financials, Exchange and Active Directory, PeopleSoft Human Resources System, Siebel CRM, Unix, RACF

  • Automated process
  • Available to users anytime, delivered how they work
  • Users only have 1 set of credentials to remember

SLIDE 46

Identity Manager’s Password Management Highlights

  • Self-service password reset & synchronization
  • Convenient access through
    – Web browser
    – IVR system
    – Network log-in (Windows)
  • Automated password policy enforcement
    – Password history store
    – Password exclusion dictionary
  • Help desk integration to track password-related activity
  • Agentless adapters
    – Out of the box for leading enterprise systems & applications
    – Ref Kit and samples for custom adapter development
  • Reporting on self-service password resets

SLIDE 47

Identity Synchronization Challenges

  • Migration to a directory-based infrastructure
  • Maintenance of identity data to ensure attributes are accurate and consistent with other applications
    – Profile management driven via self-service
    – Point-to-point, system-driven synchronization

SLIDE 48

Identity Synchronization: Why Migration?

  • Today’s environment includes multiple identity data sources
  • Trend toward simplification of IT environment with a directory-centric identity infrastructure
    – Strategic initiatives, like portals, rely on directory infrastructure
    – Re-usable architecture offers investment protection for new application development

Diagram labels: RACF, Windows NT, Oracle RDBMS, Lotus Notes, LDAP, LDAP, LDAP

SLIDE 49

Identity Synchronization: Migration with Sun

Diagram labels: RACF, Windows NT, Oracle RDBMS, Lotus Notes, LDAP, LDAP, LDAP; Active Directory; Sun Java System Directory Server (two instances)

  • Provides complete, automated data migration into new directories from existing repositories
    – Discover & correlate for data cleansing and establishing of virtual identity
    – Create directory containers & hierarchy
    – Bulk actions for populating directories with user data
  • Provides complete management of both old systems and new directories during migration period

SLIDE 50

Identity Synchronization: Profile Management with Sun

Diagram labels: Self Service, HR, Manager Approval; New Hire Application, Exchange and Active Directory, Siebel CRM, Human Resources System, Oracle Financials, Payroll Systems; Partners, Executives, Sales Employees, Customers, Operations Employees, Marketing Employees. Employee gets married, changes name, changes address.

  • Efficient, automated operations
  • High quality of service
  • Top line benefit

SLIDE 51

Identity Synchronization: System-to-System Updates Today

Diagram labels: Custom Application, Extranet Directory, Exchange and Active Directory, CRM, Human Resources System, ERP, Payroll Systems

  • Data silos independently owned and manually administered
  • Manual updates, if occurring, are error-prone
  • Inconsistent identity information across the enterprise
  • Inefficient business operations

SLIDE 52

Identity Synchronization: System-to-System Updates with Sun

Employee got promoted:
  • New Title
  • New Job Code
  • New Pay Grade
  • New Department

Diagram labels: Corporate LDAP, Exchange and Active Directory, Human Resources System, ERP, Payroll System

Resulting updates:
  • Update ERP with new Job Code
  • Modify access privileges to ensure separation of duty
  • Update Pay Grade as it impacts salary
  • Update AD with new Department, Title, Job Code
  • Modify home directory and move location of network files for employee
  • Modify message database account size for employee
  • Update LDAP with new Department, Job Code, Title for use by corporate white pages

SLIDE 53

Identity Manager’s Identity Synchronization Highlights

  • Auto-Discovery to create a unified Virtual Identity
  • Automated and scheduled detection of change
  • Synchronization between heterogeneous data sources
  • Identity data transformation
  • Granular, flexible authority assignment
  • Web-based self-service
    – Delegation to end-users with automated change approval processes
  • Resource adapters
    – Out of the box for leading enterprise systems & applications
    – Out of the box schema maps
    – Ref Kit and samples for custom adapter development
  • Audit and Reporting

SLIDE 54

Identity Platform Service: Auto-Discovery

  • Logical management of multiple disparate identities
  • Reduces risk of “orphaned” privileges

Diagram labels: Databases, Applications, Directories; accounts “Joe Smith”, “Jsmith”, “smitty”, “jms” linked to one Virtual Identity
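Auto-discovery as described on this slide and on the migration slide ("Discover & correlate for data cleansing and establishing of virtual identity"), as an added Python example that is not Identity Manager's code: account dumps from three constructed resources are renamed through per-resource schema maps, correlated against a constructed HR feed by rules tried in confidence order, and collected into one virtual identity per person; accounts that match nobody are reported as orphans and accounts owned by a non-active person as stale privileges. All people, attribute names, resources and the rule order are assumptions.

```python
"""Added example: auto-discovery correlation into a virtual identity (constructed data)."""
from collections import defaultdict

# Constructed authoritative HR feed (fictitious people, not real data)
HR_FEED = [
    {"emp_no": "1001", "first": "Joe", "last": "Smith", "mail": "joe.smith@example.edu", "status": "active"},
    {"emp_no": "1002", "first": "Ana", "last": "Lopez", "mail": "ana.lopez@example.edu", "status": "active"},
    {"emp_no": "1003", "first": "Raj", "last": "Patel", "mail": "raj.patel@example.edu", "status": "terminated"},
]

# Constructed account dumps from three resources; each uses its own attribute names
RESOURCE_ACCOUNTS = {
    "ldap": [
        {"uid": "jsmith", "employeeNumber": "1001", "mail": "joe.smith@example.edu"},
        {"uid": "alopez", "employeeNumber": "1002", "mail": "ana.lopez@example.edu"},
        {"uid": "rpatel", "employeeNumber": "1003", "mail": "raj.patel@example.edu"},
    ],
    "ad": [
        {"sAMAccountName": "Jsmith", "mail": "joe.smith@example.edu"},
        {"sAMAccountName": "rpatel", "mail": "raj.patel@example.edu"},
        {"sAMAccountName": "svc_backup", "mail": ""},
    ],
    "finance_db": [
        {"login": "smitty", "full_name": "Joe Smith"},
        {"login": "alopez", "full_name": "Ana Lopez"},
        {"login": "tmp_admin", "full_name": ""},
    ],
}

# Per-resource schema map (resource attribute -> canonical attribute); an assumption
SCHEMA_MAPS = {
    "ldap": {"uid": "account", "employeeNumber": "emp_no", "mail": "mail"},
    "ad": {"sAMAccountName": "account", "mail": "mail"},
    "finance_db": {"login": "account", "full_name": "full_name"},
}


def normalize(resource, raw):
    """Rename attributes through the schema map and lower-case values for matching."""
    return {SCHEMA_MAPS[resource][k]: (v or "").strip().lower() for k, v in raw.items()}


def correlate(person, acct):
    """Correlation rules tried from strongest to weakest; returns the rule that matched or None."""
    if acct.get("emp_no") == person["emp_no"]:
        return "emp_no"
    if acct.get("mail") and acct["mail"] == person["mail"].lower():
        return "mail"
    if acct.get("full_name") and acct["full_name"] == f"{person['first']} {person['last']}".lower():
        return "full_name"
    if acct.get("account") == (person["first"][0] + person["last"]).lower():
        return "naming_convention"   # weakest rule: first initial + last name
    return None


def discover(hr_feed, resource_accounts):
    """Returns (virtual_identities, orphans, stale).

    virtual_identities: emp_no -> {resource: [account, ...]}
    orphans: (resource, account) pairs that correlate to nobody in the HR feed
    stale:   (resource, account, emp_no) for accounts owned by a non-active person
    """
    vids = defaultdict(lambda: defaultdict(list))
    orphans, stale = [], []
    for resource, rows in resource_accounts.items():
        for raw in rows:
            acct = normalize(resource, raw)
            owner = None
            for person in hr_feed:
                if correlate(person, acct):
                    owner = person
                    break
            if owner is None:
                orphans.append((resource, acct["account"]))
                continue
            vids[owner["emp_no"]][resource].append(acct["account"])
            if owner["status"] != "active":
                stale.append((resource, acct["account"], owner["emp_no"]))
    return {k: dict(v) for k, v in vids.items()}, orphans, stale


if __name__ == "__main__":
    identities, orphan_accounts, stale_accounts = discover(HR_FEED, RESOURCE_ACCOUNTS)
    for emp_no, accounts in identities.items():
        print(emp_no, accounts)
    print("orphans:", orphan_accounts)
    print("stale privileges:", stale_accounts)
```

Both the orphan list and the stale list are the review queue a deprovisioning process would act on; the weakest rule is tried last so that a naming-convention coincidence never overrides an employee-number or e-mail match.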

SLIDE 55

Identity Platform Service: Virtual Identity Manager

  • Minimizes deployment time
  • Eliminates operational challenges
  • Manage centrally, enforce locally

Diagram labels: Virtual Identity Manager; Applications, Web Applications, Directories, Databases, Asset Databases/Directories

SLIDE 56

Identity Platform Service: Agent-less Adapters

Diagram labels: Agent-less Connector, Agent; Unix Systems, Custom Applications, RDBMS, Directories, Mainframe, Package Applications, Custom Application, NT/ADS; Resource Adapter Wizard

  • Minimizes agent deployment
  • Eliminates agent management
  • Eliminates operational challenges

SLIDE 57

Unified Identity Console

  • Web-based interfaces for administrators and end-users
    – Smart Forms are interactive web-based forms with embedded logic to assist the user navigation
    – Delegated administration views based on granular delegation for scope, capabilities, data sources and data
  • Self-service for self management of accounts, assets, passwords, and profile data
  • Administrators
    – Define and manage: role models, policies, delegation assignments
    – View and act on identities
  • Comprehensive reporting
  • End-to-end identity auditing capabilities

SLIDE 58

Identity Manager Physical Architecture

Diagram labels: Help Desk (Trouble Ticket Creation); HR (Authoritative Source, JMAC/ABAP/JDBC); External Workflow (WSBPEL); Approving Manager (Any Web Browser, SMTP, HTTPS); End User Self-Service (Any Web Browser, HTTPS); J2EE Application on Any App Server; Virtual ID Store (JDBC/LDAP); Authoritative Sources; Agent-less Gateway and Agent connections to Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS, NT/ADS, Asset Database/Directory, Partner Web App; connection types: Custom JDBC API/JDBC, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC, SSH

Asset list:
  • Laptop Serial Number
  • Office Number
  • Mobile Service Plan
  • Mobile Phone Model
  • Conference Call Account
  • Credit Card

SLIDE 59

Identity Manager Server Components

Diagram labels: IVR Interface, Business Process Editor, Console, SOAP/SPML, ActiveSync Adapters, Web GUIs; Session API, Authentication, Authorization, Audit/Reporting, Object Cache, Repository, Persistence; Resource Adapters, Reconciliation, Provisioning, Workflow, Reports, Task Engine

SLIDE 60

Identity Manager Resource Connectivity Diagram

Diagram labels: J2EE Application on Any App Server; Authoritative Sources; Agent-less Gateway and Agent; Mainframe, Unix Systems, Directories, Custom Apps, Package Apps, RDBMS, NT/ADS, Asset Database/Directory, Partner Web App; connection types: Custom JDBC API/JDBC, SOAP/XMLRPC, ADSI, 3270, JNDI, LDAP/JDBC, SSH

Asset list:
  • Laptop Serial Number
  • Office Number
  • Mobile Service Plan
  • Mobile Phone Model
  • Conference Call Account
  • Credit Card

SLIDE 61

Sun JavaTM Identity System

Q & A ?

SLIDE 62

Identity Manager Resource Adapter Types

  • Agentless connectivity
    – Easily integrated in existing environment
    – Single maintenance point for upgrades
    – Eliminates most technical/political objections
  • Gateways where appropriate
    – Crossing OS/API boundaries
    – Follows platform interface requirements
    – Provides compatibility over time using recommended APIs
  • Custom Adapters
    – Unusual or proprietary resources
    – The RDK is a clean and efficient approach

SLIDE 63

Identity Manager Auditing and Reporting

  • Every action in Identity Manager is logged
  • Stored in the Identity Manager repository
  • Discrete entries for each activity
  • Allows for aggregate queries
  • Extendable, i.e., signed logging
  • Extended logging for compliance reporting
  • Uses the "Audit" option in resource schema definitions

SLIDE 64

Identity Manager Auditing & Reporting (cont.)

  • Reporting types
    – User and administrator
    – Summary reports
    – Usage
    – Role
    – Resource
  • Report output options
    – Ad-hoc
    – Scheduled
    – Visual
    – Formatted for export
  • Risk analysis reports

SLIDE 65

Identity Manager Interface Options

  • Zero footprint Web-based applications
    – Administrator Interface
    – End user self-service
  • SOAP/SPML
    – Provides standards-based interface
    – HTTP connectivity
  • Java API for custom applications
  • Console
    – Scriptable
    – Bulk processes
  • IVR (legacy InnerVoice Bright)

SLIDE 66

Identity Manager Delegated Administration

  • Capabilities
    – Discrete
    – Can be assigned to a user that performs only one function
  • N-level delegation
    – Can be assigned from one administrator to another providing true "n-level" delegation
  • Administrators are created
    – Granular authority
    – Any user can be an administrator
    – User's administration privileges may be limited

SLIDE 67

Identity Manager Objects and Containers

  • Users
  • Resources
    – Any external data managed by Identity Manager
  • Roles and resource groups
    – Contain multiple resources
    – Control behavior
    – Apply rules and policy
  • Organizations and Virtual Organizations
    – Virtual Organizations map to org structures in remote directories
  • Relationships between objects and containers

SLIDE 68

The “Identity Grid”

Diagram labels: Product Categories: Administration Services (Provisioning Services, Password Management, User Administration, Identity Synchronization, Policy Management); Transaction Services (Data transport Services, Authentication Services, Authorization Services); Data Repositories (Directories, Databases, Flat Files); Applications: CRM, ERP, SCM, HR, eCommerce; Users: Customers, IT Administrators, Employees, Partners; Application Interface, Web Interface, Portal Interface

SLIDE 69

Sun Java System Directory Server

  • Most widely deployed LDAP-based directory server – over 1.5 billion licenses sold
  • Built-in security – prevents DoS attacks, controls access, intercepts unauthorized operations
  • World-class performance and scalability – from entry-level to large-scale deployments
  • Multi-master replication and failover for high availability
  • Intuitive Web-based administration interface
  • Password synchronization with Active Directory enhances security, improves service to users
  • Open, standards based architecture reduces total cost of ownership

Secure, highly available, scalable and easy-to-manage directory services.

  • Enhanced security
  • Lowered costs
  • Investment protection
  • Reduced IT complexity

SLIDE 70

Identity Administration Services

  • Identity administration services
    – Provisioning
    – Profile Management
    – Password Management
    – Identity Synchronization

Diagram labels: Identity Manager on App Server; Admin, Delegated Admin, End User Self-Service; Identity Synchronization, Password Management, Provisioning, Profile Management; Databases, Business Applications, Directories, Operating Systems, Mainframes

SLIDE 71

Identity Repository Services

  • Identity Repository Services
    – LDAP Directory
    – Security proxy services
    – Active Directory Sync services

Diagram labels: Directory Server Enterprise Edition: Directory Services, AD Synch, Proxy Services

SLIDE 72

Integrated, End-to-End Identity Management

Diagram labels: Identity Manager (Synchronization Services, Password Management, User Provisioning); Access Manager (Federation, Access Control, Web Single-Sign-On); Directory Server EE (AD Synchronization, Security/Failover, Directory Services); Web-Based Administration; Audit & Reporting

SLIDE 73

Sun Microsystems, Inc. Proprietary & Confidential

Technology Challenges of the Virtual Enterprise

Diagram labels: Audits; Standards; Partnerships and user relationships are constantly changing; Legislative mandates; Multi-platform support; Additional staff; Access to critical applications; Additional resources

SLIDE 74

Identity Management: Technology Cornerstone of the Virtual Enterprise

Diagram labels: Identity Management. Consistent Delivery of High Levels of Service: Fast access to information; Interoperability. Open standards with cross platform support: Standards-based, federated framework; Non-invasive architectures. Ability to Scale and Flex Cost-Effectively: Rapid, automated processes; Data consistency, accuracy and reliability. Inclusionary Security: Logging, auditing, reporting for regulatory compliance; Eliminate security loopholes; Common security architecture

slide-75
SLIDE 75


Deployment Architecture

slide-76
SLIDE 76


Access Manager Architecture

  • Only vendor based on J2EE architecture
    – Java servlets deployed in web container JVM
    – Services are modular and can be distributed separately from others
    – Customers can leverage their knowledge of running/developing Java-based applications
  • Faster time to deployment, lower TCO
  • Deeply customizable/extensible
    – Java, XML & C interfaces provide robust mechanisms for integration and extensibility
  • Highly reliable and scalable
    – Leverages multi-tier J2EE load-balancing and failover
  • Built on and implements open standards and APIs

slide-77
SLIDE 77


Authentication

  • Standards-based, extensible authentication framework (JAAS: Java Authentication and Authorization Service)
  • Supports multiple pluggable authentication mechanisms
    – LDAP, RADIUS, Certificate, SafeWord, RSA SecurID, Unix, Windows NT, Anonymous, Membership
    – Custom authentication mechanisms using the SPI
  • Multi-factor authentication (chained authentication mechanisms)
  • Levels-based authentication
    – Levels assigned to authentication mechanisms
  • Resource-based authentication
slide-78
SLIDE 78


Authorization Governed by Policy

  • Policy = Rules + Subjects + Conditions
    – Rules: resource being protected – URL, access method, allow/deny
    – Subjects: who is allowed access? User/role/group etc.
    – Conditions: additional constraints – IP address, authN level/mechanism, day/time, session timeout
    – Referral policies and the SPI allow customization

slide-79
SLIDE 79


Single Sign-On – How It Works

  • Policy Agent on Web or Application Server intercepts resource requests and enforces access control
  • Client is issued an SSO token containing information for session validation with the Session service
  • SSO token has no content – just a long random string used as a handle
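As an added example (not code from Access Manager or from this deck), a Python simulation of the policy model on the Authorization slide and of the opaque SSO handle described here: the Session service issues a random token with no content, and a policy agent validates it with that service before evaluating rules, subjects and conditions. The policy dictionary layout, hostnames, roles and addresses are constructed assumptions; Access Manager's own SDK is Java/C.

```python
import ipaddress
import secrets

# Added example, not Access Manager code: an opaque SSO handle validated by a
# Session service, then Policy = Rules + Subjects + Conditions enforced by an
# agent. Names, sample policies and the dict layout are constructed.

class SessionService:
    # The SSO token has no content: a random handle mapped to server-side state.
    def __init__(self):
        self._sessions = {}

    def create(self, user, roles, auth_level):
        token = secrets.token_urlsafe(32)  # long random string, no claims inside
        self._sessions[token] = {"user": user, "roles": set(roles), "auth_level": auth_level}
        return token

    def validate(self, token):
        return self._sessions.get(token)  # None for an unknown or forged handle

# Constructed sample policies (not AM's policy XML): the paycheck application
# additionally requires authentication level 2 and a corporate client address.
POLICIES = [
    {"rule": {"resource": "http://whitepages.example/", "methods": {"GET"}, "action": "allow"},
     "subjects": ["employee"]},
    {"rule": {"resource": "http://paycheck.example/", "methods": {"GET", "POST"}, "action": "allow"},
     "subjects": ["employee"],
     "conditions": {"min_auth_level": 2, "ip_network": "10.0.0.0/8"}},
]
def evaluate(policies, session, resource, method, client_ip):
    # Default deny; the first policy whose rule, subjects and conditions all match decides.
    for policy in policies:
        rule, cond = policy["rule"], policy.get("conditions", {})
        if not (resource.startswith(rule["resource"]) and method in rule["methods"]
                and session["roles"].intersection(policy["subjects"])):
            continue
        if session["auth_level"] < cond.get("min_auth_level", 0):
            continue
        net = cond.get("ip_network")
        if net and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(net):
            continue
        return rule["action"]
    return "deny"

def agent_handle(session_svc, policies, token, resource, method, client_ip):
    # Policy agent: no valid handle -> redirect to login (step 3 of the web SSO flow).
    session = session_svc.validate(token) if token else None
    if session is None:
        return "redirect:login"
    return evaluate(policies, session, resource, method, client_ip)
```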

slide-80
SLIDE 80


Single Sign-On Token

  • Web-based applications use browser session cookies or URL rewriting to issue the SSO token
  • Non-web applications use the SSO API (Java/C) to obtain the SSO token and validate the user's identity

slide-81
SLIDE 81


Cross Domain Single Sign-On

  • User is issued a cookie for each domain accessed that is part of the CDSSO deployment
  • Also accomplished with the SAML/Liberty implementation

slide-82
SLIDE 82


Web SSO Flow

Participants: User, Access Manager Policy Agent (White Pages Application), Access Manager Policy Agent (Paycheck Application), Sun Java System Access Manager

  • 1. Request resource
  • 2. Agent checks for SSO token + policies
  • 3. Redirect to login page
  • 4. Authenticate + create SSO token
  • 5. Redirect to resource with SSO token
  • 6. Request resource
  • 7. Agent checks for SSO token + policies
  • 8. Provide or refuse resource
  • 9. Subsequent request for resource
  • 10. Agent checks for SSO token + policies
  • 11. Provide or refuse resource

slide-83
SLIDE 83


New in 6.2: Windows Desktop SSO

  • User-eye view
    – Log in to Windows
    – Surf to a protected resource
    – The resource recognizes me and gives me access based on policies, role etc.
  • That's it – the user logs in exactly once
    – No need for password sync process
    – Transparent integration for desktop users into web applications

slide-84
SLIDE 84


Windows Desktop SSO Flow

Participants: User, Sun Java System Access Manager, Active Directory

  • 1. Login to Windows Desktop in normal way
  • 2. Request protected resource
  • 3. Return '401 Unauthorized' with 'WWW-Authenticate: Negotiate' header
  • 4. Request ticket from Kerberos Ticket Granting Service
  • 5. Provide ticket
  • 6. Request protected resource – this time with SPNEGO token in 'Authorization: Negotiate' header
  • 7. Request ticket authentication
  • 8. Authentication response
  • 9. Redirect to resource with SSO token – request can now proceed in normal way
slide-85
SLIDE 85


Session Features

  • Session upgrade
    – User provides additional credentials to access a resource with higher authentication requirements
  • Client detection
    – Provide content based on client type – standard browser, WAP, etc.
  • Resource-based session timeout
  • Java & C Session/SSO APIs
slide-86
SLIDE 86


Federated Identity

  • Federation for cross-domain application integration
  • Facilitates 'trusted partnerships'
    – Create tighter, more satisfying customer & employee relationships
    – Extend existing & create new revenue opportunities
    – Implement business models that generate new efficiencies and productivity gains
  • Access Manager supports SAML 1.1 and Liberty 2.0
    – Successful participation in SAML interop events
    – Concurrent support for previous protocol versions

slide-87
SLIDE 87


SAML Browser/Artifact Profile SSO Flow

Participants: User, Sun Java System Access Manager, Partner Site

  • 1. Authenticate to Access Manager in normal way
  • 2. Request resource at Partner site
  • 3. AM
    – constructs artifact and assertion
    – stores assertion, indexed by artifact
    – constructs URL containing artifact
  • 4. Redirect browser to partner site
  • 5. Browser follows redirection
  • 6. Partner site uses artifact to request assertion
  • 7. AM provides assertion
  • 8. Partner site sends appropriate response to browser
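The artifact profile flow above, as an added Python example that is not Access Manager code: the source site stores the assertion indexed by a random artifact, redirects the browser with SAMLart/TARGET query parameters, and releases each assertion over the back channel only once and only within a time window, so a replayed or stale redirect URL yields nothing. The artifact encoding, the dict standing in for the XML assertion, the issuer check and the hostnames are constructed assumptions.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not Access Manager code: the SAML 1.x browser/artifact profile
# flow from the slide with an in-memory assertion store. The artifact format
# and the assertion dict (standing in for the XML assertion) are constructed.

class AccessManagerSaml:
    """Source site: steps 3, 4 and 7 of the flow."""
    def __init__(self, issuer, partner_receiver_url, ttl_seconds=60):
        self.issuer, self.receiver, self.ttl = issuer, partner_receiver_url, ttl_seconds
        self._by_artifact = {}  # assertions indexed by artifact

    def sso_redirect(self, user, target, now=None):
        # Step 3: build artifact + assertion, store the assertion indexed by the
        # artifact, and build the redirect URL; step 4 is returning that URL.
        artifact = secrets.token_urlsafe(20)  # opaque, unguessable reference
        self._by_artifact[artifact] = {"issuer": self.issuer, "subject": user,
                                       "issued": now or time.time()}
        return f"{self.receiver}?{urlencode({'SAMLart': artifact, 'TARGET': target})}"

    def resolve(self, artifact, now=None):
        # Step 7: hand over the assertion on the back channel. Each artifact is
        # consumed on first use and expires, so a replayed URL gets nothing.
        assertion = self._by_artifact.pop(artifact, None)
        if assertion is None or (now or time.time()) - assertion["issued"] > self.ttl:
            return None
        return assertion

class PartnerSite:
    """Destination site: steps 5, 6 and 8."""
    def __init__(self, am, trusted_issuer):
        self.am, self.trusted_issuer = am, trusted_issuer

    def receive(self, url, now=None):
        # Steps 5/6: parse the artifact from the followed redirect and resolve it.
        query = parse_qs(urlparse(url).query)
        artifact = query.get("SAMLart", [None])[0]
        assertion = self.am.resolve(artifact, now) if artifact else None
        # Step 8: refuse unless a fresh assertion from the trusted issuer came back.
        if assertion is None or assertion["issuer"] != self.trusted_issuer:
            return {"status": "refuse"}
        return {"status": "grant", "user": assertion["subject"], "target": query["TARGET"][0]}
```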