Sun Java TM System Identity Solution
Stuart Sim, Chief Architect, Global Education & Research, Sun Microsystems (PowerPoint presentation)


  1. Sun Java TM System Identity Solution
     Stuart Sim, Chief Architect, Global Education & Research, Sun Microsystems

  2. Agenda
     • Business Drivers for Identity Management
     • Sun’s Identity Management Solution
     • Sun Java System Access Manager Overview
       > Authentication Services
       > Federation Services
       > Auditing Services
       > SSO for non-web apps
     • Sun Java System Identity Server Overview
       > User Provisioning
     • Sun Open Source Strategy for Identity
     Sun Proprietary/Confidential: Internal Use Only

  3. Sun's Identity Management Suite
     • Comprehensive software solution that includes
       > Directory Services (Directory Server Enterprise Edition)
       > Access Control, Single Sign-On, Federation (Access Manager)
       > Provisioning and Identity Synchronization Services (Identity Manager)
       > Identity Auditing (Identity Auditor)
     • Open, Integrated, “Integrate-able” to reduce cost, complexity

  4. Sun Java TM System Access Manager

  5. Access Manager 6.3 (feature checklist)
     • Core Auth (LDAP, Radius, AD, etc.)
     • SSO (CDSSO, SAML 1.1, Liberty)
     • Authorization (Role Mgt, Policy)
     • Liberty Alliance Compliant Phase 1 & 2 (ID-FF, ID-WSF)
     • Discovery Service
     • Metadata Management
     • Bulk-federation
     • PAOS, LECP
     • Personal/Employee Profile
     • ResourceID Mapper
     • RoleID Mapper
     • Federation Manager

  6. Access Management Today: Fragmented, Insecure, Costly
     ● Who has access to what resource?
     ● What can users do with that access?
     ● How much does secure access cost me?
     ● How do I quickly deploy new services?
     ● How do I comply with laws & regulations?
     [Diagram labels: Customers, Employees, Business Partners; Directories, Databases, Applications, Web Services, Custom Systems]

  7. Sun Java TM Enterprise System
     • Sun Java Enterprise Suites
       > Application Platform Suite
       > Communication Suite
       > Availability Suite (NEW)
       > Infrastructure Suite
       > Identity Management Suite
     • Original "Business model"
       > Pricing per employee
       > Included license, service and support
       > RTU (employee, client)
     • Multi-platforms
       > Solaris SPARC and x64, Linux RedHat AS 2.3
       > Windows 2003, HP-UX

  8. Solution: Sun Java Access Manager
     ● Increase enterprise-wide security
     ● Reduce complexity and operational costs
     ● Open access to customers, partners
     ● Provide a foundation for compliance
     [Diagram labels: Customers, Employees, Business Partners; Access Manager Services: Authentication, Single Sign-On, Policy, User Profile/Roles, Federation, Audit/Reports; Directories, Databases, Applications, Web Services, Custom Systems]

  9. Access Manager: Functional Overview
     • Single sign-on to web, J2EE resources
     • Centralize policy-based authentication and authorization
     • Enable distributed authentication and policy enforcement
     • Audit and log all authentication events
     • Platform for enabling identity-based web services
     [Diagram labels: Policy Agents; Access Manager Services: Authentication, Single Sign-On, Policy, User Profile/Roles, Federation, Audit/Reports; Directories, Databases, Business Applications]

  10. Centralized Authentication Services
     • Leverage existing authentication mechanisms
     • Centrally manage, establish user identity
       > Over 15 mechanisms out of the box - LDAP, Active Directory, JDBC, SAML, others
     • Adapt using custom modules as needed
     [Diagram labels: Firewall; Policy Agents; Access Manager Modules: JDBC, LDAP, Cert, HTTP; Services: Authentication, Single Sign-On, Policy, User Profile/Roles, Federation, Audit/Reports; Directories, Databases, Business Applications]

  11. Distributed Authentication Services
     • Flexible deployment model
       > Deploy authN mechanisms in the DMZ or behind the firewall
       > Customize presentation, credential extraction
     • Create high-performance, secure AuthN
     [Diagram labels: Firewall; DMZ; Distributed Authentication; Access Manager Services: AuthN, Single Sign-On, Policy, User Profile/Roles, Federation, Audit/Reports]

  12. Centralized Policy Services
     • Flexible, comprehensive policy decision engine
       > Centrally define, manage authorizations
       > Easily extend authorizations to new applications
       > Base access controls, authorizations on roles, user profiles
     • Create a central point of control
       > Easier to audit usage
       > Easier to handle role/policy exceptions
       > Easier to make dynamic access decisions
     • Define granular controls
       > Control access to specific end points
       > Systematic management of sessions

  13. Centralized Policy Services
     • Define Resource Realms
       > Create a virtual delegation hierarchy for managing resources
       > Delegate policy administration based on realms
     • Flexible policy deployment model
       > Decouple underlying directory structure from policy implementation

  14. Distributed Policy Services
     • Provide policy enforcement at the point of access
       > Easily adapt centralized policy capabilities onto existing applications
       > Provide deeper, fine-grained enforcement of policy
       > Leverage system capabilities
     • Provide centralized policy enforcement
       > Reverse proxy solution expands flexibility, manageability

  15. Centralized Audit Services
     • Centrally track all AuthN, AuthZ events
     • Provide easy-to-manage proof points
       > Who had access, who granted that access
       > What systems did they access
       > What functions did they perform
       > When did they perform those functions
     • Standards-based implementation
       > Easy integration with existing auditing, reporting tools
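Slides 12 to 15 describe one model: a central policy decision engine, resource realms forming a delegation hierarchy, enforcement agents at the point of access that only relay the central decision, and an audit trail of who granted what and who was allowed or denied. The following Python is an added illustration of that model and is not Sun Access Manager code or its API; the realm names, roles, user ids and URLs are constructed for the example.

```python
"""Toy policy decision point (PDP) with resource realms, delegated policy
administration, role-based rules and an audit log. Added illustration,
not Access Manager code; every identifier below is constructed."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


@dataclass
class Policy:
    name: str
    resource_pattern: str    # glob over the resource URL
    actions: Set[str]        # HTTP methods the rule covers
    allowed_roles: Set[str]  # holding any one of these roles grants access


@dataclass
class Realm:
    name: str
    admins: Set[str]                  # delegated policy administrators
    parent: Optional["Realm"] = None  # realms form a delegation hierarchy
    policies: List[Policy] = field(default_factory=list)


@dataclass
class Subject:
    uid: str
    roles: Set[str]


class PolicyService:
    """Central decision engine: agents ask, it decides, and it audits both
    administrative changes (who granted access) and AuthZ decisions."""

    def __init__(self) -> None:
        self.realms: Dict[str, Realm] = {}
        self.audit: List[dict] = []

    def create_realm(self, name: str, admins: Set[str], parent: Optional[str] = None) -> None:
        self.realms[name] = Realm(name, set(admins), self.realms[parent] if parent else None)

    def _is_admin(self, realm: Realm, uid: str) -> bool:
        # An admin of the realm or of any ancestor realm may manage its policies.
        r: Optional[Realm] = realm
        while r is not None:
            if uid in r.admins:
                return True
            r = r.parent
        return False

    def add_policy(self, realm_name: str, admin_uid: str, policy: Policy) -> None:
        realm = self.realms[realm_name]
        if not self._is_admin(realm, admin_uid):
            # A delegated admin cannot write outside its own realm subtree.
            self.audit.append({"event": "PolicyAdminDenied", "uid": admin_uid,
                               "realm": realm_name, "policy": policy.name})
            raise PermissionError(f"{admin_uid} may not administer realm {realm_name}")
        realm.policies.append(policy)
        self.audit.append({"event": "PolicyAdded", "uid": admin_uid,
                           "realm": realm_name, "policy": policy.name})

    def evaluate(self, subject: Subject, realm_name: str, resource: str, action: str) -> bool:
        """Deny by default; walk up the realm chain so rules defined centrally
        in a parent realm also apply inside every child realm."""
        matched: Optional[str] = None
        r: Optional[Realm] = self.realms[realm_name]
        while r is not None and matched is None:
            for p in r.policies:
                if (fnmatchcase(resource, p.resource_pattern)
                        and action in p.actions and subject.roles & p.allowed_roles):
                    matched = f"{r.name}:{p.name}"
                    break
            r = r.parent
        self.audit.append({"event": "AuthZ", "uid": subject.uid, "resource": resource,
                           "action": action, "realm": realm_name,
                           "decision": "ALLOW" if matched else "DENY", "policy": matched})
        return matched is not None


class PolicyAgent:
    """Enforcement point in front of one application. It only relays the
    central decision as an HTTP status, so policy stays centralized even
    though enforcement is distributed."""

    def __init__(self, service: PolicyService, realm_name: str) -> None:
        self.service, self.realm_name = service, realm_name

    def handle(self, subject: Subject, method: str, url: str) -> int:
        return 200 if self.service.evaluate(subject, self.realm_name, url, method) else 403


def demo():
    svc = PolicyService()
    svc.create_realm("corp", {"root-admin"})
    svc.create_realm("corp/hr", {"hr-admin"}, parent="corp")
    svc.add_policy("corp", "root-admin", Policy(
        "intranet-read", "https://intranet.example.test/*", {"GET"}, {"employee"}))
    svc.add_policy("corp/hr", "hr-admin", Policy(
        "payroll", "https://hr.example.test/payroll/*", {"GET", "POST"}, {"hr-staff"}))
    try:  # the HR delegate attempts to add a rule in the parent realm
        svc.add_policy("corp", "hr-admin", Policy(
            "self-grant", "https://intranet.example.test/*", {"GET"}, {"hr-staff"}))
        escalated = True
    except PermissionError:
        escalated = False

    agent = PolicyAgent(svc, "corp/hr")
    alice = Subject("alice", {"employee", "hr-staff"})
    bob = Subject("bob", {"employee"})
    results = {
        "alice_payroll_post": agent.handle(alice, "POST", "https://hr.example.test/payroll/run"),
        "bob_payroll_get": agent.handle(bob, "GET", "https://hr.example.test/payroll/run"),
        "bob_intranet_get": agent.handle(bob, "GET", "https://intranet.example.test/news"),
        "bob_intranet_delete": agent.handle(bob, "DELETE", "https://intranet.example.test/news"),
        "delegate_escalation_blocked": not escalated,
    }
    return results, svc.audit
```

Running demo() shows the three properties the slides ask for: a parent-realm rule (intranet-read) applies to a request handled by the child-realm agent, the child-realm delegate cannot change the parent realm, and the audit list records every PolicyAdded, PolicyAdminDenied and AuthZ event with the matched policy (or None on a deny), which is the "who granted, who accessed, what, when" trail an auditing tool would consume.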

  16. Access Manager Architecture
     [Diagram labels: Flexible Administration (GUI, CLI), Centralized Administration, Reporting, Audit Logging; Access Management, Federation Management; Access Manager Services: Session, Authentication, Authorization (Policy), Single Sign-On, Auditing; Existing Applications, Existing Resources, Existing Data Stores]

  17. Access Manager Architecture
     • Open
       > Unique J2EE architecture
       > Commitment to open standards and APIs - JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
     • Integrated
       > Leverage the strengths of Sun's market-leading Identity Management platform
       > Reuse services, functionality
     • Integrate-able
       > Deploys seamlessly into your existing environment
       > Data store independent
       > Modular, flexible deployment options
       > Faster time to deployment, lower TCO

  18. Access Manager: Extended Integration
     • Leveraging your existing network
       > Integration with smartcards, tokens, certificate providers
       > Reliable integration with enterprise applications
       > Superior integration with system management, monitoring
       > Out-of-the-box support, easy customization

  19. Liberty Platform Requirements
     • Trust Relationships
       > Infrastructure entities – Identity Provider (IDP) and Service Provider (SP)
       > Trust Circle (PKI trust root/paths)
     • Confidentiality and Integrity
       > Secure back-channel (TLS, SSL or VPN)
       > XML signatures
     • Peer Authentication and Authorization
       > Server-side certificates
     • Session State Management
       > Common domain cookie

  20. Sample Architecture
     [Diagram only; no text recoverable]

  21. Web Service SSO Service Flow: How to Integrate a Legacy Application with SSO & WS
     [Diagram labels: Security zone, Affiliation, Untrusted; User Principal, Liberty-enabled Server, SMS GW, Discovery Service (DS), Identity Provider (IDP), 3rd Party AP, Content Provider, CoT; steps A through K; Liberty ID-WSF; SSOs Not Specified by Liberty]

  22. Legacy & Web Service SSO Service: SMS to Web Service SSO
     [Diagram labels: SMS Gateway (SMS GW), Content Provider (CP), Service Request, Content Delivery, Federation Manager, Auth Req, Discovery Request, LDAP, IDP, DS, Geo-Loc PP (LES), Access Manager Identity Provider, Access Manager Attribute Provider; legend: HTTP/SOAP, Non-HTTP]

  23. Deployment Environment: Typical & Traditional Internet Architecture
     [Diagram only; no text recoverable]

  24. Sun Java TM System Federation Manager

  25. Agenda
     • What is Federated Identity?
     • Federation Business Drivers – The Virtual Campus
     • Benefits of Identity Federation
     • Sun's Federated Identity Management
     • Sun Java System TM Federation Manager
     • Sun’s work in Federation

  26. What is Federated Identity?
     “The agreements, standards, and technologies that make identity and entitlements portable across autonomous domains.”
     Burton Group, Identity and Privacy Strategies Research Report, “Toward Federated Identity Management: The Journey Continues,” August 19, 2003.
