
D3.1: Overview on IMS

Designs of IMS  Title: Overview on IMS
LIBERTY ALLIANCE AND SUN JAVA ACCESS MANAGER
Cross-Domain Single Sign-On

Liberty Alliance and Sun Java Access Manager

This section gives an overview of the Liberty Alliance and describes one conforming implementation, the Sun Java System Access Manager, in detail. The Access Manager is one component of the Sun Java Enterprise System.

Liberty Alliance

The goal of the Liberty Alliance Project is the development of an open standard for federated network identity. Its members include companies, non-profit organisations and government organisations, and their total number exceeds 150.

Different kinds of membership are possible, according to the level of involvement and the available budget (management board members, sponsor members, associates and affiliates).

Goals

The following five expert groups are developing the specifications [Sun05]: 

  1. Technology (development of sample implementations and interoperability tests) 

  2. Public Policy (regulatory issues, legal compliance, …) 

  3. Business & Marketing (identification of market requirements) 

  4. Conformance (interoperability and conformance testing) 

  5. Services (identity service specifications)

Status

To date, several case studies have been conducted, whitepapers and guidelines have been made available and a number of specifications are available for download on the project’s website. Based on these specifications and guidelines many vendors have implemented solutions which are now available in the market. 

Recently, Sun Microsystems has successfully conducted an authentication trial with 80 million users. This trial was based on the Java System Access Manager, which is described in detail in the following section.

Sun Java System Access Manager

The Sun Java System Access Manager [Sun05] (previous versions of which were known as “Sun Java System Identity Server” and “Sun ONE Identity Server”) is a part of Sun’s Identity Management framework. It provides functionality to manage access to resources by providing mechanisms for single sign-on (SSO) as well as the main building blocks of an identity management system:  

  1. authentication, authorisation and accounting/auditing across multiple servers;

  2. centralised administration with capabilities for delegation;

  3. the concept of Federated Identity, supporting standards such as the Security Assertion Markup Language (SAML) and the Liberty Alliance specifications;

  4. a highly scalable identity directory.

The foundation for an identity platform is laid by five main components, namely the Sun Java System Directory Server and four components integrated into the Access Manager, as shown in the figure below:

Figure : Components of the identity platform

  1. The Sun Java System Directory Server is an LDAP-based central repository for identity, application, and network resource information. In the context of identity management, it is used for storing and managing information related to identity profiles, access privileges, and policies.

  2. The Identity Management component supports administration tasks such as managing users’ identities, services and policies, by providing tools and GUIs that may be used to customise and automate the related tasks. To reduce the administrative overhead in systems with a large number of participating users, the users may be enabled to manage their own data, or parts thereof, via this component (Self Management / Self Registration). Delegated Administration is supported by Role-Based Access Control mechanisms.

  3. The Access Management component provides the infrastructure for authentication and authorisation, allowing access control policies for multiple resources to be enforced centrally with a single account per user. SSO mechanisms let a user access resources on multiple servers without authenticating again for each new resource; Cross-Domain SSO (CDSSO, see the section on Cross-Domain Single Sign-On) extends this across different DNS domains. The component supports multi-level authentication: each authentication level corresponds to at least one authentication mechanism, every resource is assigned an authentication level, and the user may choose among the mechanisms associated with that level when authenticating for a resource. After a successful authentication, the user only has to re-authenticate for resources that have been assigned a higher authentication level. Policy agents integrate application servers and web servers with the Access Manager: whenever a user attempts to access a protected resource via the web server, the policy agent checks whether an authentication token is present and, if necessary, redirects the request to the Access Manager for authentication.

  4. The Service Management component provides GUIs and tools for the administration of services, including tasks such as registering services or updating service attributes. In this context, a service is abstractly defined by a name and a group of attributes describing related information, i.e. typically, but not necessarily, the parameters provided by a service actually implemented as a software module. The services of the Access Manager itself (the Core Services providing its basic functionality) are configured via this component as well.

  5. The Federation Management component provides functionality for SAML interoperability and federated identity. Federation means linking a user’s separate accounts across multiple domains. To achieve it, information about the respective user must be exchanged securely; the SAML standard is used here to exchange security assertions between trusted security authorities.
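The policy-agent and multi-level authentication behaviour described for the Access Management component (item 3 above), as an added Python model that is not Sun's code and not taken from this deliverable. The resource paths, authentication levels, mechanism names and the login URL with its `goto` and `authlevel` query parameters are assumptions chosen for illustration; the point it shows is that a session authenticated at a higher level covers lower-level resources, and that redirection to the Access Manager happens only when the token is missing or its level is too low.

```python
"""Toy model of a policy agent enforcing multi-level authentication in front of
a web server (added illustration, not Sun Java System Access Manager code).
Levels, mechanisms, resources and the login URL are assumed values."""
from dataclasses import dataclass
from typing import Optional

# Authentication mechanisms and the level each one satisfies (assumed).
AUTH_MECHANISM_LEVEL = {"ldap-password": 1, "otp-token": 2, "x509-cert": 3}

# Minimum authentication level assigned to each protected resource (assumed).
RESOURCE_LEVEL = {
    "/intranet/news": 1,
    "/hr/payroll": 2,
    "/admin/console": 3,
}

# Where the agent sends unauthenticated or under-authenticated requests (assumed).
ACCESS_MANAGER_LOGIN = "https://am.example.test/login"


@dataclass
class SessionToken:
    """What the SSO token carries for our purposes: who, and at what level."""
    user: str
    auth_level: int


@dataclass
class Decision:
    action: str                     # "allow" or "redirect"
    location: Optional[str] = None  # redirect target when action == "redirect"


def mechanisms_for_level(level: int) -> list:
    """Mechanisms a user may choose from to reach at least the given level."""
    return sorted(m for m, lvl in AUTH_MECHANISM_LEVEL.items() if lvl >= level)


def authenticate(user: str, mechanism: str,
                 existing: Optional[SessionToken] = None) -> SessionToken:
    """Access Manager side: a successful login raises the session level and
    never lowers it, so a stronger login still covers lower-level resources."""
    level = AUTH_MECHANISM_LEVEL[mechanism]
    if existing is not None and existing.user == user:
        return SessionToken(user, max(existing.auth_level, level))
    return SessionToken(user, level)


def policy_agent(resource: str, token: Optional[SessionToken]) -> Decision:
    """Policy agent in front of the web server: allow, or redirect to the
    Access Manager asking for the level the resource requires."""
    required = RESOURCE_LEVEL.get(resource)
    if required is None:
        return Decision("allow")            # not a protected resource
    if token is None or token.auth_level < required:
        # Missing token, or session authenticated below the resource's level:
        # the user must (re-)authenticate, and only then.
        return Decision("redirect",
                        f"{ACCESS_MANAGER_LOGIN}?goto={resource}&authlevel={required}")
    return Decision("allow")


if __name__ == "__main__":
    token = None
    for resource in ["/intranet/news", "/hr/payroll", "/intranet/news"]:
        decision = policy_agent(resource, token)
        print(resource, decision.action, decision.location or "")
        if decision.action == "redirect":
            # The user picks the weakest mechanism that still satisfies the level.
            mech = min(mechanisms_for_level(RESOURCE_LEVEL[resource]),
                       key=AUTH_MECHANISM_LEVEL.get)
            token = authenticate("alice", mech, token)
            print("  authenticated with", mech, "-> level", token.auth_level)
```

Running the block walks one user through a level-1 resource, a level-2 resource (which triggers a second login) and back to the level-1 resource, which no longer needs a login.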
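Account federation through exchanged security assertions (item 5 above), as an added Python model that is not Sun's, the Liberty Alliance's or this deliverable's code. An HMAC over a JSON body stands in for the XML signature of a real SAML assertion, and the authority names and the shared key are constructed for the example. It goes slightly beyond the paragraph in showing what the relying side must check before trusting an assertion (integrity, issuer, audience, validity window) and why the identity provider hands each service provider its own opaque identifier for the same user.

```python
"""Toy model of account federation across two domains using exchanged, signed
security assertions (added illustration, not Sun's, Liberty's or the
deliverable's code). An HMAC over a JSON body stands in for the XML signature
of a real SAML assertion; all names and the key are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Key shared between the two trusted security authorities (constructed).
SHARED_KEY = b"constructed-idp-sp-shared-key"


def _mac(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, canonical, hashlib.sha256).hexdigest()


def issue_assertion(issuer: str, audience: str, name_id: str,
                    ttl: float = 300.0, now: Optional[float] = None) -> dict:
    """Authority side: state that the principal behind name_id authenticated,
    for one audience and within a short validity window."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "audience": audience, "name_id": name_id,
            "issued": now, "expires": now + ttl}
    return {"body": body, "mac": _mac(body)}


def verify_assertion(assertion: dict, expected_issuer: str, expected_audience: str,
                     now: Optional[float] = None) -> dict:
    """Relying side: integrity, trusted issuer, intended audience, validity window."""
    body = assertion["body"]
    if not hmac.compare_digest(_mac(body), assertion["mac"]):
        raise ValueError("assertion integrity check failed")
    if body["issuer"] != expected_issuer:
        raise ValueError("assertion from an untrusted issuer")
    if body["audience"] != expected_audience:
        raise ValueError("assertion not intended for this audience")
    now = time.time() if now is None else now
    if not body["issued"] <= now < body["expires"]:
        raise ValueError("assertion outside its validity window")
    return body


class IdentityProvider:
    def __init__(self, name: str):
        self.name = name
        self._handles = {}  # (user, service provider) -> opaque name identifier

    def name_id_for(self, user: str, sp: str) -> str:
        # One random handle per (user, SP) pair: the SP never sees the local
        # user name, and two SPs cannot correlate the same user by handle.
        if (user, sp) not in self._handles:
            self._handles[(user, sp)] = secrets.token_hex(16)
        return self._handles[(user, sp)]

    def assert_login(self, user: str, sp: str, now: Optional[float] = None) -> dict:
        return issue_assertion(self.name, sp, self.name_id_for(user, sp), now=now)


class ServiceProvider:
    def __init__(self, name: str, trusted_idp: str):
        self.name = name
        self.trusted_idp = trusted_idp
        self._links = {}  # opaque name identifier -> local account

    def federate(self, local_user: str, assertion: dict,
                 now: Optional[float] = None) -> None:
        """Link a local account (whose owner is logged in here) to the IdP's
        identifier carried by a valid assertion from the trusted IdP."""
        body = verify_assertion(assertion, self.trusted_idp, self.name, now)
        self._links[body["name_id"]] = local_user

    def sso_login(self, assertion: dict, now: Optional[float] = None) -> Optional[str]:
        """Return the linked local account, or None if not federated yet."""
        body = verify_assertion(assertion, self.trusted_idp, self.name, now)
        return self._links.get(body["name_id"])


if __name__ == "__main__":
    idp = IdentityProvider("idp.example.test")
    shop = ServiceProvider("shop.example.test", "idp.example.test")
    shop.federate("alice_shop", idp.assert_login("alice", "shop.example.test"))
    print(shop.sso_login(idp.assert_login("alice", "shop.example.test")))
```

The `now` parameters exist so that the validity window can be exercised deterministically; in the stand-alone run they default to the wall clock.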

 

 

Designs of IMS  fidis-wp3-del3.1.overview_on_IMS.final_04.sxw  Cross-Domain Single Sign-On
12 / 31