Sun Identity Management Suite Overview

The document discusses Sun's Identity Management Suite, including an overview of the products, architecture, standards support, and benefits to customers, partners and employees. It provides details on the Directory Server, Identity Manager, Access Manager and how they work together for single sign-on, authentication and authorization in an integrated identity management solution.


Sun Identity Management Suite

Sun Proprietary & Confidential


Agenda
● Introductions
● Travelocity and GetThere Overview
● Requirements
● Sun JES Overview
● Sun AM Architecture
● SAML/Liberty Architecture
● Identity Management Architecture
● Open Discussion
● Next Steps



Sun Java Systems

Runs on: Solaris (x86 and SPARC), Linux, HP-UX*, AIX*, Windows*
* Future release
World Class Software

Portal Services
● Portal Server, Gartner Group leader 3 years
● Portal Server Market Leader, Radicati, 2002 & 2001
● Portal Server, Winner 2003, RealWare Enterprise Portal Application

Network Identity Services
● Directory Server, Gartner Group leader 3 years
● Directory Server Market Leader with 2 billion entries
● Identity Server, eWeek eXcellence Award Finalist

Availability Services
● Recognized leader in Unix clustering market by Gartner and IDC
● Bankers Automated Clearing Services (BACS) has achieved 100% availability levels with Sun Cluster
● Service availability commitment of up to 99.99% on Sun Fire systems

Communications and Collaboration Services
● Messaging Server, Gartner Group leader
● #1 Market Share in Service Provider Messaging, Radicati
● 2x better TCO than MSFT and IBM in the enterprise, Radicati

Web and Application Services
● Web Server is used by 80% of Fortune 100 Finance & Insurance companies
● App Server is used by 55% of Global 500 Telecommunications companies
● Web Server powers MLB.com which is visited by 38 million people each month
The “Identity Grid”

Application interfaces: Web Interface, Portal Interface
Users of the grid: IT Administrators, Employees, Partners, Customers

Product Categories
● Administration Services
– Provisioning Services
– Password Management
– User Administration
– Identity Synchronization
– Policy Management
● Transaction Services
– Data transport Services
– Authentication Services
– Authorization Services
● Data Repositories
– Directories
– Databases
– Flat Files
– CRM, eCommerce, ERP, HR, SCM


Integrated, End-to-End Identity Management

Common layers: Web-Based Administration; Audit & Reporting
● Identity Manager: User Provisioning, Password Management, Synchronization Services
● Access Manager: Web Single-Sign-On, Access Control, Federation
● Directory Server EE: Directory Services, Security/Failover, AD Synchronization


Support for 3rd party platforms
● Identity Manager
– Supported Platforms: IBM AIX, HP-UX, Windows, Solaris, Red Hat Linux, BEA WebLogic, IBM WebSphere, Sun Application Server
– Resource Adapters (agentless): LDAP 3, Microsoft Active Directory, Novell eDirectory, Novell NDS, Oracle Internet Directory, Sun Java System Directory Server, IBM DB2, IBM Informix, Microsoft SQL Server, MySQL, Oracle8i and 9i, Sybase, Oracle11i E-Business Suite, PeopleSoft, SAP R/3, Siebel CRM, Peregrine Service Center, Remedy Help Desk, Lotus Notes, Microsoft Exchange, Novell GroupWise, HP OpenVMS, HP-UX, IBM AIX, IBM OS/400, Microsoft Windows 2000, 2003, NT, RedHat Linux, Sun Solaris, CA-ACF2, CA-Top Secret, Entrust Authority Security Manager, IBM RACF, RSA SecurID, Entrust GetAccess, IBM Tivoli Access Manager, Netegrity Siteminder, Oblix NetPoint, OpenNetwork DirectorySmart, RSA ClearTrust, Sun Java System Identity Server
● Access Manager (Authentication, Authorization, and Federation)
– Supported Platforms: Red Hat Linux, Sun Solaris, Microsoft Windows*, HP-UX*, Linux RedHat*, IBM WebSphere*, BEA WebLogic* (*coming in Q1, 2005)
– Policy Agents: Apache, BEA WebLogic, IBM WebSphere, IBM HTTP Server, Lotus Domino, Microsoft IIS, Oracle Application Server, Sun Java System Web Server, Sun Java System Application Server, Tomcat Application Server, Oracle, PeopleSoft, SAP ITS, SAP Portal, Siebel
● Directory Server
– Supported Platforms: Microsoft Windows, HP-UX, IBM AIX, Solaris, Red Hat Linux


Commitment to Standards
Industry standard and Sun's leadership role in it:
● Liberty Alliance (Identity Federation): Management board member; 1st vendor to earn “Liberty Alliance Interoperable” logo for Access Manager
● OASIS Security Assertion Markup Language (SAML): Co-founder, former chair, and current secretary of Security Services tech committee; leader in defining SAML; 1st to deliver in Access Manager
● OASIS Service Provisioning Markup Language (SPML): Chair of OASIS Provisioning Services Technical Committee; major contributor to the SPML specification; 1st to release open source SPML toolkit
● OASIS eXtensible Access Control Markup Language (XACML): Secretary of the OASIS XACML technical committee; 1st to release open source version of XACML 1.0
● Web Services Interoperability Organization (WS-I): Board member and vice-chair of the Basic Security Profile Working Group of WS-I
● Lightweight Directory Access Protocol (LDAP): Co-author of the LDAP V3 technical specification and 1st vendor to ship reference LDAP implementation
● OASIS Directory Services Markup Language 2.0 (DSML): Contributor to the DSML technical specification and one of the 1st vendors to productize DSML 2.0


Sun Identity Management

A unified portfolio for using, sharing, and managing identity information for customers, partners and employees.

● Open: Decreases integration costs, reduces deployment time, maximizes the value of prior technology investments
● Unified: Lowers total cost of ownership, improves visibility and control, unifies identity across technology and business boundaries
● Secure: Reduces risk through centralized control and enforcement, helps meet audit and compliance goals


Sun Identity Solution:
Single Sign On, Authentication and Authorization

Sun Java System Access Manager
Delivering single sign-on, access control and federation services across intranets and extranets.

“Sun leads in implementation of the federated identity management specifications of Liberty Alliance and OASIS SAML.”
- Burton Group, August 2003

Benefits: improved security, enhanced user experience, increased revenue opportunities, reduced administrative costs.

● Single sign-on improves user experience, enhances security, reduces support costs
● Role/rule-based authorization provides centralized security policy enforcement
● Federation services increase revenue opportunities by enabling trusted partnerships
● Proven scalability for securing large, Internet-scale deployments
● Instant auditing of critical access-related information


Access Manager
Core Components

● Administration interfaces: Admin GUI, CLI
● Access Management: Authentication, Policy, Session/SSO Management, Logging
● Identity Management: User Management, Delegated Administration, Self Registration
● Service Management: Configuration
● Federation: SAML, Liberty
● API and SPI (Plugin API)
● Directory Server as the underlying store


Solution: Sun Java System Access Manager

Provide consistent, strong security
– Reduce complexity and operational costs
– Increase revenue opportunities and competitive advantage
– Lower risk, increase compliance

Access Manager sits between the users (Customers, Employees, Business Partners) and the protected resources (Directories, Databases, Applications, Web Services, Custom Systems), providing:
● Web Access Control
● Single Sign-on
● Federation
● Role and rule-based access control
● Centralized authentication services
● Real-time audits
What Does Access Manager Do
● Web-based Access Management
● 3 main features
– Single Sign-On – minimize necessity for end
user to provide credentials, without
compromising security
– Access Control – ensure that access to
protected resources is restricted to authorized
users
– Federation – provide identity services across
department/enterprise boundaries



Access Manager Architecture

A Web Browser talks HTTP(S) to a Web / Application Server, where a Policy Agent intercepts requests. C Applications and Java Applications use the SDK, which talks XML/HTTP(S) to the Access Manager Services.

Access Manager runs in a Web / J2EE Container and consists of:
● Access Manager Services and the SDK (Java APIs)
● Access Manager APIs (XML), also used by the Admin CLI
● Access Manager Framework
● SPI (Service Provider Interface), through which plugin modules provided by Sun and custom plugin modules are loaded
● Sun Java System Directory Server as the backing store
Java Applications deployed in the same container call the Access Manager Java APIs directly.
Access Manager Architecture
● Only vendor based on J2EE architecture
– Java servlets deployed in web container JVM
– Services can be distributed separately from others and are modular
– Customers can leverage their knowledge of running and developing
Java-based applications
● Faster time to deployment, lower TCO

● Deeply customizable/extensible
– Java, XML & C interfaces provide robust mechanisms for integration
and extensibility
● Highly reliable and scalable
– Leverages multi-tier J2EE load-balancing and failover
● Built on and implements open standards and APIs
– JAAS, JDK 1.4 Log API, Liberty, SAML, etc.
Deployment Architecture



Authentication Services
● Standards-based, extensible authentication
framework
– Supports JAAS (Java Authentication and Authorization Service), SAML (Security Assertion
Markup Language) and the Liberty Alliance specifications
● Out of the box authentication schemes
– LDAP, Certificate, SecurID, RADIUS, Unix, HTTP, Windows, Safeword,
NT, Windows Desktop SSO, JDBC, and more
● Flexible authentication configuration
– Per org/resource, Multi-factor, Levels-based, Failure lockout
● Customizable and integratable
– Java/JAAS interfaces to extend and customize authentication
– APIs to integrate remote applications



Windows Desktop SSO Flow
Participants: User, Active Directory, Sun Java System Access Manager.

1. Login to Windows Desktop in normal way
2. Request protected resource
3. Return '401 Unauthorized' with 'WWW-Authenticate: Negotiate' header
4. Request ticket from Kerberos Ticket Granting Service
5. Provide ticket
6. Request protected resource – this time with SPNEGO token in 'Authorization: Negotiate' header
7. Request ticket authentication
8. Authentication response
9. Redirect to resource with SSO token – request can now proceed in normal way
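The exchange above, as an added example that is not Sun's code: a Python model of the Access Manager side of the Negotiate handshake (steps 2, 3, 6 and 9) together with a browser-side driver. The Kerberos Ticket Granting Service and the service-ticket check are replaced by a stand-in (an HMAC over the principal name under a key the pretend KDC and the service share), so only the HTTP-level behaviour is faithful: challenge when no token is present, decode the `Authorization: Negotiate` value, and on success mint an opaque SSO token and redirect back to the resource. The key, the cookie name `SSOTOKEN` and the principal names are constructed for the example.

```python
"""Access Manager side of the Windows Desktop SSO (SPNEGO/Negotiate) flow.

Added example, not Sun's code. Kerberos itself is replaced by a stand-in:
the "service ticket" inside the SPNEGO token is an HMAC over the principal
name under a key the pretend KDC and the service share (constructed here).
"""
import base64
import hashlib
import hmac
import secrets

SERVICE_KEY = b"constructed-shared-service-key"   # stand-in for the service's Kerberos key
SESSIONS = {}                                      # SSO token (opaque handle) -> principal
COOKIE_NAME = "SSOTOKEN"                           # cookie name constructed for the example


def kdc_issue_ticket(principal: str) -> bytes:
    """Stand-in for steps 4/5 (Ticket Granting Service): name || MAC(name)."""
    tag = hmac.new(SERVICE_KEY, principal.encode(), hashlib.sha256).digest()
    return principal.encode() + b"|" + tag


def validate_ticket(spnego_token: bytes):
    """Stand-in for steps 7/8: check the MAC in constant time; return the principal or None."""
    try:
        name, tag = spnego_token.rsplit(b"|", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVICE_KEY, name, hashlib.sha256).digest()
    return name.decode() if hmac.compare_digest(tag, expected) else None


def challenge():
    """Step 3: no usable token, so ask the browser to negotiate."""
    return 401, {"WWW-Authenticate": "Negotiate"}


def handle_request(headers: dict, resource: str):
    """Access Manager handling one HTTP request. Returns (status, response headers)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Negotiate "):
        return challenge()
    try:
        spnego = base64.b64decode(auth[len("Negotiate "):], validate=True)
    except ValueError:                      # binascii.Error is a ValueError subclass
        return challenge()
    principal = validate_ticket(spnego)
    if principal is None:
        return challenge()                  # bad ticket gets the same answer as no ticket
    # Step 9: mint an opaque SSO token (a random handle with no content) and
    # send the browser back to the resource it originally asked for.
    sso_token = secrets.token_urlsafe(32)
    SESSIONS[sso_token] = principal
    return 302, {"Location": resource,
                 "Set-Cookie": f"{COOKIE_NAME}={sso_token}; Secure; HttpOnly"}


def browser_flow(principal: str, resource: str = "/protected/index.html"):
    """Drive steps 2-9 from the browser's side. Returns (final status, SSO token or None)."""
    status, resp = handle_request({}, resource)                 # step 2 -> step 3
    if status != 401 or resp.get("WWW-Authenticate") != "Negotiate":
        return status, None
    ticket = kdc_issue_ticket(principal)                         # steps 4/5
    header = "Negotiate " + base64.b64encode(ticket).decode()    # step 6
    status, resp = handle_request({"Authorization": header}, resource)
    if status != 302:
        return status, None
    token = resp["Set-Cookie"].split(";")[0].split("=", 1)[1]
    return status, token


if __name__ == "__main__":
    status, token = browser_flow("jsmith@EXAMPLE.COM")
    print(status, "session for", SESSIONS.get(token))
```

The point to take from the model is that the SPNEGO token is consumed once, server side, and what the browser keeps afterwards is only the random handle; a malformed or unverifiable token simply produces the same `401` challenge as a missing one.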


Authorization Governed by Policy
● Policy = Rules + Subjects + Conditions
– Rules
● Resource being protected – URL, access method,
allow/deny
– Subjects
● Who is allowed access? User/role/group etc
– Condition
● Additional constraints – IP address, authN
level/mechanism, day/time, session timeout
– Referral policies, SPI allow customization
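As an added example (not Sun's policy engine), the evaluation below shows how the three parts of a policy combine for one request: rules select the resource and method and say allow or deny, subjects decide whether the policy applies to the caller, and conditions (client network, authentication level, time of day) gate it. When an authentication-level condition is what fails, the result carries an advice naming the required level, which is the information a policy agent needs to start a session upgrade rather than refuse outright. The data shapes, the sample policies and the advice format are assumptions.

```python
"""Policy = Rules + Subjects + Conditions, evaluated for one request.

Added example, not Sun's policy engine. Data shapes, the sample policies and
the 'advice' returned when an authentication-level condition fails are
assumptions; that advice is the hook a policy agent would use to start a
session upgrade instead of simply refusing.
"""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress


@dataclass(frozen=True)
class Rule:
    resource: str          # URL pattern; '*' matches any run of characters
    methods: frozenset     # access methods covered
    allow: bool = True     # allow or deny


@dataclass(frozen=True)
class Subject:
    users: frozenset = frozenset()
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Condition:
    ip_networks: tuple = ()     # CIDR strings; empty means any address
    min_auth_level: int = 0     # required strength of the authentication used
    hours: tuple = (0, 24)      # local-time window [start, end)


@dataclass(frozen=True)
class Policy:
    name: str
    rules: tuple
    subjects: Subject
    condition: Condition = Condition()


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    auth_level: int
    client_ip: str


def subject_matches(subject: Subject, session: Session) -> bool:
    return session.user in subject.users or bool(subject.roles & session.roles)


def condition_holds(cond: Condition, session: Session, now: datetime):
    """Returns (holds, advice). advice names the auth level that would satisfy
    the policy, so the agent can offer a session upgrade instead of a flat deny."""
    if session.auth_level < cond.min_auth_level:
        return False, {"AuthLevel": cond.min_auth_level}
    if not cond.hours[0] <= now.hour < cond.hours[1]:
        return False, {}
    if cond.ip_networks:
        ip = ipaddress.ip_address(session.client_ip)
        if not any(ip in ipaddress.ip_network(net) for net in cond.ip_networks):
            return False, {}
    return True, {}


def decide(policies, session: Session, url: str, method: str, now: datetime):
    """Deny by default; an explicit deny beats any allow; advice only accompanies a deny."""
    decision, advices = None, {}
    for policy in policies:
        matching = [r for r in policy.rules
                    if method in r.methods and fnmatchcase(url, r.resource)]
        if not matching or not subject_matches(policy.subjects, session):
            continue
        holds, advice = condition_holds(policy.condition, session, now)
        if not holds:
            advices.update(advice)
            continue
        if any(not r.allow for r in matching):
            return "deny", {}
        decision = "allow"
    return ("allow", {}) if decision == "allow" else ("deny", advices)


EMPLOYEES = Subject(roles=frozenset({"employee"}))
POLICIES = (   # constructed sample policies for a White Pages and a Paycheck application
    Policy("whitepages", (Rule("https://wp.example.com/*", frozenset({"GET"})),), EMPLOYEES),
    Policy("whitepages-admin",
           (Rule("https://wp.example.com/admin/*", frozenset({"GET", "POST"}), allow=False),),
           EMPLOYEES),
    Policy("paycheck", (Rule("https://pay.example.com/paycheck/*", frozenset({"GET"})),),
           EMPLOYEES,
           Condition(ip_networks=("10.0.0.0/8",), min_auth_level=2, hours=(6, 22))),
)


def sample_time(hour: int) -> datetime:
    """Constructed evaluation time on a fixed date."""
    return datetime(2004, 6, 1, hour, 0)
```

Deny-by-default and deny-overrides-allow are the two choices that matter most when policies from several administrators are combined; the advice mechanism keeps a failed authentication-level check distinguishable from a failed network or time check, which should not be upgradeable.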
Authorization: Policy Agents
● Agents for more than 100 applications/platforms
● Web Policy Agents enforce URL access
– Protects static html resources or web applications, supports full
or partial URL strings
● J2EE Agents protect J2EE resources such as EJBs and servlets
– Map EJB, servlet access control to Access Manager Policies



Single Sign-On – How It Works
● Policy Agent on Web or Application
Server intercepts resource requests
and enforces access control
● Client is issued SSO token containing
information for session validation with
Session service
● SSO token has no content – just a long
random string used as a handle
Single Sign-On Token
● Web-based applications use browser
session cookies or URL rewriting to
issue SSO token
● Non Web applications use the SSO API
(Java/C) to obtain the SSO token to
validate the user's identity



Audit Services
● Centralized logging from multiple server
activities
● Configurable log content aids in regulatory
compliance
– “Who did what to which resource?”
● Secure, tamper-proof logs
● Flexible output format – JDBC or ELF

● Open, standards-based, JDK 1.4 logging API
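What "secure, tamper-proof logs" amount to in practice is shown by the added example below (not Sun's logging service): each audit record answers who did what to which resource with what outcome, and carries an HMAC over its own content and the previous record's MAC, so that editing, deleting or reordering any earlier record breaks the chain during verification. The key belongs to the logging service rather than to the applications writing records. The record fields, key and sample entries are constructed.

```python
"""Tamper-evident audit records answering "who did what to which resource?".

Added example, not Sun's code. Each record carries an HMAC over its content
and the previous record's MAC, so editing, removing or reordering records
breaks the chain; the key belongs to the logging service, not to the
applications writing records. Log content and key are constructed.
"""
import hashlib
import hmac
import json
import time

CHAIN_SEED = b"\x00" * 32


def _mac(key: bytes, prev: bytes, record: dict) -> str:
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev + body, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes, clock=time.time):
        self.key, self.clock = key, clock
        self.records = []
        self._prev = CHAIN_SEED

    def append(self, who: str, what: str, which: str, outcome: str) -> dict:
        """Write one record: actor, action, resource, result (plus time and sequence)."""
        record = {"seq": len(self.records), "ts": self.clock(),
                  "who": who, "what": what, "which": which, "outcome": outcome}
        record["mac"] = _mac(self.key, self._prev, record)
        self._prev = bytes.fromhex(record["mac"])
        self.records.append(record)
        return record

    def query(self, who=None, which=None):
        """Filter by actor and/or resource: the compliance question on the slide."""
        return [r for r in self.records
                if (who is None or r["who"] == who) and (which is None or r["which"] == which)]


def verify_chain(key: bytes, records) -> bool:
    """Recompute every MAC. Any edit, deletion or reordering of an earlier record
    makes a later MAC mismatch; truncating the tail is the one change this
    alone cannot see, so pair it with a record count or a periodic anchor."""
    prev = CHAIN_SEED
    for i, record in enumerate(records):
        body = {k: v for k, v in record.items() if k != "mac"}
        if body.get("seq") != i:
            return False
        if not hmac.compare_digest(_mac(key, prev, body), record.get("mac", "")):
            return False
        prev = bytes.fromhex(record["mac"])
    return True


def sample_log(key: bytes = b"constructed-log-key") -> AuditLog:
    """Constructed sample: three decisions recorded by the authentication and policy services."""
    ticks = iter(range(1_088_000_000, 1_088_000_100))
    log = AuditLog(key, clock=lambda: next(ticks))
    log.append("jsmith", "LOGIN", "AuthService", "SUCCESS")
    log.append("jsmith", "GET", "https://pay.example.com/paycheck/", "ALLOW")
    log.append("tjones", "GET", "https://pay.example.com/paycheck/", "DENY")
    return log
```

The chain detects modification of anything already written; it does not by itself detect that the newest records were cut off, which is why production designs add a running count or a signed checkpoint record at intervals.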



Cross Domain Single Sign-On
● User is issued a cookie for each domain
accessed that is part of the CDSSO
deployment
● Also accomplished with SAML/Liberty
implementation



Web SSO Flow
Participants: User, White Pages Application (with Access Manager Policy Agent), Sun Java System Access Manager, Paycheck Application (with Access Manager Policy Agent).

1. Request resource
2. Agent checks for SSO token + policies
3. Redirect to login page
4. Authenticate + create SSO token
5. Redirect to resource with SSO token
6. Request resource
7. Agent checks for SSO token + policies
8. Provide or refuse resource
9. Subsequent request for resource
10. Agent checks for SSO token + policies
11. Provide or refuse resource
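The flow above, together with the earlier point that the SSO token is a content-free random handle, as an added example that is not Sun's code: a Session service that owns all session state, a login stand-in that creates a session, and a policy agent class that each web server would run to check the cookie against the Session service before serving (steps 2, 3, 7, 8 and 10, 11). Because both agents validate against the same service, the second application is reached without another login, and logout or an idle timeout makes the handle worthless everywhere at once. User records, the cookie name `SSOTOKEN`, the login URL and the timeouts are constructed.

```python
"""SSO token as an opaque handle: the Session service owns all state; policy
agents on each web server validate the cookie against it (steps 2, 7, 10).

Added example, not Sun's code. User records, cookie name and timeouts are
constructed; a real deployment authenticates against LDAP or another module.
"""
import hmac
import secrets
import time
from urllib.parse import urlencode

COOKIE_NAME = "SSOTOKEN"      # constructed cookie name


class SessionService:
    def __init__(self, idle_timeout=1800, max_lifetime=8 * 3600, clock=time.time):
        self._sessions = {}
        self.idle_timeout, self.max_lifetime, self.clock = idle_timeout, max_lifetime, clock

    def create(self, user: str, roles) -> str:
        """Step 4: the token is random and content-free; it only indexes server state."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = {"user": user, "roles": frozenset(roles),
                                 "created": now, "last_access": now}
        return token

    def validate(self, token):
        """Return the session for a live token, or None (unknown, idle or expired)."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if (now - session["last_access"] > self.idle_timeout
                or now - session["created"] > self.max_lifetime):
            del self._sessions[token]
            return None
        session["last_access"] = now
        return session

    def destroy(self, token):
        """Logout: once the server-side record is gone the handle is worthless."""
        self._sessions.pop(token, None)


USERS = {"jsmith": ("s3cret-constructed", frozenset({"employee"})),
         "tjones": ("0ther-constructed", frozenset({"contractor"}))}   # constructed


def login(service: SessionService, user: str, password: str):
    """Authentication module stand-in; returns an SSO token or None."""
    record = USERS.get(user)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    return service.create(user, record[1])


class PolicyAgent:
    """Runs on each web server (White Pages, Paycheck) and intercepts requests."""
    def __init__(self, service, login_url, allowed_roles):
        self.service, self.login_url = service, login_url
        self.allowed_roles = frozenset(allowed_roles)

    def handle(self, url: str, cookies: dict):
        token = cookies.get(COOKIE_NAME)
        session = self.service.validate(token) if token else None
        if session is None:                                    # step 3: go and log in
            return 302, self.login_url + "?" + urlencode({"goto": url})
        if not (session["roles"] & self.allowed_roles):        # step 8: refuse
            return 403, None
        return 200, session["user"]                            # step 8: provide
```

The agent never interprets the cookie value; it only asks the Session service whether the handle is live, which is what makes the token safe to carry in a browser cookie and what lets a single `destroy` revoke access at every protected application.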


Session Features
● Session upgrade
– User provides additional credentials to access a
resource with higher authentication
requirements
● Client detection
– Provide content based on client type – standard
browser, WAP, etc.
● Resource-based session timeout
● Java & C Session/SSO APIs
Sun Identity Solution:
Federated Identity,
Partner Integration
Federated Identity
● Federation for cross-domain application
integration
● Facilitates 'trusted partnerships'
– Create tighter, more satisfying customer
& employee relationships
– Extend existing & create new revenue opportunities
– Implement business models that generate new
efficiencies and productivity gains
● Access Manager supports SAML 1.1
and Liberty 2.0
– Successful participation in SAML interop events
– Concurrent support for previous protocol versions
SAML Browser/Artifact Profile SSO Flow
Participants: User, Sun Java System Access Manager, Partner Site.

1. Authenticate to Access Manager in normal way
2. Request resource at Partner site
3. AM constructs artifact and assertion, stores assertion indexed by artifact, constructs URL containing artifact
4. Redirect browser to partner site
5. Browser follows redirection
6. Partner site uses artifact to request assertion
7. AM provides assertion
8. Partner site sends appropriate response to browser
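Both sides of the exchange above, as an added example that is not Sun's code. The identity provider builds the artifact and assertion, stores the assertion indexed by the artifact, and redirects the browser (steps 3 and 4); the partner site checks that the artifact names the issuer it trusts, resolves it over the back channel, and only then creates a local login (steps 5 to 8). The artifact uses the SAML 1.x type-1 layout (2-byte type code, 20-byte SourceID, 20-byte random handle) and the `SAMLart` / `TARGET` query parameters; everything else is simplified: the assertion is a dict rather than XML, and a shared secret stands in for the mutually authenticated SOAP-over-SSL connection. The issuer names, URLs and secrets are constructed.

```python
"""SAML 1.x Browser/Artifact profile, both sides of the exchange.

Added example, not Sun's code. The artifact uses the SAML 1.x type-1 layout
(2-byte type code, 20-byte SourceID, 20-byte random handle) and the SAMLart /
TARGET query parameters; the assertion is a plain dict rather than XML, and a
shared secret stands in for the mutually authenticated SOAP/SSL back channel.
All names, URLs and keys are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TYPE_CODE = b"\x00\x01"


def source_id(issuer: str) -> bytes:
    """20-byte SourceID derived from the issuer name (SHA-1, as in SAML 1.x)."""
    return hashlib.sha1(issuer.encode()).digest()


class IdentityProvider:
    """Access Manager side: steps 3, 4 and 7."""
    def __init__(self, issuer, partner_secret: bytes, clock=time.time, ttl=300):
        self.source_id, self.clock, self.ttl = source_id(issuer), clock, ttl
        self.partner_secret = partner_secret
        self._assertions = {}            # artifact -> assertion (indexed by artifact)

    def redirect_for(self, user: str, partner_url: str, target: str) -> str:
        now = self.clock()
        artifact = base64.b64encode(TYPE_CODE + self.source_id + secrets.token_bytes(20)).decode()
        self._assertions[artifact] = {"subject": user, "audience": partner_url,
                                      "issued": now, "not_on_or_after": now + self.ttl}
        return partner_url + "?" + urlencode({"SAMLart": artifact, "TARGET": target})

    def resolve(self, artifact: str, presented_secret: bytes):
        """Step 7: hand the assertion to the partner once, then forget the artifact."""
        if not hmac.compare_digest(presented_secret, self.partner_secret):
            return None
        assertion = self._assertions.pop(artifact, None)         # single use
        if assertion is None or self.clock() >= assertion["not_on_or_after"]:
            return None
        return assertion


class PartnerSite:
    """Partner side: steps 5, 6 and 8."""
    def __init__(self, idp, expected_issuer, site_url, secret: bytes, clock=time.time):
        self.idp, self.expected_source = idp, source_id(expected_issuer)
        self.site_url, self.secret, self.clock = site_url, secret, clock

    def receive(self, redirected_url: str):
        """Returns a local login dict for the browser, or None to refuse."""
        query = parse_qs(urlparse(redirected_url).query)
        try:
            artifact, target = query["SAMLart"][0], query["TARGET"][0]
            raw = base64.b64decode(artifact, validate=True)
        except (KeyError, ValueError):
            return None
        if len(raw) != 42 or raw[:2] != TYPE_CODE or raw[2:22] != self.expected_source:
            return None                                   # not from the issuer we trust
        assertion = self.idp.resolve(artifact, self.secret)              # step 6
        if assertion is None or assertion["audience"] != self.site_url:
            return None
        now = self.clock()
        if not assertion["issued"] <= now < assertion["not_on_or_after"]:
            return None
        return {"user": assertion["subject"], "target": target}          # step 8
```

The three checks a partner must not skip are visible in `receive`: the SourceID ties the artifact to a known issuer before any network call is made, the artifact is resolved exactly once so a replayed redirect fails, and the assertion's audience and validity window are checked before the browser gets a session.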


Beyond Phase II – Identity Services

● Identity Federation Framework (ID-FF): Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
● Identity Web Services Framework (ID-WSF): Provides the framework for building interoperable identity-based web services. Discovery, Interaction.
● Identity Services Interface Specifications (ID-SIS): Employee Profile, Business Profile, Personal Profile, Contact Book, Geolocation, Notification, Availability, Presence, Calendar, Payment, Wallet, Alert.
– Interface and data schema
– Horizontal or vertical
– Will be defined in parallel
– First service tracks: Contact Book, Geolocation, Presence

Underlying standards: SAML, HTTP, WSDL, WS-Security, XML Enc, XML Sig, WAP, XML, SSL/TLS, SOAP.

Phase-3 will develop specification of interoperable personalized services based on ID-WSF framework. This new body of work is referred to as “Liberty Alliance’s Service Interface Specifications (ID-SIS)”; these services are still in definition.
The Complete Liberty Architecture

● Liberty Identity Federation Framework (ID-FF): Enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management
● Liberty Identity Web Services Framework (ID-WSF): Provides the framework for building interoperable identity services, permission based attribute sharing, identity service description and discovery, and the associated security profiles
● Liberty Identity Services Interface Specifications (ID-SIS): Enables interoperable identity services such as personal identity profile service, alert service, calendar service, wallet service, contacts service, geo-location service, presence service and so on

Liberty specifications build on existing standards (SAML, SOAP, WSS, XML, etc.)
Liberty Standards Support
[Chart: Liberty Standard Version (.9, 1.0, 1.1, 1.2) on the vertical axis against Time in quarters (Q3/2002 to Q3/2004) on the horizontal axis, with series for the Liberty Spec, Sun Product, Netegrity Product and IBM Product]
Current Environment
[Diagram: the Customer holds a separate account with each Service Infrastructure]
Challenges
• Multiple Customer Accounts
• Non-Integrated Service Infrastructure


Sun Recommended Solution
Phase 1
[Diagram: the Customer authenticates to an Identity Provider in front of the HIPCS Service Providers and their Service Infrastructures]
Solution Advantages:
• Customer Choice
• Non-Invasive
• Optimal Time to Market
• Open Standards (Liberty 1.2)
• Extensible Bundling opportunities (internal and external)


Sun Recommended Solution
Phase 2: FreedomPass Network
[Diagram: the Identity Provider at the centre of the FreedomPass Network]
Solution Advantages:
• Liberty Circle of Trust
• Bundling Opportunities
• Customer Choice
• Owned network


Recommended Solution
Phase 2 and beyond
[Diagram, shown in three successive builds: the Customer (SBC Customer) authenticates to an Identity Provider; Service Providers (HIPCS, Partner 1, Partner 2, and in the final build Yahoo, DSL, UC and Dish Network) each front their own Service Infrastructure; Liberty Web Service #1: Distributed User Profile and Liberty Web Service #1: Video On Demand Order run between them]
Liberty Web Services requires Liberty 1.2 support. HIPCS (1.2 support today).
Sun is committed to delivering on the Liberty Roadmap.
Sun provides a Time to Market advantage.
Liberty Phase 2:
Identity-Based Web Services
● Federation Framework
(ID-FF) for identity
federation
● Web Services Framework
(ID-WSF) for profile
discovery and user
interaction service
● Service Interface Spec
(ID-SIS) for personal
profiles, collections of
attributes to be shared
Sun Identity Solution:
Workflow, Provisioning, Delegated Administration and Self Service

Sun Java System Identity Manager
A comprehensive solution for managing identity profiles and permissions throughout the entire identity lifecycle (Add, Change, Delete).

Benefits: enhanced security, lowered costs, improved productivity.

● Automated user provisioning to improve operational efficiency and enhance security
● Secure, automated password management to improve service levels and lower costs
● User self-service and delegated administration to lower support costs
● Automated data synchronization to lower workloads associated with handling change
● Non-invasive, flexible architecture to speed deployment and ROI
● Comprehensive auditing and reporting to improve security compliance


Identity Administration Services

● Identity administration services
– Provisioning
– Profile Management
– Password Management
– Identity Synchronization

[Diagram: Identity Manager offers Admin functions (Provisioning, Identity Synchronization, Delegated Admin, Password Management, Profile Management) and End User Self-Service, and manages accounts in Directories, Databases, Mainframes, Business Applications, Operating Systems and App Servers]
Sun Java System Identity Manager

● Unified Identity Console: Delegated Admin Views, Role and Policy Management, Self-Service Interfaces, Audit Reporting
● Automated User Provisioning, Password Management, Identity Synchronization
● Identity Platform Services: Auto-Discovery, Virtual Identity Manager, Rules Engine, Dynamic Workflow, SPML Toolkit
● Agentless Adapters
● Managed resources: Directories, Databases, Mainframes, Operating Systems, Enterprise Package Applications, Custom Applications, Non-Digital Assets
Provisioning Today: Fragmented, Manual and Insecure

[Diagram: requests for Partners, Employees, Customers and Former Employees pass separately through the Human Resources System, Facilities/Purchasing, Call Center and Help Desk to Exchange and Active Directory, Oracle Financials, Siebel CRM, Chargeable Assets (Mobile phone/service, Conference call account, Credit card) and Other Assets (Office space, Phone, Laptop)]

● Where are my risks?
● Who has access?
● What recurring charges am I still paying for?
● How much does all of this cost?


Provisioning with Sun: Streamlined, Automated and Secure

[Diagram: the HR Manager initiates and the Approving Manager approves; Identity Manager provisions Partners, Employees, Customers and Former Employees into Exchange and Active Directory, Oracle Financials, Siebel CRM, Chargeable Assets (Mobile phone/service, Conference call account, Credit card) and Other Assets (Office space, Phone, Laptop)]

● Reduced risk
● Complete view of user’s identity
● Efficient, automated operations


Identity Manager’s Automated Provisioning Highlights
● Granular delegated administration
● Web-based self-service
– With automated change approval processes
● Robust audit and reporting
● Role based access control
● Rule-based provisioning
– Business policy enforcement through automated rule evaluation
● Multi-step, complex provisioning
● Authoritative feeds from HR applications and directories
● Agentless adapters
– Out of the box for leading enterprise systems & applications
– Ref Kit and samples for custom adapter development
● SPML Toolkit
Password Management with Sun: Cost-Effective, Quick, and Convenient

Users: Partners, Employees, Customers, Temporary Employees.
[Diagram: password changes reach the environment (Exchange and Active Directory, Siebel CRM, Unix, PeopleSoft Human Resources System, Oracle Financials, RACF) through an automated process, including via Interactive Voice Response (IVR)]

● Automated process
● Available to users anytime, delivered how they work
● Users only have 1 set of credentials to remember


Identity Manager’s Password Management Highlights
● Self-service password reset & synchronization
● Convenient access through
– Web browser
– IVR system
– Network log-in (Windows)
● Automated password policy enforcement
– Password history store
– Password exclusion dictionary
● Help desk integration to track password-related activity
● Agentless adapters
– Out of the box for leading enterprise systems & applications
– Ref Kit and samples for custom adapter development
● Reporting on self-service password resets
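The "automated password policy enforcement" items above, the history store and the exclusion dictionary, as an added example that is not Sun's code. The policy reports every reason a candidate is rejected; the history keeps only salted PBKDF2 digests of the last N passwords, so re-use can be detected without the old passwords ever being stored. The dictionary, user names, history depth and iteration count are constructed.

```python
"""Automated password policy enforcement: length, user-name check, exclusion
dictionary and a history store that blocks re-use of recent passwords.

Added example, not Sun's code. The history keeps salted PBKDF2 digests, never
the passwords themselves; dictionary and user names are constructed.
"""
import hashlib
import hmac
import os
from collections import deque

EXCLUSION_DICTIONARY = frozenset({"password", "welcome", "summer", "letmein", "qwerty"})  # constructed


class PasswordPolicy:
    def __init__(self, min_length=8, history_depth=3,
                 dictionary=EXCLUSION_DICTIONARY, iterations=50_000):
        self.min_length, self.history_depth = min_length, history_depth
        self.dictionary, self.iterations = dictionary, iterations
        self._history = {}     # user -> deque of (salt, digest), newest last

    def _digest(self, salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def violations(self, user: str, candidate: str):
        """All reasons the candidate is rejected; an empty list means acceptable."""
        problems = []
        lowered = candidate.lower()
        if len(candidate) < self.min_length:
            problems.append("too short")
        if user.lower() in lowered:
            problems.append("contains user name")
        if any(word in lowered for word in self.dictionary):
            problems.append("dictionary word")
        if any(hmac.compare_digest(self._digest(salt, candidate), digest)
               for salt, digest in self._history.get(user, ())):
            problems.append(f"reused within last {self.history_depth}")
        return problems

    def set_password(self, user: str, candidate: str):
        """Apply the policy; on success record the new password in the history."""
        problems = self.violations(user, candidate)
        if problems:
            return problems
        salt = os.urandom(16)
        history = self._history.setdefault(user, deque(maxlen=self.history_depth))
        history.append((salt, self._digest(salt, candidate)))
        return []
```

Each history entry has its own salt, so checking a candidate costs one PBKDF2 computation per stored entry; that is the price of not keeping anything reversible, and it is why the history depth is bounded.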
Identity Synchronization: Migration with Sun

[Diagram: existing repositories (RACF, Windows NT, Oracle RDBMS, Lotus Notes, LDAP, Active Directory) are migrated into new Sun Java System Directory Server instances]

● Provides complete, automated data migration into new directories from existing repositories
– Discover & correlate for data cleansing and establishing of virtual identity
– Create directory containers & hierarchy
– Bulk actions for populating directories with user data
● Provides complete management of both old systems and new directories during migration period


Identity Synchronization: Profile Management with Sun

Scenario: an Employee gets married, changes name, changes address. The change is entered through Self Service, approved by the HR Manager, and propagated to Exchange and Active Directory, Siebel CRM, the Human Resources System, Oracle Financials and Payroll Systems, as well as to the New Hire Application, across Partners, Employees, Executives, Sales, Marketing, Customers and Operations.

● Efficient, automated operations
● High quality of service
● Top line benefit


Identity Synchronization: System-to-System Updates with Sun

Scenario: Employee got promoted
● New Title
● New Job Code
● New Pay Grade
● New Department

The change originates in the Human Resources System and is propagated to:
● Corporate LDAP: update LDAP with new Department, Job Code, Title for use by corporate white pages
● Payroll System: update Pay Grade as it impacts salary
● ERP: update ERP with new Department, Title, Job Code; modify access privileges to ensure separation of duty
● Exchange and Active Directory: update AD with new Job Code; modify home directory and move location of network files for employee; modify message database account size for employee


Identity Manager’s Identity
Synchronization Highlights
● Auto-Discovery to create a unified Virtual Identity
● Automated and scheduled detection of change
● Synchronization between heterogeneous data sources
● Identity data transformation
● Granular, flexible authority assignment
● Web-based self-service
– Delegation to end-users with automated change approval processes
● Resource adapters
– Out of the box for leading enterprise systems & applications
– Out of the box schema maps
– Ref Kit and samples for custom adapter development
● Audit and Reporting
Identity Platform Services
● Common underlying, non-invasive
technologies that enable rapid deployment,
and efficient ongoing management:
– Rules Engine
– Dynamic Workflow
– Auto-Discovery
– Virtual Identity Manager
– Agent-less Adapters



Identity Platform Service: Auto-Discovery
● Logical management of multiple disparate identities
● Reduces risk of “orphaned” privileges
[Diagram: the accounts Jsmith (Applications), jms (Databases) and smitty (Directories) are correlated into the Virtual Identity Joe Smith]
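The correlation the diagram depicts, as an added example that is not Sun's Auto-Discovery: accounts found on each resource are matched against an authoritative HR feed by rules of decreasing strength (employee number, e-mail, then display name), one virtual identity is built per person, and every account that no single active person owns is reported as an orphan. The example also covers the case the diagram does not show, a name that matches two people, which is flagged rather than guessed at; this is the "discover & correlate for data cleansing" step mentioned under Migration. The feed, the resource account lists and the rules are constructed.

```python
"""Auto-discovery: correlate accounts found on each resource with the
authoritative HR feed into one virtual identity per person, and flag the
accounts no single live person owns ("orphaned" privileges).

Added example, not Sun's Auto-Discovery. Feed, resources and rules are
constructed; a deployment would read these from adapters and HR exports.
"""
import re

HR_FEED = [   # authoritative source (constructed)
    {"emp_id": "1001", "name": "Joe Smith", "email": "joe.smith@example.com", "status": "active"},
    {"emp_id": "1002", "name": "Ann Lee", "email": "ann.lee@example.com", "status": "terminated"},
    {"emp_id": "1003", "name": "Joe Smith", "email": "joe.smith2@example.com", "status": "active"},
]

RESOURCES = {   # accounts discovered on each managed resource (constructed)
    "directories": [{"id": "jsmith", "mail": "joe.smith@example.com"},
                    {"id": "alee", "mail": "ann.lee@example.com"}],
    "databases": [{"id": "jms", "employeeNumber": "1001"},
                  {"id": "svc_backup"}],
    "applications": [{"id": "smitty", "displayName": "Joe Smith"},
                     {"id": "jsmith2", "displayName": "Joe Smith", "employeeNumber": "1003"}],
}


def _norm(name):
    return re.sub(r"[^a-z]", "", (name or "").lower())


# Correlation rules, tried in order of strength: exact identifier, e-mail, then name.
CORRELATION_RULES = (
    ("employee number", lambda acct, hr: acct.get("employeeNumber") == hr["emp_id"]),
    ("e-mail", lambda acct, hr: acct.get("mail", "").lower() == hr["email"]),
    ("display name", lambda acct, hr: _norm(acct.get("displayName")) == _norm(hr["name"])),
)


def correlate(account, hr_feed, rules=CORRELATION_RULES):
    """Return the single matching HR record, or None if none or several match.
    The first rule yielding exactly one candidate wins; a rule yielding several
    is treated as ambiguous rather than guessed at."""
    for _label, rule in rules:
        candidates = [hr for hr in hr_feed if rule(account, hr)]
        if len(candidates) == 1:
            return candidates[0]
        if len(candidates) > 1:
            return None
    return None


def discover(hr_feed, resources, rules=CORRELATION_RULES):
    """Build {emp_id: {resource: account id}} plus a list of (resource, id, reason)
    for accounts that are orphaned or owned by someone no longer active."""
    identities, orphans = {}, []
    for resource, accounts in resources.items():
        for account in accounts:
            owner = correlate(account, hr_feed, rules)
            if owner is None:
                orphans.append((resource, account["id"], "no unique owner"))
            elif owner["status"] != "active":
                orphans.append((resource, account["id"], "owner " + owner["status"]))
            else:
                identities.setdefault(owner["emp_id"], {})[resource] = account["id"]
    return identities, orphans
```

The orphan list is the input to de-provisioning and to the "who has access?" question on the earlier slide; treating an ambiguous match as an orphan errs on the side of a human review rather than silently attaching privileges to the wrong person.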


Other Vendors’ Approach: Centralized Repository
● Deployment issues
– Technical, political
● Operational challenges
– Synchronization
[Diagram: a Provisioning Server holds a central copy of identity data drawn from Applications, Databases, Web Applications and Directories]


Identity Platform Service: Virtual Identity Manager
● Minimizes deployment time
● Eliminates operational challenges
● Manage centrally, enforce locally
[Diagram: the Virtual Identity Manager references identities where they live, in Applications, Databases, Web Applications, Directories and Asset Databases/Directories]


Identity Platform Service: Agent-less Adapters
● Minimizes agent deployment
● Eliminates agent management
● Eliminates operational challenges
[Diagram: the Resource Adapter Wizard produces agent-less adapters for Unix Systems, Custom Applications, RDBMS, Package Applications, Directories, NT/ADS and Mainframe; a Custom Application Connector Agent covers the remaining case]
Unified Identity Console
● Web-based interfaces for administrators and end-users
– Smart Forms are interactive web-based forms with embedded
logic to assist the user navigation
– Delegated administration views based on granular delegation
for scope, capabilities, data sources and data
● Self-service for self management of accounts, assets,
passwords, and profile data
● Administrators
– Define and manage: role models, policies, delegation
assignments
– View and act on identities
● Comprehensive reporting
● End-to-end identity auditing capabilities
Business Justifications: Sun Java System Identity Manager

Driver: Minimize Risk. Mitigation with Identity Manager:
● Role and rule-based provisioning for business policy enforcement
● Dynamic workflow with specified approvals
● Automation of de-provisioning
● Comprehensive audit and reporting of profile data, change history, and user permissions
● Active risk scanning for orphaned accounts
● Password policy enforcement across data sources

Driver: Improve Access and Improve Service. Mitigation with Identity Manager:
● Self-Service for automated provisioning, registration, password management, and profile management
● Automated synchronization of identity data across heterogeneous resources
● Granular delegated administration
● Standards support for SPML, including SPML toolkit

Driver: Reduce Costs. Mitigation with Identity Manager:
● Self-Service for automated provisioning, registration, password management, and profile management
● Automated de-provisioning of accounts and non-digital assets with recurring charges
● Automated identity data synchronization across enterprise systems
● Granular delegated administration
● Identity data migration to directory-based infrastructure


Why Sun Is Right for You
● Our commitment to Identity Management
– Major strategic initiative for Sun
– Full product line offering
– Industry alignment with leading partners including PwC, Deloitte,
Accenture and Northrop Grumman
– Validation in accordance with the provisions of the NIAP Common
Criteria Evaluation
● Technology that works
– Non-invasive architecture means faster time-to-value
– Assured interoperability with your environment
– Open, standards-based solutions
● Industry's only complete user provisioning
and synchronization solution
● Strongest track record of customer success
Sun Identity Solution: Demonstration

Demonstration: Provisioning/ Workflow/ SSO/ User Management/ Self Service
[Diagram of the demo environment: an Admin Portal on Portal Server with AM Login Module, SSO / Common L&F, Delegated Admin, Policy Admin and Self service pages; Notifications over SMTP; Audit / Repository in Oracle; Adapters to Mail, Calendar, Exchange, Badge, HR and Project Management systems; Auth Pages]


Demonstration: Provisioning/ Workflow/ SSO/ User Management/ Self Service

1. Hiring Manager: SSO from the Admin Portal to IM; User Administration – Enter new user details
2. SMTP Approval: Notification sent to approver
3. Approving Mgr: Approver receives email and follows link to IM; SSO from the Admin Portal to IM; User Administration – Add phone# & approve
4. Provision: Create IS account, Create Exchange, Create badge
5. End User: SSO to Portal Page; Employee Accessed portal


Demonstration: Provisioning/ Workflow/ SSO/ User Management/ Self Service

1. End User: Self-service – Password Reset, Change details, Request new services
2. SMTP Approval: Notification sent to approver
3. Approving Mgr: SSO to Employee portal; User Administration – Approve new services
4. Provision: Change IS rights


Questions
Demonstration:
Federation and Partner Integration

[Diagram. Parties shown: Customer; Identity Provider (Service Infrastructure); Partner Service Provider (Service Infrastructure); HIPCS Service Provider. Liberty Web Service #1: Distributed User Profile Partner; Liberty Web Service #1: Video On Demand Order.]


Sun Identity Solution:
Best Practices, Success Stories,
Customer Examples
Identity Customers



Sample Customers



Partners



Sun Identity Solution
Sun Java System Directory Server

Sun Confidential & Proprietary. For Authorized Partners ONLY. Do not Distribute to Public. Sun Microsystems, Inc.
Sun Java System Directory Server
● Highly Available Directory Services
– Multi-master replication
– Automatic fail-over across multiple servers *
– Online backup, indexing, schema & config changes
– Transaction logging
– Systems Management via SNMP

● High Performance & Scalability
– Multi-database architecture for tuning & scalability
– Several 25-50M directories in deployment today
* with Directory Proxy Server
Sun Java System Directory Server
● Security
– Attribute level restriction to read, write, search, compare, ...
– Restrictions based on user, group, date/time, src, filter, ...
– Operations and replications encrypted via SSL
– ID/password; X.509 certs; plug-in support
– Password policy management & encryption

● Administration
– Role-based access, class of service
– Sun Java System Console GUI for all configuration & management
Sun Java System Directory Server
● History & Standards
– Netscape, iPlanet, Innosoft & Sun code base
– LDAP version 2 & 3 operations (RFC 1777, 2251, 2252)
– X.509 certificates
– LDAP search filters, including presence, equality, inequality, substring, approximate ("sounds like"), and the Boolean operators and (&), or (|), and not (!)
– LDAP version 3 intelligent referral, which lets a directory refer a query to another directory
– Implements relevant LDAP version 2 and 3 RFCs, including RFC 1274, 1558, 1567, 1777, 1778, 1959, 2222, 2246, 2247, 2251, 2252, 2253, 2254, 2255, 2256, 2279, 2307, 2377
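The filter types listed above (presence, equality, ordering, substring, approximate and the &, |, ! operators) in action: an added example that parses RFC 2254 filter strings and evaluates them against in-memory entries. It is not Directory Server code; the entries, filters and the soundex-based "sounds like" rule are constructed for the example. It also shows the one check a practitioner wants next to any filter built from user input: escaping the value so that `*`, `(` and `)` cannot rewrite the filter.

```python
"""LDAP search-filter evaluation (RFC 2254 string form) against in-memory entries.

Added example illustrating the filter types on the slide; not Sun Directory Server
code. Entries and filters below are constructed samples.
"""
import re

_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")


def unescape(text):
    """Turn RFC 2254 \\xx escapes (e.g. \\2a for '*', \\29 for ')') back into characters."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 16)), text)


def escape_value(value):
    """Escape a value before embedding it in a filter: this is the LDAP-injection defence."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)


def parse_filter(text):
    """Parse into ('&'|'|', [children]), ('!', [child]) or ('item', attr, op, value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return node


def is_well_formed(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in "&|!":
        children = []
        i += 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, children), i + 1
    end = s.find(")", i)            # escaped ')' appears as \29, so this is the real terminator
    if end < 0:
        raise ValueError("unterminated filter item")
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)", s[i:end], re.S)
    if not m:
        raise ValueError(f"malformed filter item: {s[i:end]!r}")
    attr, op, value = m.groups()
    if op == "=" and value == "*":
        op = "present"
    elif op == "=" and "*" in value:
        op = "substring"
    return ("item", attr.lower(), op, value), end + 1


def soundex(word):
    """Classic soundex code, used here as the 'sounds like' rule for ~= (constructed choice)."""
    codes = {}
    for letters, digit in (("bfpv", "1"), ("cgjkqsxz", "2"), ("dt", "3"), ("l", "4"), ("mn", "5"), ("r", "6")):
        for ch in letters:
            codes[ch] = digit
    word = "".join(ch for ch in word.lower() if ch.isalpha())
    if not word:
        return "0000"
    out, last = word[0].upper(), codes.get(word[0], "")
    for ch in word[1:]:
        digit = codes.get(ch, "")
        if digit and digit != last:
            out += digit
        if ch not in "hw":          # h and w do not separate two equal codes; vowels do
            last = digit
    return (out + "000")[:4]


def _as_num(v):
    try:
        return int(v)
    except ValueError:
        return None


def _item_matches(attr, op, value, entry):
    values = [str(v) for v in entry.get(attr, [])]
    if op == "present":
        return bool(values)
    if op == "substring":           # split on '*' first, then unescape each piece
        pieces = [re.escape(unescape(p)) for p in value.split("*")]
        pattern = re.compile("^" + ".*".join(pieces) + "$", re.I | re.S)
        return any(pattern.match(v) for v in values)
    want = unescape(value)
    if op == "=":
        return any(v.lower() == want.lower() for v in values)
    if op == "~=":
        return any(soundex(v) == soundex(want) for v in values)
    for v in values:                # >= / <=: numeric when both sides are integers, else text
        a, b = _as_num(v), _as_num(want)
        if a is not None and b is not None:
            ok = a >= b if op == ">=" else a <= b
        else:
            ok = v.lower() >= want.lower() if op == ">=" else v.lower() <= want.lower()
        if ok:
            return True
    return False


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    return _item_matches(*node[1:], entry)


def search(entries, filter_text):
    """Return the uids of entries (attribute names lowercased) that match the filter."""
    node = parse_filter(filter_text)
    return [e["uid"][0] for e in entries if matches(node, e)]


DIRECTORY = [   # constructed sample entries
    {"uid": ["asmith"], "sn": ["Smith"], "cn": ["Alice Smith"], "mail": ["asmith@example.com"],
     "uidnumber": ["1001"], "objectclass": ["person", "inetOrgPerson"]},
    {"uid": ["bsmyth"], "sn": ["Smyth"], "cn": ["Bob Smyth"],
     "uidnumber": ["999"], "objectclass": ["person", "inetOrgPerson"]},
    {"uid": ["svc-backup"], "cn": ["Backup Service"], "uidnumber": ["2000"], "objectclass": ["account"]},
]

if __name__ == "__main__":
    user_input = "*)(uid=*"      # the classic injection attempt
    print(search(DIRECTORY, f"(uid={escape_value(user_input)})"))   # [] once escaped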
Replication Topology
[Diagram: LDAP clients send write operations to two Masters linked by multi-master replication (MMR); the masters replicate to read-only Hubs, which in turn feed read-only Replicas; LDAP clients send read operations to the read-only replicas.]
Directory Server 5.2 Performance
● Last public test was the Network World Report
● In-depth 50 million entry benchmark documented in 2001
● Customer benchmark of 100 million entries
● Single machine results so far (6/03):
– Bind, multiple search, unbind: 7,500 (search)/sec
– Mod: 300/sec


Directory Server 5.2 Release
Features/Improvements
Release 5.2 (6/03)
– Large cache 64-bit (Solaris)
– 4-way Multi-Mastering
– Multi-Master over WAN
– Scoped password policy
– Fractional replication
– Attribute level encryption
– DSMLv2



Sun Java System Directory Proxy Server
● Failover and failback services
● Added security for directory assets
● Protects from denial of service or flood attacks
● Routing/Load Balancing
● Dynamic schema mapping of hard-coded client definitions to directory server's schema
● Automatically recognizes and acts on directory referrals
Sun ONE Directory Proxy Server – Example
[Diagram: LDAP clients send write and read operations through Load Balancers to a pair of Directory Proxy servers fronting the LDAP Service; behind the proxies sit two Masters (MMR), read-only Hubs and read-only Replicas.]
JAAS Support
● class com.sun.identity.policy.jaas.ISPermission
– can be used as a JAAS permission
– internally makes IS policy evaluation calls to compute the authorization decision
● class com.sun.identity.policy.jaas.ISPolicy
– can be used as a JAAS policy provider

Sun Proprietary: Internal Use Only


SunTM JavaTM System Identity Server 2004Q2 TOI Slide 82
Copyright 2003 Sun Microsystems, Inc. All Rights Reserved.
New Policy Plugins
● LEAuthLevelCondition
– Implies the policy applies to the request if the request auth level is <= the condition auth level (our existing AuthLevelCondition implies the policy applies if the request auth level is >= the condition auth level).
● AuthenticatedUsers (Subject plugin)
– Implies the policy applies if the request SSOToken is a valid SSOToken
● WebServicesClients (Subject plugin)
– Implies the policy applies if the request is from a trusted web service client. Used for our Liberty implementation.



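How the two auth-level conditions and the two subject plugins combine in a policy decision, as an added example. It is not Access Manager's policy engine and uses none of its APIs: the SSOToken is modelled as a dict, the policies and resources are constructed, and the combining rule (an applicable deny wins, otherwise allow if any allow applies) is an assumption made for the example. The point it shows is why LEAuthLevelCondition exists: a broad "authenticated users may use the portal" allow would otherwise admit a weakly authenticated session to the payroll area, and the deny policy keyed on auth level <= 1 is what turns that into a step-up.

```python
"""Policy decision with AuthLevelCondition / LEAuthLevelCondition and subject plugins.

Added example; not Access Manager's policy engine. Tokens, policies and the
combining rule are constructed for illustration.
"""


def is_valid_token(token):
    """A request SSOToken counts as valid if it exists and has not been invalidated."""
    return bool(token) and token.get("valid", False)


# Subject plugins: does this policy apply to the requester at all?
def authenticated_users(token, policy):
    return is_valid_token(token)


def web_services_clients(token, policy):
    # trusted web service clients are named per policy ('trusted_wscs' is a constructed field)
    return is_valid_token(token) and token.get("client_id") in policy.get("trusted_wscs", ())


SUBJECTS = {"AuthenticatedUsers": authenticated_users,
            "WebServicesClients": web_services_clients}

# Condition plugins: AuthLevelCondition means 'at least', LEAuthLevelCondition 'at most'
CONDITIONS = {
    "AuthLevelCondition": lambda token, level: token.get("auth_level", 0) >= level,
    "LEAuthLevelCondition": lambda token, level: token.get("auth_level", 0) <= level,
}


def policy_applies(policy, token):
    if not any(SUBJECTS[name](token, policy) for name in policy["subjects"]):
        return False
    return all(CONDITIONS[name](token, arg) for name, arg in policy["conditions"])


def evaluate(policies, token, resource):
    """Return (decision, advice); advice carries the step-up hint from a deny policy."""
    allowed = False
    for policy in policies:
        if not resource.startswith(policy["resource"]) or not policy_applies(policy, token):
            continue
        if policy["effect"] == "deny":
            return "deny", policy.get("advice")
        allowed = True
    return ("allow" if allowed else "deny"), None


POLICIES = [   # constructed
    {"name": "portal", "resource": "https://portal.example.com/", "effect": "allow",
     "subjects": ["AuthenticatedUsers"], "conditions": []},
    {"name": "payroll-strong", "resource": "https://portal.example.com/payroll/", "effect": "allow",
     "subjects": ["AuthenticatedUsers"], "conditions": [("AuthLevelCondition", 2)]},
    {"name": "payroll-weak", "resource": "https://portal.example.com/payroll/", "effect": "deny",
     "subjects": ["AuthenticatedUsers"], "conditions": [("LEAuthLevelCondition", 1)],
     "advice": "re-authenticate at auth level 2 or higher"},
    {"name": "profile-ws", "resource": "https://ws.example.com/profile", "effect": "allow",
     "subjects": ["WebServicesClients"], "conditions": [], "trusted_wscs": {"ringtone-svc"}},
]

if __name__ == "__main__":
    weak = {"valid": True, "auth_level": 1}
    print(evaluate(POLICIES, weak, "https://portal.example.com/payroll/slip"))
```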
Kerberos Desktop Login Architectural
Overview



Identity Server 6.2 System Architecture



Liberty Goal
● Mission
– To serve as the premier open Alliance for federated network identity management & services by ensuring interoperability, supporting privacy and promoting adoption of its specifications, guidelines and best practices
● Goals
– Provide open standard and business guidelines for federated identity management spanning all network devices
– Provide open and secure standard for SSO with decentralized authentication and open authorization
– Allow consumers/businesses to maintain personal information more securely, and on their terms
Phase I – Federated SSO
Identity Federation Framework (ID-FF): enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management. Built on SAML, HTTP, WAP, XML and SSL/TLS.
• Spec. released 7/02 (1.1 Jan '03)
• Browser and WAP profiles
• Opt-in
• Single Sign-on and Log out
• Profiles for "thin" clients
• Open source Java based IPL
• Submitted to OASIS SAML TC
• RSA Interop. Event 4/03
• AOL, Communicator Inc, Ericsson, HP, Jabber, Mycroft, NeuStar, Nokia, Novell, NTT, Ping ID, Phaos, PostX, SchlumbergerSema, Sigaba, Sun, Symlabs, Trustgenix, Vodafone, Waveset


Phase II – Identity Services Framework
Identity Federation Framework (ID-FF): enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity-based web services (Discovery, Interaction).
• ID based discovery & invocation
• Interaction services
• Permission based attribute sharing
• Services Template (ID data services definition); Employee Profile and Personal Profile services
• Released Nov '03; available for public download
• Already supported in 5 implementations, including Sun ID Server 6.2
Base standards: SAML, HTTP, WS-Security, WSDL, XML Enc, XML Sig, WAP, XML, SSL/TLS, SOAP.


Phase 2 Support
Companies already supporting Phase 2 (IDFF 1.2):

• Phaos – Support for Phase 2 enhancements in the Phaos Liberty Service Provider (SP), J2EE Server components package, full Phase 2 support by Q2 2004
• Ping Identity – Deploying Phase 2 Liberty-enabled version of its open source SourceID Federation Platform in early 2004
• Sun Microsystems – Expanding existing Liberty functionality in Java System Identity Server to support Phase 2 specifications; Liberty 1.0 originally supported in Dec. 2002, 1.1 in May 2003, 1.2 in May 2004
• Trustgenix – Trustgenix IdentityBridge, available now, supports the Liberty Phase 2 standards and provides federated identity management (SSO, provisioning and privilege management in the extended enterprise)
• Vodafone – Deploying Phase 1 and Phase 2 Liberty standards in its intranet and commercial service platforms across Vodafone. Vodafone will include the specifications as part of platform releases in 2004-2005
• Ericsson – USIS - IDP


Beyond Phase II – Identity Services
Identity Federation Framework (ID-FF): enables identity federation and management through features such as identity/account linkage, simplified sign on, and simple session management.
Identity Web Services Framework (ID-WSF): provides the framework for building interoperable identity-based web services (Discovery, Interaction).
Identity Services Interface Specifications (ID-SIS): interface and data schema for identity-based services
• Horizontal or vertical
• Will be defined in parallel
• First service tracks: Contact Book, Geolocation, Presence
• Services shown: Employee Profile, Business Profile, Personal Profile, Contact Book, Geolocation, Notification, Availability, Presence, Calendar, Payment, Wallet, Alert
Base standards: SAML, HTTP, WS-Security, WSDL, XML Enc, XML Sig, WAP, XML, SSL/TLS, SOAP.
Phase 3 will develop specifications for interoperable personalized services based on the ID-WSF framework. This new body of work is referred to as the "Liberty Alliance Service Interface Specifications (ID-SIS)"; the services are still in definition.
SAML Browser/Artifact Profile SSO Flow
Parties: User (browser), Sun Java System Access Manager (AM), Partner Site.
1. User authenticates to Access Manager in the normal way
2. User requests a resource at the Partner site
3. AM constructs an artifact and an assertion, stores the assertion indexed by the artifact, and constructs a URL containing the artifact
4. AM redirects the browser to the partner site
5. Browser follows the redirection
6. Partner site uses the artifact to request the assertion
7. AM provides the assertion
8. Partner site sends the appropriate response to the browser
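The eight steps above, modelled end to end with both sides in one process, as an added example. This is not Access Manager code: the issuer name, partner URL and shared secret are constructed, and the back-channel in step 6/7 is a direct method call standing in for the SOAP request. What the example adds to the diagram is the checks that make the profile safe: the artifact handle is random, the partner verifies that the artifact's SourceID names its trusted IdP before resolving it, the IdP authenticates the resolver and hands out each assertion exactly once, and the partner checks audience and validity period before creating a session.

```python
"""SAML 1.x Browser/Artifact profile, simulated in-process.

Added example; not Access Manager code. Issuer, partner URL, shared secret and
the assertion contents are constructed. The artifact is the SAML 1.x type-1
layout: 2-byte TypeCode, 20-byte SourceID (SHA-1 of the issuer), 20-byte handle.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TYPE_CODE = b"\x00\x01"
ASSERTION_LIFETIME = 300                                    # seconds an unresolved artifact stays valid
SECRET = "partner-shared-secret"                            # constructed back-channel credential
AM_ISSUER = "https://am.example.com"                        # constructed
PARTNER_URL = "https://partner.example.net/saml/artifact"   # constructed artifact receiver URL


class AccessManagerIdP:
    """Identity-provider side (the Access Manager role in the flow)."""

    def __init__(self, issuer, partner_url, partner_secret, clock=time.time):
        self.issuer, self.partner_url, self.partner_secret, self.clock = issuer, partner_url, partner_secret, clock
        self.source_id = hashlib.sha1(issuer.encode()).digest()    # 20-byte SourceID
        self._pending = {}                                          # artifact -> assertion

    def redirect_url(self, user, target):
        """Steps 3-4: mint artifact + assertion, store the assertion, build the redirect URL."""
        handle = secrets.token_bytes(20)                              # unguessable AssertionHandle
        artifact = base64.b64encode(TYPE_CODE + self.source_id + handle).decode()
        now = self.clock()
        self._pending[artifact] = {
            "issuer": self.issuer, "subject": user, "authn_instant": now,
            "not_on_or_after": now + ASSERTION_LIFETIME, "audience": self.partner_url,
        }
        return f"{self.partner_url}?{urlencode({'TARGET': target, 'SAMLart': artifact})}"

    def resolve(self, artifact, requester_secret):
        """Step 7: back-channel resolution; only the trusted partner may call it, and only once."""
        if not hmac.compare_digest(requester_secret, self.partner_secret):
            raise PermissionError("artifact resolution from untrusted requester")
        assertion = self._pending.pop(artifact, None)   # pop: a replayed artifact resolves to nothing
        if assertion is None:
            raise LookupError("unknown or already-resolved artifact")
        return assertion


class PartnerSite:
    """Service-provider side (the partner site in the flow)."""

    def __init__(self, idp, shared_secret, trusted_issuer, own_url, clock=time.time):
        self.idp, self.shared_secret, self.own_url, self.clock = idp, shared_secret, own_url, clock
        self.trusted_source_id = hashlib.sha1(trusted_issuer.encode()).digest()

    def handle_redirect(self, url):
        """Steps 5-8: parse SAMLart, check SourceID, resolve, validate, return the local session."""
        query = parse_qs(urlsplit(url).query)
        artifact = query["SAMLart"][0]
        raw = base64.b64decode(artifact)
        if len(raw) != 42 or raw[:2] != TYPE_CODE:
            raise ValueError("malformed artifact")
        if not hmac.compare_digest(raw[2:22], self.trusted_source_id):
            raise ValueError("artifact does not come from our trusted identity provider")
        assertion = self.idp.resolve(artifact, self.shared_secret)
        if assertion["audience"] != self.own_url:
            raise ValueError("assertion not intended for this site")
        if self.clock() >= assertion["not_on_or_after"]:
            raise ValueError("assertion expired")
        return {"user": assertion["subject"], "target": query["TARGET"][0]}


def attempt(sp, url):
    """Run the partner-side handling and report the outcome instead of raising."""
    try:
        return "ok", sp.handle_redirect(url)
    except (ValueError, LookupError, PermissionError) as exc:
        return type(exc).__name__, str(exc)


def demo(clock=time.time):
    """Wire one IdP and one partner together (constructed names) and start a login for 'alice'."""
    idp = AccessManagerIdP(AM_ISSUER, PARTNER_URL, SECRET, clock)
    sp = PartnerSite(idp, SECRET, AM_ISSUER, PARTNER_URL, clock)
    return idp, sp, idp.redirect_url("alice", "https://partner.example.net/app")


if __name__ == "__main__":
    idp, sp, url = demo()
    print(attempt(sp, url))     # ('ok', {'user': 'alice', 'target': 'https://partner.example.net/app'})
    print(attempt(sp, url))     # replay of the same artifact fails
```

In a real deployment the resolver is authenticated by TLS client certificates or HTTP basic auth on the SOAP endpoint and the assertion is signed; the single-use store and the SourceID check are the parts that keep a leaked redirect URL from being replayed or an attacker's own IdP from being resolved.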


Liberty Phase 1: Technical Basics

● Leverages existing open Web standards


– SOAP, SAML elements, WS-Security
● Defines basic roles
– Identity Provider, Service Provider
● Basic Federation capability
– Opt-in Account Linking
– Single Sign-On
– Single Log-Out
– Pseudonymity
Liberty Phase 2: Technical Basics
● Building out Federation
– Identity data services definition
– Identity based service discovery & invocation
– Permission based attribute sharing
– Interaction service
– Anonymity
● Phase 3 under construction
– Contact book
– Geo-location
– Presence
Liberty Attribute Sharing Flow
Parties: User; myRingtones (Service Provider); myWireless (Identity Provider); Discovery Service; myBank (Personal Profile Service).
1. SSO (User to Identity Provider)
1a. Assertion, which includes the Discovery Service location (Identity Provider to Service Provider)
2. Request ringtone (User to Service Provider)
3. Request personal profile location (Service Provider to Discovery Service)
4. Provide personal profile location (Discovery Service to Service Provider)
5. Request user attributes (Service Provider to Personal Profile Service)
6. Optional approval (Personal Profile Service asks the User)
7. Provide user attributes (Personal Profile Service to Service Provider)
8. Provide ringtone (Service Provider to User)
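The flow above, simulated in one process, as an added example that is not Sun's Liberty implementation. The three parties are plain objects, the service-type URN, attribute names and the user's sharing rules are constructed, and the requester in step 5 is identified by name (a real ID-WSF deployment establishes it with WS-Security signatures). It shows the two properties the slide's "permission based attribute sharing" depends on: the service provider only ever sees a per-provider pseudonym for the user, and the profile service releases each attribute according to the user's rule for it (always, ask via the Interaction Service, or never), so a consumer holding a credential issued to someone else gets nothing.

```python
"""Liberty ID-WSF attribute sharing (steps 1-8 of the slide), simulated in-process.

Added example; not Sun's Liberty implementation. Parties, service type URN,
attributes and permission rules are constructed.
"""
import secrets

PP_SERVICE = "urn:liberty:id-sis-pp:2003-08"   # constructed label for the Personal Profile service type


class IdentityProvider:
    """myWireless: authenticates the user and also hosts the Discovery Service."""

    def __init__(self):
        self.pseudonyms = {}        # (user, sp) -> opaque federated name identifier
        self.offerings = {}         # user -> {service type: service object}
        self.discovery_creds = {}   # credential -> (user, sp)

    def register_service(self, user, service_type, service):
        self.offerings.setdefault(user, {})[service_type] = service

    def sso(self, user, sp):
        """Steps 1/1a: the assertion carries a pseudonym and the Discovery Service offering."""
        pseudonym = self.pseudonyms.setdefault((user, sp), "fed-" + secrets.token_hex(8))
        cred = secrets.token_urlsafe(16)
        self.discovery_creds[cred] = (user, sp)
        return {"name_id": pseudonym, "discovery": {"endpoint": self, "credential": cred}}

    def lookup(self, credential, service_type):
        """Steps 3/4: resolve a service type to this user's instance of it plus a credential for it."""
        if credential not in self.discovery_creds:
            raise PermissionError("unknown discovery credential")
        user, sp = self.discovery_creds[credential]
        service = self.offerings.get(user, {}).get(service_type)
        if service is None:
            raise LookupError(f"no {service_type} registered for this user")
        return {"endpoint": service, "credential": service.issue_credential(user, sp)}


class PersonalProfileService:
    """myBank: holds the attributes and the user's sharing permissions."""

    def __init__(self, interaction):
        self.profiles = {}      # user -> attributes
        self.permissions = {}   # user -> {attr: 'always' | 'ask' | 'never'}
        self.creds = {}         # credential -> (user, requester)
        self.interaction = interaction   # step 6: Interaction Service callback (user, requester, attr) -> bool

    def issue_credential(self, user, requester):
        cred = secrets.token_urlsafe(16)
        self.creds[cred] = (user, requester)
        return cred

    def query(self, credential, requester, attrs):
        """Steps 5-7: release only what the user permits this requester to see."""
        if credential not in self.creds or self.creds[credential][1] != requester:
            raise PermissionError("credential not issued to this requester")
        user = self.creds[credential][0]
        result = {}
        for attr in attrs:
            rule = self.permissions.get(user, {}).get(attr, "never")   # default-deny for unlisted attributes
            if rule == "always" or (rule == "ask" and self.interaction(user, requester, attr)):
                result[attr] = self.profiles[user][attr]
        return result


class ServiceProvider:
    """myRingtones: the web service consumer."""

    def __init__(self, name):
        self.name = name

    def order_ringtone(self, assertion, tone):
        """Steps 2-8: discover the profile service, fetch attributes, deliver."""
        disc = assertion["discovery"]
        offering = disc["endpoint"].lookup(disc["credential"], PP_SERVICE)
        attrs = offering["endpoint"].query(offering["credential"], self.name, ["msisdn", "language"])
        if "msisdn" not in attrs:
            return {"status": "refused", "reason": "no delivery number shared"}
        return {"status": "sent", "tone": tone, "to": attrs["msisdn"],
                "language": attrs.get("language", "default"), "user": assertion["name_id"]}


def attempt_order(sp, assertion, tone):
    try:
        return "ok", sp.order_ringtone(assertion, tone)
    except (PermissionError, LookupError) as exc:
        return type(exc).__name__, str(exc)


def build_demo(consent):
    """Wire the three parties with constructed data; `consent` plays the user in step 6."""
    idp, pp = IdentityProvider(), PersonalProfileService(consent)
    pp.profiles["alice"] = {"msisdn": "+15555550100", "language": "en", "dob": "1980-01-01"}
    pp.permissions["alice"] = {"msisdn": "always", "language": "ask", "dob": "never"}
    idp.register_service("alice", PP_SERVICE, pp)
    return idp, pp, ServiceProvider("myRingtones")


if __name__ == "__main__":
    idp, pp, sp = build_demo(lambda user, requester, attr: True)
    print(attempt_order(sp, idp.sso("alice", "myRingtones"), "classic"))
```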


XML Web Services Security Standards Status
[Chart placing standards by stability (Early Draft / Mature Draft / V1 Complete) and by body (W3C / OASIS / Liberty / Private). Standards shown: ID-WSF 1.0, ID-FF 1.2, XACML, WSPL, SAML, WS-Fed, WS-Security, WS-Trust, WS-Policy, XrML, XKMS, XML Enc, XML Sig, C14N.]
