Online consumers and corporate end-users burdened with dozens of online identities, as well as the IT administrators who must manage all of their passwords and access privileges on the back end, may soon see relief in the form of e-commerce-oriented identity management systems.
Last month Sun released Sun ONE Identity Server 6.0, a system that not only manages the identity and authentication mechanism of users on large, disparate enterprise networks but also addresses end-user log-in headaches via federated identity management based on a specification released by the Liberty Alliance Project last July.
This means that Identity Server can be configured in two basic ways: first as an authentication service for use on large, heterogeneous corporate networks, and second as a Liberty-enabled federation management service. In corporate mode, users or applications attempting to access resources anywhere on the network must first pass through Identity Server’s Authentication Service, typically via a log-in Web page, although this can be routed to a custom GUI via additional programming tools. Once the user has provided the required information, the Authentication Service either grants or denies access. Although this sounds similar to what we already have, Identity Server can manage access across domains and operating systems, as well as across many existing authentication systems and directory services.
The Liberty-enabled configuration is intended to allow Web users to sign in to a Web site or Internet resource that is part of a Liberty authentication domain — basically a conglomerate of resources operating in a trusted environment, all managed by the Liberty Alliance’s federated authentication service. Thereafter, that user can roam to any Web site within that authentication domain and access resources without having to be re-authenticated. What’s nice about the Liberty implementation is that it’s cross-platform via Java and XML, and it doesn’t require user authentication information to be stored in a central repository.
Thus, a user could have basic username and password information stored on one server while having credit card information stored on another, yet still allow another application within the authentication domain to access both sets of data when needed. This means no single entity will have control over all user information, and no impediments to businesses retaining the information they need for effective customer relationship management.
Sun ONE Identity Server is not a stand-alone product, but is composed of several Sun ONE agents, service technologies, and servers. Digging into an Identity Server box, you’ll find that you’ve purchased a number of Sun ONE technologies, including Sun ONE Directory Server 5.1, Identity Server Policy and Management Service, the Identity Server Console, Identity Server Schema, the Cross-Domain Single Sign-On component, and Common Domain Services.
Although you can download the base software in demo mode, as we did, actual customers will work with Sun on both a hardware and software basis. Sources say Sun will most likely sell the software in two turnkey configurations, Enterprise Edition and Internet Edition. The Enterprise Edition is intended to manage up to 50,000 user identities within firewall boundaries, and will include a hardware configuration equivalent to two Sun Fire 280R UltraSPARC III servers and a 72GB Sun StorEdge D2 storage array. Software will be preconfigured and include the pieces listed above as well as Solaris 8 or 9. Pricing in this configuration should break out to around $10 to $15 per user, excluding hardware, on-site consulting, and training costs.
| Test Center Scorecard | | | | | | | | |
|---|---|---|---|---|---|---|---|---|
| | 0% | 0% | 0% | 0% | 0% | 0% | 0% | 0% |
| Sun ONE Identity Server 6.0 | 7 | 8 | 8 | 7 | 9 | 9 | 9 | 8 |