Putting Liberty to work

Sun ONE Identity Server 6.0 builds powerful cross-domain authentication on Liberty Alliance spec

The Internet Edition is designed for a heavier load of up to 5 million  identities, and to operate outside a firewall. This configuration will be similar to the Enterprise Edition, but with a meatier server platform, approximating two more Sun Fire 280R UltraSPARC III servers and a StorEdge containing 150GB of storage or more. This offering will break down to a per-user cost of $3 to $5, again excluding hardware and ancillary service costs.

We couldn’t get Sun to send us a million dollars worth of preconfigured hardware, so we had to install our version of Sun ONE Identity Server 6.0 on a Sun Ultra 10 (UltraSPARC IIi 300MHz) with 512MB of RAM and dual Ultra SCSI 18.3GB hard disks running Solaris 9 with Apache's 32-bit Web server installed. We installed Sun ONE Directory Server on a Netra T1405 running four UltraSPARC II 440MHz CPUs with 1GB of RAM and dual 18GB SCSI hard disks. Needless to say, though all our components worked just fine, your performance is likely to vary dramatically.

Because we had no Liberty authentication domain to access, we chose to set up Identity Server in its enterprise mode. That meant connecting our Sun server to a workstation running Solaris 8, a Compaq Proliant 1600 running Windows NT Server 4.0 in a separate domain, and a Compaq Proliant 800 running Novell Netware 5, also running in its own domain and configured with an NDS tree. It also meant paying attention to four core Identity Server services — authentication, logging, single sign-on, and session services—as well as whether to build a directory service from scratch or configure Identity Server against an existing Sun ONE Directory Server installation.

Identity Server’s authentication service is just what you’d expect, aimed at verifying the identity of users trying to access network resources. These services use a number of pluggable modules, depending on your network configuration and which authentication mechanisms you plan to employ.

The logging service is also what you’d expect, writing information to individual log files or to a log database for central administration. This data is then used by the Identity Server as well as by administrators via the Identity Server administration console. Session services are basically engine services designed to manage sessions and validity times; this data is used to manage SSO (Single Sign-On) tokens.

It gets interesting during implementation with SSO. This service uses tokens to move authentication information between trusted applications. You’ll find Sun has provided Java validation APIs, agents to allow authentication with a variety of application server platforms, and several identity management services.

All these default services are defined via XML and require varying degrees of configuration during implementation. We chose to enable administration, core, LDAP, membership, Unix, and NT services, while ignoring anonymous, certificate-based, SafeWord, and RADIUS services. We also paid special attention to the policy configuration, client detection, platform, naming, and logging services. And while we didn’t get a chance to look at it, developers will be especially interested in the SAML (Security Assertion Markup Language) service, which is used to define the framework for communication between authentication services.

Maneuvering within Identity Server 6.0 is surprisingly straightforward. Most tasks are handled by an administration console broken down into four tabs: Identity Management, Service Configurations, Current Sessions, and Federated Management.