Identity Management Made Easy with OpenSSO

Policy Agents: An Integral Part of the Global Sign-On Process


Policy Agents are programs, residing on the servers that host protected resources, that intercept every incoming request for a protected resource and coordinate with the session and authentication services to complete the sign-on process. This enforcement of assigned policies (authorization) is an integral part of SSO and CDSSO sessions.


Figure 3. Policy Agents

Web Agents enforce URL-based policy for C applications, while EE/Java Agents enforce both URL-based and J2EE-based policy for Java applications running within J2EE containers.

Installing OpenSSO

OpenSSO supports different data stores for identity, including LDAP, for storing realm configurations, authentication properties, authorization policies, and data pertaining to FAM. Complete the following steps to install the necessary components:
  1. Download and install Sun Directory Server 5.2.
  2. In the Directory Server, create a new suffix (for example, dc=opensso,dc=java,dc=net).
  3. Download an IDE and a J2EE Application Server as needed.
  4. Download the OpenSSO stable build (the file is called openSSO V1 Build 3 Zip).
  5. Unzip opensso.zip and extract opensso.war.
  6. Install all the required software before deployment.
  7. Deploy the Web Application (opensso.war). This step will vary based upon the IDE and application server you are using.

OpenSSO supplies a browser-based console (Access Manager Console) and two command line interfaces (amadm and famadm) for configuring and managing FAM. Local bootstrapping and server configuration are provided in the AMConfig.properties file. Examples of various aspects of access management and federation can be found at http://host:port/uri/samples/.

Configuring FAM
First, access FAM via http://localhost:9080/fam/welcome.jsp, substituting your own values for host and port in the URL. An initial configuration page is displayed that lets you configure a data store. In 'Configuration Store Settings,' select the 'Directory Server' option and enter the LDAP port number, along with the new root suffix you created in Step 2, so that all the data required for OpenSSO resides in one place.

Access Manager Console
After the configurator has run successfully, you'll see the login page (http://localhost:9080/fam/UI/Login) for the Access Manager Console. A FAM deployment provides two users (anonymous and amAdmin) and a default realm, which corresponds to the top dc of the root domain used during LDAP installation; in this case it is opensso. Log in as amAdmin and see that both users have administrative privileges.


Figure 4. The Federated Access Manager Main Page

The Access Manager Console allows administrators with different levels of access to manage Realms and Organizations, to add identity objects (Users, Groups, Roles and Agents) to realms and remove them, and to establish enforcement Policies that protect and limit access to realms' resources. It also allows you to configure Authentication Configuration, Federation and Web Services, and to delete Sessions.

Managing Realms
A realm is a basic administrative unit consisting of a group of authentication properties and authorization policies relating to a user or group of users. The realms form a hierarchy starting with the default root realm (opensso) created at initialization. Realms are displayed under the Access Control tab and enable you to configure properties for Authentication, Services, Data Stores, Privileges, Policies, and Subjects. Realm data is stored in a proprietary information tree that Access Manager creates with the data store you specified during configuration.


Figure 5. Realm Attributes

To create a new realm, select New from the Realms list under the Access Control tab. Enter a name (Test Realm) for the realm and select the parent realm under which the new realm will exist. Note that the Parent text box displays the available realms, including the default realm. For Realm Status choose a status of active or inactive; choosing inactive disables user access when logging in. You can add alias names for the DNS name of the realm under Realm/DNS Aliases. This attribute only accepts "real" domain aliases.


Figure 6. The Realms Page

Managing Subjects
A subject defines users, collections of users (groups), and agents. The Subjects tab enables basic identity management within a realm. You can create and delete users and groups, and you can add or remove users from roles and/or groups related to a realm, via the User and Group tabs. The Agent tab allows you to store authentication and other profile information about a specific agent that is protecting a resource.


Figure 7. Subjects Page

To create a new user or group, choose the realm in which you would like to create the user or group and click the Subjects tab. Then click the User tab to create a user, the Group tab to create a group, or the Agent tab to create an agent.


Figure 8. Creating a New User

Managing Policies
A policy is a rule that describes who is authorized to access a resource. Through the Policies tab, you can manage policies. You can create two types of Access Manager policies: normal policies and referral policies. A normal policy consists of rules, subjects, conditions, and response providers. A referral policy controls the policy delegation when an administrator may need to delegate one realm's policy definitions and decisions to another realm. It consists of one or more rules and one or more referrals.


Figure 9. The Policy Page

To create a new policy, choose the realm for which you would like to create the policy and click the Policies tab. Click New Policy from the Policies list and add a name (TestPolicy) and a description for the policy. If you wish the policy to be active, select yes in the Active attribute. Add Rules and Subjects (amAdmin); note that Conditions and Response Providers are optional. For Rules, a service type (Discovery, Liberty Personal Profile, or URL Policy Agent) has to be selected, and it defines the available actions. For example, the following screenshot shows the configuration parameters for the URL Policy Agent service type.


Figure 10. Rule Description
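
To make the pieces described on this page concrete (the agent intercepting a request and checking for a session, the realm hierarchy, and normal versus referral policies built from rules, subjects and conditions), here is an added, self-contained Java illustration. It is not OpenSSO code and does not use the OpenSSO API: the class names, the in-memory session table standing in for the session service, the http://host:port/app/ URLs and the tok-1/tok-2 tokens are all constructed for the example, while the users amAdmin and anonymous, the realm names and the policy name are the ones used in this tutorial.

```java
import java.util.*;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
/** Toy model of OpenSSO-style policy enforcement (illustration only, not OpenSSO's API). */
public class PolicyAgentDemo {
    enum Decision { ALLOW, DENY, LOGIN_REQUIRED }
    /** Subject: which authenticated users a policy applies to. */
    interface Subject { boolean applies(String user); }
    /** Condition (optional in a normal policy): an environment check such as client IP. */
    interface Condition { boolean holds(Map<String, String> env); }
    /** Rule: a URL pattern ('*' wildcard) plus the actions it permits (GET, POST, ...). */
    static final class Rule {
        final String pattern;
        final Set<String> actions;
        Rule(String pattern, String... actions) {
            this.pattern = pattern;
            this.actions = new HashSet<>(Arrays.asList(actions));
        }
        boolean matches(String url) {
            // Quote each literal segment; '*' becomes ".*" so it matches any run of characters.
            String regex = Arrays.stream(pattern.split("\\*", -1))
                    .map(Pattern::quote).collect(Collectors.joining(".*"));
            return url.matches(regex);
        }
    }
    /** Normal policy: rules + subjects + conditions (response providers omitted here). */
    static final class NormalPolicy {
        final List<Rule> rules; final List<Subject> subjects; final List<Condition> conditions;
        NormalPolicy(List<Rule> rules, List<Subject> subjects, List<Condition> conditions) {
            this.rules = rules; this.subjects = subjects; this.conditions = conditions;
        }
        /** Empty if no rule covers the URL; ALLOW only when action, subject and conditions all pass. */
        Optional<Decision> evaluate(String user, String url, String action, Map<String, String> env) {
            List<Rule> hits = rules.stream().filter(r -> r.matches(url)).collect(Collectors.toList());
            if (hits.isEmpty()) return Optional.empty();
            boolean actionOk = hits.stream().anyMatch(r -> r.actions.contains(action));
            boolean subjectOk = subjects.stream().anyMatch(s -> s.applies(user));
            boolean condOk = conditions.stream().allMatch(c -> c.holds(env));
            return Optional.of(actionOk && subjectOk && condOk ? Decision.ALLOW : Decision.DENY);
        }
    }
    /** Referral policy: hands decisions for matching URLs to another realm. */
    static final class ReferralPolicy {
        final Rule rule; final Realm target;
        ReferralPolicy(Rule rule, Realm target) { this.rule = rule; this.target = target; }
    }
    /** Realm: the administrative unit that owns policies; referrals link the hierarchy. */
    static final class Realm {
        final String name;
        final List<NormalPolicy> policies = new ArrayList<>();
        final List<ReferralPolicy> referrals = new ArrayList<>();
        Realm(String name) { this.name = name; }
        Decision decide(String user, String url, String action, Map<String, String> env) {
            boolean allowed = false;
            for (NormalPolicy p : policies) {          // local policies first; an explicit DENY wins
                Optional<Decision> d = p.evaluate(user, url, action, env);
                if (d.isPresent() && d.get() == Decision.DENY) return Decision.DENY;
                if (d.isPresent()) allowed = true;
            }
            if (allowed) return Decision.ALLOW;
            for (ReferralPolicy r : referrals) {       // nothing local applies: follow a referral
                if (r.rule.matches(url)) return r.target.decide(user, url, action, env);
            }
            return Decision.DENY;                       // default deny for uncovered resources
        }
    }
    /** The agent on the resource server: validates the session, then enforces the decision. */
    static final class PolicyAgent {
        final Realm root;
        final Map<String, String> sessions;   // SSO token -> user; stands in for the session service
        PolicyAgent(Realm root, Map<String, String> sessions) { this.root = root; this.sessions = sessions; }
        Decision intercept(String ssoToken, String url, String action, Map<String, String> env) {
            String user = ssoToken == null ? null : sessions.get(ssoToken);
            if (user == null) return Decision.LOGIN_REQUIRED;   // a real agent redirects to the login page
            return root.decide(user, url, action, env);
        }
    }
    public static void main(String[] args) {
        // Constructed hierarchy: root realm 'opensso' refers everything under /app/ to 'Test Realm'.
        Realm root = new Realm("opensso");
        Realm test = new Realm("Test Realm");
        root.referrals.add(new ReferralPolicy(new Rule("http://host:port/app/*"), test));
        // TestPolicy in 'Test Realm': amAdmin may GET under /app/; no conditions attached.
        test.policies.add(new NormalPolicy(
                List.of(new Rule("http://host:port/app/*", "GET")),
                List.of(u -> u.equals("amAdmin")),
                List.of()));
        // Constructed session table: two tokens for the two users a FAM deployment provides.
        PolicyAgent agent = new PolicyAgent(root, Map.of("tok-1", "amAdmin", "tok-2", "anonymous"));
        Map<String, String> env = Map.of("clientIp", "192.0.2.10");
        String page = "http://host:port/app/index.jsp";
        System.out.println("no session, GET  : " + agent.intercept(null, page, "GET", env));
        System.out.println("amAdmin, GET     : " + agent.intercept("tok-1", page, "GET", env));
        System.out.println("amAdmin, POST    : " + agent.intercept("tok-1", page, "POST", env));
        System.out.println("anonymous, GET   : " + agent.intercept("tok-2", page, "GET", env));
        System.out.println("outside referral : " + agent.intercept("tok-1", "http://host:port/other/", "GET", env));
    }
}
```

Compile and run it with javac and java (Java 9 or later, for List.of and Map.of). The root realm has no normal policy for /app/, so the agent's request follows the referral into Test Realm and TestPolicy decides there: a request carrying no recognised SSO token is sent to login before any policy is consulted, the subject amAdmin with the permitted action passes, a non-permitted action or a non-matching subject (anonymous) is denied, and a URL that no rule or referral covers falls through to the default deny. The ordering (session check first, then local policies, then referrals, then deny) is the point of the example; the real agents add the redirect to the Access Manager login page and the cross-domain handling that this model leaves out.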
