DocTeger

OpenSSO Technical Information

And a Spoonful of Music

To Make the Medicine Go Down

Federated Access Manager Supported Data Stores and Operations

THIS INFORMATION IS STILL BEING UPDATED AND MAY CHANGE BEFORE THE FALL 2008 FEDERATED ACCESS MANAGER 8.0 RELEASE.

Federated Access Manager contains a lot of data and supports a number of products in which to store it. The following sections contain information regarding this support and the specific operations that can be performed on the data by each product.

1. Directory Support
2. Supported Identity Data Store Operations
3. Notification Support

Directory Support

The table below lists the directories supported for the different types of data.

	Sun Directory Server	Active Directory	IBM Tivoli Directory	LDAP v3 server (other)
User Data Store	Yes	Yes	Yes	No
Configuration Data Store*	Yes	No	No	No
AM SDK (legacy)	Yes	No	No	No
LDAP Authentication	Yes	Yes	Yes	Yes
Membership Authentication	Yes	No	No	No
AD Authentication	N/A	Yes**	N/A	N/A
Policy Subjects and Policy LDAPFilter Condition	Yes	Yes	Yes	Yes
Password Reset	Yes (with AM SDK only)	No	No	No
Account Lockout	Yes	No	No	No
Certificate Authentication	Yes	Yes`	Yes	Yes
MSISDN Authentication	Yes	Yes	Yes	Yes
Data Store Authentication (through LDAPv3 identity data store)	Yes	Yes	Yes	Yes

* OpenDS can be configured as the embedded configuration data store during your initial Federated Access Manager configuration. It can not be configured as an external configuration data store as the Sun Directory Server can. OpenDS is not currently supported as a user data store.

** There are some limitations.

As a side note, authentication also supports the JDBC repository through the JDBC authentication module.

Supported Identity Data Store Operations

IDRepo is the interface to provide basic management for user, group, role and agent entities. This interface allows support for any identity data repository with the development of a plug-in. Although currently limited to three directories, it can be expanded to include any LDAPv3 directory (like OpenLDAP or Novell Directory), a Java Database Connectivity (JDBC) directory, flat files, and others.

The matrix below specifies current support through the IDRepo interface. We have a specific implementation for each supported identity repository. The default implementation of this interface can be used and is supported for any LDAPv3 repository.

The following table lists operations supported by each data store type.

	Sun DS LDAP v3	IBM Tivoli LDAP v3	AD LDAP v3	LDAP v3 (generic)	AM SDK (legacy)
User Create	Yes	Yes	Yes*	No	Yes
User Modify	Yes	Yes	Yes*	No	Yes
User Delete	Yes	Yes	Yes*	No	Yes
Role create	Yes	Yes	No	No	Yes
Role Modify	Yes	Yes	No	No	Yes
Role Delete	Yes	Yes	No	No	Yes
Role Assignment	Yes	Yes	No	No	Yes
Role Evaluation for membership	Yes	Yes	No	No	Yes
Group Create	Yes	Yes	No	No	Yes
Group Modify	Yes	Yes	No	No	Yes
Group Delete	Yes	Yes	No	No	Yes
Group Assignment	Yes	Yes	No	No	Yes
Group evaluation for membership	Yes	Yes	Yes	No	Yes
Federation Attributes	Yes	Yes	Yes	No	Yes

* Needs some fixes.

Notification Support

Data changes in directories need to be propagated to OpenSSO in a timely manner. The data in OpenSSO is updated in two ways:

1. Polling of the directories
2. Notifications from the directories

For notification, Federated Access Manager subscribes to persistent search notifications provided by the directories. For polling, it provides configurable parameters to specify the time intervals. When multiple instances of Federated Access Manager are running, the configuration data changes can also be propagated to those instances.

And now watch how the dancers support Goldie Hawn as she sings Star, the title tune from the 1960s film musical biography about Gertrude Lawrence and starring an excellently-cast Julie Andrews.

Posted at 10:52AM Jul 02, 2008 by Michael Teger in Sun  |  Comments[0]