h3. Overview
Identity and Access Management is widely considered to be a highly technical domain, with an implementation that's out of reach for most folks. The process of setting up a system for identity and access management has a well-earned reputation for technical difficulty, inconvenience, and errors; all in pursuit of an end product that most users dislike and avoid.
Unless you're a Subject Matter Expert (SME) or a technical architect, you're going to have some trouble setting up a process that will then be really difficult to use. Sounds great, doesn't it? Commercial identity and access management packages offer web-based facilities for setting up their products; but without an intimate knowledge of the product's inner structure, the overall setup and roll-out experience is tedious and error-prone.
We're not happy with this state of affairs. We're changing things, and we think you'll like what we've accomplished. First, we put together a top-notch identity management platform, delivering JOSSO2 by incorporating JOSSO and the Atricore Identity Bus; and now we've added ease of use. Usability translates to productivity. Get the less technically savvy people on board with your identity solutions, and you will significantly accelerate time-to-value for enabling federated identity settings.
Enter Point-and-Click Internet Single Sign On (SSO). Simply "draw" your Internet SSO setting, and bring it to life in a snap. Work at the architecture level. Say goodbye to the tens of forms you've had to complete in order to get your connections with partner sites up and running. You won't need to edit manually or deal with obscure configuration files.
Whereas JOSSO1 provides a command line console for provisioning SSO support onto the target environment, users are still required to deal with XML descriptors in order to fine-tune the implementation. This introduces a high entry barrier for non-technically savvy users, due to the learning curve concerning JOSSO and the constructs used to set up the product in order to realize the single sign-on usage scenarios. Moreover, the people responsible for the identity architecture do not have visibility or control of the federated single sign-on setting, having to rely on more technical people - usually non-SME experts - in order to bring it to life. Consequently, the chances of miscommunication increase significantly, posing a risk to the identity and access management project.
Through the Identity Appliance Modeler, the Identity Architect is now in full control of how the high-level identity architecture is mapped to something that actually executes. The identity architecture definition can be carried out in a purely visual fashion, hence removing the typical entry barrier to delivering Internet SSO.
Let's have a look at what the identity appliance modeler looks like:
{highslide-expand:/confluence/download/attachments/18546744/modeler_overview.png|/confluence/download/attachments/18546744/modeler_overview_thumb.png} {highslide-expand}
The action bar offers identity appliance-related operations. These are mainly concerned with managing the workspace within which an identity appliance model is bootstrapped and edited. For instance, an identity appliance can be scaffolded by clicking on the "New" button, or we can continue working on an existing appliance by selecting it and clicking on the "Open" button.
The palette encompasses four drawers. The "Entities" drawer hosts the items for specifying the actors of the identity architecture, namely the Identity Provider and Service Provider. The "Identity Sources" drawer hosts the items for specifying the storage mechanisms that these entities can leverage for backing authentication and authorization processes. The "Execution Environments" drawer hosts the items for specifying the application platform on which service providers can execute. Finally, the "Connections" drawer hosts the items for connecting the building blocks of the identity architecture together.
In order to add an element to an existing identity appliance model, click on one of the items from the palette and then drop it onto the diagram canvas. Connecting two elements is achieved by dragging an item of the connection type onto the diagram, and selecting the source and target elements you wish to associate.
Editing is achieved by clicking the element you want to edit on the diagram canvas and selecting the field you wish to update within the property sheet section. Removal is achieved by clicking on the red cross that appears each time you roll over an element of the diagram.
h3. Identity Appliance Lifecycle Management
The Identity Architect is also put in control of transforming the identity architecture model into a fully executing artifact. As in the identity appliance modeler, this process is carried out in a point-and-click fashion. The Identity Appliance Lifecycle Management screen offers a grid-based layout, within which the columns represent the different states the identity appliance artifact can be in.
Switching an identity appliance from one state to another is achieved by dragging the identity appliance item from the column representing the source state and dropping it on the column representing the target state. For instance, in order to build an identity appliance, select and drag the corresponding item from the "Saved" column and drop it on the "Staged" column. Additionally, an identity appliance in the "Deployed" state can be started and stopped through the buttons on the right of the item.
{highslide-expand:/confluence/download/attachments/18546744/lifecycle_overview.png|/confluence/download/attachments/18546744/lifecycle_overview_thumb.png} {highslide-expand}
h3. Account & Entitlement Management
JOSSO2 is bundled with an out-of-the-box identity store - known as the Identity Vault - onto which user accounts and entitlements can be provisioned. Identity Vaults can be bound to both Identity and Service Provider entities. The identity vault is built on the Apache Derby relational database system.
Both accounts and groups can be provisioned. Accounts can also be associated with one or more groups in order to serve as the input for role-based access control (RBAC).
h4. User Accounts
Clicking on the "Manage Users" button displays the screen through which the complete lifecycle of user accounts can be managed, mainly provisioning, detail editing, entitlement association and de-provisioning.
Let's have a look at how the account management screen is structured:
{highslide-expand:/confluence/download/attachments/18546744/account_mgmt_view.png|/confluence/download/attachments/18546744/account_mgmt_view_thumb.png} {highslide-expand}
h4. Groups
Clicking on the "Manage Groups" button displays the screen through which the full lifecycle of group records can be managed. Groups serve as the means to determine the entitlements of users.
Let's have a look at how the group management screen is structured:
{highslide-expand:/confluence/download/attachments/18546744/group_mgmt_view.png|/confluence/download/attachments/18546744/group_mgmt_view_thumb.png} {highslide-expand}
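The "Account & Entitlement Management" and "Groups" sections above describe accounts being associated with groups, and groups carrying the entitlements that drive RBAC. The following is an added example, not JOSSO2 code and not the Identity Vault's actual schema: it models that relationship in an in-memory SQLite database (standing in for the Derby-backed vault, which is an assumption made here for portability) and shows how an authorization check resolves a user's effective permissions through group membership. Table and column names, the sample users, groups and permission strings are all constructed for illustration.

```python
import sqlite3

# Constructed schema: users belong to groups (many-to-many), and
# permissions are granted to groups, never directly to users. This is
# the RBAC shape the page describes, not the Identity Vault's real schema.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    enabled  INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE groups (
    id   INTEGER PRIMARY KEY,
    name TEXT UNIQUE NOT NULL
);
CREATE TABLE memberships (
    user_id  INTEGER NOT NULL REFERENCES users(id),
    group_id INTEGER NOT NULL REFERENCES groups(id),
    PRIMARY KEY (user_id, group_id)
);
CREATE TABLE entitlements (
    group_id   INTEGER NOT NULL REFERENCES groups(id),
    permission TEXT NOT NULL,
    PRIMARY KEY (group_id, permission)
);
"""


def add_user(conn, username, enabled=True):
    conn.execute("INSERT INTO users (username, enabled) VALUES (?, ?)",
                 (username, 1 if enabled else 0))


def add_group(conn, name):
    conn.execute("INSERT INTO groups (name) VALUES (?)", (name,))


def add_member(conn, username, group):
    # Resolve both sides by name so callers never deal with row ids.
    conn.execute(
        "INSERT INTO memberships (user_id, group_id) "
        "SELECT u.id, g.id FROM users u, groups g "
        "WHERE u.username = ? AND g.name = ?",
        (username, group))


def grant(conn, group, permission):
    conn.execute(
        "INSERT INTO entitlements (group_id, permission) "
        "SELECT id, ? FROM groups WHERE name = ?",
        (permission, group))


def build_vault():
    """Create the constructed sample vault: two groups, three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    for name in ("employees", "finance-admins"):
        add_group(conn, name)
    grant(conn, "employees", "portal:login")
    grant(conn, "finance-admins", "portal:login")
    grant(conn, "finance-admins", "ledger:write")
    add_user(conn, "alice")
    add_user(conn, "bob")
    add_user(conn, "mallory", enabled=False)   # de-provisioned account
    add_member(conn, "alice", "employees")
    add_member(conn, "alice", "finance-admins")
    add_member(conn, "bob", "employees")
    add_member(conn, "mallory", "finance-admins")
    conn.commit()
    return conn


def entitlements_for(conn, username):
    """Effective permissions: the union over every group the user is in.

    Unknown and disabled accounts resolve to the empty set, so a stale
    group membership on a de-provisioned account grants nothing.
    """
    rows = conn.execute(
        "SELECT DISTINCT e.permission FROM users u "
        "JOIN memberships m ON m.user_id = u.id "
        "JOIN entitlements e ON e.group_id = m.group_id "
        "WHERE u.username = ? AND u.enabled = 1",
        (username,))
    return frozenset(r[0] for r in rows)


def is_authorized(conn, username, permission):
    """Single RBAC decision: does the user hold this permission via a group?"""
    return permission in entitlements_for(conn, username)


if __name__ == "__main__":
    vault = build_vault()
    for user in ("alice", "bob", "mallory", "nobody"):
        print(user, sorted(entitlements_for(vault, user)))
```

The check deliberately routes every decision through group membership and the account's enabled flag; disabling an account (the "de-provisioning" step on the account management screen) is enough to revoke all of its entitlements without having to edit each group.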