1.3.2 Identity Servers

Identity Server is the central authentication and identity access point for all other services. It is responsible for authenticating users and distributing role information to facilitate authorization decisions. It also provides the Liberty Alliance Web Service Framework to distribute identity information.

Identity Server always operates as an identity provider and can optionally be configured to run as an identity consumer (also known as a service provider), by using the Liberty, SAML 1.1, SAML 2.0, or OAuth protocols. As an identity provider, Identity Server validates authentications against the supported identity user store. It is also the central store for a user's identity federations, that is, the account linkage information.

In an Access Manager configuration, Identity Server is responsible for managing the following tasks:

  • Authentication: Verifies user identities through various forms of authentication, both local (user supplied) and indirect (supplied by external providers). The identity information can be some characteristic attribute of the user, such as a role, e-mail address, name, or job description. Advanced authentication mechanisms include Time-Based One-Time Password (TOTP), social authentication using external OAuth providers, and risk-based authentication.

  • Identity Stores: Links to user identities stored in eDirectory, Microsoft Active Directory, or Sun ONE Directory Server.

  • Identity Federation: Enables user identity federation and provides access to Liberty-enabled services.

  • Account Provisioning: Enables service provider account provisioning, which automatically creates user accounts during a federation request.

  • Custom Attribute Mapping: Allows you to define custom attributes by mapping Liberty Alliance keywords to LDAP-accessible data, in addition to the available Liberty Alliance Employee and Person profiles.

  • SAML Assertions: Processes and generates SAML assertions. Using SAML assertions in each Access Manager component protects confidential information by removing the need to pass user credentials between the components to handle session management.

  • Single Sign-On and Logout: Enables users to log in only once to gain access to multiple applications and platforms. Single sign-on and single logout are primary features of Access Manager and are achieved after the federation and trust model is configured among trusted providers and the components of Access Manager.

  • Identity Integration: Provides authentication and identity services to Access Gateways that are configured to protect web servers. Access Gateway and other Access Manager components include an embedded service provider that is trusted by Access Manager Identity Servers.

  • Roles: Provides RBAC (role-based access control) management. RBAC provides a convenient way to assign a user to a particular job function or set of permissions within an enterprise in order to control access. Identity Server establishes the active set of roles for a user session each time the user is authenticated. Roles can be assigned to particular subsets of users based on the constraints outlined in a role policy. The established roles can then be used in authorization policies to form the basis for granting and restricting access to particular web resources.
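The Roles bullet describes a two-stage flow: role policies are evaluated against the user's directory attributes at authentication time to fix the session's active role set, and authorization policies then grant or deny web resources based only on those roles. The following Python model is an added example and not Access Manager code; it assumes (hypothetically) that users are dicts of multi-valued LDAP-style attributes, that a role policy is a set of attribute constraints that must all hold, and that an authorization policy maps a path pattern to the roles allowed, with deny-by-default for unmatched resources.

```python
"""Added example, not Access Manager code: a minimal model of how role
policies establish a session's roles at authentication and how authorization
policies then use those roles. All names and sample data are constructed."""
import fnmatch
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePolicy:
    role: str
    constraints: dict  # attribute -> value that must be present; all must hold


@dataclass(frozen=True)
class Session:
    user_id: str
    roles: frozenset  # fixed when the session is established, never widened later


# Constructed role policies (hypothetical role names and attributes).
ROLE_POLICIES = [
    RolePolicy("employee", {"objectClass": "inetOrgPerson", "status": "active"}),
    RolePolicy("finance", {"department": "finance", "status": "active"}),
    RolePolicy("manager", {"title": "manager", "status": "active"}),
]

# Resource pattern -> roles that grant access (any one suffices).
# A path that matches no pattern is denied.
AUTHZ_POLICIES = {
    "/intranet/*": {"employee"},
    "/payroll/*": {"finance"},
    "/reports/approve": {"manager", "finance"},
}

_SALT = b"constructed-demo-salt"  # constructed; a real store salts per user


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user store standing in for the LDAP directory.
USER_STORE = {
    "alice": {"pw": _hash_password("alice-pass"),
              "objectClass": ["inetOrgPerson"], "status": ["active"],
              "department": ["finance"], "title": ["analyst"]},
    # bob holds a manager title but is disabled, so no role policy matches.
    "bob": {"pw": _hash_password("bob-pass"),
            "objectClass": ["inetOrgPerson"], "status": ["disabled"],
            "department": ["engineering"], "title": ["manager"]},
}


def evaluate_role_policies(user: dict, policies=ROLE_POLICIES) -> frozenset:
    """Return every role whose constraints all match the user's attributes."""
    return frozenset(
        p.role for p in policies
        if all(value in user.get(attr, []) for attr, value in p.constraints.items())
    )


def authenticate(user_id: str, password: str, user_store=USER_STORE,
                 policies=ROLE_POLICIES):
    """Verify the credential, then establish the session's active role set."""
    user = user_store.get(user_id)
    if user is None:
        return None
    if not hmac.compare_digest(_hash_password(password), user["pw"]):
        return None
    # Roles are computed from the directory state at login, so an attribute
    # change (e.g. status) takes effect at the user's next authentication.
    return Session(user_id, evaluate_role_policies(user, policies))


def authorize(session: Session, path: str, policies=AUTHZ_POLICIES) -> bool:
    """Deny unless a policy pattern matches the path and the session holds at
    least one of the roles that policy allows."""
    for pattern, allowed in policies.items():
        if fnmatch.fnmatchcase(path, pattern):
            return bool(session.roles & allowed)
    return False


if __name__ == "__main__":
    alice = authenticate("alice", "alice-pass")
    print(sorted(alice.roles))                 # ['employee', 'finance']
    print(authorize(alice, "/payroll/2024"))   # True
    print(authorize(alice, "/admin/console"))  # False: no policy, denied
    bob = authenticate("bob", "bob-pass")
    print(sorted(bob.roles))                   # []: disabled account
```

The authorization step never consults user attributes directly, only the role set frozen into the session; that is what lets the roles established at authentication serve as the single basis for granting and restricting access, and why a change in the directory (such as disabling the account) is picked up at the next authentication rather than silently widening an existing session.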