Single Sign-On (SSO) Components

Gatekeeper

The Gatekeeper is a servlet filter that rejects incoming messages that lack proper user credentials. The Gatekeeper acts an agent that sits in front of Application Repository and SBM Application Engine (each has its own gatekeeper), allowing requests to pass through if they have the proper authentication, or rejecting them if they do not.

Security Server

The Security Server (also known as the Identity Provider or "IDP") presents a login page that requests credentials. Every login request comes through the Security Server to challenge the user for credentials.

The Security Server also receives requests for security tokens and issues them if the requesting user is properly authenticated. The Security Server generates and signs security tokens (also known as SAML tokens) with its own private key for authenticated users. There are two entities within the Security Server: the Identity Attribute Service (IDAS) and the Context Provider.

Identity Attribute Service (IDAS)
The Identity Attribute Service is an abstraction layer that contacts the authentication source (in conjunction with the Context Provider) to authenticate a user's credentials and return verification to the Security Server. The IDAS allows the Security Server to operate with identity stores on a high level, so that the Security Server does not have to know a particular LDAP directory and its structure or the SBM Application Engine and its structure.
Context Provider
The Context Provider is an adapter to an authentication source, such as an LDAP directory. The authentication source could be LDAP or SBM internal passwords within the SBM Application Engine database. SBM supplies LDAP and SBM Application Engine context providers as part of the installation.

Identity Store

The Identity Store is the actual LDAP directory or database that holds the user identity (ID and password).