idBUS Architecture
identicentric's idBUS is the industry's first identity product to expose 100% of its functionality using SOAP web services. This highly standardized architecture, built from the ground up on J2EE technology, allows full interoperability between a wide variety of client platforms.
Foundation
The idBUS architecture starts with two technologies that are fundamental to the product's web service underpinnings: WSDL and XSD. Unlike other identity technologies, idBUS is designed from the ground up around the assertion that a durable service contract is critical to the success of any integration. This means that all entities managed by idBUS are described by a well defined, declarative content model.
Of course, sustainability is always a concern when employing a structured content model. Yet the world's most scalable content system, the World Wide Web, was developed around a "must ignore" pattern. This model ensures that clients and servers only process data that they are interested in, and ignore everything else. Following suit, identicentric has performed pioneering work in the area of extensible and versionable XML schema using a "must ignore" pattern. The effect of this work manifests itself in a rare, but valuable, balance: an extensible, loosely coupled architecture with tight data bindings.
Functionality
idBUS builds upon the flexibility and cross-platform nature of SOAP, and adds additional capabilities for ease of use. For example, idBUS employs a unique system that automates state change recognition between service calls on managed objects. This, combined with full support for proxy/stub generation on .NET and Java platforms, frees developers from managing APIs, object state, XML, and invocations. The move towards true object oriented style is much more natural for most programmers and eliminates many integration burdens.
Extensibility
idBUS completely de-couples the service interface from the underlying processing and functionality. This design provides a highly configurable and extensible system for service processing. Every service in the idBUS system is decomposed into a set of individual procedures. Reusable commands are linked together to form chains, where each "plug-in" is responsible for a different task. For example, the processing chain for a service that performs group or role entitlement verification might look something like this:
- Authentication of the incoming service caller
- Authorization of the caller's permission to invoke the service
- Resolution of incoming username to a back-end identity record in a central identity store
- Resolution of the input group/role identifier to the back-end entitlement store
- First pass lookup to determine direct membership
- Optional resolution to determine indirect membership via inheritance or recursive relationships
- Conversion of results into output format
Because each step in the idBUS service chain is independent, it is possible to configure the system in an infinite number of creative ways. Furthermore, this model allows custom plug-ins to be inserted anywhere within the service chain to implement custom business or domain logic.
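The entitlement-verification chain listed above, sketched as an added Java example; it is not idBUS code, and the `Command` interface, the step methods and the sample stores are hypothetical names and constructed data. It shows the two properties that matter when plug-ins can be reordered: a failed authentication or authorization step stops the chain before any lookup runs, and indirect membership resolution tracks visited groups so recursive relationships terminate. It assumes Java 9 or later for `Map.of`.

```java
import java.util.*;
public class EntitlementChainDemo {
    // Hypothetical plug-in contract (not an idBUS API): returning false stops the chain.
    interface Command { boolean execute(Map<String, Object> ctx); }
    // Constructed sample stores; a "group:" prefix marks a nested group member.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret", "bob", "hunter2");
    static final Set<String> MAY_INVOKE = Set.of("alice");
    static final Map<String, Set<String>> MEMBERS = Map.of(
        "admins", Set.of("carol"),
        "staff", Set.of("dave", "group:admins"),
        "loopA", Set.of("group:loopB"),
        "loopB", Set.of("group:loopA"));

    static boolean authenticate(Map<String, Object> ctx) {   // stand-in credential check
        Object caller = ctx.get("caller"), pw = ctx.get("password");
        return caller != null && pw != null && pw.equals(PASSWORDS.get(caller));
    }
    static boolean authorize(Map<String, Object> ctx) { return MAY_INVOKE.contains(ctx.get("caller")); }
    static boolean resolveGroup(Map<String, Object> ctx) {
        return ctx.get("group") != null && MEMBERS.containsKey(ctx.get("group"));
    }
    static boolean lookup(Map<String, Object> ctx) {
        ctx.put("member", isMember((String) ctx.get("user"), (String) ctx.get("group"), new HashSet<>()));
        return true;
    }
    // Direct membership first, then nested groups; 'seen' stops recursive relationships from looping.
    static boolean isMember(String user, String group, Set<String> seen) {
        if (!seen.add(group)) return false;
        for (String m : MEMBERS.getOrDefault(group, Set.of())) {
            if (m.equals(user)) return true;
            if (m.startsWith("group:") && isMember(user, m.substring(6), seen)) return true;
        }
        return false;
    }
    static final List<Command> CHAIN = List.of(EntitlementChainDemo::authenticate,
        EntitlementChainDemo::authorize, EntitlementChainDemo::resolveGroup, EntitlementChainDemo::lookup);

    static String run(String caller, String pw, String user, String group) {
        Map<String, Object> ctx = new HashMap<>();
        ctx.put("caller", caller); ctx.put("password", pw); ctx.put("user", user); ctx.put("group", group);
        for (Command c : CHAIN) if (!c.execute(ctx)) return "DENIED";   // fail closed, skip later steps
        return "member=" + ctx.get("member");
    }
    public static void main(String[] args) {
        System.out.println(run("alice", "s3cret", "carol", "staff"));  // indirect, via nested admins
        System.out.println(run("alice", "s3cret", "carol", "loopA"));  // cyclic groups still terminate
        System.out.println(run("bob", "hunter2", "carol", "staff"));   // authenticated, not authorized
        System.out.println(run("alice", "wrong", "carol", "staff"));   // bad credential
    }
}
```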
Security
idBUS uses established standards to ensure the security of its exposed services. Client authentication is enabled using WS-Security or HTTP Basic. The underlying security subsystem is built around JAAS for credential processing, service authorization, and property level access control. Requirements for transport level security and service provider authentication are met through deployment on an SSL protected application server platform.
Performance
In some circles, XML web services have a reputation for being slow and cumbersome. But idBUS uses high-performance document/literal SOAP bindings and a SAX XML processor to speed service response times. Many idBUS functions have been verified as capable of processing tens of thousands of operations per minute, on even modest hardware, with average response times under 1/10th of a second.
System Requirements
The following table summarizes idBUS deployment requirements:
| Component | Requirement |
| --- | --- |
| JVM | JDK 1.4.1 or higher. JDK 1.5.x recommended |
| Platform | Minimum: |
| Application Servers | idBUS is deployed as a standard Web Application Archive (WAR) file into any J2EE compliant application server. For that reason, a very wide range of deployment platforms are supported including: |
| Directory Servers | idBUS uses LDAP v3 for connectivity to directory environments. Thus, a broad number of directory platforms are supported, including: |
