Access Manager SDK and Client SDK: Differences
By docteger on Oct 11, 2007
FYI. The Access Manager Client SDK is aimed at applications that use identity APIs at run-time. This includes applications that contain functionality for authentication, SSO, policy evaluation (fine-grained policy enforcement), and obtaining and setting user attributes, roles, etc. The Client SDK is not aimed at applications that perform management of policies (creations, deletions, etc.) or identities. From a deployment point of view, the Client SDK offers the following advantages over the full SDK:
- The Client SDK does not require administrator credentials (amadmin, dsameuser, etc.).
- The Client SDK uses only http/https and communicates only with Access Manager. It does not require serverconfig.xml and does not use LDAP.
- Because of this, applications using the Client SDK can be deployed in DMZs and a firewall can be placed between the applications and Access Manager.
- Because of this, the three persistent search connections used by the full SDK are not needed. This reduces the load and improves performance on Directory Server. This allows the Client SDK to support 100s of applications rather than the 10s of them supported by the full SDK.
- The Client SDK is smaller - approximately 1M as compared to the ~10M size of the full SDK.
- The Client SDK is better suited for J2EE war deployment, requiring only a single jar (amclientsdk.jar) and the AMConfig.properties file within the Access Manager WAR.
- Policy Management: Policy Management requires a number of plugins (Subject, Resource, Conditions, etc.). These are not included. For this reason, the server side com.sun.identity.policy.PolicyEvaluator would not be supported.
- Federation/Liberty: The Liberty APIs are not supported in the Client SDK.