The purpose of identity assertion is to assert
the authenticated identity of the originating client from a Web service to
a downstream Web service. You can configure identity assertion authentication
for the server. Do not attempt to configure identity assertion from a pure
client.
About this task
Important: There is an important distinction between
Version 5.x and Version 6.0.x and later applications. The information
in this article supports Version 5.x applications only that are used
with WebSphere Application Server Version 6.0.x and later. The information
does not apply to Version 6.0.x and later applications.
For
the downstream Web service to accept the identity of the originating client
(user name only), you must supply a special trusted BasicAuth credential that
the downstream Web service trusts and can authenticate successfully. You must
specify the user ID of the special BasicAuth credential in a trusted ID evaluator
on the downstream Web service configuration. For more information on trusted
ID evaluators, see Trusted ID evaluator. The server side passes the special BasicAuth credential
into the trusted ID evaluator, which returns true or false that
this ID is trusted. After it is trusted, the user name of the client is mapped
to the credential, which is used for authorization.
Complete the following
steps to configure the server to handle identity assertion authentication
information:
Procedure
- Launch an assembly tool. For more information on the
assembly tools, see Assembly tools.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective.
Click Window > Open Perspective > J2EE.
- Click EJB Projects > application_name > ejbModule
> META-INF.
- Right-click the webservices.xml file, and click Open
with > Web services editor.
- Click the Extensions tab, which is located at the bottom of the
Web services editor within the assembly tool.
- Expand the Request receiver service configuration details >
Login configuration section. The options you can select are:
- BasicAuth
- Signature
- ID assertion
- Lightweight Third Party Authentication (LTPA)
- Select IDAssertion to authenticate the client using the
identity assertion data provided.
The user ID of the client must be in the target user registry
or repository, which is configured on the Security > Secure administration,
applications, and infrastructure panel in the administrative console for
WebSphere Application Server. You can select multiple login configurations,
which means that different types of security information can be received at
the server. The order in which the login configurations are added determines
the processing order when a request is received. Problems can occur if you
have multiple login configurations added that have common security tokens.
For example, ID assertion contains a BasicAuth token, which is the trusted
token. For ID assertion to work properly, you must list ID assertion ahead
of BasicAuth in the list or BasicAuth processing overrides ID assertion processing.
- Expand the IDAssertion section and select both the ID
Type and the Trust Mode.
- For ID Type, the options are:
- Username
- Distinguished name (DN)
- X509certificate
These choices are just preferences and are not guaranteed. Most of the
time the Username option is used. You must choose the same ID Type as the
client.
- For Trust Mode, the options are:
The Trust Mode refers to the information sent by the client as the trusted
ID.
- If you select BasicAuth, the client sends basic authentication
data (user ID and password). This basicauth data is authenticated to the configured
user registry. When the authentication occurs successfully, the user ID must
be part of the trusted ID evaluator trust list.
- If you select Signature, the client signing certificate is sent.
This certificate must be mappable to the configured user registry. For Local
OS, the common name (CN) of the distinguished name (DN) is mapped to a
user ID in the registry. For Lightweight Directory Access Protocol (LDAP),
the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter
mode, attributes are mapped accordingly. In addition, the user name from the
credential generated must be in the Trusted ID Evaluator trust list.
What to do next
For more information on getting started with the Web Services Editor
within an assembly tool, see
Configuring the server security bindings using an assembly tool.
After you specify how the server handles identity assertion
authentication information, you must specify how the server validates the
authentication information. See the task for configuring the server to validate
identity assertion authentication information.