Configure the server to handle identity assertion authentication

Use this task to configure identity assertion authentication.  The purpose of identity assertion is to assert the authenticated identity of the originating client from a Web service to a downstream Web service. Do not attempt to configure identity assertion from a pure client.

For the downstream Web service to accept the identity of the originating client (user name only), supply a special trusted BasicAuth credential that the downstream Web service trusts and can authenticate successfully. You must specify the user ID of the special BasicAuth credential in a trusted ID evaluator on the downstream Web service configuration. For more information on trusted ID evaluators, see Trusted ID evaluators. The server side passes the special BasicAuth credential into the trusted ID evaluator, which returns true or false that this ID is trusted. Once it is trusted, the user name of the client is mapped to the credential, which is used for authorization.

Complete the following steps to configure the server to handle identity assertion authentication information...

1. Launch the Assembly Toolkit.

2. Open the J2EE perspective by clicking Window > Open Perspective > Other > J2EE.

3. Select the Web services-enabled Enterprise JavaBean (EJB) or Web module.

4. In the Project Navigator window, locate the META-INF directory for an EJB module or the WEB-INF directory for a Web module.

5. Right-click the webservices.xml file, and click Open With > Web Services Editor.

6. Click the Security Extensions tab, which is located at the bottom of the Web services editor within the Assembly Toolkit.

7. Expand the Request Receiver Service Configuration Details > Login Configuration section.The options you can select are: 

   • BasicAuth

   • Signature

   • ID assertion

   • Lightweight Third Party authentication (LTPA)

8. Select IDAssertion to authenticate the client using the identity assertion data provided. The user ID of the client must be in the target user registry configured in WAS global security. You can select global security in the administrative console by clicking Security > Global security.

   You can select multiple login configurations, which means that different types of security information can be received at the server.  The order in which the login configurations are added determines the processing order when a request is received. Problems can occur if you have multiple login configurations added that have common security tokens. For example, ID assertion contains a BasicAuth token, which is the trusted token.  For ID assertion to work properly, list ID assertion ahead of BasicAuth in the list or BasicAuth processing overrides ID assertion processing.

9. Expand the IDAssertion section and select both the ID Type and the Trust Mode.

   1. For ID Type, the options are...

      • Username

      • Distinguished name (DN)

      • X509certificate

      These choices are just preferences and are not guaranteed.  Most of the time the Username option is used.  You must choose the same ID Type as the client.

   2. For Trust Mode, the options are:

      • BasicAuth

      • Signature

      The Trust Mode refers to the information sent by the client as the trusted ID.

      1. If you select BasicAuth, the client sends basic authentication data (user ID and password). This basicauth data is authenticated to the configured user registry. When the authentication occurs successfully, the user ID must be part of the trusted ID evaluator trust list.

      2. If you select Signature, the client signing certificate is sent. This certificate must be mappable to the configured user registry.  For Local OS, the common name (CN) of the distinguished name (DN) is mapped to a user ID in the registry.  For LDAP, the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter mode, attributes are mapped accordingly. In addition, the user name from the credential generated must be in the Trusted ID Evaluator trust list.

For more information on getting started with the Web Services Editor within the Assembly Toolkit , see Configuring the server security bindings using the Assembly Toolkit.

After you specify how the server handles identity assertion authentication information, specify how the server validates the authentication information. See Configuring the server to validate identity assertion authentication information for more information.

 

See Also

Trusted ID evaluator
Securing Web services using identity assertion authentication
Configuring the server to validate identity assertion authentication information
Configuring the server security bindings using the Assembly Toolkit

 

---