Global single sign-on principal mapping for authentication
Use the Java Authorization Contract for Containers (JACC) provider for TAM to manage authentication to enterprise information systems (EIS) that are located within the WAS security domain, such as:
- transaction processing systems
- message queue systems
With GSO principal mapping, a special-purpose JAAS login module inserts a credential into the subject header. This credential is used by the resource adapter to authenticate to the EIS.
The default principal mapping module retrieves the user name and password information from XML configuration files. The JACC provider for TAM bypasses the credential that is stored in the XML configuration files and uses the TAM GSO database instead to provide the authentication information for the EIS security domain.
WAS provides a default principal mapping module that associates user credential information with EIS resources. The default mapping module is defined in the WAS admin console on the Application login panel. To access the panel, click Security | Global security | Java Authentication and Authorization Service | Application logins.
The mapping module name is DefaultPrincipalMapping.
The EIS security domain user ID and password are defined under each connection factory by an authDataAlias attribute. The authDataAlias attribute does not contain the user name and password; this attribute contains an alias that refers to a user name and password pair that is defined elsewhere.
The TAM principal mapping module uses the authDataAlias attribute to determine the GSO resource name and the user name that is required to perform the lookup on the TAM GSO database. The TAM Policy Server retrieves the GSO data from the user registry.
TAM stores authentication information on the TAM GSO database against a resource and user name pair.
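The following check is an added example, not IBM's or this page's own code: before switching connection factories to the TAM principal mapping module, it lists which `authDataAlias` values can be turned into a GSO resource and user name pair and which pairs have no GSO entry. It assumes the alias is written as `resource/user`; the XML fragment, its element names, the factory names and the in-memory GSO set are constructed stand-ins.

```python
import xml.etree.ElementTree as ET

# Constructed sample: simplified stand-in for connection factory definitions.
# Element and factory names are illustrative, not copied from a real WAS config.
SAMPLE_CONFIG = """
<resources>
  <connectionFactory name="OrdersCF" authDataAlias="BackendEIS/eisUser"/>
  <connectionFactory name="ReportsCF" authDataAlias="BackendEIS/reportUser"/>
  <connectionFactory name="BillingCF" authDataAlias="legacyAlias"/>
  <connectionFactory name="QueueCF" authDataAlias="MQHost/"/>
  <connectionFactory name="NoAuthCF"/>
</resources>
"""

# Constructed stand-in for the TAM GSO database, keyed by (resource, user).
GSO_ENTRIES = {("BackendEIS", "eisUser")}


def split_alias(alias):
    """Split an alias into (resource, user); assumes a 'resource/user' form."""
    resource, sep, user = alias.partition("/")
    if not sep or not resource or not user:
        return None  # alias cannot be used as a GSO lookup key
    return resource, user


def audit_factories(xml_text, gso_entries):
    """Return {factory name: status} describing each factory's GSO lookup."""
    report = {}
    for cf in ET.fromstring(xml_text).iter("connectionFactory"):
        name, alias = cf.get("name"), cf.get("authDataAlias")
        if alias is None:
            report[name] = "no-alias"
            continue
        key = split_alias(alias)
        if key is None:
            report[name] = "alias-not-mappable"
        elif key in gso_entries:
            report[name] = "ok"
        else:
            report[name] = "missing-gso-entry"
    return report


if __name__ == "__main__":
    for name, status in audit_factories(SAMPLE_CONFIG, GSO_ENTRIES).items():
        print(f"{name}: {status}")
```

Factories reported as anything other than `ok` would fail the GSO lookup and need either a corrected alias or a GSO credential created for that resource and user.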
GSO principal mapping architecture
Related concepts
Single sign-on for authentication using LTPA cookies
Set global sign-on principal mapping