Identity assertions with trust validation
If we want an application or system provider to perform an identity assertion with trust validation, it can be accomplished by use of the JAAS login framework, where trust validation is performed in one login module and credential creation in another. These two custom login modules are used to create a JAAS login configuration that performs a login to an identity assertion.
Two custom login module are required:
- A user-implemented trust association login module. This login module performs whatever trust verification the user requires. When trust is verified, the trust verification status and the login identity must be placed in a map in the share state of the login module to enable the credential creation login module to use that information. The map must be stored in the com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state property. State maps contain the following information:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted - set to true, if trusted, and false, if not trusted.
- com.ibm.wsspi.security.common.auth.module.IdenityAssertionLoginModule.principal - contains the principal of the identity.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates - contains the certificate of the identity
- The com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule module performs the credential creation. It requires that the trust state information be in the login context's shared state. This login module is protected by the Java 2 security runtime permissions for the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login
IdentityAssertionLoginModule searches for the trust information in the shared state property, com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state. This is a map containing the trust status and the identity used to login. The map includes the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted - if set to true it is trusted, false if not trusted.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal - if a principal is used, it contains the principal of the identity necessary to login.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates - if a certificate is used, it contains an array of a certificate chain that includes the identity necessary to login.
A WSLoginFailedException is returned if the state, trust, or identity information is missing. The login module then performs a login of the identity. The subject now contains the new identity.
Related tasks
Enable identity assertion with trust validation using JAAS