IBM Security Access Manager - Global single sign-on principal mapping

Use the JACC provider for IBM Security Access Manager (ISAM) to manage authentication to enterprise information systems (EIS) located within the WebSphere Application Server security domain, including...

Authentication is achieved using the global single sign-on (GSO) principal mapper JAAS login module for Java EE Connector Architecture resources.

Note that if ISAM is used only to authenticate to WebSphere Application Server through WebSEAL, configuring JACC is not required.

With GSO principal mapping, a special-purpose JAAS login module inserts a credential into the subject header (iv-creds). The resource adapter uses this credential to authenticate to the EIS. The JAAS login module is configured on a per-connection-factory basis. The default principal mapping module retrieves the user name and password from XML configuration files. The JACC provider for ISAM bypasses the credential stored in those XML configuration files and instead uses the ISAM global single sign-on (GSO) database to provide the authentication information for the EIS security domain.

WAS provides a default principal mapping module that associates user credential information with EIS resources. The default mapping module is defined in the WAS administrative console on the Application login panel. To access the panel, click...


DefaultPrincipalMapping and authDataAlias

The mapping module name is DefaultPrincipalMapping.

The EIS security domain user ID and password are defined under each connection factory by an authDataAlias attribute. The authDataAlias attribute does not contain the user name and password; this attribute contains an alias that refers to a user name and password pair defined elsewhere.

The ISAM principal mapping module uses the authDataAlias attribute to determine the GSO resource name and the user name required to perform the lookup on the ISAM GSO database. The ISAM Policy Server retrieves the GSO data from the user registry.

ISAM stores authentication information on the ISAM GSO database against a resource and user name pair.
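As an added illustration (not IBM's code, and not the real WAS or ISAM schemas or class names), the following Python model contrasts the two mapping strategies described above: the default module resolves the alias to a user/password pair in XML configuration, while the ISAM module treats the alias as the GSO resource name and the calling subject as the GSO user. The XML fragments, JNDI names and GSO entries are constructed.

```python
"""Model of the two JCA principal-mapping strategies (constructed example)."""
import xml.etree.ElementTree as ET

# Constructed: a connection factory that names an alias, never a password.
RESOURCES_XML = """<resources>
  <factory jndiName="jdbc/Orders" authDataAlias="ordersDbAlias"/>
</resources>"""

# Constructed: the default module's store, i.e. credentials kept in XML config.
AUTH_DATA_XML = """<security>
  <authDataEntries alias="ordersDbAlias" userId="dbuser" password="s3cret"/>
</security>"""

# Constructed: the ISAM GSO database, keyed by (resource name, user name) pair.
GSO_DB = {("ordersDbAlias", "alice"): ("alice_db", "gso-pw-alice")}


def factory_alias(jndi_name):
    """Return the authDataAlias a connection factory refers to (no secret here)."""
    for factory in ET.fromstring(RESOURCES_XML).iter("factory"):
        if factory.get("jndiName") == jndi_name:
            return factory.get("authDataAlias")
    raise LookupError(f"no connection factory {jndi_name}")


def default_mapping(subject_user, alias):
    """DefaultPrincipalMapping: alias -> user/password pair defined in XML config.
    The calling subject is ignored: every caller gets the same EIS credential."""
    for entry in ET.fromstring(AUTH_DATA_XML).iter("authDataEntries"):
        if entry.get("alias") == alias:
            return entry.get("userId"), entry.get("password")
    raise LookupError(f"alias {alias} not defined")


def isam_gso_mapping(subject_user, alias):
    """ISAM mapping: alias is the GSO resource name, the subject is the GSO user.
    The XML credential is bypassed; a subject with no GSO entry cannot log in."""
    try:
        return GSO_DB[(alias, subject_user)]
    except KeyError:
        raise LookupError(f"no GSO entry for resource {alias}, user {subject_user}")


def map_eis_credential(subject_user, jndi_name, use_isam):
    """Resolve the EIS credential for a subject through the configured module."""
    alias = factory_alias(jndi_name)
    mapper = isam_gso_mapping if use_isam else default_mapping
    return mapper(subject_user, alias)
```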


Related:

  • Single sign-on for authentication using LTPA cookies
  • Configure global sign-on principal mapping