Identity assertions with trust validation
Application and system providers can perform identity assertion with trust validation using the JAAS login framework. Trust validation is performed in one login module and credential creation in another. Together, these two login modules form a JAAS login configuration that performs a login by identity assertion: the first module decides whether the asserting party is trusted, and the second creates the credential for the asserted identity.
Two login modules are required:
- A user-implemented trust association login module. This login module performs whatever trust verification the user requires. When trust is verified, the trust verification status and the login identity must be placed in a map in the shared state of the login module so that the credential creation login module can use that information. The map must be stored in the property...
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state
The state map contains the following entries:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted: true = trusted, false = not trusted.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal: Principal of the identity.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates: Certificate of the identity.
- The com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule module performs the credential creation. It requires that the trust state information be present in the login context's shared state. This login module is protected by the Java 2 security runtime permissions for the following:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.initialize
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.login
IdentityAssertionLoginModule searches for the trust information in the shared state property
com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.state
This is a map containing the trust status and the identity used to log in. The map includes the following entries:
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.trusted: true = trusted, false = not trusted.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.principal: Principal of the identity necessary to log in.
- com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule.certificates: Array holding the certificate chain that includes the identity necessary to log in.
A WSLoginFailedException is thrown if the state map, the trust status, or the identity information is missing. Otherwise the login module performs a login of the asserted identity, and the subject then contains the new identity.
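The following Java class is an added, illustrative example of the user-implemented trust association login module described above; it is not IBM product code and not taken from this documentation. Only the shared-state keys are quoted from the page. Everything else is assumed for the sake of the example: that the asserting server presents its name and a shared secret through the standard JAAS NameCallback and PasswordCallback, that the identity to assert arrives through a second NameCallback, that the set of trusted servers and the secret are module options (trustedServers, sharedSecret), that the trusted flag is stored as a java.lang.Boolean, the principal as a java.security.Principal (the small AssertedPrincipal class here), and certificates as a java.security.cert.X509Certificate[]. The class name com.example.TrustValidationLoginModule and the login configuration stanza in the comment are likewise illustrative.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/*
 * Illustrative trust association login module (example code, not IBM's).
 * It runs first in the login configuration and, when the asserting party is
 * trusted, publishes the state map that IdentityAssertionLoginModule reads
 * from the shared state. Assumed configuration order, in JAAS file syntax
 * (WebSphere registers the equivalent entries through its own tooling):
 *
 *   IdentityAssertion {
 *     com.example.TrustValidationLoginModule required
 *         trustedServers="gateway1,gateway2" sharedSecret="<secret>";
 *     com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule required;
 *   };
 */
public class TrustValidationLoginModule implements LoginModule {

    // Shared-state keys as documented on this page.
    private static final String PREFIX =
        "com.ibm.wsspi.security.common.auth.module.IdentityAssertionLoginModule";
    static final String STATE_KEY        = PREFIX + ".state";
    static final String TRUSTED_KEY      = PREFIX + ".trusted";
    static final String PRINCIPAL_KEY    = PREFIX + ".principal";
    static final String CERTIFICATES_KEY = PREFIX + ".certificates";

    // Minimal Principal for the asserted identity (assumed type; the page only
    // says "principal of the identity").
    static final class AssertedPrincipal implements Principal {
        private final String name;
        AssertedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "AssertedPrincipal[" + name + "]"; }
    }

    private CallbackHandler handler;
    private Map<String, Object> shared;
    private Set<String> trustedServers;
    private byte[] sharedSecret;

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = callbackHandler;
        this.shared = (Map<String, Object>) sharedState;  // JAAS passes a mutable map
        // Assumed module options: the servers allowed to assert identities and
        // the secret they must present (keep the secret out of source control).
        String servers = String.valueOf(options.get("trustedServers"));
        this.trustedServers = new HashSet<>(Arrays.asList(servers.split("\\s*,\\s*")));
        this.sharedSecret = String.valueOf(options.get("sharedSecret"))
                                  .getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public boolean login() throws LoginException {
        // Assumed wire-up: the asserting server's name and secret, and the
        // identity it asserts, all arrive through standard JAAS callbacks.
        NameCallback server    = new NameCallback("asserting server: ");
        PasswordCallback proof = new PasswordCallback("server secret: ", false);
        NameCallback asserted  = new NameCallback("asserted identity: ");
        try {
            handler.handle(new Callback[] { server, proof, asserted });
        } catch (Exception e) {
            throw new LoginException("trust validation: callbacks failed: " + e);
        }
        // Encode the secret without creating an immutable String copy of it.
        char[] pw = proof.getPassword();
        ByteBuffer enc = StandardCharsets.UTF_8.encode(CharBuffer.wrap(pw == null ? new char[0] : pw));
        byte[] presented = new byte[enc.remaining()];
        enc.get(presented);
        proof.clearPassword();

        // Trusted only if the server is on the list AND the secret matches
        // (constant-time comparison so a wrong secret leaks no timing signal).
        boolean trusted = trustedServers.contains(server.getName())
                && MessageDigest.isEqual(presented, sharedSecret);
        Arrays.fill(presented, (byte) 0);
        String identity = asserted.getName();
        if (!trusted || identity == null || identity.isEmpty()) {
            // Publish nothing: without the state map, IdentityAssertionLoginModule
            // fails the login because the trust information is missing.
            throw new LoginException("asserting party is not trusted");
        }

        // Publish the state map for IdentityAssertionLoginModule.
        Map<String, Object> state = new HashMap<>();
        state.put(TRUSTED_KEY, Boolean.TRUE);                         // value type assumed
        state.put(PRINCIPAL_KEY, new AssertedPrincipal(identity));
        // If trust were instead established from a client certificate, the chain
        // would go under CERTIFICATES_KEY as a java.security.cert.X509Certificate[].
        shared.put(STATE_KEY, state);
        return true;
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort()  { shared.remove(STATE_KEY); return true; }
    @Override public boolean logout() { shared.remove(STATE_KEY); return true; }
}
```

The design point is that the trust module never writes a state map unless trust is established: the only way for the second module to mint a credential is for the first to have put the map in the shared state, so a failed or skipped trust check leaves IdentityAssertionLoginModule with nothing to act on and the login fails with WSLoginFailedException. abort() and logout() remove the map so a stale result cannot survive into a later login attempt on the same context.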
Enable identity assertion with trust validation using JAAS