Configure the server to handle identity assertion authentication

[Version 5 only]

 

Configure the server to handle identity assertion authentication

Important distinction between Version 5.x and Version 6 applications

Note: The information in this article supports version 5.x applications only that are used with WebSphere Application Server Version 6. The information does not apply to version 6 applications.

Use this task to configure identity assertion authentication. The purpose of identity assertion is to assert the authenticated identity of the originating client from a Web service to a downstream Web service. Do not attempt to configure identity assertion from a pure client.

For the downstream Web service to accept the identity of the originating client (user name only), supply a special trusted BasicAuth credential that the downstream Web service trusts and can authenticate successfully. You must specify the user ID of the special BasicAuth credential in a trusted ID evaluator on the downstream Web service configuration. For more information on trusted ID evaluators, see Trusted ID evaluator. The server side passes the special BasicAuth credential into the trusted ID evaluator, which returns true or false that this ID is trusted. Once it is trusted, the user name of the client is mapped to the credential, which is used for authorization.

Complete the following steps to configure the server to handle identity assertion authentication information:

  1. Launch an assembly tool. For more information on the assembly tools, see Assembly tools.

  2. Open the J2EE perspective by clicking Window > Open perspective > Other > J2EE .

  3. Click EJB Projects > application_name > ejbModule > META-INF .

  4. Right-click the webservices.xml file, and click Open with > Web services editor .

  5. Click the Extensions tab, which is located at the bottom of the Web services editor within the assembly tool.

  6. Expand the Request receiver service configuration details >
    Login configuration     section. The options you can select are:

    • BasicAuth

    • Signature

    • ID assertion

    • Lightweight Third Party Authenticatnon (LTPA)

  7. Select IDAssertion to authenticate the client using the identity assertion data provided. The user ID of the client must be in the target user registry configured in WebSphere Application Server global security. You can select global security in the administrative console by clicking Security > Global security .

    You can select multiple login configurations, which means that different types of security information can be received at the server. The order in which the login configurations are added determines the processing order when a request is received. Problems can occur if you have multiple login configurations added that have common security tokens. For example, ID assertion contains a BasicAuth token, which is the trusted token. For ID assertion to work properly, list ID assertion ahead of BasicAuth in the list or BasicAuth processing overrides ID assertion processing.

  8. Expand the IDAssertion section and select both the ID Type and the Trust Mode.

    1. For ID Type, the options are:

      • Username

      • Distinguished name (DN)

      • X509certificate

      These choices are just preferences and are not guaranteed. Most of the time the Username option is used. You must choose the same ID Type as the client.

    2. For Trust Mode, the options are:

      • BasicAuth

      • Signature

      The Trust Mode refers to the information sent by the client as the trusted ID.

      1. If you select BasicAuth , the client sends basic authentication data (user ID and password). This basicauth data is authenticated to the configured user registry. When the authentication occurs successfully, the user ID must be part of the trusted ID evaluator trust list.

      2. If you select Signature , the client signing certificate is sent. This certificate must be mappable to the configured user registry. For Local OS , the common name (CN) of the distinguished name (DN) is mapped to a user ID in the registry. For Lightweight Directory Access Protocol (LDAP) , the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter mode, attributes are mapped accordingly. In addition, the user name from the credential generated must be in the Trusted ID Evaluator trust list.

 

What to do next

For more information on getting started with the Web Services Editor within an assembly tool, see Configuring the server security bindings using an assembly tool.

After you specify how the server handles identity assertion authentication information, specify how the server validates the authentication information. See Configuring the server to validate identity assertion authentication information for more information.

Related concepts
Trusted ID evaluator

Related tasks
Configuring the server to validate identity assertion authentication information
Configuring the server security bindings using an assembly tool


Searchable topic ID: twbs_confsvridassertmeth