Reusing group information

During the authentication of a user, IBM WebSphere Application Server stores information about which groups users belong to. This information is static for the authentication session of the user. In addition, it can be provided by an External Security Manager via a Trust Association Interceptor. In this case IBM WAS does not load the information on its own. IBM WebSphere Portal can participate in this flow and reuse the information from the WAS security context instead of retrieving it from the LDAP server. This function is also referred to as group assertion or WAS group assertion.

To prevent modifying existing behavior of environment or losing existing group information, WebSphere Portal does not reuse group information by default. For this reason configure WebSphere Portal to reuse group information from the WAS security context. You can choose to reuse group information for user management or for access control.

The recommended option is for user management, as this case will provide the performance and functional enhancements. The second option for access control is used in very specific scenarios, typically as directed by IBM Support or IBM technical documentation. Please do not combine both options as this will lead to high CPU load on system.

To reuse group information:

  1. Log on to the WAS administrative console (or Deployment Manager if in a cluster).

  2. Navigate to Resources -> Resource Environment -> Resource Environment Providers.

  3. Choose the appropriate option(s) to reuse group information:

    • To reuse group information for user management, the first option used typically as an enhancement, do the following:

      1. Select the WP_PumaStoreService resource environment provider.

      2. Select Custom properties.

      3. Click New.

      4. Enter store.puma_default.filter.assertionFilter.classname in the Name field.

      5. Enter com.ibm.wps.um.AssertionFilter in the Value field.

      6. Click Apply.

      7. Click Save to save the changes to the master configuration.

    • To reuse group information for access control, the second option used in very specific scenarios, do the following:

      1. Select the WP PACGroupManagementService resource environment provider.

      2. Select Custom properties.

      3. Click New.

      4. Enter accessControlGroupManagement.useWSSubject in the Name field.

      5. Enter true in the Value field.

      6. Click Apply.

      7. Click Save to save the changes to the master configuration.

  4. Log out of the administrative console.

  5. Restart the WebSphere_Portal server.


Parent

Users and groups

  274130 Oct 1, 2010 10:15:35 AM


+

Search Tips   |   Advanced Search