
Configure transient users


In addition to the basic OpenID authentication option, we can give users who are trusted by the identity provider access to IBM WebSphere Portal. These trusted and verified users do not require a local, registered Portal user account.

Before enabling the transient user feature, verify that the security configuration uses a federated user registry. If you configured a stand-alone user registry, you must change to the federated user registry. To locate the proper instructions, navigate to Securing > Managing user data and then select the Managing the user registry option for the operating system. Then select Changing from a stand-alone repository to a federated repository.

For example, federated.primaryAdminID=PortaladminuserID.

Facebook and Google users can authenticate with the WebSphere Portal server instance using their identity provider credentials. They are granted access to certain data within WebSphere Portal without having a local account. We can grant the same access to all identity providers, or we can configure different access rights depending on the identity provider. With this option, you can provide a personalized view to unregistered users while still providing benefits to fully registered users. To configure transient users:

  1. Run the following task from the WP_PROFILE\ConfigEngine with the appropriate parameters:

    Cluster note: Complete this step only on the primary node.

      ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=foo
    • Linux: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=foo
    • Solaris: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=foo

    Add the following parameters to customize the task for your business requirements:

      -Dtransparent.suffix

      Set this value to a DN suffix used for transient users. This suffix must NOT match any of the current suffixes for fully registered users. The default is o=transparent.

      -Dtransparent.prefix

      Set this value to a prefix used for transient users.

      For example, to set the RDN attribute, set this value to cn.

    Complete the following steps if you entered the wrong value in the transparent.suffix parameter:

    1. Log on to WAS admin console as the administrator and go to...

        Security | Global Security | User account repository | Available realm definitions | Federated repositories | Configure

    2. Go to Repositories in the realm and click the link in the Base Entry column for the transientidp repository identifier, for example, o=transparent.

    3. Replace the value in the following fields with the new value:

      • Distinguished name of a base entry that uniquely identifies this set of entries in the realm; for example, o=transparent.

      • Distinguished name of a base entry in this repository; for example, o=transparent.

    4. Click OK.

    5. Save the changes.

    6. Stop and restart the WebSphere_Portal server.

    To create group objects for external providers to assign different access rights:

    Important: After running the enable-transient-user task, all transient users belong only to the all authenticated group and have no explicit groups.

    1. Log on to WAS admin console as the administrator and go to...

        Security | Global Security | User account repository | Available realm definitions | Federated repositories | Configure | Repositories in the realm | transientidp

    2. Click New and add the following information:

      • Name: buildgroupsfor

      • Value: Enter the list of supported Identity Providers to build groups for; for example: facebook myOpenID Google. The items in the list must be separated by a space. The Identity Providers are case-sensitive and should match what you entered for the idp.providerlist and openid.servicenames parameters.

    3. Click OK.

    4. Save the changes.

    5. Stop and restart the WebSphere_Portal server.

    To mark transient identity provider users as external:

    Information: After running the enable-transient-user task, the system builds internal groups for each identity provider. We can use these groups in the Resource Permissions portlet in the Portal Administration menu. Use the Resource Permissions portlet to build a set of pages and portlets that transient users can see and use.

    We can also combine transient users with the external user feature in WebSphere Portal. We can identify a group of external or transient users by a database suffix. All external and transient users are then granted a special virtual principal in the access control. This virtual principal allows us to grant a general set of access rights to these users.

    1. Log on to WAS admin console as the administrator and go to...

        Resources | Resource Environment | Resource Environment providers

    2. Search for WP PumaStoreService and then click Custom properties.

    3. Add the parentDN.externalUsers property with the value you entered for transparent.suffix. If you did not enter a value for transparent.suffix, type o=transparent.

    4. Save the changes.

    5. Stop and restart the WebSphere_Portal server.

  2. To load user attributes during authentication:

    Transient users do not have attributes stored locally. Therefore, it is helpful to load attributes from the Identity Provider during authentication.

    To allow transient users to create or modify pages you must map a short name to the users. The attribute used for the short name is the User default search attribute. If you do not know the attribute name, we can find it defined in the PumaStoreService Resource Environment provider. The most common values are uid and cn.

    1. Log on to WAS admin console as the administrator and go to...

    2. Add the following new properties for OpenID:

      • provider.openid.loadattributes=provider|method;provider2|method

        method can be either openid.sreg or openid.ax, depending on the type of OpenID your Identity Provider supports.

      • provider.openid.loadattributes.provider=portalattributename|idpattributename;portalattributename2|idpattributename2

      • provider.openid.loadattributes.provider2=portalattributename|idpattributename;portalattributename2|idpattributename2

      Each property value must be entered as one line.

      For example, we might add the following new properties for OpenID:

      • provider.openid.loadattributes=google|openid.ax;yahoo|openid.ax

      • provider.openid.loadattributes.google=cn|http://axschema.org/namePerson/first;sn|http://axschema.org/namePerson/last;ibm-primaryEmail|http://axschema.org/contact/email

    3. Add the following new property for Facebook:

      • provider.facebook.loadattributes=portalattributename|idpattributename;portalattributename2|idpattributename2

      The property value must be entered as one line.

      For example, we might add the following new property for Facebook:

      • provider.facebook.loadattributes=sn|first_name;cn|last_name;uid|name

    4. Save the changes.

    5. Stop and restart the WebSphere_Portal server.
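The loadattributes properties above are free-form strings, and a typo in them is only noticed after the server restart when a transient user arrives without a short name. The following Python script is an added example (not IBM's code) that parses the property values in the page's provider|method;... and portalattribute|idpattribute;... formats and flags the mistakes a practitioner would want caught first: an unsupported OpenID method, a provider listed without its mapping property, and a provider whose mapping never supplies the portal's user default search attribute (uid or cn). The sample property values are constructed from the page's examples; the short-name attribute is passed in as an assumption.

```python
# Added example: sanity-check transient-user loadattributes properties before
# restarting WebSphere_Portal. Property names/formats follow the page; values
# in SAMPLE_PROPS are constructed from its examples.
VALID_OPENID_METHODS = {"openid.sreg", "openid.ax"}

# Constructed sample, as it would be typed into the WAS admin console.
SAMPLE_PROPS = {
    "provider.openid.loadattributes": "google|openid.ax;yahoo|openid.ax",
    "provider.openid.loadattributes.google":
        "cn|http://axschema.org/namePerson/first;"
        "sn|http://axschema.org/namePerson/last;"
        "ibm-primaryEmail|http://axschema.org/contact/email",
    "provider.facebook.loadattributes": "sn|first_name;cn|last_name;uid|name",
}

def parse_pairs(value):
    """Split 'a|b;c|d' into [('a', 'b'), ('c', 'd')]; reject malformed items."""
    pairs = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        left, sep, right = item.partition("|")
        if not sep or not left.strip() or not right.strip():
            raise ValueError("malformed entry %r (expected left|right)" % item)
        pairs.append((left.strip(), right.strip()))
    return pairs

def check_loadattributes(props, short_name_attr="uid"):
    """Return a list of problems; short_name_attr is the portal's
    user default search attribute (assumed here: uid or cn)."""
    problems = []
    providers = {}  # provider name -> property holding its attribute mapping
    for prov, method in parse_pairs(props.get("provider.openid.loadattributes", "")):
        if method not in VALID_OPENID_METHODS:
            problems.append("%s: unsupported OpenID method %r" % (prov, method))
        providers[prov] = "provider.openid.loadattributes." + prov
    if "provider.facebook.loadattributes" in props:
        providers["facebook"] = "provider.facebook.loadattributes"
    for prov, key in providers.items():
        if key not in props:
            problems.append("%s: missing mapping property %s" % (prov, key))
            continue
        try:
            mapping = dict(parse_pairs(props[key]))
        except ValueError as exc:
            problems.append("%s: %s" % (prov, exc))
            continue
        if short_name_attr not in mapping:  # no short name -> cannot create pages
            problems.append("%s: short-name attribute %r not mapped" % (prov, short_name_attr))
    return problems
```

Run against the sample with short_name_attr="uid", it reports that google never maps uid and that yahoo has no provider.openid.loadattributes.yahoo property.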


Parent: Integrate with OpenID authentication
Related:
Start and stop servers, dmgrs, and node agents
Change from a stand-alone repository to a federated repository on IBM i