
Mapping user Ids from client to server for SPNEGO

 

You can use a system programming interface to customize the behavior of the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) trust association interceptor (TAI) by implementing an arbitrary mapping from the end user's identity, as retrieved from Microsoft Active Directory, to the identity that is used in the WebSphere Application Server (WAS) user registry. Some administrative tasks in the WAS environment are required before you can use the SPNEGO TAI and ensure that the requester's identity matches an identity in the WAS user registry.

 

Overview

In the simplest deployment of the SPNEGO TAI, the requester's identity in the WAS user registry is assumed to be identical to the identity retrieved from Active Directory. This is the case when the Microsoft Windows Active Directory server is also the lightweight directory access protocol (LDAP) server that WAS uses as its user registry. This is the default behavior of the SPNEGO TAI.

You are not limited to this simple deployment. WAS can use a registry other than Microsoft Active Directory, such as a local operating system registry, a different LDAP server, or a custom registry. If WAS uses a registry other than Active Directory, a mapping from the Microsoft Windows user ID to a WAS user ID is necessary.

 

Procedure

  1. Configure the Web browser to use SPNEGO.

  2. Configure JVM properties and custom SPNEGO TAI properties.

  3. Enable the SPNEGO TAI.

  4. Use a custom login module to perform any custom mapping of user IDs from Active Directory to the WAS user registry. The custom login module is a plug-in mechanism that is defined for authenticating incoming and outgoing requests in WAS. The custom login module is inserted before the ltpaLoginModule and maps the name in the com.ibm.wsspi.security.tai.TAIResult (which was returned to the Web authenticator) to the corresponding name in the WAS user registry. The ltpaLoginModule then uses the mapped identity to create a WSCredential.

    The custom login module can also supply the full set of security attributes in the javax.security.auth.Subject in the com.ibm.wsspi.security.tai.TAIResult to fully assert the mapped identity. When the identity is fully asserted, the wsMapDefaultInboundLoginModule maps those security attributes to a WSCredential.
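The following is an added example of such a mapping login module; it is not IBM's code and is not part of the original page. It is a standard JAAS LoginModule intended to be placed before ltpaLoginModule in the system login configuration. The name arrives through a NameCallback, is mapped to a registry user ID, and the mapped identity is fully asserted by placing a hashtable keyed with the com.ibm.wsspi.security.token.AttributeNameConstants keys into the shared state and the Subject's public credentials, as IBM documents for custom system login modules. The package name, the Kerberos realm, the WAS realm name, the group name, and the static AD-to-WAS mapping table are assumptions for illustration; a production module would look the mapping up in a directory or database.

```java
// SpnegoIdentityMappingLoginModule.java (added example, not IBM's code)
package com.example.security; // assumed package name

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

public class SpnegoIdentityMappingLoginModule implements LoginModule {

    // Assumed: the only Kerberos realm whose principals may log in here, and the
    // WAS registry realm used to build the unique id ("user:<realm>/<uid>").
    private static final String KERBEROS_REALM = "EXAMPLE.COM";
    private static final String WAS_REALM = "defaultWIMFileBasedRealm";

    // Assumed static mapping: short AD logon name (lower-cased) -> WAS registry user id.
    private static final Map<String, String> AD_TO_WAS = new HashMap<String, String>();
    static {
        AD_TO_WAS.put("jdoe", "john.doe");
        AD_TO_WAS.put("asmith", "alice.smith");
    }

    private Subject subject;
    private CallbackHandler callbackHandler;
    private Map<String, Object> sharedState;
    private Hashtable<String, Object> mappedCredential;

    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        this.sharedState = (Map<String, Object>) sharedState;
    }

    public boolean login() throws LoginException {
        // The Web authenticator passes the TAIResult principal name via a NameCallback.
        NameCallback nameCallback = new NameCallback("Username: ");
        try {
            callbackHandler.handle(new Callback[] { nameCallback });
        } catch (Exception e) {
            throw new LoginException("Unable to obtain SPNEGO principal name: " + e);
        }
        String registryId = mapPrincipal(nameCallback.getName());

        // Hashtable keys IBM documents for asserting an identity from a custom login module.
        mappedCredential = new Hashtable<String, Object>();
        mappedCredential.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID,
                "user:" + WAS_REALM + "/" + registryId);
        mappedCredential.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, registryId);
        List<String> groups = new ArrayList<String>(); // assumed group membership
        groups.add("group:" + WAS_REALM + "/spnegoUsers");
        mappedCredential.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        mappedCredential.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "spnego:" + registryId);
        return true;
    }

    /** Maps "jdoe@EXAMPLE.COM" (or "jdoe" when the TAI trims the realm) to the WAS
     *  registry id, failing closed on a foreign realm or an unmapped user. */
    static String mapPrincipal(String principal) throws LoginException {
        if (principal == null || principal.length() == 0) {
            throw new LoginException("No principal name supplied by the SPNEGO TAI");
        }
        String user = principal;
        int at = principal.indexOf('@');
        if (at >= 0) {
            String realm = principal.substring(at + 1);
            // With cross-realm trust, admin@OTHER.REALM must not collide with admin@EXAMPLE.COM.
            if (!realm.equalsIgnoreCase(KERBEROS_REALM)) {
                throw new LoginException("Principal from untrusted realm: " + realm);
            }
            user = principal.substring(0, at);
        }
        String registryId = AD_TO_WAS.get(user.toLowerCase(Locale.ROOT));
        if (registryId == null) {
            throw new LoginException("No registry mapping for AD user " + user);
        }
        return registryId;
    }

    public boolean commit() throws LoginException {
        if (mappedCredential == null) {
            return false;
        }
        // ltpaLoginModule / wsMapDefaultInboundLoginModule build the WSCredential from this.
        sharedState.put(AttributeNameConstants.WSCREDENTIAL_PROPERTIES_KEY, mappedCredential);
        subject.getPublicCredentials().add(mappedCredential);
        return true;
    }

    public boolean abort() { mappedCredential = null; return true; }

    public boolean logout() { mappedCredential = null; return true; }
}
```

Two design points matter here. First, because the hashtable fully asserts the identity, WAS does not consult the registry again for the unique ID or groups; the module is therefore a trust boundary and must fail closed (throw a LoginException) on any name it cannot map, rather than falling through to the raw Active Directory name. Second, the realm check guards against a short-name collision when the Kerberos realm is trimmed or when cross-realm trusts exist; if the SPNEGO TAI is configured to trim the realm before the name reaches the login module, the realm check never fires and the restriction must instead be enforced in the TAI configuration.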

 

Results

Using the custom login module, Microsoft Active Directory identities are mapped to identities in the WAS user registry.


 

Related concepts


Single sign-on for HTTP requests using SPNEGO

 

Related tasks


Configure WAS environment to use SPNEGO

 

Related Reference


SPNEGO TAI custom configuration attributes
Custom login module development for a system login configuration