WAS v8.5 > Develop applications > Develop web services - Security (WS-Security) > Configure Web Services Security during application assembly > Configure identity assertion for v5.x web services with an assembly tool

Configure the server to handle identity assertion authentication

The purpose of identity assertion is to assert the authenticated identity of the originating client from a web service to a downstream web service. We can configure identity assertion authentication for the server. Do not attempt to configure identity assertion from a pure client. There is an important distinction between v5.x and v6.0.x and later applications. The information in this article supports v5.x applications only used with WebSphere Application Server v6.0.x and later. The information does not apply to v6.0.x and later applications.

For the downstream web service to accept the identity of the originating client (user name only), supply a special trusted BasicAuth credential the downstream web service trusts and can authenticate successfully. Specify the user ID of the special BasicAuth credential in a trusted ID evaluator on the downstream web service configuration. For more information on trusted ID evaluators, see Trusted ID evaluator. The server side passes the special BasicAuth credential into the trusted ID evaluator, which returns true or false that this ID is trusted. After it is trusted, the user name of the client is mapped to the credential, which is used for authorization.

To configure the server to handle identity assertion authentication information:

  1. Launch an assembly tool. For more information, see the related information on Assembly Tools.
  2. Switch to the Java EE perspective. Click Window > Open Perspective > J2EE.

  3. Click EJB Projects > application_name > ejbModule > META-INF.
  4. Right-click the webservices.xml file, and click Open with > Web services editor.

  5. Click the Extensions tab, located at the bottom of the web services editor within the assembly tool.

  6. Expand the Request receiver service configuration details > Login configuration section. The options we can select are:

  7. Select IDAssertion to authenticate the client using the identity assertion data provided.

    The user ID of the client must be in the target user registry or repository, which is configured on the Security > Global security panel in the dmgr console for WAS. We can select multiple login configurations, which means that different types of security information can be received at the server. The order in which the login configurations are added determines the processing order when a request is received. Problems can occur if we have multiple login configurations added that have common security tokens. For example, ID assertion contains a BasicAuth token, which is the trusted token. For ID assertion to work properly, you must list ID assertion ahead of BasicAuth in the list or BasicAuth processing overrides ID assertion processing.

  8. Expand the IDAssertion section and select both the ID Type and the Trust Mode.

    1. For ID Type, the options are:

      • Username
      • DN (distinguished name)
      • X509certificate

      These choices are just preferences and are not guaranteed. Most of the time the Username option is used. You must choose the same ID Type as the client.

    2. For Trust Mode, the options are:

      The Trust Mode refers to the information sent by the client as the trusted ID.

      1. If you select BasicAuth, the client sends basic authentication data (user ID and password). This BasicAuth data is authenticated to the configured user registry. When the authentication occurs successfully, the user ID must be part of the trusted ID evaluator trust list.

      2. If you select Signature, the client signing certificate is sent. This certificate must be mappable to the configured user registry. For Local OS, the common name (CN) of the distinguished name (DN) is mapped to a user ID in the registry. For LDAP, the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter mode, attributes are mapped accordingly. In addition, the user name from the credential generated must be in the Trusted ID Evaluator trust list.

For more information on getting started with the Web Services Editor within an assembly tool, see Configure the server security bindings using an assembly tool.

After we specify how the server handles identity assertion authentication information, specify how the server validates the authentication information. See the task for configuring the server to validate identity assertion authentication information.


Related concepts:

Trusted ID evaluator
Development and assembly tools


Related


Configure the server to validate identity assertion authentication information
Configure the server security bindings using an assembly tool


+

Search Tips   |   Advanced Search