+

Search Tips   |   Advanced Search

Configure transient users

In addition to the basic OpenID authentication option, we can give users, who are trusted and verified from an identity provider, access to IBM WebSphere Portal. These trusted and verified users do not require a local, registered Portal user account.

Facebook and Google users can authenticate with the WebSphere Portal server instance with their identity provider credentials. They are granted access to certain data within WebSphere Portal without having a local account. We can grant the same access to all identity providers or we can configure different access rights based on the identity provider. With this option you, can provide a personalized view to unregistered users while still providing benefits to fully registered users.

  1. Run...

      cd WP_PROFILE\ConfigEngine
      ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=foo

    Cluster note: Complete this step only on the primary node.

    Add the following parameters to customize the task for the business requirements:

      -Dtransparent.suffix

      DN suffix used for transient users. The suffix must NOT match the current suffixes for fully registered users. The default value is o=transparent.

      -Dtransparent.prefix

      Prefix used for transient users. For example, to set the RDN attribute, set this value to cn.

    If we entered the wrong value in the transparent.suffix parameter:

    1. Log on to WAS admin console as the administrator and go to...

        Security | Global Security | User account repository | Available realm definitions | Federated repositories | Configure

    2. Go to Repositories in the realm

    3. Click the link in the Base Entry column for the transientidp repository identifier, for example...

        o=transparent

    4. Replace the value in the following fields with the new value:

      • Distinguished name of a base entry that uniquely identifies this set of entries in the realm For example...

          o=transparent

      • Distinguished name of a base entry in this repository For example...

          o=transparent

    5. Click OK.

    6. Save the changes.

    7. Stop and restart the WebSphere_Portal server.

    To create group objects for external providers to assign different access rights:

    After running the enable-transient-user task, all identified users are identified with the all authenticated group and do not have explicit groups.

    1. Log on to WAS admin console as the administrator and go to...

        Security | Global Security | | User account repository | Available realm definitions | Federated repositories | Configure | Repositories in the realm | transientidp | New

    2. Add the following information:

      • Name: buildgroupsfor

      • Value: Enter the list of supported Identity Providers to build groups for; for example: facebook Google. The items in the list must be separated by a space. The Identity Providers are case-sensitive and must match what we entered for the idp.providerlist and openid.servicenames parameters.

    3. Click OK.

    4. Save the changes.

    5. Stop and restart the WebSphere_Portal server.

    To mark transient identity provider users as external:

    Information: After running the enable-transient-user task, the system builds internal groups for each identity provider. Use these groups in the Resource Permissions portlet in the Portal Administration menu. Use the Resource Permissions portlet to build a set of pages and portlets that transient users can see and use.

    We can also combine transient users with the external user feature in WebSphere Portal. We can identify a group of external or transient users with a database suffix. All external and transient users are then granted a special virtual principle in the access control. Use this virtual principle to grant a general set of access rights to these users.

    1. Log on to WAS admin console as the administrator and go to...

        Resources | Resource Environment | Resource Environment providers | WP PumaStoreService | Custom properties

    2. Add the parentDN.externalUsers property with value we entered for transparent.suffix. If you did not enter a value in transparent.suffix, type o=transparent.

    3. Save the changes.

    4. Stop and restart the WebSphere_Portal server.

  2. To load user attributes during authentication:

    Transient users do not have attributes that are stored locally. Therefore, it is helpful to load attributes from the Identity Provider during authentication.

    To allow transient users to create or modify pages, we must map a short name to the users. The attribute used for the short name is the User default search attribute. If we do not know the attribute name, we can find it defined in the PumaStoreService Resource Environment provider. The most common values are uid and cn.

    1. Log on to WAS admin console as the administrator and go to...

        Security | Global security | Web and SIP Security | Trust association | Interceptors

    2. Select com.ibm.portal.auth.tai.OpenidTAI.

    3. Add the following new properties for OpenID:

      • provider.openid.loadattributes=provider|method;provider2|method

        method can either be openid.sreg or openid.ax depending on the type of OpenID the Identity Provider supports.

      • The following properties must be entered as one line.

        • provider.openid.loadattributes.provider=portalattributename|

        • idpattributename;portalattributename2|idpattributename2

      • The following properties must be entered as one line.

        • provider.openid.loadattributes.provider2=portalattributename|

        • idpattributename;portalattributename2|idpattributename2

      For example, we might add the following new properties for OpenID:

      • provider.openid.loadattributes=google|openid.ax;yahoo|openid.ax

      • The following properties must be entered as one line.

        • provider.openid.loadattributes.google=cn|

        • http://axschema.org/namePerson/first;sn|

        • http://axschema.org/namePerson/last;ibm-primaryEmail|

        • http://axschema.org/contact/email

    4. Add the following new property for Facebook:

      • The following properties must be entered as one line.

        • provider.facebook.loadattributes=portalattributename|

        • idpattributename;portalattributename2|idpattributename2

      For example, we might add the following new property for Facebook:

      • The following properties must be entered as one line.

        • provider.facebook.loadattributes=sn|

        • first_name;cn|last_name;uid|name

    5. Save the changes.

    6. Stop and restart the WebSphere_Portal server.


Parent Integrate with OpenID authentication