Operating Systems: i5/OS
             Personalize the table of contents and search results

 

Configure the server to handle identity assertion authentication

 

The purpose of identity assertion is to assert the authenticated identity of the originating client from a Web service to a downstream Web service. You can configure identity assertion authentication for the server. Do not attempt to configure identity assertion from a pure client.

 

Overview

There is an important distinction between V5.x and V6.0.x and later applications. The information in this article supports V5.x applications only that are used with WebSphere Application Server V6.0.x and later. The information does not apply to V6.0.x and later applications.

For the downstream Web service to accept the identity of the originating client (user name only), supply a special trusted BasicAuth credential that the downstream Web service trusts and can authenticate successfully. You must specify the user ID of the special BasicAuth credential in a trusted ID evaluator on the downstream Web service configuration. For more information on trusted ID evaluators, see Trusted ID evaluator. The server side passes the special BasicAuth credential into the trusted ID evaluator, which returns true or false that this ID is trusted. After it is trusted, the user name of the client is mapped to the credential, which is used for authorization.

Complete the following steps to configure the server to handle identity assertion authentication information:

 

Procedure

  1. Launch an assembly tool. For more information on the assembly tools, see Assembly tools.

  2. Switch to the J2EE perspective. Click Window > Open Perspective > J2EE.

  3. Click EJB Projects > application_name > ejbModule > META-INF.

  4. Right-click the webservices.xml file, and click Open with > Web services editor.

  5. Click the Extensions tab, which is located at the bottom of the Web services editor within the assembly tool.

  6. Expand the Request receiver service configuration details > Login configuration section. The options you can select are:

  7. Select IDAssertion to authenticate the client using the identity assertion data provided.

    The user ID of the client must be in the target user registry or repository, which is configured on the Security > Secure administration, applications, and infrastructure panel in the administrative console for WebSphere Application Server. You can select multiple login configurations, which means that different types of security information can be received at the server. The order in which the login configurations are added determines the processing order when a request is received. Problems can occur if you have multiple login configurations added that have common security tokens. For example, ID assertion contains a BasicAuth token, which is the trusted token. For ID assertion to work properly, list ID assertion ahead of BasicAuth in the list or BasicAuth processing overrides ID assertion processing.

  8. Expand the IDAssertion section and select both the ID Type and the Trust Mode.

    1. For ID Type, the options are:

      • Username

      • Distinguished name (DN)

      • X509certificate

      These choices are just preferences and are not guaranteed. Most of the time the Username option is used. You must choose the same ID Type as the client.

    2. For Trust Mode, the options are:

      The Trust Mode refers to the information sent by the client as the trusted ID.

      1. If you select BasicAuth, the client sends basic authentication data (user ID and password). This basicauth data is authenticated to the configured user registry. When the authentication occurs successfully, the user ID must be part of the trusted ID evaluator trust list.

      2. If you select Signature, the client signing certificate is sent. This certificate must be mappable to the configured user registry. For Local OS, the common name (CN) of the distinguished name (DN) is mapped to a user ID in the registry. For Lightweight Directory Access Protocol (LDAP), the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter mode, attributes are mapped accordingly. In addition, the user name from the credential generated must be in the Trusted ID Evaluator trust list.

 

What to do next

For more information on getting started with the Web Services Editor within an assembly tool, see Configuring the server security bindings using an assembly tool.

After you specify how the server handles identity assertion authentication information, specify how the server validates the authentication information. See the task for configuring the server to validate identity assertion authentication information.

}

 

Related concepts


Trusted ID evaluator

 

Related tasks


Configuring the server to validate identity assertion authentication information
Configuring the server security bindings using an assembly tool
Securing Web services for V5.x applications using identity assertion authentication