The purpose of identity assertion is to
assert the authenticated identity of the originating client from a
web service to a downstream web service. You can configure identity
assertion authentication for the server. Do not attempt to configure
identity assertion from a pure client.
About this task
Important: There is an important distinction
between Version 5.x and Version 6.0.x and later applications.
The information supports Version 5.x applications only that
are used with WebSphere® Application Server Version 6.0.x and
later. The information does not apply to Version 6.0.x and
later applications.
For the downstream
web service to accept the identity of the originating client (user
name only), you must supply a special trusted BasicAuth credential
that the downstream web service trusts and can authenticate successfully.
You must specify the user ID of the special BasicAuth credential in
a trusted ID evaluator on the downstream web service configuration.
For more information on trusted ID evaluators, see Trusted ID evaluator.
The server side passes the special BasicAuth credential into the trusted
ID evaluator, which returns true or false that this
ID is trusted. After it is trusted, the user name of the client is
mapped to the credential, which is used for authorization.
Complete
the following steps to configure the server to handle identity assertion
authentication information:
Procedure
- Launch an assembly tool.
For more information,
see the related information on Assembly Tools.
- Switch to the Java™ Platform,
Enterprise Edition (Java EE)
perspective. Click .
- Click .
- Right-click the webservices.xml file,
and click .
-
Click the Extensions tab, which is located at the end of the web
services editor within the assembly tool.
- Expand the section.
The options you can select are:
- BasicAuth
- Signature
- ID assertion
- LTPA (Lightweight Third Party Authentication)
- Select IDAssertion to authenticate
the client using the identity assertion data provided.
The
user ID of the client must be in the target user registry or repository,
which is configured on the panel in the
administrative console for WebSphere Application Server.
You can select multiple login configurations, which means that different
types of security information can be received at the server. The order
in which the login configurations are added determines the processing
order when a request is received. Problems can occur if you have multiple
login configurations added that have common security tokens. For example,
ID assertion contains a BasicAuth token, which is the trusted token.
For ID assertion to work properly, you must list ID assertion ahead
of BasicAuth in the list or BasicAuth processing overrides ID assertion
processing.
- Expand the IDAssertion section and
select both the ID Type and the Trust
Mode.
- For ID Type, the options are:
- Username
- DN (distinguished name)
- X509certificate
These choices are just preferences and are not guaranteed. Most
of the time the Username option is used. You must choose the same
ID Type as the client.
- For Trust Mode, the options are:
The Trust Mode refers to the information sent by the client as
the trusted ID.
- If you select BasicAuth, the client sends
basic authentication data (user ID and password). This BasicAuth data
is authenticated to the configured user registry. When the authentication
occurs successfully, the user ID must be part of the trusted ID evaluator
trust list.
- If you select Signature, the client signing
certificate is sent. This certificate must be mappable to the configured
user registry. For Local OS, the common name
(CN) of the distinguished name (DN) is mapped to a user ID in the
registry. For Lightweight Directory Access Protocol (LDAP),
the DN is mapped to the registry for the ExactDN mode. If it is in
the CertificateFilter mode, attributes are mapped accordingly. In
addition, the user name from the credential generated must be in the
Trusted ID Evaluator trust list.
What to do next
For more information on getting started with the Web Services
Editor within an assembly tool, see Configuring the server security bindings using an assembly tool.After you
specify how the server handles identity assertion authentication information,
you must specify how the server validates the authentication information.
See the task for configuring the server to validate identity assertion
authentication information.