Configuring transient users

In addition to the basic OpenID authentication option, you can give users, who are trusted and verified from an identity provider, access to IBM® WebSphere® Portal. These trusted and verified users do not require a local, registered Portal user account.

Before you begin

Before enabling the transient user feature, you must verify that your security configuration is a federated user registry. If you configured the stand-alone user registry, you must change to the federated user registry. To locate the proper instructions, navigate to Securing > Managing user data and then select the Managing your user registry option for your operating system. Then select Changing from a stand-alone repository to a federated respository. For example, federated.primaryAdminID=PortaladminuserID.

About this task

Facebook and Google users can authenticate with the WebSphere Portal server instance using their identity provider credentials. They are granted access to certain data within WebSphere Portal without having a local account. You can grant the same access to all identity providers or you can configure different access rights depending on the identity provider. With this option you, can provide a personalized view to unregistered users while still providing benefits to fully registered users.

Complete the following steps to configure transient users:

Procedure

  1. Run the following task from the wp_profile_root\ConfigEngine directory with the appropriate parameters:
    Cluster note: Complete this step only on the primary node.
    • AIX®: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
    • IBM i: ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
    • Linux: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
    • Solaris: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
    • Windows: ConfigEngine.bat enable-transient-user -DWasUserId=username -DWasPassword=password
    Add the following parameters to customize the task for your business requirements:
    -Dtransparent.suffix
    Set this value to a dn suffix that is used for transient users. This suffix must NOT match your current suffixes for fully registered users. The default value is o=transparent
    -Dtransparent.prefix
    Set this value to a prefix that is used for transient users. For example, if you want to set the RDN attribute, set this value to cn.
    Note: Complete the following steps if you entered the wrong value in the transparent.suffix parameter:
    1. Log on to WebSphere Integrated Solutions Console as the administrator.
    2. Go to Security > Global Security.
    3. Go to User account repository > Available realm definitions and select Federatedrepositories.
    4. Click Configure.
    5. Go to Repositories in the realm and click the link in the Base Entry column for the transientidp repository identifier, for example, o=transparent.
    6. Replace the value in the following fields with the new value:
      • Distinguished name of a base entry that uniquely identifies this set of entries in the realm for example,o=transparent.
      • Distinguished name of a base entry in this repository for example,o=transparent
    7. Click OK.
    8. Save your changes.
    9. Stop and restart the WebSphere_Portal server.
  2. Optional: Complete the following steps to create group objects for external providers to assign different access rights:
    Important: After running the enable-transient-user task, all identified users are identified with the all authenticated group and do not have explicit groups.
    1. Log on to WebSphere Integrated Solutions Console as the administrator.
    2. Go to Security > Global Security.
    3. Go to User account repository > Available realm definitions and select Federatedrepositories.
    4. Click Configure.
    5. Go to Repositories in the realm and click transientidp in the Repository Identifier column.
    6. Click New and add the following information:
      • Name: buildgroupsfor
      • Value: Enter the list of supported Identity Providers you want to build groups for; for example: facebook myOpenID Google. The items in the list must be separated by a space. The Identity Providers are case-sensitive and should match what you entered for the idp.providerlist and openid.servicenames parameters.
    7. Click OK.
    8. Save your changes.
    9. Stop and restart the WebSphere_Portal server.
  3. Optional: Complete the following steps to mark transient identity provider users as external:
    Information: After running the enable-transient-user task, the system builds internal groups for each identity provider. You can use these groups in the Resource Permissions portlet in the Portal Administration menu. Use the Resource Permissions portlet to build a set of pages and portlets that transient users can see and use.

    You can also combine transient users with the external user feature in WebSphere Portal. You can identify a group of external or transient users with a database suffix. All external and transient users are then granted a special virtual principle in the access control. This virtual principle allows you to grant a general set of access rights to these users.

    1. Log on to WebSphere Integrated Solutions Console as the administrator.
    2. Go to Resources > Resource Environment > Resource Environment providers.
    3. Search for WP PumaStoreService and then click Custom properties.
    4. Add the parentDN.externalUsers property with value you entered for transparent.suffix. If you did not enter a value in transparent.suffix, type o=transparent.
    5. Save your changes.
    6. Stop and restart the WebSphere_Portal server.
  4. Complete the following steps to load user attributes during authentication:
    Note: Transient users do not have attributes stored locally. Therefore, it is helpful to load attributes from the Identity Provider during authentication.
    Note: If you want to allow transient users to create or modify pages you must map a short name to the users. The attribute used for the short name is the User default search attribute. If you do not know the attribute name, you can find it defined in the PumaStoreService Resource Environment provider. The most common values are uid and cn.
    1. Log on to WebSphere Integrated Solutions Console as the administrator.
    2. Go to Security > Global security > Web and SIP Security > Trust association > Interceptors.
    3. Select com.ibm.portal.auth.tai.OpenidTAI.
    4. Add the following new properties for OpenID:
      • provider.openid.loadattributes=provider|method;provider2|method
        Note: method can either be openid.sreg or openid.ax depending on the type of OpenID your Identity Provider supports.
      • The following properties must be entered as one line.
        • provider.openid.loadattributes.provider=portalattributename|
        • idpattributename;portalattributename2|idpattributename2
      • The following properties must be entered as one line.
        • provider.openid.loadattributes.provider2=portalattributename|
        • idpattributename;portalattributename2|idpattributename2
      For example, you might add the following new properties for OpenID:
      • provider.openid.loadattributes=google|openid.ax;yahoo|openid.ax
      • The following properties must be entered as one line.
        • provider.openid.loadattributes.google=cn|
        • http://axschema.org/namePerson/first;sn|
        • http://axschema.org/namePerson/last;ibm-primaryEmail|
        • http://axschema.org/contact/email
    5. Add the following new property for Facebook:
      • The following properties must be entered as one line.
        • provider.facebook.loadattributes=portalattributename|
        • idpattributename;portalattributename2|idpattributename2
      For example, you might add the following new property for Facebook:
      • The following properties must be entered as one line.
        • provider.facebook.loadattributes=sn|
        • first_name;cn|last_name;uid|name
    6. Save your changes.
    7. Stop and restart the WebSphere_Portal server.