Authentication, mapping, and authorization with TFIM V6.1 and TAM

Use IBM® Integration Bus, Tivoli® Federated Identity Manager (TFIM) V6.1, and Tivoli Access Manager (TAM) to control authentication, mapping, and authorization.

Note: Support for TFIM V6.1 is included for compatibility with previous versions of IBM Integration Bus. If possible, upgrade to TFIM V6.2 and refer to the information in Authentication, mapping, and authorization with TFIM V6.2 and TAM.

IBM Integration Bus makes a single TFIM WS-Trust call for an input node that is configured with a TFIM security profile, which means that a single module chain must be configured to perform all the required authentication, mapping, and authorization operations.

The following diagram shows the configuration of IBM Integration Bus, TFIM, and TAM to enable authentication, mapping, and authorization of an identity in a message flow:

[Diagram: IBM Integration Bus, TFIM, and TAM configured for authentication, mapping, and authorization; the numbered steps are described in the text below.]

The numbers in the preceding diagram correspond to the following sequence of events:

  1. A message enters a message flow.
  2. A WS-Trust request is issued by the integration node, with these properties:
    • RequestType = Validate
    • Identity = Token(s) from input message
    • Issuer = Issuer from input message
    • AppliesTo Address = "Broker.IntegrationServer.FlowName"
    • PortType = "FlowName"
    • Operation = "MessageFlowAccess"
  3. TFIM selects a module chain to process the WS-Trust request, based on the AppliesTo Address and Issuer properties of the request.
  4. A module chain can perform authentication if it includes a module (such as a UsernameTokenSTSModule or X509STSModule) in validate mode.
  5. A module chain can perform mapping by using an XSLTransformationModule in mapping mode to manipulate the identity information.
  6. A module chain can perform authorization by using an AuthorizationSTSModule in other mode. The module chain must be configured with a Protected Object Root value.
  7. The AuthorizationSTSModule performs the authorization check by making a request to TAM with these properties:
    • Action = "i" (invoke)
    • Action Group = "WebService"
    • Protected Object = "ProtectedObjectRoot.FlowName.MessageFlowAccess"

      where "i" and "WebService" are the default values used by an AuthorizationSTSModule, and FlowName and MessageFlowAccess are the PortType and Operation values taken from the WS-Trust request.

  8. TAM processes the authorization request by:
    1. Finding the Access Control Lists (ACLs) associated with protected object "<ProtectedObjectRoot>.<FlowName>.MessageFlowAccess".
    2. Checking whether or not the ACLs grant action "i" on action group "WebService" to the user (with the user either named directly, or by membership of a named group).
  9. The WS-Trust reply is returned to the integration node. If the module chain performed mapping, the WS-Trust reply contains the mapped identity token.
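The following is an added model of the sequence above, written for this page and not IBM product code: it builds the WS-Trust request from the broker, integration server, and flow names, selects a chain on (AppliesTo, Issuer), derives the TAM protected object name, and evaluates the ACL check for action "i" in action group "WebService". All broker, chain, ACL, user, and issuer values are constructed assumptions.

```python
# Model of the TFIM/TAM sequence described above. Constructed illustration only:
# the names, chains, ACLs and users below are invented, not IBM APIs or real config.
from dataclasses import dataclass

@dataclass
class WSTrustRequest:
    request_type: str   # always "Validate" for an IIB input node
    identity: dict      # token(s) taken from the input message
    issuer: str
    applies_to: str     # "Broker.IntegrationServer.FlowName"
    port_type: str      # "FlowName"
    operation: str      # "MessageFlowAccess"

def build_request(broker, server, flow, tokens, issuer):
    """Step 2: the single WS-Trust request the integration node issues."""
    return WSTrustRequest("Validate", tokens, issuer,
                          f"{broker}.{server}.{flow}", flow, "MessageFlowAccess")

def select_chain(chains, req):
    """Step 3: TFIM picks the module chain keyed on (AppliesTo address, Issuer)."""
    return chains.get((req.applies_to, req.issuer))

def protected_object(root, req):
    """Step 7: TAM object name = ProtectedObjectRoot.PortType.Operation."""
    return f"{root}.{req.port_type}.{req.operation}"

def tam_permits(acls, obj, user, groups, action="i", action_group="WebService"):
    """Step 8: grant if any ACL on the object gives the action to the user or a group."""
    for principal, grants in acls.get(obj, []):
        if principal == user or principal in groups:
            if action in grants.get(action_group, set()):
                return True
    return False

# Constructed sample configuration (hypothetical broker, chain, ACL and users).
CHAINS = {("BRK1.default.OrderFlow", "urn:example:sts"): "OrderFlowChain"}
ACLS = {"WSRoot.OrderFlow.MessageFlowAccess": [("group:orders", {"WebService": {"i"}})]}
GROUPS = {"alice": {"group:orders"}, "bob": set()}

def authorize(user, flow="OrderFlow", issuer="urn:example:sts"):
    """End-to-end decision for one message: a chain must match and TAM must grant 'i'."""
    req = build_request("BRK1", "default", flow, {"UsernameToken": user}, issuer)
    if select_chain(CHAINS, req) is None:   # no matching chain: request is rejected
        return False
    return tam_permits(ACLS, protected_object("WSRoot", req), user, GROUPS.get(user, set()))

if __name__ == "__main__":
    print(authorize("alice"), authorize("bob"), authorize("alice", issuer="urn:other"))
```

Note that an identity whose issuer does not match any configured chain is rejected before TAM is consulted, so chain selection is itself a control point worth auditing.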