Configuring authorization with TFIM V6.1

You can configure a message flow to perform authorization on an identity by using Tivoli® Federated Identity Manager (TFIM) V6.1.

Before you begin

Before you configure a message flow to perform authorization with TFIM V6.1:

About this task

Note: Support for TFIM V6.1 is included for compatibility with previous versions of IBM® Integration Bus. If possible, upgrade to TFIM V6.2 and follow the instructions in Configuring authorization with a WS-Trust v1.3 STS (TFIM V6.2).
The integration node security manager issues an authorization request to the TFIM trust service with the following three parameters, which select the TFIM module chain to be used:
  • Issuer = Properties.IdentitySourceIssuedBy
  • Applies To = the fully qualified name of the flow: <integration node name>.<integration server name>.<message flow name>
  • Token = Properties.IdentitySourceToken

Authorization is performed with TFIM by an instance of the TFIM AuthorizationSTSModule in the selected module chain. The AuthorizationSTSModule must be configured with Mode = Other. It authorizes the user by checking an Access Control List (ACL) held in Tivoli Access Manager (TAM): the check succeeds only if the ACL grants the identity the action "i" (invoke) in the WebService action group.

The ACL is found starting from the root of the TAM object space using a path formed from the Authorization module Web service protected object name parameter, followed by the Port Type and Operation Name from the authorization request. When the integration node makes an authorization request to TFIM, the Port Type and Operation Name parameters have the following values:

  • Port Type: <message flow name>
  • Operation: MessageFlowAccess

Therefore, the ACL is found at this location in the TAM object space:

/<WSProtectedObjectName>.<MessageFlowName>."MessageFlowAccess"

For more information about this process and the parameters, see Authentication, mapping, and authorization with TFIM V6.1 and TAM.
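The following Python model illustrates the decision described above; it is an added example, not IBM code and not part of the original topic. It builds the AppliesTo value from the three name components, forms the TAM object-space path from the Web service protected object name, the message flow name (as Port Type) and the fixed MessageFlowAccess operation, and evaluates that path against a small constructed object space that follows TAM's sparse ACL model, in which an object is governed by the ACL attached to it or, if none, by the ACL attached to its nearest ancestor. Assumptions: the three path components are joined as successive object-space levels with TAM's "/" separator, TAM's traverse ("T") requirement on ancestor objects is not modelled, and the object names, flow names and principals (IIBFlows, PaymentsFlow, ReportsFlow, alice, bob) are invented sample data.

```python
"""Model of the TFIM V6.1 / TAM authorization decision for an integration node.

Added illustration only: this is not IBM code. The object space, ACLs, flow
names and principals below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

WEBSERVICE_ACTION_GROUP = "WebService"   # TFIM checks this action group
INVOKE_ACTION = "i"                      # and this ("invoke") action within it
OPERATION_NAME = "MessageFlowAccess"     # fixed Operation sent by the integration node


def applies_to(node_name: str, server_name: str, flow_name: str) -> str:
    """AppliesTo value of the request: the flow's fully qualified name."""
    return f"{node_name}.{server_name}.{flow_name}"


def acl_object_path(ws_protected_object_name: str, flow_name: str) -> str:
    """TAM object-space path the AuthorizationSTSModule consults.

    Port Type is the message flow name; Operation is always MessageFlowAccess.
    Assumption: components are successive object-space levels joined with '/'.
    """
    return f"/{ws_protected_object_name.strip('/')}/{flow_name}/{OPERATION_NAME}"


@dataclass
class Acl:
    """A TAM ACL: principal -> set of (action group, action) permissions.

    TAM writes primary-group permissions as e.g. "Tr" and custom action-group
    permissions as e.g. "[WebService]i"; both are modelled as (group, action).
    """
    name: str
    entries: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)

    def grant(self, principal: str, action: str, group: str = "primary") -> "Acl":
        self.entries.setdefault(principal, set()).add((group, action))
        return self

    def permits(self, principal: str, action: str, group: str) -> bool:
        return (group, action) in self.entries.get(principal, set())


class ObjectSpace:
    """Sparse ACL attachment: the nearest attached ACL on the path governs."""

    def __init__(self) -> None:
        self.attached: Dict[str, Acl] = {}

    def attach(self, path: str, acl: Acl) -> None:
        self.attached[path.rstrip("/") or "/"] = acl

    def effective_acl(self, path: str) -> Optional[Acl]:
        parts = [p for p in path.split("/") if p]
        # Walk from the requested object up to the root, returning the first attached ACL.
        for depth in range(len(parts), -1, -1):
            candidate = "/" + "/".join(parts[:depth])
            if candidate in self.attached:
                return self.attached[candidate]
        return None


def authorize_flow_access(space: ObjectSpace, ws_protected_object_name: str,
                          flow_name: str, principal: str) -> Tuple[bool, str]:
    """Return (decision, object path consulted) for one authorization request.

    Access is granted only if the effective ACL gives the principal the "i"
    action in the WebService action group. Simplification: TAM's traverse ("T")
    requirement on ancestor objects is not modelled.
    """
    path = acl_object_path(ws_protected_object_name, flow_name)
    acl = space.effective_acl(path)
    if acl is None:
        return False, path  # no ACL anywhere on the path: deny
    return acl.permits(principal, INVOKE_ACTION, WEBSERVICE_ACTION_GROUP), path


def demo() -> Dict[str, bool]:
    """Constructed sample object space; returns the decision for each request."""
    space = ObjectSpace()
    # Default ACL at the protected-object root: grants nobody the invoke action.
    space.attach("/IIBFlows", Acl("default-deny"))
    # Flow-specific ACL: only alice may invoke PaymentsFlow.
    payments = Acl("payments-acl").grant("alice", INVOKE_ACTION, WEBSERVICE_ACTION_GROUP)
    # bob holds only the primary-group read bit, which is not what TFIM checks.
    payments.grant("bob", "r")
    space.attach("/IIBFlows/PaymentsFlow", payments)

    results: Dict[str, bool] = {}
    for who, flow in [("alice", "PaymentsFlow"), ("bob", "PaymentsFlow"), ("alice", "ReportsFlow")]:
        ok, path = authorize_flow_access(space, "IIBFlows", flow, who)
        results[f"{who}:{flow}"] = ok
        print(f"{path:45s} {who:6s} -> {'permit' if ok else 'deny'}")
    return results


if __name__ == "__main__":
    demo()
```

Running the block shows the two points practitioners most often get wrong when wiring this up: a primary-group permission such as read ("r") does not satisfy the check, because TFIM looks only for "i" in the WebService action group, and a flow with no ACL attached at its own level (ReportsFlow) silently inherits whatever is attached above it, so the ACL on the protected-object root decides the default for every flow that is not explicitly listed.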

Steps for enabling TFIM authorization:

Procedure

To enable an existing message flow to perform authorization with TFIM, use the BAR editor to select a security profile that has authorization enabled.
You can set a security profile on a message flow or on individual input nodes. If no security profile is set for the input nodes, the setting is inherited from the setting on the message flow.
  1. Switch to the Integration Development perspective.
  2. In the Application Development view, right-click the BAR file, then click Open with > BAR Editor.
  3. Click the Manage and Configure tab.
  4. Click the flow or node on which you want to set the security profile.
    The properties that you can configure for the message flow or for the node are displayed in the Properties view.
  5. In the Security Profile Name field, select a security profile that has authorization enabled.
  6. Save the BAR file.

What to do next

For a SOAPInput node to use the identity in the WS-Security header (rather than an underlying transport identity) an appropriate policy set and bindings must also be defined and specified. For more information, see Policy sets.

In addition to configuring IBM Integration Bus to perform authorization with TFIM, you must configure TFIM and TAM. For information about how to do this, see the following topics:

For further information on how to configure TFIM, see the IBM Tivoli Federated Identity Manager product documentation online.