Authentication, mapping, and authorization with TFIM V6.2 and TAM

You can use IBM® Integration Bus, Tivoli® Federated Identity Manager (TFIM) V6.2, and Tivoli Access Manager (TAM) to control authentication, mapping, and authorization.

IBM Integration Bus makes a single TFIM WS-Trust call for an input node or SecurityPEP node that is configured with a WS-Trust V1.3 STS security profile. As a result, a single module chain must be configured to perform all the required authentication, mapping, and authorization operations.

When you use a WS-Trust v1.3 STS for authentication, authorization, or mapping, a request is made to the trust service with the following parameters, which control the STS processing. If you are using TFIM V6.2, these parameters are used in the selection of the TFIM module chain:
RequestType
The type of request issued to the trust service. Valid values are:
  • Issue: This value can be specified when mapping is the only operation that is set to WS-Trust V1.3 STS in the security profile. It is not valid if WS-Trust V1.3 STS is specified for authentication or authorization. The namespace-qualified value is http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue, which is shown in TFIM V6.2 as Issue Oasis URI.
  • Validate: This value must be set when the security profile also includes authentication or authorization (in addition to mapping) for the same WS-Trust V1.3 STS provider. The namespace-qualified value is http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate, which is shown in TFIM V6.2 as Validate Oasis URI.
Issuer
This value is determined by the effective setting of the IssuedBy property on the Basic tab of the SecurityPEP node or the Security tab of the input node.
AppliesTo This value is determined by the type of node:
MQInput or SCAInput node with MQ binding:
The WebSphere® MQ IRI of the node's input queue; for example:
wmq://msg/queue/queue_name@queue_manager_name
HTTPInput, SOAPInput, or SOAPAsyncResponse node with HTTP binding:
The endpoint URL; for example:
http://myflow/myInputNodePath
SecurityPEP node with a default (blank) WS-Trust AppliesTo address:
The URN for the message flow that contains the node; for example:
urn:/integrationNodeName.integrationServerName.flowName
SecurityPEP node with WS-Trust AppliesTo address set on the Advanced tab of the node:
The URI value configured in the property. This value is typically the URL of the target service that is used when you invoke a mapping operation to obtain the required token for the following request node; for example:
http://remotehost.ibm.com:9080/targetservice
You can also set the AppliesTo service name and AppliesTo port type properties on the Advanced tab of the node. The WS-Trust request includes these optional elements only when they are configured. These values are typically valid QNames; for example:
http://myservice.mycom.com:myservicename
When you set these properties in the SecurityPEP node, you must configure them in the TFIM module chain:
  • In the service name and port type TFIM properties, the information to the left of the colon must match the namespace URI of the WS-Addressing namespace that is used for the PortType and ServiceName elements in the WS-Trust request set by the integration node, which is:
    http://www.w3.org/2005/08/addressing
  • The information to the right of the colon in the service name and port type TFIM properties must match the value configured on the SecurityPEP node. You can also configure a regular expression in TFIM to specify a match.

This section describes an authorization configuration that you can use to perform the authorization operation with TFIM V6.2 and TAM.

In the security profile, set the TFIM V6.2 endpoint for the authorization operation. When you create a module chain to be used by a security-enabled input node or SecurityPEP node, and resolved by AppliesTo information, you must include the TFIM TAMAuthorizationSTSModule to invoke TAM authorization.

The TAMAuthorizationSTSModule requires the following TFIM STS universal user context attributes:
PrincipalName
The username to be authorized. This username must exist in your TAM user repository.
ObjectName
The TAM object name of the resource on which an authorization check is to be made. Typically this is derived from the AppliesTo information that is passed by the message flow security manager from the security enabled input node or SecurityPEP node.
Action
The TAM action to be authorized; for example, x (eXecute).

The TAM Access Control List (ACL), which determines the authorization decision, is located in the TAM protected object space using the path that is set on the ObjectName attribute of the TFIM STS universal user context input to the TAMAuthorizationSTSModule module.

The following diagram shows the configuration of IBM Integration Bus, TFIM V6.2, and TAM to enable authentication, mapping, and authorization of an identity in a message flow:

The diagram is described in the preceding and following text.
The numbers in the preceding diagram correspond to the following sequence of events:
  1. A message enters a message flow.
  2. A WS-Trust request is issued by the integration node, with the RequestType, Issuer, and AppliesTo properties set.
  3. TFIM selects a module chain to process the WS-Trust request, based on the RequestType, Issuer, and AppliesTo properties of the request.
  4. A module chain can perform authentication if it includes a module in Validate mode that is appropriate to the token type that is being passed in the request from the message flow input message. For example, a Username and Password token can be authenticated by using a UsernameTokenSTSModule.
  5. The module chain must perform some mapping by using an XSLTransformationModule in mapping mode to manipulate the identity information and to provide the required context attributes in the TFIM stsuser object for use by subsequent modules.
  6. A module chain can perform authorization in TAM by using the TAMAuthorizationSTSModule.
  7. The TAMAuthorizationSTSModule performs the authorization check by making a request to TAM with these properties:
    • Action = a (where a is the stsuser context Action attribute). For example, x for eXecute could be set by using the following code:
      <stsuuser:ContextAttributes>
        <!-- Action -->
        <stsuuser:Attribute name="Action" type="urn:ibm:names:ITFIM:stsmodule:tamazn">
          <stsuuser:Value>x</stsuuser:Value>
        </stsuuser:Attribute>
      </stsuuser:ContextAttributes>
    • Action Group = WebService
    • Protected Object = ProtectedObjectName (where ProtectedObjectName is the stsuser context ObjectName attribute), which could be set by using the following code:
      <stsuuser:ContextAttributes>
        <!-- ObjectName -->
        <stsuuser:Attribute name="ObjectName" type="urn:ibm:names:ITFIM:stsmodule:tamazn">
          <stsuuser:Value>ProtectedObjectName</stsuuser:Value>
        </stsuuser:Attribute>
      </stsuuser:ContextAttributes>
      Typically, ProtectedObjectName is set conditionally from the AppliesTo information in the request.
  8. TAM processes the authorization request by:
    1. Finding the Access Control Lists (ACLs) associated with the protected object ProtectedObjectName.
    2. Checking whether the ACLs grant action a on action group WebService to the user (the user is named either directly or indirectly, through membership of a named group).
  9. The WS-Trust reply is returned to the integration node. If this action is the result of a mapping request, the WS-Trust reply contains the mapped identity token.
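As an added example (not IBM's code or the product's own module chain), the following Python models steps 2, 5 and 7 of the sequence above together with the AppliesTo table: it parses a constructed WS-Trust request for the three chain-selection parameters, checks the Issue/Validate rule, derives a TAM protected object name from the AppliesTo address, and emits the stsuuser context attributes that TAMAuthorizationSTSModule requires. The /WebService object-space root and the address-to-path scheme are assumptions for illustration, not IBM defaults; in a real chain this mapping is done by the XSLTransformationModule.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
STSUU = "urn:ibm:names:ITFIM:1.0:stsuuser"
TAMAZN = "urn:ibm:names:ITFIM:stsmodule:tamazn"

# Constructed sample RST for a SecurityPEP node with a blank AppliesTo address.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}" xmlns:wsa="{WSA}" xmlns:wsp="{WSP}">
  <wst:RequestType>{WST}/Validate</wst:RequestType>
  <wst:Issuer><wsa:Address>urn:example:issuer</wsa:Address></wst:Issuer>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>urn:/NODE.SERVER.flowName</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
</wst:RequestSecurityToken>"""

def parse_rst(xml_text):
    """Extract the three parameters TFIM uses to select a module chain."""
    root = ET.fromstring(xml_text)
    ep = f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address"
    return {"RequestType": root.findtext(f"{{{WST}}}RequestType"),
            "Issuer": root.findtext(f"{{{WST}}}Issuer/{{{WSA}}}Address"),
            "AppliesTo": root.findtext(ep)}

def check_request_type(request_type, operations):
    """Issue is valid only when mapping is the sole WS-Trust STS operation."""
    if request_type == f"{WST}/Issue" and operations != {"mapping"}:
        raise ValueError("Issue is not valid with authentication or authorization")
    return True

def object_name_from_applies_to(applies_to):
    """Derive a TAM protected object path; the /WebService root is a constructed convention."""
    if applies_to.startswith("wmq://"):          # wmq://msg/queue/queue@qmgr
        queue, _, qmgr = applies_to.rsplit("/", 1)[1].partition("@")
        return f"/WebService/{qmgr}/{queue}"
    if applies_to.startswith("urn:/"):           # urn:/node.server.flow
        return "/WebService/" + applies_to[5:].replace(".", "/")
    url = urlparse(applies_to)                   # http://host:port/path
    return f"/WebService/{url.hostname}{url.path}"

def build_context_attributes(principal, object_name, action="x"):
    """Emit the stsuuser ContextAttributes that TAMAuthorizationSTSModule reads."""
    ET.register_namespace("stsuuser", STSUU)
    ctx = ET.Element(f"{{{STSUU}}}ContextAttributes")
    for name, value in (("PrincipalName", principal),
                        ("ObjectName", object_name), ("Action", action)):
        attr = ET.SubElement(ctx, f"{{{STSUU}}}Attribute", name=name, type=TAMAZN)
        ET.SubElement(attr, f"{{{STSUU}}}Value").text = value
    return ET.tostring(ctx, encoding="unicode")
```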