IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS


Configuring identity mapping with TFIM V6.1

Configure Tivoli® Federated Identity Manager (TFIM) V6.1 to map the incoming security token and, if required, to authenticate and authorize it.

Before you start:

Before you can configure a message flow to perform identity mapping, you need to check that an appropriate security profile exists, or create a new security profile. For information about security profiles, see Creating a security profile.

Note: Support for TFIM V6.1 is included for compatibility with previous versions of IBM Integration Bus. If possible, upgrade to TFIM V6.2 and follow the instructions in Configuring identity mapping with a WS-Trust V1.3 STS (TFIM V6.2).

To configure TFIM V6.1 to map the incoming security token, you need to create a custom module chain in TFIM, which performs the security operations. The TFIM configuration controls the token type that is returned from the mapping.

When you use TFIM for mapping, a request is made to the TFIM trust service with the following three parameters, which select the module chain:
  • Issuer = Properties.IdentitySourceIssuedBy
  • AppliesTo = The fully qualified name of the flow: Brokername.Integration Server Name.Message Flow Name
  • Token = Properties.IdentitySourceToken

The security manager invokes the security provider only once, even if it is set for additional security operations (such as authentication or authorization). As a result, when you are using TFIM V6.1, you must configure a single module chain to perform all the required authentication, mapping, and authorization operations.
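The following pre-deployment check is an added example, not IBM or TFIM code. It derives the AppliesTo value for each flow and reports flows whose selected module chain would skip an operation that the security profile delegates to TFIM. The `Flow` and `ModuleChain` records, the sample names, and the exact-match selection on Issuer and AppliesTo (token ignored) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:                      # hypothetical record of a deployed flow
    broker: str
    integration_server: str
    name: str
    issuer: str                  # value carried in Properties.IdentitySourceIssuedBy
    tfim_ops: frozenset          # operations the security profile hands to TFIM

    @property
    def applies_to(self) -> str:
        # AppliesTo is the fully qualified flow name sent to the trust service.
        return f"{self.broker}.{self.integration_server}.{self.name}"

@dataclass(frozen=True)
class ModuleChain:               # hypothetical summary of a TFIM module chain
    issuer: str
    applies_to: str
    performs: frozenset          # operations the chain's modules carry out

def audit(flows, chains):
    """Map AppliesTo -> problem for flows whose one TFIM call is not fully covered."""
    findings = {}
    for flow in flows:
        # Assumption: exact match on Issuer and AppliesTo selects the chain.
        hits = [c for c in chains
                if (c.issuer, c.applies_to) == (flow.issuer, flow.applies_to)]
        if not hits:
            findings[flow.applies_to] = "no module chain selected"
        elif len(hits) > 1:
            findings[flow.applies_to] = "ambiguous: several chains match"
        else:
            # The provider is invoked once, so this chain must do everything.
            missing = flow.tfim_ops - hits[0].performs
            if missing:
                findings[flow.applies_to] = "chain omits: " + ", ".join(sorted(missing))
    return findings

# Constructed sample inventory (names are made up for illustration).
FLOWS = [
    Flow("BRK1", "default", "OrderFlow", "orders-gw", frozenset({"authentication", "mapping"})),
    Flow("BRK1", "default", "PayFlow", "pay-gw",
         frozenset({"authentication", "mapping", "authorization"})),
    Flow("BRK1", "batch", "AuditFlow", "audit-gw", frozenset({"mapping"})),
]
CHAINS = [
    ModuleChain("orders-gw", "BRK1.default.OrderFlow", frozenset({"authentication", "mapping"})),
    ModuleChain("pay-gw", "BRK1.default.PayFlow", frozenset({"mapping"})),
]

if __name__ == "__main__":
    for target, problem in audit(FLOWS, CHAINS).items():
        print(f"{target}: {problem}")
```

A finding of the form "chain omits" marks a flow where authentication or authorization would not run, because no second call to TFIM is made to cover it.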

For information on how to configure TFIM, see the IBM Tivoli Federated Identity Manager product documentation.

Follow these steps to enable an existing message flow to perform identity mapping.

Using the Broker Archive editor, select a security profile that has mapping enabled. You can set a security profile on a message flow or on individual input nodes. If no security profile is set for the input nodes, the setting is inherited from the setting on the message flow.
  1. In the Message Broker Toolkit, right-click the BAR file, then click Open with > Broker Archive Editor.
  2. Click the Manage and Configure tab.
  3. Click the flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
  4. In the Security Profile Name field, enter the name of a security profile that has mapping enabled.
  5. Save the BAR file.

bp28110_.htm | Last updated Friday, 21 July 2017