IBM Tivoli Federated Identity Manager, Version 6.2.1

Configuring

The Configuring topics explain how to deploy and configure Tivoli Federated Identity Manager scenarios.

PDF
Domain configuration
Overview of configuration tasks for federated single sign-on
Identity provider and service provider roles
Using keys and certificates to secure communications
Configuring LTPA and its keys
You must review the Lightweight Third Party Authentication (LTPA) on your WebSphere® Application Server after you have installed Tivoli® Federated Identity Manager. You can choose to use the default LTPA configuration or modify the configuration so that it is appropriate for your environment.
Setting up message security
Tivoli Federated Identity Manager uses certificates (pairs of public and private keys) to secure messages.
Setting up transport security
To protect the message as it is communicated (transported) between the partners, SAML recommends using Secure Sockets Layer (SSL) with server authentication and in some cases with mutual authentication.
Selecting a point of contact server
Configuring WebSphere as point of contact server
Configuring a Web server plug-in
The Web server plug-in is required to be installed on your Web server only if that server is a supported server other than WebSphere Application Server. The primary function of the plug-in is to extract the user identity information from the LTPA cookie in a Web request and make the identity information available to the target application that is hosted by the Web server using either HTTP headers or server variables (if supported by the Web server).
Setting up the alias service database
SAML 2.0 supports the use of name identifiers (aliases) for communication of user identities between partners. Aliases are intended to increase the privacy of the user when that user accesses resources at a service provider. When aliases are used, an identifier that both the identity and service provider will recognize is sent instead of the user's actual account name. Aliases are created and recorded during account linkage (federation). After account linkage, the alias is in all messages that are sent between the partners. A different alias is used with each partner. Also, the alias used in one direction (such as from identity provider to service provider) can be different from the alias that is used in the other direction (such as from service provider to identity provider). The use of aliases is optional in SAML 2.0.
Planning the mapping of user identities
SAML federations overview
SAML endpoints and URLs
Sample identity mapping rules for SAML federations
SAML 2.0 Attribute query
Establishing a SAML federation
Planning an Information Card federation
Configuring an Information Card federation
Information Card reference
OpenID planning overview
Configuring OpenID
OpenID reference
Planning a Liberty federation
You will need to specify values for federation properties when configuring a Liberty federation.
Configuring a Liberty federation
Planning a WS-Federation single sign-on federation
You will need to specify values for federation properties when configuring WS-Federation.
Configuring a WS-Federation single sign-on federation
To configure a WS-Federation single sign-on federations, you must create the federation, add your partner to your federation, and provide your partner with configuration information from your new federation.
Web services security management configuration
Configuration of Web services security management starts with the establishment of a Tivoli Federated Identity Manager domain. When the domain is established, you can configure the Web services security management component.
Kerberos constrained delegation overview
Enabling integrated Windows authentication
These instructions describe how to configure Microsoft® IIS for SPNEGO authentication.
Configuring Active Directory and WebSphere for constrained delegation
Tivoli Federated Identity Manager configuration for a Kerberos junction scenario
WebSEAL configuration
SSL configuration task for a Kerberos junctions deployment
For optimal security, configure SSL communication between servers in a Kerberos junction deployment.
Understanding User Self Care
Deploying User Self Care
Tuning User Self Care
You can improve User Self Care performance by adjusting settings for several distributed caches.
Response file parameters
Use the parameters described in this section to configure response files for User Self Care.
Customizing runtime properties
Custom properties can be used to tailor the runtime service of the Tivoli Federated Identity Manager to meet specific needs.
Customizing an authentication login form for single sign-on
Customize an authentication login form by adding parameters to a WebSphere or WebSEAL point of contact server profile.
Customizing single sign-on event pages
Tivoli Federated Identity Manager generates files that are displayed in response to events that occur during single sign-on requests. The response displayed might be a form (such as when login information is required) or an error or information statement about a condition that occurred while the request was processed.
Developing a custom point of contact server
The point of contact server in your Tivoli Federated Identity Manager environment is the first entity to process a request for access to a resource. You can choose one of the provided options for a point of contact server or you can create a custom point of contact server.
Customizing signature X.509 certificate settings
When you sign messages or assertions, the X.509 certificate (public key) is included with your signature as a base64-encoded X.509 certificate. However, you have the option of specifying whether this data should be excluded and whether additional data should be included with your signatures.
Running WebSphere Application Server with Java 2
If you are running Java™ 2 security on the WebSphere Application Server where Tivoli Federated Identity Tivoli Federated Identity Manager is installed, you must modify the java.policy to grant permission to the Tivoli Federated Identity directories that are in the temp subdirectory of your WebSphere profile.
tfimcfg reference
The tfimcfg command can be used to configure LDAP settings for the Integrated Solutions Console installation, and also to configure WebSEAL as a Point of Contact server.
URLs for initiating SAML single sign-on actions
The SAML specifications provide limited or no guidance about the endpoints or methods that end users must use to initiate single sign-on actions. However, in a Tivoli Federated Identity Manager environment, URLs are defined that end user can use to initiate single sign-on actions.
Disabling logging to enhance performance
When using Tivoli Federated Identity Manager with Tivoli Access Manager, you can improve performance on a service provider by disabling logging for theTivoli Access Manager policy server.

Feedback