Configuring LTPA and its keys
You must review the Lightweight Third Party Authentication (LTPA) configuration on your WebSphere® Application Server after you have installed Tivoli® Federated Identity Manager. You can choose to use the default LTPA configuration or modify the configuration so that it is appropriate for your environment.
Setting up message security
Tivoli Federated Identity Manager uses certificates (pairs of public and private keys) to secure messages.
Setting up transport security
To protect the message as it is communicated (transported) between the partners, SAML recommends using Secure Sockets Layer (SSL) with server authentication and, in some cases, with mutual authentication.
Configuring a Web server plug-in
The Web server plug-in must be installed on your Web server only if that server is a supported Web server other than WebSphere Application Server. The primary function of the plug-in is to extract the user identity information from the LTPA cookie in a Web request and make that identity information available to the target application hosted by the Web server, using either HTTP headers or server variables (if the Web server supports them).
Setting up the alias service database
SAML 2.0 supports the use of name identifiers (aliases) for communicating user identities between partners. Aliases are intended to increase the privacy of the user when that user accesses resources at a service provider. When aliases are used, an identifier that both the identity provider and the service provider recognize is sent instead of the user's actual account name. Aliases are created and recorded during account linkage (federation). After account linkage, the alias is carried in all messages that are sent between the partners. A different alias is used with each partner. Also, the alias used in one direction (such as from identity provider to service provider) can be different from the alias used in the other direction (such as from service provider to identity provider). The use of aliases is optional in SAML 2.0.
Configuring a WS-Federation single sign-on federation
To configure a WS-Federation single sign-on federation, you must create the federation, add your partner to your federation, and provide your partner with configuration information from your new federation.
Web services security management configuration
Configuration of Web services security management starts with the establishment of a Tivoli Federated Identity Manager domain. When the domain is established, you can configure the Web services security management component.
Tuning User Self Care
You can improve User Self Care performance by adjusting settings for several distributed caches.
Response file parameters
Use the parameters described in this section to configure response files for User Self Care.
Customizing runtime properties
Custom properties can be used to tailor the runtime service of Tivoli Federated Identity Manager to meet specific needs.
Customizing single sign-on event pages
Tivoli Federated Identity Manager generates files that are displayed in response to events that occur during single sign-on requests. The response displayed might be a form (such as when login information is required) or an error or information statement about a condition that occurred while the request was processed.
Developing a custom point of contact server
The point of contact server in your Tivoli Federated Identity Manager environment is the first entity to process a request for access to a resource. You can choose one of the provided options for a point of contact server, or you can create a custom point of contact server.
Customizing signature X.509 certificate settings
When you sign messages or assertions, the X.509 certificate (public key) is included with your signature as a base64-encoded X.509 certificate. However, you have the option of specifying whether this data should be excluded and whether additional data should be included with your signatures.
Running WebSphere Application Server with Java 2
If you are running Java™ 2 security on the WebSphere Application Server where Tivoli Federated Identity Manager is installed, you must modify the java.policy file to grant permission to the Tivoli Federated Identity Manager directories that are in the temp subdirectory of your WebSphere profile.
tfimcfg reference
The tfimcfg command can be used to configure LDAP settings for the Integrated Solutions Console installation, and also to configure WebSEAL as a point of contact server.
URLs for initiating SAML single sign-on actions
The SAML specifications provide limited or no guidance about the endpoints or methods that end users must use to initiate single sign-on actions. However, in a Tivoli Federated Identity Manager environment, URLs are defined that end users can use to initiate single sign-on actions.
Disabling logging to enhance performance
When using Tivoli Federated Identity Manager with Tivoli Access Manager, you can improve performance on a service provider by disabling logging for the Tivoli Access Manager policy server.