You can configure a message flow to perform authorization on an identity by using Tivoli® Federated Identity Manager (TFIM) V6.1.
Before you start:
Authorization is performed with TFIM using an instance of the TFIM AuthorizationSTSModule in the selected module chain. The TFIM AuthorizationSTSModule must be set with Mode = Other. This AuthorizationSTSModule authorizes a user by checking an Access Control List (ACL) from Tivoli Access Manager (TAM). TFIM performs the authorization check by verifying that the action "i" (invoke) has been granted in an ACL for the WebService action group.
The ACL is found starting from the root of the TAM object space using a path formed from the Authorization module Web service protected object name parameter, followed by the Port Type and Operation Name from the authorization request. When the broker makes an authorization request to TFIM, the Port Type and Operation Name parameters have the following values:
Therefore, the ACL is found at this location in the TAM object space:
/<WSProtectedObjectName>.<MessageFlowName>."MessageFlowAccess"
For more information about this process and the parameters, see Authentication, mapping, and authorization with TFIM V6.1 and TAM.
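The following is an added example, not code from the IBM documentation or from TFIM itself. It models, in a simplified form, the lookup and decision that the text describes: building the protected-object path from the Web service protected object name and the message flow name (the path on the page shows that Port Type corresponds to the message flow name and Operation Name to "MessageFlowAccess"), locating the ACL at that path, and granting only when the "i" (invoke) action is present in the WebService action group. The object-space dictionary, the ACL entry shape (user, group and any-other entries with user-over-group precedence) and all names are constructed assumptions for illustration; a real TAM object space is not a Python dictionary.

```python
# Added example: simplified model of the TFIM AuthorizationSTSModule decision
# against a TAM ACL. Not IBM code; object-space layout and ACL shape are
# constructed assumptions.

ACTION_GROUP = "WebService"   # action group TFIM checks (from the documentation)
INVOKE_ACTION = "i"           # "invoke" action that must be granted (from the documentation)


def protected_object_path(ws_protected_object_name, message_flow_name):
    """Build the path the documentation gives:
    /<WSProtectedObjectName>.<MessageFlowName>."MessageFlowAccess"
    Port Type is the message flow name, Operation Name is "MessageFlowAccess".
    """
    return '/{}.{}."MessageFlowAccess"'.format(ws_protected_object_name, message_flow_name)


def is_authorized(acl, user, groups=()):
    """Decide whether the caller holds 'i' in the WebService action group.

    Simplified TAM entry precedence (assumption): an explicit user entry wins;
    otherwise the union of the caller's group entries applies; otherwise the
    any-other entry applies. Anything not granted is denied.
    """
    user_entry = acl.get("user", {}).get(user)
    if user_entry is not None:
        perms = user_entry.get(ACTION_GROUP, set())
    else:
        group_entries = [acl["group"][g] for g in groups if g in acl.get("group", {})]
        if group_entries:
            perms = set().union(*(e.get(ACTION_GROUP, set()) for e in group_entries))
        else:
            perms = acl.get("any-other", {}).get(ACTION_GROUP, set())
    return INVOKE_ACTION in perms


def authorize_request(object_space, ws_protected_object_name, message_flow_name, user, groups=()):
    """Full check: locate the ACL at the computed path, deny if none is attached,
    otherwise evaluate the caller against it."""
    path = protected_object_path(ws_protected_object_name, message_flow_name)
    acl = object_space.get(path)
    if acl is None:
        return False          # no ACL at that object: deny by default
    return is_authorized(acl, user, groups)


# Constructed sample object space: one protected object for flow "OrderFlow"
# under Web service protected object name "WebServiceRoot".
OBJECT_SPACE = {
    protected_object_path("WebServiceRoot", "OrderFlow"): {
        "user": {"auditor": {"WebService": set()}},            # explicit entry without "i"
        "group": {"order-clients": {"WebService": {"i"}}},     # group may invoke
        "any-other": {"WebService": set()},                    # everyone else: no invoke
    },
}


if __name__ == "__main__":
    print(protected_object_path("WebServiceRoot", "OrderFlow"))
    print("alice  :", authorize_request(OBJECT_SPACE, "WebServiceRoot", "OrderFlow", "alice", ("order-clients",)))
    print("auditor:", authorize_request(OBJECT_SPACE, "WebServiceRoot", "OrderFlow", "auditor", ("order-clients",)))
    print("bob    :", authorize_request(OBJECT_SPACE, "WebServiceRoot", "OrderFlow", "bob"))
    print("payment:", authorize_request(OBJECT_SPACE, "WebServiceRoot", "PaymentFlow", "alice", ("order-clients",)))
```

The "auditor" case shows why the explicit user entry matters: membership in a group that holds "i" does not override a user entry that lacks it, and a flow with no ACL attached at its path is denied outright rather than falling back to a permissive default.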
Steps for enabling TFIM authorization:
For a SOAPInput node to use the identity in the WS-Security header (rather than an underlying transport identity), an appropriate policy set and bindings must also be defined and specified. For more information, see Policy sets.
For further information on how to configure TFIM, see the IBM Tivoli Federated Identity Manager product documentation.