WebSphere Message Broker, Version 8.0.0.7 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

See information about the latest product version

Configuring identity mapping with a WS-Trust V1.3 STS (TFIM V6.2)

Configure a WS-Trust V1.3 compliant security token server (STS), such as Tivoli® Federated Identity Manager (TFIM) V6.2, to map the incoming security token and, if required, to authenticate and authorize it.

Before you start:

Before you can configure a message flow to perform identity mapping, you need to check that an appropriate security profile exists, or create a new security profile. For information about security profiles, see Creating a security profile.

To configure TFIM V6.2 to map an incoming security token, you must create a custom module chain in TFIM, which performs the security operations. The TFIM configuration controls the token type that is returned from the mapping.

When you use a WS-Trust V1.3 STS for identity mapping, a request is made to the security token server with the following parameters, which control the STS processing:
  • RequestType
  • Issuer
  • AppliesTo
If you are using TFIM V6.2, these parameters are used in the selection of the module chain.

The security manager invokes the WS-Trust v1.3 provider only once, even if it is set for additional security operations (such as authentication or authorization). As a result, when you are using TFIM V6.2, you must configure a single module chain to perform all the required authentication, mapping, and authorization operations.

When the security profile includes a mapping operation, the STS (for example, TFIM V6.2) must return a security token in its response. The STS can return the original unmodified token if no token exchange is required.

For more information about these parameters, see:Authentication, mapping, and authorization with TFIM V6.2 and TAM .

The WS-Trust v1.3 specification, published by OASIS, is available at:
http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html

For information on how to configure TFIM, see the IBM® Tivoli Federated Identity Manager Information Center.

Follow these steps to enable an existing message flow to perform identity mapping.

Using the Broker Archive editor, select a security profile that has mapping enabled. You can set a security profile on a message flow or on individual input nodes. If no security profile is set for the input nodes, the setting is inherited from the setting on the message flow.
  1. In the Message Broker Toolkit, right-click the BAR file, then click Open with > Broker Archive Editor.
  2. Click the Manage and Configure tab.
  3. Click the message flow or node on which you want to set the security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
  4. In the Security Profile Name field, enter the name of a security profile that has mapping enabled.
  5. Save the BAR file.
Notices | Trademarks | Downloads | Library | Support | Feedback

Copyright IBM Corporation 1999, 2016Copyright IBM Corporation 1999, 2016.

        
        Last updated:
        
        Last updated: 2016-05-23 14:48:24


Task topicTask topic | Version 8.0.0.7 | bp28120_