Authentication, mapping, and authorization with TFIM V6.2 and TAM
You can use WebSphere® Message Broker, Tivoli® Federated Identity Manager (TFIM) V6.2, and Tivoli Access Manager (TAM) to control authentication, mapping, and authorization.
WebSphere Message Broker makes a single TFIM WS-Trust call for an input node or SecurityPEP node that is configured with a WS-Trust V1.3 STS security profile. As a result, a single module chain must be configured to perform all the required authentication, mapping, and authorization operations.
The WS-Trust request carries the following parameters:

Parameter | Value
---|---
RequestType | The type of request issued to the trust service. Valid values are:
Issuer | This value is determined by the effective setting of the IssuedBy property on the Basic tab of the SecurityPEP node or the Security tab of the input node.
AppliesTo | This value is determined by the type of node:
This section describes an authorization configuration that you can use to perform the authorization operation with TFIM V6.2 and TAM.
In the security profile, set the TFIM V6.2 endpoint for the authorization operation. When you create a module chain to be used by a security-enabled input node or SecurityPEP node, and resolved by AppliesTo information, you must include the TFIM TAMAuthorizationSTSModule to invoke TAM authorization. The module reads the following attributes from the STS universal user context:
- PrincipalName: The username to be authorized. This username must exist in your TAM user repository.
- ObjectName: The TAM object name of the resource on which an authorization check is to be made. Typically this is derived from the AppliesTo information that is passed by the message flow security manager from the security-enabled input node or SecurityPEP node.
- Action: The TAM action to be authorized; for example, x (eXecute).
The TAM Access Control List (ACL) that determines the authorization decision is located in the TAM protected object space at the path set in the ObjectName attribute of the TFIM STS universal user context that is passed to the TAMAuthorizationSTSModule.
The following diagram shows the configuration of WebSphere Message Broker, TFIM V6.2, and TAM to enable authentication, mapping, and authorization of an identity in a message flow:

- A message enters a message flow.
- A WS-Trust request is issued by the broker, with the RequestType, Issuer, and AppliesTo properties set.
- TFIM selects a module chain to process the WS-Trust request, based on the RequestType, Issuer, and AppliesTo properties of the request.
- A module chain can perform authentication if it includes a module in Validate mode that is appropriate to the token type that is being passed in the request from the message flow input message. For example, a Username and Password token can be authenticated using a UsernameTokenSTSModule.
- The module chain must perform some mapping by using an XSLTransformationModule in mapping mode to manipulate the identity information and to provide the required context attributes in the TFIM stsuser object for use by subsequent modules.
- A module chain can perform authorization in TAM by using the TAMAuthorizationSTSModule.
- The TAMAuthorizationSTSModule performs the authorization check by making a request to TAM with these properties:
  - Action = a, where a is the stsuser context Action attribute. For example, x for eXecute could be set using the following code:

    ```xml
    <stsuuser:ContextAttributes>
      <!-- Action -->
      <stsuuser:Attribute name="Action" type="urn:ibm:names:ITFIM:stsmodule:tamazn">
        <stsuuser:Value>x</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:ContextAttributes>
    ```

  - Action Group = WebService
  - Protected Object = ProtectedObjectName, where ProtectedObjectName is the stsuser context ObjectName attribute. Typically, ProtectedObjectName is set conditionally from the AppliesTo information in the request, using code like the following:

    ```xml
    <stsuuser:ContextAttributes>
      <!-- ObjectName -->
      <stsuuser:Attribute name="ObjectName" type="urn:ibm:names:ITFIM:stsmodule:tamazn">
        <stsuuser:Value>ProtectedObjectName</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:ContextAttributes>
    ```

- TAM processes the authorization request by:
  - Finding the Access Control Lists (ACLs) associated with protected object ProtectedObjectName.
  - Checking whether the ACLs grant action a on action group WebService to the user (the user is named either directly or indirectly, through membership of a named group).
- The WS-Trust reply is returned to the broker. If this action is the result of a mapping request, the WS-Trust reply contains the mapped identity token.
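The last two steps above, as an added illustration that is not TFIM or TAM code: a simplified Python model that reads the tamazn-typed context attributes from a constructed stsuser document and then applies a TAM-style ACL decision for action group WebService, including inheritance of an ACL attached to a parent object. The stsuuser namespace URI, the ACLs and the group membership are assumed sample values.

```python
import xml.etree.ElementTree as ET

STSUU_NS = "urn:ibm:names:ITFIM:1.0:stsuuser"   # assumed stsuuser namespace URI
TAMAZN = "urn:ibm:names:ITFIM:stsmodule:tamazn"  # attribute type used on this page

# Constructed sample: the stsuser document after mapping, carrying the three
# tamazn-typed context attributes that the TAM authorization step reads.
SAMPLE_STSUU = f"""<stsuuser:STSUniversalUser xmlns:stsuuser="{STSUU_NS}">
  <stsuuser:ContextAttributes>
    <stsuuser:Attribute name="PrincipalName" type="{TAMAZN}"><stsuuser:Value>alice</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="ObjectName" type="{TAMAZN}"><stsuuser:Value>/WMB/Flows/OrderIn</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="Action" type="{TAMAZN}"><stsuuser:Value>x</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:ContextAttributes>
</stsuuser:STSUniversalUser>"""

# Constructed sample ACLs keyed by the protected object they are attached to;
# each maps "user:<name>" or "group:<name>" to the WebService actions granted.
ACLS = {
    "/WMB": {"group:operators": {"x"}},
    "/WMB/Flows/OrderIn": {"user:alice": {"x"}, "group:operators": {"r"}},
}
GROUPS = {"operators": {"bob"}}  # constructed group membership

def tamazn_attributes(stsuu_xml):
    """Return {name: value} for the context attributes typed tamazn."""
    ns = {"u": STSUU_NS}
    root = ET.fromstring(stsuu_xml)
    return {a.get("name"): a.findtext("u:Value", namespaces=ns)
            for a in root.findall("u:ContextAttributes/u:Attribute", ns)
            if a.get("type") == TAMAZN}

def effective_acl(object_name):
    """ACL on the object itself, else the nearest ancestor's (TAM inheritance)."""
    path = object_name
    while path:
        if path in ACLS:
            return ACLS[path]
        path = path.rsplit("/", 1)[0]
    return ACLS.get("/", {})

def authorized(user, object_name, action):
    """Grant when the user, directly or through a group, holds the action."""
    acl = effective_acl(object_name)
    subjects = ["user:" + user] + ["group:" + g for g, m in GROUPS.items() if user in m]
    return any(action in acl.get(s, set()) for s in subjects)

def decide(stsuu_xml):
    """Whole step: read the tamazn attributes, then consult the ACL model."""
    attrs = tamazn_attributes(stsuu_xml)
    return authorized(attrs["PrincipalName"], attrs["ObjectName"], attrs["Action"])
```

Note that the ACL attached directly to /WMB/Flows/OrderIn overrides the one inherited from /WMB, so a member of operators is granted x on other flows under /WMB but not on this one.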
For further information about how to configure TFIM and TAM, see IBM® Security Systems information centers.