Identity assertion
Identity assertion is a method for expressing the identity of the sender
(for example, user name) in a SOAP message. When identity assertion is used
as an authentication method, the authentication decision is performed based
only on the name of the identity, and on other information such as passwords
and certificates.
- ID type
The Web Services Security implementation in WebSphere Application Server
can handle these identity types:
- User name
- Denotes the user name, such as the one in the local operating system (for
example, "alice"). This name is embedded in the <Username> element within
the <UsernameToken> element.
- DN
- Denotes the distinguished name (DN) for the user, such as "CN=alice,
O=IBM, C=US". This name is embedded in the <Username> element within
the <UsernameToken> element.
- X.509 certificate
- Represents the identity of the user as an X.509 certificate instead of
a string name. This certificate is embedded in the <BinarySecurityToken> element.
- Managing trust
The intermediary host in the SOAP message itinerary can assert claimed
identity of the initial sender. Two methods (called trust mode) are
supported for this assertion:
- Basic authentication
- The intermediary adds its user name and password pair to the message.
- Signature
- The intermediary digitally signs the <UsernameToken> element of the
initial sender.
Note: This trust mode does not support
the X.509 certificate ID type.
- Typical scenario
ID assertion is typically used in the multihop environment where the
SOAP message passes through one or more intermediary hosts. The intermediary
host authenticates the initial sender. The following scenario describes the
process:
- The initial sender sends a SOAP message to the intermediary host with
some embedded authentication information. This authentication information
might be a user name and a password pair with an Lightweight Third Party Authentication
(LTPA) token.
- The intermediary host authenticates the initial sender according to the
embedded authentication information.
- The intermediary host removes the authentication information from the
SOAP message and replaces it with the <UsernameToken> element, which contains
a user name.
- The intermediary host asserts the trust according to the trust mode.
- The intermediary host sends the updated SOAP message to the ultimate receiver.
- The ultimate receiver checks the trust against the intermediary host information
according to the configured trust mode. Also, the trusted ID evaluator is
invoked.
- If trust is established by the final receiver, the receiver invokes the
Web service under the authorization of the user name (that is, the initial
sender) in the SOAP message.

Trusted ID evaluator

Securing Web services using XML digital signature
Searchable topic ID:
cwbs_idassert
Last updated: Jun 21, 2007 8:07:48 PM CDT
WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/cwbs_idassert.html