The purpose of identity assertion is to assert the authenticated identity of the originating client from a Web service to a downstream Web service. You can configure identity assertion authentication for the server. Do not attempt to configure identity assertion from a pure client.
About this task
Important: There is an important distinction between Version 5.x and Version 6.0.x and later applications. The information in this article supports only Version 5.x applications that are used with WebSphere Application Server Version 6.0.x and later. The information does not apply to Version 6.0.x and later applications.
For the downstream Web service to accept the identity of the originating client (user name only), you must supply a special trusted BasicAuth credential that the downstream Web service trusts and can authenticate successfully. You must specify the user ID of the special BasicAuth credential in a trusted ID evaluator on the downstream Web service configuration. For more information on trusted ID evaluators, see Trusted ID evaluator. The server side passes the special BasicAuth credential into the trusted ID evaluator, which returns true or false to indicate whether this ID is trusted. After the ID is trusted, the user name of the client is mapped to the credential, which is used for authorization.
Complete the following steps to configure the server to handle identity assertion authentication information:
Procedure
- Launch an assembly tool. For more information on the assembly tools, see Assembly tools.
- Switch to the Java 2 Platform, Enterprise Edition (J2EE) perspective. Click Window > Open Perspective > J2EE.
- Click EJB Projects > application_name > ejbModule > META-INF.
- Right-click the webservices.xml file, and click Open with > Web services editor.
- Click the Extensions tab, which is located at the bottom of the Web services editor within the assembly tool.
- Expand the Request receiver service configuration details > Login configuration section. The options you can select are:
  - BasicAuth
  - Signature
  - ID assertion
  - Lightweight Third Party Authentication (LTPA)
- Select IDAssertion to authenticate the client using the identity assertion data provided.
  The user ID of the client must be in the target user registry configured in WebSphere Application Server global security. You can select global security in the administrative console by clicking Security > Global security.
- Expand the IDAssertion section and select both the ID Type and the Trust Mode.
  - For ID Type, the options are:
    - Username
    - Distinguished name (DN)
    - X509certificate
    These choices are just preferences and are not guaranteed. Most of the time the Username option is used. You must choose the same ID Type as the client.
  - The Trust Mode refers to the information sent by the client as the trusted ID. For Trust Mode, the options are:
    - If you select BasicAuth, the client sends basic authentication data (user ID and password). This BasicAuth data is authenticated to the configured user registry. When the authentication occurs successfully, the user ID must be part of the trusted ID evaluator trust list.
    - If you select Signature, the client signing certificate is sent. This certificate must be mappable to the configured user registry. For Local OS, the common name (CN) of the distinguished name (DN) is mapped to a user ID in the registry. For Lightweight Directory Access Protocol (LDAP), the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter mode, attributes are mapped accordingly. In addition, the user name from the credential generated must be in the Trusted ID Evaluator trust list.
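
The server-side checks described above for the BasicAuth trust mode, shown as an added example that is not part of the original article and is not WebSphere Application Server code. It is a self-contained Python model; the registry contents, the trust list, and all function names are constructed for illustration.

```python
import hmac

# Constructed sample data: a stand-in for the user registry configured in
# global security, and for the trusted ID evaluator's trust list.
REGISTRY = {"alice": "alice-pw", "gateway-svc": "gw-secret", "batch-svc": "batch-pw"}
TRUST_LIST = {"gateway-svc"}


def authenticate(user_id, password):
    """Check BasicAuth data against the (model) user registry."""
    stored = REGISTRY.get(user_id)
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())


def evaluate_trusted_id(user_id):
    """Model of the trusted ID evaluator: is this ID on the trust list?"""
    return user_id in TRUST_LIST


def accept_assertion(trusted_user, trusted_password, asserted_user):
    """Return (accepted, detail) for one assertion in BasicAuth trust mode."""
    # 1. The special BasicAuth credential must authenticate successfully.
    if not authenticate(trusted_user, trusted_password):
        return False, "trusted credential failed authentication"
    # 2. Its user ID must also be on the trust list: a valid registry
    #    account alone may not assert other identities.
    if not evaluate_trusted_id(trusted_user):
        return False, "authenticated ID is not trusted"
    # 3. The asserted client identity (user name only, no password) must
    #    exist in the target registry before it is used for authorization.
    if asserted_user not in REGISTRY:
        return False, "asserted user not in registry"
    return True, asserted_user


if __name__ == "__main__":
    for case in [("gateway-svc", "gw-secret", "alice"),
                 ("batch-svc", "batch-pw", "alice"),
                 ("gateway-svc", "wrong", "alice"),
                 ("gateway-svc", "gw-secret", "unknown-user")]:
        print(case, "->", accept_assertion(*case))
```

The second case is the one to watch when reviewing a configuration: an account that authenticates correctly is still rejected because its user ID is missing from the trust list.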
What to do next
For more information on getting started with the Web Services Editor within an assembly tool, see Configuring the server security bindings using an assembly tool.
After you specify how the server handles identity assertion authentication information, you must specify how the server validates the authentication information. See the task for configuring the server to validate identity assertion authentication information.