The purpose of identity assertion is to assert
the authenticated identity of the originating client from a Web service to
a downstream Web service. You can configure identity assertion authentication
for the server. Do not attempt to configure identity assertion from a pure
client.
About this task
Important: There is an important distinction between
Version 5.x and Version 6.0.x and later applications. The information
in this article supports Version 5.x applications only that are used
with WebSphere® Application
Server Version 6.0.x and later. The information does not apply to Version
6.0.x and later applications.
For the downstream
Web service to accept the identity of the originating client (user name only),
you must supply a special trusted BasicAuth credential that the downstream
Web service trusts and can authenticate successfully. You must specify the
user ID of the special BasicAuth credential in a trusted ID evaluator on the
downstream Web service configuration. For more information on trusted ID evaluators,
see Trusted ID evaluator. The server
side passes the special BasicAuth credential into the trusted ID evaluator,
which returns true or false that this ID is trusted. After
it is trusted, the user name of the client is mapped to the credential, which
is used for authorization.
Complete the following steps to configure
the server to handle identity assertion authentication information:
Procedure
- Launch an assembly tool. For more information, see the
related information on Assembly Tools.
- Switch to the Java™ Platform, Enterprise Edition (Java EE)
perspective. Click Window > Open Perspective > J2EE.
- Click EJB Projects > application_name >
ejbModule > META-INF.
- Right-click the webservices.xml file, and click Open
with > Web services editor.
- Click the Extensions tab, which is located at the bottom
of the Web services editor within the assembly tool.
- Expand the Request receiver service configuration details >
Login configuration section. The options you can select
are:
- BasicAuth
- Signature
- ID assertion
- LTPA (Lightweight Third Party Authentication)
- Select IDAssertion to authenticate the client using the
identity assertion data provided.
The user
ID of the client must be in the target user registry or repository, which
is configured on the Security > Global security panel
in the administrative console for WebSphere Application Server. You
can select multiple login configurations, which means that different types
of security information can be received at the server. The order in which
the login configurations are added determines the processing order when a
request is received. Problems can occur if you have multiple login configurations
added that have common security tokens. For example, ID assertion contains
a BasicAuth token, which is the trusted token. For ID assertion to work properly,
you must list ID assertion ahead of BasicAuth in the list or BasicAuth processing
overrides ID assertion processing.
- Expand the IDAssertion section and select both the ID
Type and the Trust Mode.
- For ID Type, the options are:
- Username
- DN (distinguished name)
- X509certificate
These choices are just preferences and are not guaranteed. Most of the
time the Username option is used. You must choose the same ID Type as the
client.
- For Trust Mode, the options are:
The Trust Mode refers to the information sent by the client as the trusted
ID.
- If you select BasicAuth, the client sends basic authentication
data (user ID and password). This BasicAuth data is authenticated to the configured
user registry. When the authentication occurs successfully, the user ID must
be part of the trusted ID evaluator trust list.
- If you select Signature, the client signing certificate is sent.
This certificate must be mappable to the configured user registry. For Local
OS, the common name (CN) of the distinguished name (DN) is mapped to a
user ID in the registry. For Lightweight Directory Access Protocol (LDAP),
the DN is mapped to the registry for the ExactDN mode. If it is in the CertificateFilter
mode, attributes are mapped accordingly. In addition, the user name from the
credential generated must be in the Trusted ID Evaluator trust list.
What to do next
For more information on getting started with the Web Services Editor
within an assembly tool, see
Configuring the server security bindings using an assembly tool.
After
you specify how the server handles identity assertion authentication information,
you must specify how the server validates the authentication information.
See the task for configuring the server to validate identity assertion authentication
information.