When a client authenticates to a server, the received credential is set. When the authorization engine checks the credential to determine whether access is permitted, it also sets the invocation credential. With identity assertion, it is this invocation credential that is asserted to the downstream server.
When a client authenticates to a server, the received credential is set. When the authorization engine checks the credential to determine whether access is permitted, it also sets the invocation credential so that if the Enterprise JavaBeans™ (EJB) method calls another EJB method that is located on other servers, the invocation credential can be the identity used to invoke the downstream method. Depending on the RunAs mode for the enterprise beans, the invocation credential is set as the originating client identity, the server identity, or a specified different identity. Regardless of the identity that is set, when identity assertion is enabled, it is the invocation credential that is asserted to the downstream server.
The invocation credential identity is sent to the downstream server in an identity token. In addition, the sending server identity, including the password or token, is sent in the client authentication token when basic authentication is enabled. When client certificate authentication is enabled, the sending server identity is sent through Secure Sockets Layer (SSL) client certificate authentication instead. Basic authentication takes precedence over client certificate authentication.
The sending server identity is sent using an SSL client certificate. If SSL is not used, the server identity is not sent.
The target server validates the authority of the sending server to assert an identity by the client certificate. The client certificate is mapped to a System Authorization Facility (SAF) user ID, and that user ID must have update authority to the CBIND.servername profile. If a client certificate is not sent, the CBIND check is performed against the default user ID, so a sending server that did not authenticate over SSL can assert an identity only if the default user ID has been granted that authority.
After the identity format is understood and parsed, the identity maps to a credential. For an ITTPrincipal identity token, this identity maps one-to-one with the user ID fields.
For an ITTDistinguishedName identity token, the mapping depends on the user registry. For Lightweight Directory Access Protocol (LDAP), the configured search filter determines how the mapping occurs. For LocalOS, the first attribute of the distinguished name (DN), which is typically the same as the common name, maps to the user ID of the registry.
ITTDistinguishedName identity tokens and ITTCertChain identity tokens are mapped in the same way. Both types of identity tokens use a certificate that is mapped to a SAF user ID using the RACDCERT command or equivalent mapping functions. The mapping can be based on the subject name or the issuer's name.
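The two steps described above, the target server first checking that the sending server is authorised to assert an identity and then mapping the identity token to a registry user ID, modelled as an added Python example. This is illustrative code written for this page, not WebSphere Application Server or CSIv2 code: the class and function names, the trusted-server table that stands in for the CBIND check, the in-memory LocalOS and LDAP registries, the user filter, the default user ID and the sample DNs are all constructed assumptions. It carries the text's two mapping rules (LDAP through the configured filter, LocalOS through the first attribute of the DN, which need not be CN) and the two rejection cases a practitioner should expect: a sender that is not authorised to assert, and a sender that used no SSL and therefore falls to the default user ID.

```python
"""Model of a target server's handling of a CSIv2 identity assertion.

Added illustration for this page: not WebSphere Application Server or CSIv2
code. Names, the trusted-server table, the registries and the sample data
are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Token types as the text names them (the CSIv2 IDL calls them
# ITTPrincipalName and ITTDistinguishedName).
ITT_PRINCIPAL = "ITTPrincipal"
ITT_DN = "ITTDistinguishedName"


class AssertionRejected(Exception):
    """Raised when the target server refuses the asserted identity."""


@dataclass
class IdentityToken:
    kind: str
    value: str              # user ID, or an RFC 4514 DN string


@dataclass
class SenderAuth:
    """What the sending server presented for itself on the same request."""
    basic_user: Optional[str] = None    # client authentication token (basic auth)
    cert_subject: Optional[str] = None  # subject DN of its SSL client certificate


def split_escaped(s: str, sep: str) -> list:
    """Split on sep, ignoring separators protected by an RFC 4514 backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep the escape pair for unescape()
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value: str) -> str:
    """Resolve \\XX hex pairs and single-character escapes in an RDN value."""
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)",
                  lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2
                  else m.group(1), value)


def first_attribute_value(dn: str) -> str:
    """LocalOS rule from the text: the value of the first attribute of the DN,
    whatever its type (usually CN), is taken as the registry user ID."""
    first_ava = split_escaped(split_escaped(dn, ",")[0], "+")[0]
    if "=" not in first_ava:
        raise AssertionRejected(f"malformed DN: {dn!r}")
    return unescape(first_ava.split("=", 1)[1].strip())


def normalise_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in split_escaped(dn, ","))


class LocalOSRegistry:
    def __init__(self, user_ids):
        self.user_ids = set(user_ids)

    def lookup(self, user_id: str) -> str:
        if user_id not in self.user_ids:       # assumption: mapped ID must exist
            raise AssertionRejected(f"unknown user {user_id!r}")
        return user_id

    def map_dn(self, dn: str) -> str:
        return self.lookup(first_attribute_value(dn))


class LdapRegistry:
    """Stand-in for an LDAP registry: the attribute compared with %v in the
    configured user filter is returned as the user ID (model assumption)."""
    def __init__(self, entries: dict, user_filter="(&(uid=%v)(objectClass=ePerson))"):
        m = re.search(r"\((\w+)=%v\)", user_filter)
        if not m:
            raise ValueError("user filter must compare an attribute with %v")
        self.login_attr = m.group(1)
        self.entries = {normalise_dn(dn): attrs for dn, attrs in entries.items()}

    def lookup(self, user_id: str) -> str:
        if not any(a.get(self.login_attr) == user_id for a in self.entries.values()):
            raise AssertionRejected(f"unknown user {user_id!r}")
        return user_id

    def map_dn(self, dn: str) -> str:
        attrs = self.entries.get(normalise_dn(dn))
        if attrs is None or self.login_attr not in attrs:
            raise AssertionRejected(f"no registry entry for {dn!r}")
        return attrs[self.login_attr]


@dataclass
class TargetServer:
    trusted_servers: set        # identities allowed to assert (the CBIND-style check)
    registry: object
    default_user: str = "DEFAULT_USER"   # checked when the sender presented nothing

    def sender_identity(self, auth: SenderAuth) -> str:
        # Basic authentication takes precedence over the client certificate.
        if auth.basic_user:
            return auth.basic_user
        if auth.cert_subject:
            return auth.cert_subject    # on z/OS this DN would be mapped to a SAF ID
        return self.default_user        # no SSL: identity not sent, default ID is checked

    def accept_assertion(self, auth: SenderAuth, token: IdentityToken) -> str:
        sender = self.sender_identity(auth)
        if sender not in self.trusted_servers:
            raise AssertionRejected(f"{sender!r} is not authorised to assert identities")
        if token.kind == ITT_PRINCIPAL:
            return self.registry.lookup(token.value)
        if token.kind == ITT_DN:
            return self.registry.map_dn(token.value)
        raise AssertionRejected(f"unsupported token type {token.kind!r}")


def demo() -> dict:
    """Constructed scenarios; returns the mapped user ID or the rejection text."""
    ldap = LdapRegistry({"CN=Alice Smith,OU=Staff,O=Example":
                         {"uid": "asmith", "objectClass": "ePerson"}})
    localos = LocalOSRegistry({"alice", "bob", "svc01"})
    trusted = {"ws_server1", "CN=ws-node2,O=Example"}

    def run(target, auth, token):
        try:
            return target.accept_assertion(auth, token)
        except AssertionRejected as e:
            return f"REJECTED: {e}"

    return {
        "ldap_dn": run(TargetServer(trusted, ldap), SenderAuth(basic_user="ws_server1"),
                       IdentityToken(ITT_DN, "cn=Alice Smith, ou=Staff, o=Example")),
        "localos_first_attr": run(TargetServer(trusted, localos),
                                  SenderAuth(cert_subject="CN=ws-node2,O=Example"),
                                  IdentityToken(ITT_DN, "UID=bob,O=Example")),
        "untrusted_sender": run(TargetServer(trusted, localos), SenderAuth(basic_user="rogue"),
                                IdentityToken(ITT_PRINCIPAL, "alice")),
        "no_ssl": run(TargetServer(trusted, localos), SenderAuth(),
                      IdentityToken(ITT_PRINCIPAL, "alice")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The trusted-server check runs before any mapping: the asserted identity is only as trustworthy as the server asserting it, so an identity token from an unauthorised or unauthenticated sender is refused regardless of its content. The DN splitter honours backslash escapes, so a comma inside a CN value (for example `CN=Doe\, Jane`) does not cut the RDN short.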
Identity assertion is only available using the Common Secure Interoperability Version 2 (CSIv2) protocol.