Identity assertion is a method for expressing the identity
of the sender (for example, user name) in a SOAP message. When identity
assertion is used as an authentication method, the authentication
decision is performed based only on the name of the identity and not
on other information, such as passwords and certificates.
Important: There is an important distinction between Version 5.x and Version 6.0.x and later applications. The information in this article supports only Version 5.x applications that are used with WebSphere® Application Server Version 6.0.x and later. The information does not apply to Version 6.0.x and later applications.
Identity assertion involves:
- ID type. The Web Services Security implementation in WebSphere Application Server can handle these identity types:
  - User name: Denotes the user name, such as the one in the local operating system (for example, alice). This name is embedded in the <Username> element within the <UsernameToken> element.
  - DN: Denotes the distinguished name (DN) for the user, such as "CN=alice, O=IBM, C=US". This name is embedded in the <Username> element within the <UsernameToken> element.
  - X.509 certificate: Represents the identity of the user as an X.509 certificate instead of a string name. This certificate is embedded in the <BinarySecurityToken> element.
- Managing trust. The intermediary host in the SOAP message itinerary can assert the claimed identity of the initial sender. Two methods (called trust modes) are supported for this assertion:
  - Basic authentication: The intermediary adds its own user name and password pair to the message.
  - Signature: The intermediary digitally signs the <UsernameToken> element of the initial sender.
    Note: This trust mode does not support the X.509 certificate ID type.
- Typical scenario. ID assertion is typically used in a multi-hop environment where the SOAP message passes through one or more intermediary hosts. The intermediary host authenticates the initial sender. The following scenario describes the process:
  - The initial sender sends a SOAP message to the intermediary host with some embedded authentication information. This authentication information might be a user name and password pair with a Lightweight Third Party Authentication (LTPA) token.
  - The intermediary host authenticates the initial sender according to the embedded authentication information.
  - The intermediary host removes the authentication information from the SOAP message and replaces it with a <UsernameToken> element that contains only a user name.
  - The intermediary host asserts the trust according to the trust mode.
  - The intermediary host sends the updated SOAP message to the ultimate receiver.
  - The ultimate receiver checks the trust against the intermediary host information according to the configured trust mode. The trusted ID evaluator is also invoked.
  - If trust is established by the ultimate receiver, the receiver invokes the web service under the authorization of the user name (that is, the initial sender) carried in the SOAP message.
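The following Python model walks the ID types, the two trust modes and the seven-step scenario above end to end. It is an added example, not IBM's or WebSphere's code: the registries, the `gateway` and `auditor` intermediaries, the `urn:example:trust-assertion` namespace and the `run_scenario` helper are all constructed for illustration, and an HMAC over the serialized <UsernameToken> stands in for the XML Signature that the real Signature trust mode applies. The point it makes is the one the scenario relies on: the ultimate receiver authenticates the intermediary, then asks the trusted ID evaluator whether that intermediary may assert identities at all, and only then runs the service under the asserted user name.

```python
"""Identity assertion across an intermediary: initial sender -> intermediary -> ultimate receiver.
Constructed example; an HMAC over the serialized <UsernameToken> stands in for the
XML Signature that the real "Signature" trust mode applies."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
TRUST = "urn:example:trust-assertion"  # constructed namespace for the simplified signature element
for prefix, uri in (("soapenv", SOAP), ("wsse", WSSE), ("trust", TRUST)):
    ET.register_namespace(prefix, uri)

# Constructed registries; a deployment reads these from its user registry and keystore.
SENDER_REGISTRY = {"alice": "alice-pw", "CN=alice, O=IBM, C=US": "alice-pw"}  # user-name and DN ID types
INTERMEDIARY_REGISTRY = {"gateway": "gateway-pw", "auditor": "auditor-pw"}   # basic authentication trust mode
INTERMEDIARY_KEYS = {"gateway": b"gateway-signing-key"}  # stands in for the intermediary's signing certificate
TRUSTED_IDS = {"gateway"}  # consulted by the trusted ID evaluator; "auditor" authenticates but may not assert

def _q(ns, tag):
    return "{%s}%s" % (ns, tag)

def _canonical(token):
    return ET.tostring(token)  # simplification: WS-Security signs an exclusive-C14N form of the element

def build_initial_message(user, password):
    """Step 1: the initial sender embeds a user name and password pair."""
    env = ET.Element(_q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, _q(SOAP, "Header")), _q(WSSE, "Security"))
    token = ET.SubElement(sec, _q(WSSE, "UsernameToken"))
    ET.SubElement(token, _q(WSSE, "Username")).text = user
    ET.SubElement(token, _q(WSSE, "Password")).text = password
    ET.SubElement(ET.SubElement(env, _q(SOAP, "Body")), "getBalance")
    return ET.tostring(env)

def intermediary_process(message, intermediary_id, secret, trust_mode):
    """Steps 2-5: authenticate the initial sender, strip its secret, leave a user-name-only
    <UsernameToken>, then assert trust. `secret` is the intermediary's own password (basic)
    or signing key (signature)."""
    env = ET.fromstring(message)
    sec = env.find("./%s/%s" % (_q(SOAP, "Header"), _q(WSSE, "Security")))
    token = sec.find(_q(WSSE, "UsernameToken"))
    user = token.findtext(_q(WSSE, "Username"))
    pw_el = token.find(_q(WSSE, "Password"))
    if user not in SENDER_REGISTRY or pw_el is None or not hmac.compare_digest(
            SENDER_REGISTRY[user], pw_el.text or ""):
        raise PermissionError("intermediary: initial sender not authenticated")
    token.remove(pw_el)  # step 3: only the asserted identity stays in the message
    if trust_mode == "basic":  # the intermediary adds its own user name and password pair
        own = ET.SubElement(sec, _q(WSSE, "UsernameToken"))
        ET.SubElement(own, _q(WSSE, "Username")).text = intermediary_id
        ET.SubElement(own, _q(WSSE, "Password")).text = secret
    elif trust_mode == "signature":  # the intermediary signs the initial sender's <UsernameToken>
        sig = ET.SubElement(sec, _q(TRUST, "Signature"), signer=intermediary_id)
        sig.text = hmac.new(secret, _canonical(token), hashlib.sha256).hexdigest()
    else:
        raise ValueError("unknown trust mode: %s" % trust_mode)
    return ET.tostring(env)  # step 5: forwarded to the ultimate receiver

def trusted_id_evaluator(intermediary_id):
    """Trusted ID evaluator: may this (already authenticated) intermediary assert identities?"""
    return intermediary_id in TRUSTED_IDS

def receiver_process(message, trust_mode):
    """Steps 6-7: check trust in the configured mode, run the trusted ID evaluator, and only
    then return the asserted user name that the web service is invoked under."""
    env = ET.fromstring(message)
    sec = env.find("./%s/%s" % (_q(SOAP, "Header"), _q(WSSE, "Security")))
    tokens = sec.findall(_q(WSSE, "UsernameToken"))
    asserted = [t for t in tokens if t.find(_q(WSSE, "Password")) is None]
    creds = [t for t in tokens if t.find(_q(WSSE, "Password")) is not None]
    if len(asserted) != 1:
        raise PermissionError("receiver: expected exactly one asserted identity")
    if trust_mode == "basic":
        who = creds[0].findtext(_q(WSSE, "Username")) if len(creds) == 1 else None
        if who not in INTERMEDIARY_REGISTRY or not hmac.compare_digest(
                INTERMEDIARY_REGISTRY[who], creds[0].findtext(_q(WSSE, "Password"))):
            raise PermissionError("receiver: intermediary not authenticated")
    elif trust_mode == "signature":
        sig = sec.find(_q(TRUST, "Signature"))
        who = sig.get("signer") if sig is not None else None
        if who not in INTERMEDIARY_KEYS or not hmac.compare_digest(
                hmac.new(INTERMEDIARY_KEYS[who], _canonical(asserted[0]), hashlib.sha256).hexdigest(),
                sig.text or ""):
            raise PermissionError("receiver: signature over <UsernameToken> does not verify")
    else:
        raise ValueError("unknown trust mode: %s" % trust_mode)
    if not trusted_id_evaluator(who):  # authenticated is not the same as allowed to assert
        raise PermissionError("receiver: %s may not assert identities" % who)
    return asserted[0].findtext(_q(WSSE, "Username"))

def run_scenario(user, password, intermediary_id, secret, trust_mode):
    """Whole itinerary; returns the identity the ultimate receiver authorizes, or raises."""
    hop1 = build_initial_message(user, password)
    hop2 = intermediary_process(hop1, intermediary_id, secret, trust_mode)
    return receiver_process(hop2, trust_mode)

if __name__ == "__main__":
    print(run_scenario("alice", "alice-pw", "gateway", "gateway-pw", "basic"))
    print(run_scenario("alice", "alice-pw", "gateway", b"gateway-signing-key", "signature"))
```

Both the user-name and DN ID types travel unchanged in <Username>; the receiver never sees the initial sender's password, which is why everything rests on authenticating the intermediary and on the trusted ID evaluator's answer. In the signature mode, any change to the asserted user name after the intermediary signed it breaks verification, which is the property the mode exists to provide.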