IBM Integration Bus, Version 9.0.0.8 Operating Systems: AIX, HP-Itanium, Linux, Solaris, Windows, z/OS

Authentication and validation

Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. Applying authentication to a SAML security token involves validating the assertions that it carries and confirming that it is being processed within its validity period.

In IBM® Integration Bus message flow security, authentication involves the security manager passing the identity type and token to an external security provider. For more information about security tokens, see Identity.

Diagram showing the flow of identity authentication.

The external security providers (also known as Policy Decision Points) that are supported for authentication are described in the rest of this topic. The external security provider checks the identity and returns a value to confirm whether the identity is authentic. If the identity is not authentic, a security exception is raised.

Consider setting the Reject Empty Password property to TRUE to specify that you want the security manager to reject a user name during authentication if the user name has an empty password token, without authenticating the user name with the configured provider.

Some identity providers support only a single type of authentication token. If a token of another type is passed into the message flow, an exception is raised. For example, LDAP supports only a Username and password token.
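The following is an added example, not IBM Integration Bus code, that models the behaviour described above in Python: the security manager hands the identity type and token to one configured provider, a provider that accepts only Username and password tokens (the LDAP case) rejects any other token type with a security exception, the Reject Empty Password setting rejects a blank password without contacting the provider at all, and a SAML-style provider checks the assertion's issuer and validity period before confirming the identity. Provider classes, token type names, the sample directory and the timestamps are constructed for the illustration; times are plain epoch seconds.

```python
"""Toy model of the message-flow authentication step on this page.
Added example, not IBM Integration Bus code: the class names, the token
type names ("usernameAndPassword", "saml") and all sample data are
constructed for illustration."""
import time
from dataclasses import dataclass
from typing import Optional


class SecurityException(Exception):
    """Raised when the identity is not authentic or the token is rejected."""


@dataclass(frozen=True)
class IdentityToken:
    token_type: str                      # hypothetical: "usernameAndPassword" or "saml"
    username: str = ""
    password: Optional[str] = None       # Username and password tokens only
    issuer: Optional[str] = None         # SAML only: who issued the assertion
    not_before: Optional[int] = None     # SAML validity window start (epoch seconds)
    not_on_or_after: Optional[int] = None  # SAML validity window end (epoch seconds)


class LdapProvider:
    """Stand-in for an LDAP v3 policy decision point. As the page states for
    LDAP, it supports only Username and password tokens."""
    supported_types = frozenset({"usernameAndPassword"})

    def __init__(self, directory: dict):
        self._directory = directory   # constructed: username -> password
        self.calls = 0                # how many times the provider was contacted

    def authenticate(self, token: IdentityToken, now: int) -> bool:
        self.calls += 1
        return self._directory.get(token.username) == token.password


class SamlProvider:
    """Stand-in for a token service that validates a SAML token: the issuer
    must be trusted and processing must fall inside the validity period."""
    supported_types = frozenset({"saml"})

    def __init__(self, trusted_issuers: set):
        self._trusted = trusted_issuers
        self.calls = 0

    def authenticate(self, token: IdentityToken, now: int) -> bool:
        self.calls += 1
        if token.issuer not in self._trusted:
            return False
        if token.not_before is not None and now < token.not_before:
            return False                # assertion not yet valid
        if token.not_on_or_after is not None and now >= token.not_on_or_after:
            return False                # assertion expired
        return True


class SecurityManager:
    """Passes identity type and token to the configured provider and turns a
    negative answer into a security exception."""

    def __init__(self, provider, reject_empty_password: bool = False):
        self.provider = provider
        self.reject_empty_password = reject_empty_password

    def authenticate(self, token: IdentityToken, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if token.token_type not in self.provider.supported_types:
            raise SecurityException(
                f"provider does not accept {token.token_type} tokens")
        if (self.reject_empty_password
                and token.token_type == "usernameAndPassword"
                and not token.password):
            # Rejected locally: the provider is never contacted.
            raise SecurityException("empty password rejected")
        if not self.provider.authenticate(token, now):
            raise SecurityException("identity is not authentic")
        return token.username


def outcome(manager: SecurityManager, token: IdentityToken, now=None) -> str:
    """Return 'ok:<user>' or 'rejected:<reason>' for one token."""
    try:
        return "ok:" + manager.authenticate(token, now)
    except SecurityException as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    ldap = LdapProvider({"alice": "s3cret"})   # constructed directory
    mgr = SecurityManager(ldap, reject_empty_password=True)
    print(outcome(mgr, IdentityToken("usernameAndPassword", "alice", "s3cret")))
    print(outcome(mgr, IdentityToken("usernameAndPassword", "alice", "")))
    print(outcome(mgr, IdentityToken("saml", "alice", issuer="sts.example")))
    print("provider contacted", ldap.calls, "time(s)")
```

The `calls` counter on each provider makes the Reject Empty Password behaviour visible: a blank password is refused before the provider is consulted, so the count does not change, whereas a wrong password does reach the provider and is refused there.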

You can use an LDAP provider for the authentication of an incoming identity token. The LDAP server must be LDAP Version 3 compliant.

Alternatively, you can use a WS-Trust v1.3 STS provider (for example, TFIM Version 6.2) for the authentication of an incoming identity or security token. The security manager invokes the WS-Trust v1.3 provider once, even if it is set for additional security operations (such as mapping or authorization). As a result, when you are using TFIM, you must configure a single module chain to perform all the required authentication, mapping, and authorization operations.

For more information about using TFIM V6.2 for authentication, see Authentication, mapping, and authorization with TFIM V6.2 and TAM.

TFIM V6.1 is also supported, for compatibility with previous versions of IBM Integration Bus. For more information about using TFIM V6.1 for authentication, see Authentication, mapping, and authorization with TFIM V6.1 and TAM.

Windows domain controller and Kerberos Key Distribution Center providers are reached by using Integrated Windows Authentication. For more information, see Integrated Windows Authentication.


ap04020_.htm | Last updated Friday, 21 July 2017