Configuring authorization with a WS-Trust v1.3 STS (TFIM V6.2)
You can configure supported message flow input nodes or SecurityPEP nodes to perform authorization of an identity or security token by using a WS-Trust v1.3 compliant Security Token Service (STS), such as Tivoli® Federated Identity Manager (TFIM) V6.2.
Before you begin
Before you configure a message flow to perform authorization with a WS-Trust v1.3 STS:
- Check that an appropriate security profile exists, or create a new security profile. See Creating a security profile for WS-Trust V1.3 (TFIM V6.2).
About this task
The message flow security manager issues an authorization request to the WS-Trust service with the following parameters, which select the TFIM module chain to be used:
- RequestType
- Issuer
- AppliesTo
For more information about these parameters, see: Authentication, mapping, and authorization with TFIM V6.2 and TAM.
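The authorization request is a WS-Trust RequestSecurityToken (RST) whose RequestType, Issuer and AppliesTo elements carry the three selectors listed above, and the STS answers with a RequestSecurityTokenResponse (RSTR) whose Status element says whether the token was accepted. The following Python example is added here for illustration; it is not code from IBM App Connect Enterprise or TFIM. The Validate RequestType and the status URIs come from the WS-Trust 1.3 specification. Placing the token in wst:ValidateTarget, the sample username token, the sample Issuer and AppliesTo values, and the sample responses are constructed assumptions, not messages captured from an ACE or TFIM deployment.

```python
"""Build a WS-Trust 1.3 Validate request carrying RequestType, Issuer and
AppliesTo, and evaluate the Status of a (constructed) STS response.
Added example; not App Connect Enterprise or TFIM code."""

import xml.etree.ElementTree as ET

# Namespaces defined by the WS-Trust 1.3, WS-Policy, WS-Addressing and
# WS-Security specifications.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Standard WS-Trust 1.3 RequestType and Status/Code URIs (from the spec).
VALIDATE = WST + "/Validate"
STATUS_VALID = WST + "/status/valid"
STATUS_INVALID = WST + "/status/invalid"

for prefix, uri in (("wst", WST), ("wsp", WSP), ("wsa", WSA), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)


def build_validate_rst(token_xml: str, issuer: str, applies_to: str) -> bytes:
    """Return a serialized RST with the three selectors TFIM uses to pick a
    module chain. Wrapping the token in wst:ValidateTarget is an assumption
    about the request layout; the page only names the parameters."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = VALIDATE

    # wst:Issuer is a WS-Addressing EndpointReference, so wsa:Address sits
    # directly beneath it.
    issuer_el = ET.SubElement(rst, f"{{{WST}}}Issuer")
    ET.SubElement(issuer_el, f"{{{WSA}}}Address").text = issuer

    # wsp:AppliesTo wraps an explicit wsa:EndpointReference.
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to

    target = ET.SubElement(rst, f"{{{WST}}}ValidateTarget")
    target.append(ET.fromstring(token_xml))
    return ET.tostring(rst, encoding="utf-8")


def rst_selectors(rst_xml: bytes) -> dict:
    """Read the three selector values back out of an RST (useful when
    auditing what the security manager actually sent to the STS)."""
    root = ET.fromstring(rst_xml)
    return {
        "RequestType": root.findtext(f"{{{WST}}}RequestType"),
        "Issuer": root.findtext(f"{{{WST}}}Issuer/{{{WSA}}}Address"),
        "AppliesTo": root.findtext(
            f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address"),
    }


def is_authorized(rstr_xml: str) -> bool:
    """Decide authorization from wst:Status/wst:Code in the response.

    Fails closed: only the exact 'valid' URI authorizes. A missing Status,
    the 'invalid' URI, an unknown code or a wrong namespace all deny."""
    root = ET.fromstring(rstr_xml)
    # The RSTR may arrive inside a RequestSecurityTokenResponseCollection,
    # so search descendants rather than assuming a fixed depth.
    code = root.findtext(f".//{{{WST}}}Status/{{{WST}}}Code")
    return code == STATUS_VALID


# Constructed sample data (assumptions, not captured from TFIM or ACE).
SAMPLE_TOKEN = (f'<wsse:UsernameToken xmlns:wsse="{WSSE}">'
                '<wsse:Username>alice</wsse:Username></wsse:UsernameToken>')
SAMPLE_ISSUER = "urn:example:issuer"            # placeholder value
SAMPLE_APPLIES_TO = "http://example.com/Order"  # placeholder value

SAMPLE_RSTR_VALID = f"""<wst:RequestSecurityTokenResponseCollection xmlns:wst="{WST}">
  <wst:RequestSecurityTokenResponse>
    <wst:Status><wst:Code>{STATUS_VALID}</wst:Code></wst:Status>
  </wst:RequestSecurityTokenResponse>
</wst:RequestSecurityTokenResponseCollection>"""

SAMPLE_RSTR_INVALID = f"""<wst:RequestSecurityTokenResponse xmlns:wst="{WST}">
  <wst:Status>
    <wst:Code>{STATUS_INVALID}</wst:Code>
    <wst:Reason>No module chain matched Issuer/AppliesTo</wst:Reason>
  </wst:Status>
</wst:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    rst = build_validate_rst(SAMPLE_TOKEN, SAMPLE_ISSUER, SAMPLE_APPLIES_TO)
    print(rst.decode())
    print(rst_selectors(rst))
    print("valid response   ->", is_authorized(SAMPLE_RSTR_VALID))
    print("invalid response ->", is_authorized(SAMPLE_RSTR_INVALID))
```

The point to take from the response side is that the decision compares the Code text against the full status URI and treats every other outcome as a deny; a check that merely looks for the substring "valid" would also match "invalid".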
In addition to configuring IBM App Connect Enterprise to perform authorization with a WS-Trust compliant STS, you must configure TAM. For information about how to do this, see the following topics:
Steps for enabling authorization using a WS-Trust v1.3 STS provider:
Procedure
To enable an existing message flow to enforce authorization using a WS-Trust v1.3 STS provider, use the BAR editor to select a security profile that has authorization set for that provider.
You can set a security profile on a message flow or on individual input nodes or SecurityPEP nodes.
If you leave the Security Profile property blank, the node inherits the Security Profile property that is set at the message flow level. If you leave the property blank at both levels, security is turned off for the node.
- In the IBM App Connect Enterprise Toolkit, right-click the BAR file, then click Open with > BAR Editor.
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the
security profile. The properties that you can configure for the message flow or for the node are displayed in the Properties view.
- In the Security Profile Name field, select a security profile that has authorization set for WS-Trust V1.3 STS.
- Save the BAR file.
What to do next
For a SOAPInput node to use the token in the WS-Security header (rather than an underlying transport identity), an appropriate policy set and bindings must also be defined and specified.
The WS-Trust v1.3 specification is available at: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html.