Authentication and validation
Authentication is the process of establishing the identity of a user or system and verifying that the identity is valid. Applying authentication to a SAML security token involves validating the assertions that it carries and confirming that it is being processed within its validity period.
In IBM® App Connect Enterprise message flow security, authentication involves the security manager either passing the identity type and token to an external security provider or checking the identity by using credentials stored locally in the integration server's vault. For more information about security tokens, see Identity.
Authentication by an external security provider is supported with the following providers:

- Lightweight Directory Access Protocol (LDAP)
- Tivoli® Federated Identity Manager (TFIM) V6.1
- WS-Trust V1.3 Security Token Service (STS), including TFIM V6.2
- Windows domain controller and Kerberos Key Distribution Center
Consider setting the Reject Empty Password property to TRUE. With this setting, the security manager rejects a user name during authentication if its password token is empty, without first authenticating the user name with the configured provider.
Some identity providers support only a single type of authentication token. If a token of another type is passed into the message flow, an exception is raised. For example, LDAP supports only a Username and password token.
You can use an LDAP provider for the authentication of an incoming identity token. The LDAP server must be LDAP Version 3 compliant.
Alternatively, you can use a WS-Trust v1.3 STS provider (for example, TFIM Version 6.2) for the authentication of an incoming identity or security token. The security manager invokes the WS-Trust v1.3 provider once, even if it is set for additional security operations (such as mapping or authorization). As a result, when you are using TFIM, you must configure a single module chain to perform all the required authentication, mapping, and authorization operations.
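The following Python model is an added illustration, not IBM App Connect Enterprise code, of the decision sequence described above: the Reject Empty Password short-circuit, a provider raising on an unsupported token type (LDAP accepting only a Username and password token), and a single WS-Trust invocation covering every configured operation. The provider names are from the page; the sample directory, token kind labels and the set of token types the STS accepts are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample directory standing in for the external provider's user store.
DIRECTORY = {"alice": "s3cret"}

# Token types each provider accepts. LDAP accepting only a Username and
# password token is from the text; the STS entry is an assumption of this model.
PROVIDER_TOKEN_TYPES = {
    "LDAP": {"usernamepassword"},
    "WS-Trust v1.3 STS": {"usernamepassword", "saml", "x509"},
}


@dataclass(frozen=True)
class Token:
    kind: str           # constructed label: "usernamepassword", "saml" or "x509"
    username: str = ""
    password: str = ""


class SecurityError(Exception):
    pass


class SecurityProfile:
    """Models the security manager's decision sequence for one security profile."""

    def __init__(self, provider, operations=("authentication",), reject_empty_password=False):
        self.provider = provider
        self.operations = tuple(operations)          # e.g. authentication, mapping, authorization
        self.reject_empty_password = reject_empty_password
        self.provider_calls = 0                      # round trips made to the external provider

    def _invoke_provider(self, token):
        # Stand-in for the external call. One round trip covers every operation the
        # profile is configured for, which is the single-invocation rule for WS-Trust.
        self.provider_calls += 1
        if token.kind == "usernamepassword" and DIRECTORY.get(token.username) != token.password:
            raise SecurityError("provider rejected the credentials")
        return {op: "ok" for op in self.operations}

    def process(self, token):
        # 1. Reject Empty Password = TRUE rejects the user name before any provider contact.
        if self.reject_empty_password and token.kind == "usernamepassword" and token.password == "":
            raise SecurityError("empty password rejected without contacting the provider")
        # 2. A token type the provider does not support raises an exception; there is no fallback.
        if token.kind not in PROVIDER_TOKEN_TYPES[self.provider]:
            raise SecurityError(f"{self.provider} does not support {token.kind} tokens")
        # 3. Exactly one provider invocation, however many operations are configured.
        return self._invoke_provider(token)
```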
For more information about using TFIM V6.2 for authentication, see Authentication, mapping, and authorization with TFIM V6.2 and TAM.
TFIM V6.1 is also supported, for compatibility with previous versions of IBM App Connect Enterprise. For more information about using TFIM V6.1 for authentication, see Authentication, mapping, and authorization with TFIM V6.1 and TAM.
Authentication using locally stored credentials:
As an alternative to using an external security provider, you can implement basic authentication on incoming requests by using credentials stored locally in an independent integration server's vault. For information about using locally stored credentials, see Authenticating incoming requests by using credentials stored in the vault.