IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Deploying security token service modules

Use the Tivoli® Federated Identity Manager management console to configure and deploy a security token service.

About this task

Deploying STS modules involves creating instances of module types, and assembling module instances into a security trust service chain. Each module is set to one token handling task.

Procedure

  1. Copy these jar files to the <TFIM installation root path>/plugins directory:
    • com.tivoli.am.fim.sts.modules.tamesso.jar
    • com.ibm.tamesso.webapi.contract.jar
    • com.ibm.tamesso.webapi.wsClient.jar
    • com.ibm.tamesso.webapi.wsClientWrapper.jar
  2. Use the Tivoli Federated Identity Manager console to publish the modules:
    a. Expand the Tivoli Federated Identity Manager Options pane.
    b. Select Domain Management > Runtime Node Management.
    c. Click Publish Plug-In. A message prompts you to load configuration changes.
    d. Click Load Configuration changes to Tivoli Federated Identity Manager runtime.
  3. Create new instances of the custom STS modules:
    a. In the Management Console, click Configure Trust Service > Module Instances.
    b. Click Create.
    c. Select a module type. For example: VerifyUser.
    d. Click Next.
    e. Type a name for each instance, for example VerifyUserInstance.
    f. Repeat steps b to d until you create the following module instances:
       Module type               Module instance name
       VerifyUser                VerifyUserInstance
       GetUserCredentials        GetUserCredentialsInstance
       SetUserCredentials        SetUserCredentialsInstance
       DeleteUserCredentials     DeleteUserCredentialsInstance
       EncryptUserCredentials    EncryptUserCredentialsInstance
       MultiUsernameToken        MultiUsernameTokenInstance
    g. Click Load configuration changes to Tivoli Federated Identity Manager runtime and wait for the process to complete. You must do this step before you can use the modules in a security trust service chain.
  4. Create the trust service chain.

    A trust service chain is a chain of modules operating in different modes, for example validate, map and issue.

    a. In the Management Console, click Configure Trust Service > Trust Service Chains.
    b. Click Create.
    c. In the Chain Mapping Identification area, in Chain Mapping Name, type EssoChain.
    d. Click Next.
    e. In Request Type, select Validate.
    f. In Lookup Type, select Use Traditional WS-Trust Elements (AppliesTo, Issuer, and TokenType).
    g. In the AppliesTo area, in Address, type esso/*.
    h. In the Issuer area, in Address, type esso/.
    i. In Token Type, select Any Token.
  5. Add the following module instances to the trust chain, and specify the mode in the following sequence:
       Order   Module instance                  Mode
       1       VerifyUserInstance               Validate
       2       GetUserCredentialsInstance       Map
       3       SetUserCredentialsInstance       Map
       4       DeleteUserCredentialsInstance    Map
       5       EncryptUserCredentialsInstance   Map
       6       MultiUsernameTokenInstance       Issue
    VerifyUserInstance
       In Validate mode, the module instance extracts the UserName token from the Request Security Token (RST). The module also calls the IMS web service to log on the user by using the IBM® Security Access Manager for Enterprise Single Sign-On user name and password.
       The VerifyUserInstance module then stores the session, together with the IBM Security Access Manager for Enterprise Single Sign-On user name and password, in the STSUU.
       Note: In Map mode, the module extracts the user name and password from the STSUU. The module also calls the IMS web service to log on by using the IBM Security Access Manager for Enterprise Single Sign-On user name and password. The VerifyUser module in Map mode is not used in these examples.
    GetUserCredentialsInstance
       Gets all the application user names and passwords for the user and adds them to the Security Token Service Universal User (STSUU) document. To learn more about the STSUU, see Security Token Service (STS) Universal User document.
    SetUserCredentialsInstance
       Sets the user credentials for a given authentication service.
    DeleteUserCredentialsInstance
       Deletes the user credentials when given the user name and authentication service.
    EncryptUserCredentialsInstance
       Encrypts all the user credentials with password-based encryption, using the Tivoli Access Manager password as the encryption password. To learn more about password-based encryption, see Password-based encryption.
    MultiUsernameTokenInstance
       Generates a user name token for each user credential, then wraps each token in a Request Security Token Response (RSTR) message. The module instance then wraps all the RSTRs into a Request Security Token Response Collection (RSTR Collection).
  6. Configure Module Instance Settings.

    VerifyUserInstance: Type the URL of the WebSphere® instance on which the IBM Security Access Manager for Enterprise Single Sign-On API is installed. For example: http://<server_name>:9080

    Note: Ensure that you enter the SSL port if you want the IBM Security Access Manager for Enterprise Single Sign-On API and the STS to communicate by using SSL. The default SSL port is 9443.
  7. Click Load configuration changes to Tivoli Federated Identity Manager runtime.
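The following Python model is an added illustration of what the deployed EssoChain does at run time; it is not code from Tivoli Federated Identity Manager or from the IBM Security Access Manager for Enterprise Single Sign-On modules. It performs the chain lookup on the AppliesTo, Issuer and TokenType elements, then runs VerifyUser in Validate mode, GetUserCredentials in Map mode and MultiUsernameToken in Issue mode to produce the RSTR Collection. The namespace URIs, the glob and exact-match lookup rules, the in-memory stand-in for the IMS web service, the session id and the sample RST are all assumptions of this model; the Set, Delete and Encrypt module instances are not modelled.

```python
import fnmatch
import xml.etree.ElementTree as ET
NS = {"wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",  # assumed WS-Trust 1.3 namespace URIs
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy", "wsa": "http://www.w3.org/2005/08/addressing",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"}
def W(prefix, tag): return "{%s}%s" % (NS[prefix], tag)  # Clark-notation tag helper
# Lookup values from the procedure (Any Token = None) and a constructed stand-in for the IMS back end.
ESSO_CHAIN = {"applies_to": "esso/*", "issuer": "esso/", "token_type": None}
IMS_STORE = {"alice": {"password": "s3cret", "apps": [("sap", "alice.s", "pw1"), ("mail", "asmith", "pw2")]}}
def chain_matches(rst, chain=ESSO_CHAIN):
    # Glob on AppliesTo and exact match on Issuer are this model's assumptions, not TFIM's rules.
    applies = rst.findtext("wsp:AppliesTo/wsa:EndpointReference/wsa:Address", "", NS)
    return (fnmatch.fnmatchcase(applies, chain["applies_to"])
            and rst.findtext("wst:Issuer/wsa:Address", "", NS) == chain["issuer"]
            and chain["token_type"] in (None, rst.findtext("wst:TokenType", None, NS)))

def verify_user(rst, stsuu):
    # Validate mode: UsernameToken out of the RST, logon against the modelled IMS, fill the STSUU.
    tok = rst.find(".//wsse:UsernameToken", NS)
    user = tok.findtext("wsse:Username", None, NS)
    if IMS_STORE.get(user, {}).get("password") != tok.findtext("wsse:Password", None, NS):
        raise PermissionError("IMS logon failed for %r" % user)
    stsuu.update(principal=user, session="ims-session-%s" % user)  # constructed session id
def get_user_credentials(stsuu):
    # Map mode: every application credential of the principal goes into the STSUU.
    stsuu["credentials"] = list(IMS_STORE[stsuu["principal"]]["apps"])
def multi_username_token(stsuu):
    # Issue mode: one UsernameToken per credential, each in its own RSTR, all in one RSTRC (no encryption modelled).
    rstrc = ET.Element(W("wst", "RequestSecurityTokenResponseCollection"))
    for _service, name, pw in stsuu["credentials"]:
        rstr = ET.SubElement(rstrc, W("wst", "RequestSecurityTokenResponse"))
        tok = ET.SubElement(ET.SubElement(rstr, W("wst", "RequestedSecurityToken")), W("wsse", "UsernameToken"))
        ET.SubElement(tok, W("wsse", "Username")).text = name
        ET.SubElement(tok, W("wsse", "Password")).text = pw
    return rstrc

def run_esso_chain(rst_xml):
    # Chain lookup, then the module instances in the order the procedure configures them.
    rst = ET.fromstring(rst_xml)
    if not chain_matches(rst):
        raise LookupError("no trust chain matches this RST")
    stsuu = {}; verify_user(rst, stsuu); get_user_credentials(stsuu)  # Validate, then Map
    return multi_username_token(stsuu)                                  # Issue

# Constructed sample RST carrying the EssoChain lookup values and a UsernameToken for alice.
SAMPLE_RST = """<wst:RequestSecurityToken xmlns:wst="%(wst)s" xmlns:wsp="%(wsp)s" xmlns:wsa="%(wsa)s" xmlns:wsse="%(wsse)s">
<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>esso/sap</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
<wst:Issuer><wsa:Address>esso/</wsa:Address></wst:Issuer><wst:Base><wsse:UsernameToken>
<wsse:Username>alice</wsse:Username><wsse:Password>s3cret</wsse:Password></wsse:UsernameToken></wst:Base>
</wst:RequestSecurityToken>""" % NS
```

Calling run_esso_chain(SAMPLE_RST) returns an RSTRC element with one RSTR per stored application credential; an RST whose AppliesTo does not fall under esso/* is rejected at lookup, and a wrong ESSO password is rejected by the Validate step.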