IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Deploying security token service modules

Use the Tivoli® Federated Identity Manager management console to configure and deploy a security token service.

Before you begin

Before you create a trust chain, you must understand the concepts of module types, module instances, module modes, and trust service chains.
Install the Tivoli Federated Identity Manager management console. For the procedure, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.1%2Ftask%2Finstallingconsole.html.
For information about the installation and configuration of token exchange scenarios, see http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=%2Fcom.ibm.tivoli.fim.doc_6.2.1%2Fconcept%2FHowToCfgSTS.html.

About this task

Deploying STS modules involves creating instances of module types, and assembling module instances into a security trust service chain. Each module is set to one token handling task.

Procedure

Copy these jar files to the <TFIM installation root path>/plugins directory:
- com.tivoli.am.fim.sts.modules.tamesso.jar
- com.ibm.tamesso.webapi.contract.jar
- com.ibm.tamesso.webapi.wsClient.jar
- com.ibm.tamesso.webapi.wsClientWrapper.jar
Use the Tivoli Federated Identity Manager console to publish the modules:
1. Expand the Tivoli Federated Identity Manager Options pane.
2. Select Domain Management > Runtime Node Management.
3. Click Publish Plug-In. A message prompts you to load configuration changes.
4. Click Load Configuration changes to Tivoli Federated Identity Manager runtime.

Create new instances of the custom STS modules:

In the Management Console, click Configure Trust Service > Module Instances.
Click Create.
Select a module type. For example: VerifyUser.
Click Next.
Type a name for each instance, for example VerifyUserInstance.

Repeat steps b to d until you create the following module instances:

Module types	Name each module instance
VerifyUser	`VerifyUserInstance`
GetUserCredentials	`GetUserCredentialsInstance`
SetUserCredentials	`SetUserCredentialsInstance`
DeleteUserCredentials	`DeleteUserCredentialsInstance`
EncryptUserCredentials	`EncryptUserCredentialsInstance`
MultiUsernameToken	`MultiUsernameTokenInstance`

Click Load configuration changes to Tivoli Federated Identity Manager runtime and wait for the process to complete. You must do this step before you can use the modules in a security trust service chain.

Create the trust service chain.
A trust service chain is a chain of modules operating in different modes, for example validate, map and issue.
1. In Management Console, click Configure Trust Service > Trust Service Chains
2. Click Create.
3. In the Chain Mapping Identification area, in Chain Mapping Name, type EssoChain.
4. Click Next.
5. In Request Type, select Validate.
6. In Lookup Type, select Use Traditional WS-Trust Elements (AppliesTo, Issuer, and TokenType).
7. In the AppliesTo area, in Address, type esso/*.
8. In the Issuer area, in Address, type esso/.
9. In Token Type, select Any Token.

Add the following module instances to the trust chain, and specify the mode in the following sequence:

Order	Module Instance	Mode
1	VerifyUserInstance	Validate
2	GetUserCredentialsInstance	Map
3	SetUserCredentialsInstance	Map
4	DeleteUserCredentialsInstance	Map
5	EncryptUserCredentialsInstance	Map
6	MultiUsernameTokenInstance	Issue

VerifyUserInstance: In Validate mode, the module instance extracts the UserName token from the Request Security Token (RST). The module also calls the IMS web service to log on the user by using the IBM® Security Access Manager for Enterprise Single Sign-On user name and password.; The VerifyUserInstance module finally sets the session and IBM Security Access Manager for Enterprise Single Sign-On user name and password to the STSUU.
Note: In Map mode, the module extracts the user name and password from the STSUU. The module also calls the IMS web service to log on by using the IBM Security Access Manager for Enterprise Single Sign-On user name and password. The VerifyUser module in Map mode is not used in these examples.
GetUserCredentialsInstance: Gets all the application user name and passwords for the user and adds them to the Security Token Service Universal User (STSUU) document. To learn more about the STSUU, see Security Token Service (STS) Universal User document
SetUserCredentialsInstance: Sets the user credentials for a given authentication service.
DeleteUserCredentialsInstance: Deletes the user credentials when given the user name and authentication service.
EncryptUserCredentialsInstance: Encrypts all the user credentials by using the Tivoli Access Manager password by employing password-based encryption. To learn more about password-based encryption, see Password-based encryption
MultiUsernameTokenInstance: Generates a user name token for each user credential, then wraps each token in a Request Security Token Response (RSTR) message. The module instance then wraps all the RSTR into a Request Security Token Response Collection (RSTR Collection).

Configure Module Instance Settings.
VerifyUserInstance: Type the URL of the WebSphere® instance on which the IBM Security Access Manager for Enterprise Single Sign-On API is installed. For example: http://<server_name>:9080

Note: Ensure that you enter the SSL port if you want the IBM Security Access Manager for Enterprise Single Sign-On API and the STS to communicate by using SSL. The default SSL port is 9443.
Click Load configuration changes to Tivoli Federated Identity Manager runtime.

Feedback