The Web services security management component of IBM® Tivoli® Federated Identity Manager is used to establish and manage federation relationships for WebSphere® Web service applications that use WS-Security tokens.

The Web services security management component provides functions for:
- Web service providers, which need to process inbound security tokens using a token consumer
- Web service clients, which need to create outbound security tokens using a token generator

The processing and creation of the tokens is performed through a series of Web service request and response messages that interact with the Web services security management component and the Tivoli Federated Identity Manager trust service.
The Web services security management component also provides Web services applications with an authorization solution and identity and security token mapping capabilities that can be used without deployment of a federated single sign-on environment. Unlike the other Tivoli Federated Identity Manager components, the Web services security management component does not require the use of the Tivoli Access Manager WebSEAL component.

The Web services security management component enhances the WS-Security support provided by WebSphere Application Server in a number of ways:
- Extends the WS-Security token types available in WebSphere Application Server to additional token types supported by the Tivoli Federated Identity Manager trust service. For example, this feature permits a Security Assertion Markup Language (SAML) assertion to be directly used for authentication.
- Permits the type of token to be exchanged; for example, a UsernameToken can be exchanged for a SAML assertion.
- Permits the user identity to be mapped; for example, a user identity can be mapped to a local identity expected by the Web service.
- Permits both many-to-one and one-to-many user identity mappings.
- Permits authorization checks to be made on a Web service before invoking the Web service. Using the capabilities provided by Tivoli Access Manager for e-business, requests can be validated without actually invoking the underlying Web service.

All of these features are available at both the Web service client and the Web service.
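The three pieces the list above describes, a token consumer, an identity mapping step and a token generator, are easiest to see in a small end-to-end flow. The following is an added illustration written for this page, not code from Tivoli Federated Identity Manager or WebSphere: it consumes a WS-Security UsernameToken from a constructed inbound SOAP message, maps the external user to a local identity (with both a one-to-one rule and a many-to-one rule by partner domain), and generates a minimal SAML 2.0 assertion for the mapped identity. The namespaces are the standard WS-Security and SAML 2.0 ones; the sample message, the mapping tables, and the issuer URL are assumptions, and the assertion is left unsigned.

```python
"""Added example: WS-Security token consumer, identity mapping and SAML
token generator, mirroring the features the page lists. Constructed
illustration code, not IBM Tivoli Federated Identity Manager code; the
mapping rules, sample message and issuer URL are assumptions."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML)

# Constructed inbound SOAP request from a Web service client, carrying a UsernameToken.
INBOUND_SOAP = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}">
      <wsse:UsernameToken>
        <wsse:Username>alice@partner.example</wsse:Username>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body/>
</soap:Envelope>"""

# Assumed (hypothetical) mapping rules: a one-to-one rule for a named user, and a
# many-to-one rule that maps every other user of a partner domain to a single
# local identity expected by the Web service.
USER_MAP = {"alice@partner.example": "alice_local"}
DOMAIN_MAP = {"partner.example": "partner_guest"}
ISSUER = "https://trust.example/sts"  # hypothetical trust service identifier


def consume_username_token(soap_xml: str) -> str:
    """Token consumer: pull the Username out of the wsse:UsernameToken.
    A message with no usable token is rejected rather than treated as anonymous."""
    root = ET.fromstring(soap_xml)
    username = root.find(f".//{{{WSSE}}}UsernameToken/{{{WSSE}}}Username")
    if username is None or not (username.text or "").strip():
        raise ValueError("no UsernameToken in WS-Security header")
    return username.text.strip()


def map_identity(external_id: str) -> str:
    """Identity mapping: explicit one-to-one rule first, then many-to-one by domain.
    An identity matched by no rule is refused instead of passed through unchanged."""
    if external_id in USER_MAP:
        return USER_MAP[external_id]
    domain = external_id.rpartition("@")[2]
    if domain in DOMAIN_MAP:
        return DOMAIN_MAP[domain]
    raise PermissionError(f"no mapping rule for {external_id!r}")


def generate_saml_assertion(local_id: str, lifetime_s: int = 300) -> str:
    """Token generator: emit a minimal, short-lived SAML 2.0 assertion for the
    mapped identity (unsigned here; a deployment would sign it)."""
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    assertion = ET.Element(f"{{{SAML}}}Assertion", {
        "Version": "2.0",
        "ID": "_" + uuid.uuid4().hex,
        "IssueInstant": now.strftime(fmt),
    })
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = ISSUER
    subject = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = local_id
    ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": now.strftime(fmt),
        "NotOnOrAfter": (now + timedelta(seconds=lifetime_s)).strftime(fmt),
    })
    return ET.tostring(assertion, encoding="unicode")


def exchange_token(soap_xml: str) -> str:
    """UsernameToken in, SAML assertion out: consume, map, generate."""
    return generate_saml_assertion(map_identity(consume_username_token(soap_xml)))


def assertion_subject(saml_xml: str) -> str:
    """Read back the NameID carried by a generated assertion."""
    return ET.fromstring(saml_xml).find(f".//{{{SAML}}}NameID").text


if __name__ == "__main__":
    print(exchange_token(INBOUND_SOAP))
```

Two design points carry over to any real token-exchange configuration: the consumer fails closed when the expected token is missing or empty, and the mapping step fails closed when no rule matches, so an unexpected external identity never reaches the Web service under its own name.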