Trust associations

Trust association enables the integration of WebSphere® Application Server security and third-party security servers. Demand for an integrated configuration is compelling, especially when a single product cannot meet all of the needs of a specific web environment or when migration is not a viable solution.

When you use trust association, the third-party security server authenticates the user, then WebSphere Application Server can authorize the user and take advantage of its fine-grained access control.

Example uses of trust association are web single sign-on (SSO) and reverse proxy. Examples of web SSO are SAML web SSO and OpenId Connect (OIDC). For reverse proxy, a reverse proxy server acts as a front-end authentication server and forwards credentials to WebSphere Application Server in the form of a header that a trust association interceptor (TAI) can consume. In the web SSO scenario, the TAI is directly involved in the authentication process. In either case, after the TAI authentication is complete, WebSphere Application Server then applies its authorization policy onto the resulting credentials.

Authentication and authorization with Trust Association Interceptors

When trust association is enabled, WebSphere Application Server invokes the initialize method for each configured TAI during server startup. Whenever the initialized server receives a web request for a URL that has a security-constraint with a role-requirement, the server invokes the isTargetInterceptor method for each TAI. This method determines which TAI can service the request. If all of the isTargetInterceptor methods return false, web authentication proceeds through the standard Java EE flow. When an isTargetInterceptor method returns true, the server invokes the negotiateValidateAndEstablishTrust method for the TAI so that the TAI can attempt to authenticate the request.

After a successful authentication, the WebSphere Application Server authorization proceeds in the same manner as a Java EE web login. The username and any group names are evaluated against the security role to user or group mappings within the application configuration. If a match is found, the Subject is mapped to the matched role. The server can then determine whether the Subject has the required role for the requested URL.

Trust association interceptor interface

The intent of the trust association interceptor interface is to allow interceptors to perform authentication, while WebSphere Application Server enforces authorization and further fine-grained access control. The interceptor can be a web SSO or reverse proxy client. The trust association interface is