Identity and security token propagation

Identity and security token propagation enables the identity and security tokens that are associated with each message to be propagated through a message flow, and on to target applications through output or request nodes.

In an enterprise system, you can use different physical identities or security tokens (such as user names, certificates, and SAML assertions) to represent a single logical identity in different parts of the enterprise. Propagating an identity or security token keeps that logical identity intact across the system by mapping between the physical forms as necessary. For example, a message might enter the system with a certificate, but a Username token might be required for server-side processing of the message. Identity mapping converts the certificate to the Username token, and identity propagation places the mapped identity where the outbound transport expects it.

When an output or request node propagates an identity, the mapped identity is used. If the mapped identity is not set, or if it has a token type that is not supported by the node, the source identity is used instead. You can also configure a fixed identity by using the mqsisetdbparms command; see Configuring a message flow for identity propagation. If no identity is set, or if neither the mapped nor the source identity has a token type that is supported by the node, the node throws a security exception.

The following output and request nodes support identity propagation:
  • CICSRequest
  • HTTPRequest
  • IMSRequest
  • MQOutput
  • SAPRequest
  • SCAAsyncRequest
  • SCARequest
  • SOAPAsyncRequest
  • SOAPRequest
  • SiebelRequest
  • RESTRequest
  • RESTAsyncRequest
The following table shows the support that is provided by the message flow security manager for the propagation of the different types of security token. For more information about these security tokens, see Identity.
Table 1. Support for security token types - token propagation

Token type (format): Username
Integration node security manager support: Username tokens are supported for propagation by the following nodes:
  • CICSRequest
  • HTTPRequest
  • IMSRequest
  • MQOutput
  • RESTAsyncRequest
  • RESTRequest
  • SCAAsyncRequest
  • SCARequest
  • SOAPRequest
Token propagated in:
  • CICS®: the request security credentials
  • HTTP: BasicAuth header
  • IMS: the request security credentials
  • IWA: the request security credentials
  • MQ: MQMD.UserIdentifier transport header

Token type (format): Username and password
Integration node security manager support: Username and password tokens are supported for propagation by the following nodes:
  • CICSRequest
  • HTTPRequest
  • IMSRequest
  • MQOutput
  • RESTAsyncRequest
  • RESTRequest
  • SAPRequest
  • SCAAsyncRequest
  • SCARequest
  • SOAPAsyncRequest
  • SOAPRequest
  • SiebelRequest
Token propagated in:
  • CICS: the request security credentials
  • HTTP: BasicAuth header
  • IMS: the request security credentials
  • IWA: the request security credentials
  • MQ: MQMD.UserIdentifier transport header
  • SAP: the request security credentials
  • SOAP:
    • BasicAuth header, if there is no policy set and binding
    • SOAP header, if a policy set and binding sets the Username token profile
    • Kerberos client credentials, if a policy set and binding sets the Kerberos token profile
  • SIEBEL: the request security credentials

Token type (format): SAML assertion
Integration node security manager support: SAML tokens are supported for propagation by the following nodes:
  • SOAPRequest
  • SOAPAsyncRequest
Token propagated in: SOAP header, when a policy set and binding sets the SAML token profile

Token type (format): X.509 certificate
Integration node security manager support: X.509 tokens are supported for propagation by the following nodes:
  • SOAPRequest
  • SOAPAsyncRequest
Token propagated in: SOAP header, when a policy set and binding sets the X.509 binary token profile

Token type (format): LTPA v2 token
Integration node security manager support: LTPA v2 tokens are supported for propagation by the following nodes:
  • SOAPRequest
  • SOAPAsyncRequest
Token propagated in: SOAP header, when a policy set and binding sets the LTPA token profile

Token type (format): Universal WSSE token
Integration node security manager support: Universal WSSE tokens are not supported for propagation by any node.
Token propagated in: none
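The selection rule described earlier (mapped identity first, then the source identity, otherwise a security exception) together with the per-node support and the HTTP and MQ carriers from Table 1, modelled in Python. This is an added example; it is not part of this documentation and not product code. The node names and token types are the ones Table 1 lists, but the token-type string constants, the Identity class, the SecurityException class and the function names are this example's own, not product identifiers. The Basic header encoding follows RFC 7617; the 12-character check on MQMD.UserIdentifier reflects that field's MQCHAR12 length, and how the product treats longer user names is not stated on this page.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Token types from Table 1. The strings are this example's shorthand, not product identifiers.
USERNAME = "username"
USERNAME_PASSWORD = "usernameAndPassword"
SAML = "SAML"
X509 = "X.509"
LTPA_V2 = "LTPAv2"
UNIVERSAL_WSSE = "universalWSSE"  # propagated by no node (Table 1)

# Node -> token types the node can propagate, transcribed from Table 1.
SUPPORTED = {
    "CICSRequest": {USERNAME, USERNAME_PASSWORD},
    "HTTPRequest": {USERNAME, USERNAME_PASSWORD},
    "IMSRequest": {USERNAME, USERNAME_PASSWORD},
    "MQOutput": {USERNAME, USERNAME_PASSWORD},
    "RESTAsyncRequest": {USERNAME, USERNAME_PASSWORD},
    "RESTRequest": {USERNAME, USERNAME_PASSWORD},
    "SAPRequest": {USERNAME_PASSWORD},
    "SCAAsyncRequest": {USERNAME, USERNAME_PASSWORD},
    "SCARequest": {USERNAME, USERNAME_PASSWORD},
    "SOAPAsyncRequest": {USERNAME_PASSWORD, SAML, X509, LTPA_V2},
    "SOAPRequest": {USERNAME, USERNAME_PASSWORD, SAML, X509, LTPA_V2},
    "SiebelRequest": {USERNAME_PASSWORD},
}


@dataclass(frozen=True)
class Identity:
    """One physical identity: a token type plus the token itself (user name, assertion, certificate, ...)."""
    token_type: str
    token: str
    password: Optional[str] = None


class SecurityException(Exception):
    """Stands in for the security exception a node throws when it cannot propagate any identity."""


def resolve_identity(node: str, mapped: Optional[Identity], source: Optional[Identity]) -> Identity:
    """Apply the precedence rule: mapped identity, else source identity, else security exception.

    A mapped identity whose token type the node cannot propagate is skipped rather than
    being an error; the exception is raised only when neither identity is usable by this node.
    """
    if node not in SUPPORTED:
        raise SecurityException(f"{node} does not support identity propagation")
    for candidate in (mapped, source):
        if candidate is not None and candidate.token_type in SUPPORTED[node]:
            return candidate
    raise SecurityException(f"{node}: neither the mapped nor the source identity has a supported token type")


def http_basic_auth_header(identity: Identity) -> str:
    """HTTP carrier from Table 1: the BasicAuth header, encoded as RFC 7617 prescribes."""
    if identity.token_type not in (USERNAME, USERNAME_PASSWORD):
        raise SecurityException("Basic authentication carries only user name tokens")
    # Assumption of this example: a Username token without a password yields an empty password field.
    credentials = f"{identity.token}:{identity.password or ''}"
    return "Authorization: Basic " + base64.b64encode(credentials.encode("utf-8")).decode("ascii")


def mqmd_user_identifier(identity: Identity) -> str:
    """MQ carrier from Table 1: MQMD.UserIdentifier. The field is an MQCHAR12, so names that
    cannot fit are refused here; the password is not carried in the MQMD at all."""
    if identity.token_type not in (USERNAME, USERNAME_PASSWORD):
        raise SecurityException("MQMD.UserIdentifier carries only user name tokens")
    if len(identity.token) > 12:
        raise ValueError(f"user identifier {identity.token!r} is longer than the 12-character MQMD.UserIdentifier field")
    return identity.token


if __name__ == "__main__":
    # Constructed sample: the message arrived with an X.509 certificate (the source identity) and
    # identity mapping produced a user name and password (the mapped identity).
    source = Identity(X509, "CN=alice,O=example")
    mapped = Identity(USERNAME_PASSWORD, "alice", "s3cret")

    print(http_basic_auth_header(resolve_identity("HTTPRequest", mapped, source)))
    print("MQMD.UserIdentifier =", mqmd_user_identifier(resolve_identity("MQOutput", mapped, source)))
    # SOAPRequest can propagate X.509, so with no mapped identity the source certificate is used.
    print("SOAPRequest propagates", resolve_identity("SOAPRequest", None, source).token_type)
    # MQOutput cannot propagate X.509; with no usable mapped identity the node throws.
    try:
        resolve_identity("MQOutput", None, source)
    except SecurityException as exc:
        print("security exception:", exc)
```

Run it as a script to see the four cases: the Basic header built from the mapped user name and password, the same user name placed in MQMD.UserIdentifier, the certificate passing through SOAPRequest unchanged, and MQOutput failing when the only identity available is one it cannot carry.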

For information about how to configure a message flow to propagate a message identity, see Configuring a message flow for identity propagation. For more information about how one physical identity is converted to another, see Identity mapping.