IBM Tivoli Federated Identity Manager, Version 6.2.2

Planning the mapping of user identities

Plan the mapping of user identities appropriate to your deployment.

Task overview:

  1. Read this series of topics on the mapping of user identities
  2. Review the default mapping rules files for your protocol. Decide if you can use them, either as they are, or by making your own modifications as appropriate for your deployment.
  3. If the requirements for your deployment cannot be met by the use of a mapping rule, you can choose one of the following options:
    • Use the Tivoli® Directory Integrator mapping module that is provided with Tivoli Federated Identity Manager.
    • Develop a custom mapping module.

A primary function of the Tivoli Federated Identity Manager trust service is the transfer of user identity information (credentials) between partners in a single sign-on federation. This transfer requires changing user identity information formats several times to move between formats local to each partner and the agreed token format for exchanging credentials.

The identity information transfer includes an identity mapping step, where the user information is mapped from the structure provided by one credential or token type into the structure required by another token type.

To complete this mapping step, choose one of the following options:

If you choose to write an identity mapping rule, use the eXtensible Stylesheet Language (XSL), and save it to disk as an XSL file. When you create a federation, the federation wizard prompts you to supply the name of your mapping rule file. The wizard imports this file into the configuration for the federation.

Each identity mapping rule file is specific to a particular role and a particular federation. For example, when you create a SAML federation for an identity provider, use a different mapping rule from the one you use to create a SAML federation for a service provider. The identity mapping rule for a Liberty federation on an identity provider is also different from the mapping rule for a SAML federation on an identity provider.
Note: Liberty protocol is being deprecated in the Tivoli Federated Identity Manager 6.2.2 release.

You must create and save a mapping rule file before you create a federation.

Note: An identity mapping rule specifies the attributes that are associated with a user credential. Users can access multiple applications after they authenticate, so you must make sure that your rule sets the appropriate attributes for all of the applications that the user accesses.
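The following XSL file is an added, constructed illustration of what such a rule looks like; it is not one of the default mapping rule files shipped with Tivoli Federated Identity Manager. It assumes the input and output are STSUniversalUser documents in the stsuuser namespace used by the trust service, and the attribute names emailAddress, department and role, as well as the constant role value, are invented for the example. It copies the principal name across unchanged and then rebuilds the attribute list so that only the attributes the partner's applications need are asserted, which is the point of the note above: the rule decides both which attributes are present and which local attributes never leave the identity provider.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed identity-provider-side mapping rule (example only, not a product default).
     Input and output are STSUniversalUser documents; the namespace URI below is the
     one the trust service uses for that document. -->
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">

  <xsl:strip-space elements="*"/>
  <xsl:output method="xml" version="1.0" encoding="utf-8" indent="yes"/>

  <!-- Identity template: copy every node that is not rewritten by a more specific
       template, so the RequestSecurityToken context and other sections survive. -->
  <xsl:template match="@* | node()">
    <xsl:copy>
      <xsl:apply-templates select="@* | node()"/>
    </xsl:copy>
  </xsl:template>

  <!-- Principal: carry the local user name across as the federated principal name. -->
  <xsl:template match="stsuuser:Principal">
    <stsuuser:Principal>
      <stsuuser:Attribute name="name">
        <stsuuser:Value>
          <xsl:value-of select="stsuuser:Attribute[@name='name']/stsuuser:Value"/>
        </stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:Principal>
  </xsl:template>

  <!-- AttributeList: rebuilt rather than copied, so only attributes the partner
       applications need are asserted. Attribute names here are assumed for the
       example; local-only attributes in the input are dropped because they are
       not listed. -->
  <xsl:template match="stsuuser:AttributeList">
    <stsuuser:AttributeList>
      <!-- Attributes forwarded as they appear in the local credential (assumed names). -->
      <xsl:copy-of select="stsuuser:Attribute[@name='emailAddress']"/>
      <xsl:copy-of select="stsuuser:Attribute[@name='department']"/>
      <!-- Derived attribute with a constant value set by the rule itself (assumed name
           and value); the type is the SAML 2.0 basic attribute name format. -->
      <stsuuser:Attribute name="role"
          type="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <stsuuser:Value>employee</stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:AttributeList>
  </xsl:template>

</xsl:stylesheet>
```

When adapting a rule like this, enumerate the attributes each application behind the partner requires and add one copy-of or derived attribute per requirement; an attribute that is absent from the rule's AttributeList template is simply not asserted, so a missing entry shows up as an authorization failure at the application rather than as an error in the trust chain.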

The Tivoli Federated Identity Manager management console provides a Federation wizard that guides you through the configuration of a single sign-on federation. The wizard contains an Identity Mapping panel, which prompts the administrator to supply the name of an identity mapping rule file. The wizard imports the file, and uses it when building the configuration for the trust module chain that is specific to the federation.

The administrator must create the identity mapping file before using the wizard to configure the federation. The wizard panel expects that the administrator has created an eXtensible Stylesheet Language (XSL) file that describes identity mapping rules. The identity mapping rules are used to convert information that must move across the federation between the partners (identity provider and service provider). Each identity mapping rule must provide:

To write an identity mapping rule, you must understand:



Feedback