IBM Tivoli Federated Identity Manager, Version 6.2.2

Setting up the alias service database

SAML 2.0 supports the use of name identifiers (aliases) for communication of user identities between partners. Aliases are intended to increase the privacy of the user when that user accesses resources at a service provider. When aliases are used, an identifier that both the identity and service provider recognize is sent instead of the actual account name of the user. Aliases are created and recorded during account linkage (federation). After account linkage, the alias is in all messages that are sent between the partners. A different alias is used with each partner. The alias used in one direction, such as from identity provider to service provider, can be different from the alias that is used in the other direction, such as from service provider to identity provider.

About this task

Note: The use of aliases is optional in SAML 2.0.

The default setting for the alias service is to use persistent IDs.

A service in Tivoli® Federated Identity Manager, called the alias service, generates new aliases, associates aliases with local users, and performs mapping from alias to user and from user to alias.

Most aliases are persistent and must be retained for a long time. Therefore, some type of database must be used to store them. You have two options for the type of database you can use: a JDBC database or an LDAP database.
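The following is an added illustration, not IBM code, of what the alias service described above does: it creates a random persistent alias per local user, partner and message direction at account linkage, and maps alias to user and user to alias. An in-memory dictionary stands in for the JDBC or LDAP database; the partner names and direction labels are constructed for the example.

```python
import secrets

# SAML 2.0 NameID format used for persistent aliases (the alias service default)
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

class AliasService:
    """Minimal stand-in for the alias service. Dictionaries replace the
    JDBC or LDAP database; a real deployment must persist these entries
    because aliases outlive a single session."""

    def __init__(self):
        self._user_to_alias = {}   # (partner, direction, local_user) -> alias
        self._alias_to_user = {}   # (partner, direction, alias) -> local_user

    def link(self, local_user, partner, direction):
        """Account linkage: create and record an alias for this user, partner
        and message direction, or return the one recorded earlier."""
        key = (partner, direction, local_user)
        if key not in self._user_to_alias:
            # Random token: nothing about the real account name can be derived from it
            alias = secrets.token_urlsafe(24)
            self._user_to_alias[key] = alias
            self._alias_to_user[(partner, direction, alias)] = local_user
        return self._user_to_alias[key]

    def user_for_alias(self, alias, partner, direction):
        """Alias -> user mapping; None if this partner/direction never linked it."""
        return self._alias_to_user.get((partner, direction, alias))

    def alias_for_user(self, local_user, partner, direction):
        """User -> alias mapping; None before account linkage."""
        return self._user_to_alias.get((partner, direction, local_user))

def name_id(alias):
    """The NameID element carried in messages instead of the account name."""
    return f'<saml:NameID Format="{PERSISTENT_FORMAT}">{alias}</saml:NameID>'

def demo():
    """Link one local user with two constructed partners and return the aliases."""
    svc = AliasService()
    to_sp = svc.link("alice", "sp.example.com", "idp_to_sp")
    from_sp = svc.link("alice", "sp.example.com", "sp_to_idp")
    other = svc.link("alice", "sp.example.net", "idp_to_sp")
    return svc, to_sp, from_sp, other
```

Each partner and each direction gets its own alias, and an alias presented by the wrong partner maps to no user.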

The tasks you must perform to set up your alias service database depend on whether you installed the embedded version of WebSphere Application Server, or are using an existing version of WebSphere Application Server with your installation of the Tivoli Federated Identity Manager Runtime and Management Services component.

Embedded version of WebSphere
Your database options are:
  • JDBC database

    If you installed the embedded version of WebSphere Application Server, a JDBC database, Cloudscape 10, also known as Derby, was configured on WebSphere Application Server to be used for storing alias information. No further tasks for setting up the database are required.

  • LDAP database

    You have the option of using an LDAP database, such as IBM Tivoli Directory Server, that you have purchased, installed, and configured separately from Tivoli Federated Identity Manager. See the information in Configuring an LDAP alias service database. Then, to use that LDAP database with Tivoli Federated Identity Manager, you must modify the alias service settings, as described in Modifying alias service settings.

Existing version of WebSphere Application Server
Your database options are:
  • JDBC database

    If you installed Tivoli Federated Identity Manager on an existing version of WebSphere Application Server, and you want to use a JDBC database, you must manually create and configure the database, using a procedure similar to the procedures below for Cloudscape 10 (Derby), as described in Configuring a JDBC alias service database. (As previously stated, if you installed the embedded version of WebSphere Application Server, these steps were performed automatically and are already completed.)

  • LDAP database

    You have the option of using an LDAP database, such as IBM Tivoli Directory Server, that you have downloaded, installed, and configured separately from Tivoli Federated Identity Manager. See the information in Configuring an LDAP alias service database. Then, to use that LDAP database with Tivoli Federated Identity Manager, you must modify the alias service settings, as described in Modifying alias service settings.
