Authenticating incoming requests with WS-Trust v1.3 STS (TFIM V6.2)

You can configure supported message flow input nodes or SecurityPEP nodes to perform identity authentication or security token validation using a WS-Trust v1.3 compliant Security Token Service (STS), such as Tivoli® Federated Identity Manager (TFIM) V6.2.

Before you begin

Before you can configure identity authentication or token validation, you need to check that an appropriate security profile exists, or create a new security profile. See Creating a security profile for WS-Trust V1.3 (TFIM V6.2).

About this task

When you use a WS-Trust v1.3 STS for authentication, a request is made to the trust service with the following parameters, which control the STS processing. If you are using TFIM V6.2, the following parameters are used in the selection of the TFIM module chain:
  • RequestType
  • Issuer
  • AppliesTo

For more information about these parameters, see Authentication, mapping, and authorization with TFIM V6.2 and TAM.
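The shape of that STS exchange, as an added example that is not part of this page or of IBM's product code: it builds a WS-Trust v1.3 Validate request carrying the three module-chain selection parameters (RequestType, Issuer, AppliesTo) and checks the STS reply, treating anything other than an explicit "valid" status as a failed authentication. The issuer URN, AppliesTo URL and the token content are constructed sample values.

```python
"""Build a WS-Trust 1.3 Validate request and check the STS reply (added example)."""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSA = "http://www.w3.org/2005/08/addressing"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
VALIDATE = WST + "/Validate"            # wst:RequestType for token validation
STATUS_VALID = WST + "/status/valid"    # wst:Status/wst:Code meaning "token is good"

for prefix, uri in (("wst", WST), ("wsa", WSA), ("wsp", WSP)):
    ET.register_namespace(prefix, uri)


def build_validate_request(issuer, applies_to, token_xml):
    """Return a wst:RequestSecurityToken carrying RequestType, Issuer and
    AppliesTo, which an STS such as TFIM uses to pick its module chain,
    plus the token to validate inside wst:ValidateTarget."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = VALIDATE
    issuer_el = ET.SubElement(rst, f"{{{WST}}}Issuer")
    ET.SubElement(issuer_el, f"{{{WSA}}}Address").text = issuer
    applies = ET.SubElement(rst, f"{{{WSP}}}AppliesTo")
    epr = ET.SubElement(applies, f"{{{WSA}}}EndpointReference")
    ET.SubElement(epr, f"{{{WSA}}}Address").text = applies_to
    target = ET.SubElement(rst, f"{{{WST}}}ValidateTarget")
    target.append(ET.fromstring(token_xml))
    return ET.tostring(rst, encoding="unicode")


def token_is_valid(rstr_xml):
    """Fail closed: only a RequestSecurityTokenResponse whose
    wst:Status/wst:Code is exactly the WS-Trust 'valid' URI authenticates
    the caller. Malformed XML, a missing Status or any other code is False."""
    try:
        root = ET.fromstring(rstr_xml)
    except ET.ParseError:
        return False
    code = root.find(f".//{{{WST}}}Status/{{{WST}}}Code")
    return code is not None and (code.text or "").strip() == STATUS_VALID


if __name__ == "__main__":
    # Constructed sample values; real deployments take these from the security profile.
    req = build_validate_request("urn:example:sts-issuer", "https://example.test/flow",
                                 '<UsernameToken xmlns="urn:example:wsse"><Username>alice'
                                 '</Username></UsernameToken>')
    print(req)
    reply = f'<RequestSecurityTokenResponse xmlns="{WST}"><Status><Code>' \
            f'{STATUS_VALID}</Code></Status></RequestSecurityTokenResponse>'
    print("authenticated:", token_is_valid(reply))
```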

The WS-Trust v1.3 specification, published by OASIS, is available at http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html.

Steps for enabling WS-Trust v1.3 authentication:

Procedure

To enable an existing message flow to perform authentication or token validation, use the BAR file editor to select a security profile that uses a WS-Trust v1.3 STS for authentication and to associate it with the node or message flow.
If a security profile is specified on either a message flow or a node, the profile must be available when the message flow is deployed; otherwise, a deployment error occurs.
  1. In the IBM App Connect Enterprise Toolkit, right-click the BAR file, then click Open with > BAR Editor.
  2. Click the Manage and Configure tab.
  3. Click the flow or node on which you want to set the security profile.
    The properties that you can configure for the message flow or for the node are displayed in the Properties view.
  4. In the Security Profile Name field, select a security profile that configures WS-Trust v1.3 STS for authentication.
  5. Save the BAR file.

What to do next

For a SOAPInput node to use the identity in the WS-Security header (rather than an underlying transport identity), an appropriate policy set and bindings must also be defined and specified.

If the message identity (or security token) does not contain enough information for authentication, the information must be taken from the message body. For example, if a password is required for authentication but the message came from IBM MQ with only a username, the password information must be taken from the message body. For more information, see Configuring the extraction of an identity or security token.