This extension to the embedded Trust Association Interceptor component provides single sign-on to WebSphere Application Server by IBM Security Access Manager for Web.
This adapter enables single sign-on (SSO) to WebSphere Application Server by configuring WebSphere Application Server to allow trust associations.
The embedded Trust Association Interceptor++ (tai++) accepts an iv-creds HTTP request header from IBM Security Access Manager for Web and a trust password in a Basic Authentication header. The embedded tai++ authenticates the trust password and dismantles the iv-creds HTTP request header to build the credential of the original user.
The extended version of the Trust Association Interceptor++ (ETAI) includes additional capabilities:
- Removes the need for any Security Access Manager configuration on WebSphere Application Server.
- Maps the credential attributes of the original user to different registry formats, or adds no credentials at all.
- Process Tivoli Federated Identity Manager security tokens.
- Additional trust mechanism based on mutual authentication over SSL and validation of the incoming certificate chain.
- Works with iv-user only, in the absence of iv-creds.
- Propagate rich identity to JAX-WS, LTPA, RMI/IIOP in the form of Security Access Manager binary security token.
- Propagate Security Access Manager security attributes to the JAAS authorization token using a login module.
- Consume SAML 2.0 assertions from TFIM-enabled junctions, generated by Tivoli Federated Identity Manager, without the need for iv-user or iv-creds.
- Signature validation of SAML 2.0 assertions using a local keystore and a remote Security Token Service (STS) such as Tivoli Federated Identity Manager.
One of the following versions:
- IBM Security Access Manager 9.0.X
- IBM Security Access Manager 8.0.X
- IBM Security Access Manager for Web Version 7.0.x
- IBM Security Access Manager Version 7.0.x
- IBM Tivoli Access Manager for e-business Version 6.1.x
One of the following versions:
- IBM WebSphere Application Server version 7.0.19 and above
- IBM WebSphere Application Server version 8.0.x
- IBM WebSphere Application Server 8.5.X
- IBM WebSphere Application Server 9.X
Note: When using Java 1.8, contact IBM Security Access Manager support for updated eTAI jar files in the interim, until they are officially published.
Ensure that the underlying products such as IBM Security Access Manager and IBM WebSphere Application Server are compatible with each other when you configure the Security Access Manager Trust Association Interceptor Plus.
See the PDF document in the download package for any additional prerequisites.
See the PDF document in the download package for installation instructions.
Refer to the following support table to assist in deciding which version of the integration to download.
Existing ETAI v2.5 installations do not require upgrading unless the SAML feature set is required.
ETAI (SAML support)
This download is offered free of charge to existing IBM Security Access Manager customers. Support for this download is available through the normal IBM Security Access Manager support channels.
This integration has been tested and is supported on the platforms and product versions listed in this document.
When accessing support for this download, quote the component ID as TIVOIAM00 or 5724C0800.
14 December 2018