Configuring authorization with a WS-Trust v1.3 STS (TFIM V6.2)
You can configure supported message flow input nodes or SecurityPEP nodes to perform
authorization of an identity or security token by using a WS-Trust
v1.3 compliant Security Token Service (STS), such as Tivoli® Federated Identity Manager (TFIM) V6.2.
Before you begin
Before you configure a message flow to perform authorization
with a WS-Trust v1.3 STS:
About this task
The message flow security manager issues an authorization
request to the WS-Trust service with the following parameters, which
select the TFIM module chain to be used:
- RequestType
- Issuer
- AppliesTo
For more information about these parameters, see:Authentication, mapping, and authorization with TFIM V6.2 and TAM .
In addition to configuring
IBM Integration Bus to perform authorization with
a WS-Trust compliant STS, you must configure TAM. For information
about how to do this, see the following topics:
Steps for enabling authorization using a WS-Trust v1.3
STS provider:
Procedure
To enable an existing message flow to enforce authorization
using a WS-Trust v1.3 STS provider, use the BAR editor to select a security
profile that has authorization set for that provider. You
can set a security profile on a message flow or on individual input
nodes or
SecurityPEP nodes.
If you leave the
Security Profile property blank,
the node inherits the
Security Profile property
that is set at the message flow level. If you leave the property blank
at both levels, security is turned off for the node.
- In the IBM Integration Toolkit,
right-click the BAR file, then click Open with > BAR
Editor.
- Click the Manage and Configure tab.
- Click the flow or node on which you want to set the
security profile. The properties that you
can configure for the message flow or for the node are displayed in
the Properties view.
- In the Security Profile Name field,
select a security profile that has authorization set for WS-Trust
V1.3 STS.
- Save the BAR file.
What to do next
For a SOAPInput node
to use the token in the WS-Security header (rather than an underlying
transport identity) an appropriate policy set and bindings must also
be defined and specified. For more information, see Policy sets.
The WS-Trust v1.3 specification
is available at: http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3-os.html.