Identity mapping is the transformation of an identity in one format to an identity in another format, or the transformation of an identity in one realm to an identity in another realm.
In WebSphere Message Broker Version 6.1 the supported mapper is IBM Tivoli Federated Identity Manager (TFIM). Mapping is performed only for input nodes with an associated security profile that selects TFIM for mapping. TFIM can also be selected for authentication and authorization in the profile, but the TFIM module chain is invoked only once and must be configured to perform all the required operations. Mapping is not performed in output nodes, even if the node has been configured with a security profile.
In the broker, identity mapping is performed at the input node, after authentication and before authorization. The source identity is passed to an identity mapper (also known as a Federated Identity Manager) for processing.
A custom trust service module chain must be configured in TFIM, and TFIM selects one trust service chain to invoke per request, based on the IssuedBy and AppliesTo values supplied. WebSphere Message Broker Version 6.1 supports the mapping of a username token to a username token, and the mapping of an X.509 certificate to a username token. There is no support for mapping to an X.509 token. When mapping from an X.509 certificate, TFIM can validate the certificate but cannot be used to verify the identity of the original sender. However, if it is required, this verification can be performed by the SOAPInput node.
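The following is an added model of the flow described above, not IBM code and not TFIM configuration syntax: chains are keyed by (IssuedBy, AppliesTo), mapping runs only at an input node whose profile selects TFIM, username and X.509 sources may map to a username token, and any chain that targets an X.509 token is refused. All names, URNs and the DN-to-username rule are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Token:
    kind: str            # "username" or "x509"
    value: str           # user name, or the certificate subject DN
    realm: str = ""

# Trust-service chains keyed by (IssuedBy, AppliesTo); exactly one is selected per request.
Chain = Tuple[str, Callable[[Token], Token]]      # (target token kind, mapping function)
CHAINS: Dict[Tuple[str, str], Chain] = {}

def register_chain(issued_by: str, applies_to: str, target_kind: str,
                   fn: Callable[[Token], Token]) -> None:
    CHAINS[(issued_by, applies_to)] = (target_kind, fn)

def cn_from_dn(dn: str) -> str:
    """Extract the CN attribute from a subject DN such as 'CN=alice,OU=dev,O=example'."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key.upper() == "CN" and val:
            return val
    raise ValueError("subject DN has no CN attribute")

def tfim_map(token: Token, issued_by: str, applies_to: str) -> Token:
    """Select one chain by (IssuedBy, AppliesTo) and apply it, enforcing supported mapping types."""
    if token.kind not in ("username", "x509"):
        raise ValueError(f"unsupported source token kind: {token.kind}")
    if (issued_by, applies_to) not in CHAINS:
        raise LookupError(f"no trust chain for IssuedBy={issued_by} AppliesTo={applies_to}")
    target_kind, fn = CHAINS[(issued_by, applies_to)]
    if target_kind != "username":
        raise ValueError("mapping to an X.509 token is not supported")
    return fn(token)

def input_node(mapping_profile: Optional[str], token: Token, issued_by: str, applies_to: str) -> Token:
    """Input node: mapping runs only when the security profile selects TFIM as the mapper."""
    if mapping_profile == "TFIM":
        return tfim_map(token, issued_by, applies_to)
    return token     # no mapper selected: identity passes through unchanged

def output_node(mapping_profile: Optional[str], token: Token) -> Token:
    """Output node: never maps, whatever security profile is attached."""
    return token

# Constructed sample chains (hypothetical URNs; the realm strip and CN rule are illustrative).
register_chain("urn:example:issuer-a", "urn:example:broker", "username",
               lambda t: Token("username", t.value.split("@")[0], realm="brokerRealm"))
register_chain("urn:example:ca", "urn:example:broker", "username",
               lambda t: Token("username", cn_from_dn(t.value), realm="brokerRealm"))
register_chain("urn:example:issuer-a", "urn:example:x509-target", "x509", lambda t: t)
```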