WebSphere Message Brokers
File: ap04030_
Writer: Stephanie J Strugnell

Concept topic

This build: July 31, 2007 21:34:45

Identity mapping

Identity mapping is the transformation of an identity in one format to an identity in another format, or the transformation of an identity in one realm to an identity in another realm.

Diagram showing identity mapping.

In WebSphere Message Broker Version 6.1, the supported mapper is IBM Tivoli Federated Identity Manager (TFIM). Mapping is performed only for input nodes with an associated security profile that selects TFIM for mapping. TFIM can also be selected for authentication and authorization in the profile, but the TFIM module chain is invoked only once per request and must therefore be configured to perform all the required operations. Mapping is not performed in output nodes, even if the node has been configured with a security profile.

In the broker, identity mapping is performed at the input node, after authentication and before authorization. The source identity is passed to an identity mapper (also known as a Federated Identity Manager) for processing.

A request is made to the TFIM trust service with the three parameters:

A custom trust service module chain must be configured in TFIM, and TFIM selects one trust service chain to invoke per request, based on the IssuedBy and AppliesTo values supplied. WebSphere Message Broker Version 6.1 supports the mapping of a username token to a username token, and the mapping of an X.509 certificate to a username token. There is no support for mapping to an X.509 token. When mapping from an X.509 certificate, TFIM can validate the certificate but cannot be used to verify the identity of the original sender. However, if it is required, this verification can be performed by the SOAPInput node.
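The following is an added illustration, not WebSphere Message Broker or TFIM code: a small model of the input-node sequence (authenticate, map, authorize) in which TFIM selects exactly one module chain per request from the IssuedBy and AppliesTo values, and only a username token can be the mapping target. All chain names, identities and sets below are constructed assumptions.

```python
"""Hypothetical model of broker input-node security with TFIM mapping.
Added illustration only; names and values are assumptions, not product APIs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    kind: str   # "username" or "x509"
    value: str  # user name, or certificate subject DN for an X.509 token


# Constructed module chains keyed by (IssuedBy, AppliesTo); each returns a username token.
CHAINS = {
    ("urn:partner-a", "urn:broker/orders"):
        lambda t: Token("username", t.value.upper()),
    ("urn:partner-b", "urn:broker/orders"):
        lambda t: Token("username", t.value.split("CN=")[1].split(",")[0].lower()),
}

# Constructed identity stores for the authentication and authorization steps.
AUTHENTICATED = {"alice", "CN=Bob Smith,O=PartnerB"}
AUTHORIZED = {"ALICE", "bob smith"}


def tfim_map(token: Token, issued_by: str, applies_to: str) -> Token:
    """Pick one chain for (IssuedBy, AppliesTo) and run it once on the source identity."""
    if token.kind not in ("username", "x509"):
        raise ValueError(f"unsupported source token type: {token.kind}")
    chain = CHAINS.get((issued_by, applies_to))
    if chain is None:
        raise LookupError(f"no trust chain for IssuedBy={issued_by} AppliesTo={applies_to}")
    mapped = chain(token)
    if mapped.kind != "username":  # mapping to an X.509 token is not supported
        raise ValueError("mapping target must be a username token")
    return mapped


def input_node_security(token: Token, issued_by: str, applies_to: str) -> Token:
    """Input-node order: authentication, then mapping, then authorization of the mapped identity.
    Output nodes never call tfim_map, even when a security profile is attached."""
    if token.value not in AUTHENTICATED:
        raise PermissionError("authentication failed for source identity")
    mapped = tfim_map(token, issued_by, applies_to)
    if mapped.value not in AUTHORIZED:
        raise PermissionError(f"{mapped.value} is not authorized")
    return mapped


if __name__ == "__main__":
    print(input_node_security(Token("x509", "CN=Bob Smith,O=PartnerB"),
                              "urn:partner-b", "urn:broker/orders"))
```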

Related concepts
Identity
Authentication
Authorization
Identity propagation
Security profiles
Security exception processing
Related tasks
Configuring identity
Configuring authentication
Configuring identity mapping
Configuring a security profile
Creating a security profile for LDAP
Configuring a security profile for TFIM
Configuring authorization
Configuring a message flow for identity propagation
Setting up message flow security
Related reference
mqsicreateconfigurableservice command
mqsideleteconfigurableservice command
mqsichangeproperties command
mqsireportproperties command
MQInput node
HTTPInput node
HTTPRequest node
MQOutput node

Copyright IBM Corporation 1999, 2007. All Rights Reserved.