Identity assertion is a method for expressing the identity of the sender (for example, user name) in a Simple Object Access Protocol (SOAP) message. When identity assertion is used as a authentication method, the authentication decision is performed based only on the name of the identity, and on other information such as passwords and certificates.
ID type
The Web services security implementation in WebSphere Application Server - Express supports the following types of identity:
User name
Denotes the user name, such as the one in the local operating system (for example, alice). This name is embedded in the <Username> element within the <UsernameToken> element.
DN
Denotes the distinguished name (DN) for the user, such as CN=alice, O=IBM, C=US. This name is embedded in the <Username> element within the <UsernameToken> element.
X.509 certificate
Represents the identity of the user as a X.509 certificate instead of a string name. This certificate is embedded in the <BinarySecurityToken> element.
Managing trust
The intermediary host in the SOAP message itinerary can assert the initial sender's claimed identity. Two methods (called trust mode) are supported for this assertion:
Basic authentication
The intermediary adds its user name and password pair to the message.
Signature
The intermediary digitally signs the <UsernameToken> element of the initial sender.
Note: This trust mode does not support the X.509 certificate ID type.
In addition to the trust mode, the ultimate receiver can evaluate the trustworthiness of the asserting identity (rather than the initial sender identity) using the trusted ID evaluator. For the details about the trusted ID evaluator, see Trusted ID evaluator.
Typical scenario
ID assertion is typically used in the multi-hop environment where the SOAP message passes through one or more intermediary hosts. The intermediary host authenticates the initial sender. The following scenario describes the process: