ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wssecidassert.htm

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">

<title>Identity assertion</title>
</head>

<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>

<h6><a name="wssecidassert"></a>Identity assertion</h6>

<p>Identity assertion is a method for expressing the identity of the sender (for example, user name) in a Simple Object Access Protocol (SOAP) message. When identity assertion is used as a authentication method, the authentication decision is performed based only on the name of the identity, but not on other information such as passwords and certificates.</p>

<p><strong>ID type</strong></p>
<p>The Web services security implementation in WebSphere Application Server - Express supports the following types of identity:</p>

<ul>
<li><p><strong>User name</strong>
<br>Denotes the user name, such as the one in the local operating system (for example, <tt>alice</tt>). This name is embedded in the &lt;Username&gt; element within the &lt;UsernameToken&gt; element.</p></li>

<li><p><strong>DN</strong>
<br>Denotes the distinguished name (DN) for the user, such as <tt>CN=alice, O=IBM, C=US</tt>. This name is embedded in the &lt;Username&gt; element within the &lt;UsernameToken&gt; element.</p></li>

<li><p><strong>X.509 certificate</strong>
<br>Represents the identity of the user as a X.509 certificate instead of a string name. This certificate is embedded in the &lt;BinarySecurityToken&gt; element.</p></li>
</ul>

<p><strong>Managing trust</strong></p>
<p>The intermediary host in the SOAP message itinerary can assert the initial sender's claimed identity. Two methods (called trust mode) are supported for this assertion:</p>

<ul>
<li><p><strong>Basic authentication</strong>
<br>The intermediary adds its user name and password pair to the message.</p></li>

<li><p><strong>Signature</strong>
<br>The intermediary digitally signs the &lt;UsernameToken&gt; element of the initial sender.</p></li>
</ul>

<p><strong>Note:</strong> This trust mode does not support the X.509 certificate ID type.</p>

<p>In addition to the trust mode, the ultimate receiver can evaluate the trustworthiness of the asserting identity (rather than the initial sender identity) using the trusted ID evaluator. For the details about the trusted ID evaluator, see <a href="wssectrustid.htm">Trusted ID evaluator</a>.</p>

<p><strong>Typical scenario</strong></p>

<p>ID assertion is typically used in the multi-hop environment where the SOAP message passes through one or more intermediary hosts. The intermediary host authenticates the initial sender. The following scenario describes the process:</p>

<ol>
<li>The initial sender sends a SOAP message to the intermediary host with some embedded authentication information. This authentication information may be a user name and password pair and an LTPA token.</li>
<li>The intermediary host authenticates the initial sender according to the embedded authentication information.</li>
<li>The intermediary host removes the authentication information from the SOAP message and replaces it with the &lt;UsernameToken&gt; element, which contains a user name.</li>
<li>The intermediary host asserts the trust according to the trust mode.</li>
<li>The intermediary host sends the updated SOAP message to the ultimate receiver.</li>
<li>The ultimate receiver checks the trust against the intermediary host information according to the configured trust mode. Also, the trusted ID evaluator is invoked.</li>
<li>If trust is established by the ultimate receiver, it invokes the Web service under the authorization of the user name (that is, the initial sender) in the SOAP message.</li>
</ol> 

</body>
</html>