Identity and User Mapping

The SiteMinder Agent for IBM WebSphere provides user mapping so that SiteMinder can remain responsible for user authentication even when SiteMinder and WebSphere are not configured to authenticate users against the same user store.

By default, both the SiteMinder TAI and the SiteMinder Login Module authenticate the user against SiteMinder and propagate the resulting identity by populating the Subject with a SiteMinder Principal, which the SiteMinder JACC Provider requires in order to authorize the user. They also propagate that identity to WebSphere, which creates its own principal and adds it to the Subject.

WebSphere, however, requires that the Subject contain an identity that is valid against the WebSphere user registry in order to handle WebSphere Single Signon (SSO) and all J2EE programmatic security calls. The exceptions are isUserInRole() and isCallerInRole(), which are handled through the JACC specification and therefore require only the SiteMinder Principal.

To satisfy this requirement, you configure user mapping policy objects (a user mapping rule, response, and policy) in the policy realm used by the SiteMinder TAI and SiteMinder Login Module. These objects define a mapped identity that is valid against the WebSphere user registry. When a user makes a request, the user is authenticated with the SiteMinder identity, but the SiteMinder Agent for IBM WebSphere module that performs the authentication propagates the alternate, mapped identity to WebSphere, which converts it into a principal and places it in the Subject alongside the SiteMinder Principal.
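The split described above (container identity and SSO served from the WebSphere principal, role checks served from the SiteMinder Principal through JACC) is easiest to verify by inspecting the caller Subject from inside a protected servlet. The following diagnostic servlet is an added example and is not code from the SiteMinder Agent for IBM WebSphere or its documentation. It uses only public WebSphere APIs (WSSubject.getCallerSubject() and WSSubject.getCallerPrincipal()); the role name "employee" is an assumption and must match a role declared in the application's web.xml and in the SiteMinder JACC policy. The SiteMinder Principal class name is not assumed: every principal in the Subject is listed by class so the two can be told apart.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

// Diagnostic servlet: shows which identity each security API sees once user mapping is
// configured. Deploy only for verification; it prints identity details to the client.
public class SubjectCheckServlet extends HttpServlet {

    // J2EE role this servlet is constrained to. Assumed name for this example; it has to
    // exist in web.xml and be granted in the SiteMinder JACC policy for the check to pass.
    private static final String ROLE = "employee";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Container identity. These calls are answered from the WebSphere principal, so with
        // user mapping in place they must return the mapped identity that exists in the
        // WebSphere user registry, not the SiteMinder login name.
        Principal container = req.getUserPrincipal();
        out.println("getRemoteUser():    " + req.getRemoteUser());
        out.println("getUserPrincipal(): " + (container == null ? "null" : container.getName()));

        // Role check. With the SiteMinder JACC Provider installed this is decided from the
        // SiteMinder Principal, so it can succeed even though the registry identity differs.
        out.println("isUserInRole(" + ROLE + "): " + req.isUserInRole(ROLE));

        // Whole Subject: both principals should be present side by side.
        try {
            Subject subject = WSSubject.getCallerSubject();
            if (subject == null) {
                out.println("no caller Subject: request is unauthenticated");
                return;
            }
            out.println("WSSubject.getCallerPrincipal(): " + WSSubject.getCallerPrincipal());
            for (Principal p : subject.getPrincipals()) {
                // One line per principal; the class name identifies which component added it.
                out.println("principal " + p.getClass().getName() + " = " + p.getName());
            }
        } catch (WSSecurityException e) {
            out.println("could not read caller Subject: " + e.getMessage());
        }
    }
}
```

Protect the servlet with a security-constraint in web.xml that references the same role, and place its URL inside a SiteMinder realm that carries the user mapping rule, response, and policy. A correct configuration shows getRemoteUser() and WSSubject.getCallerPrincipal() returning the mapped registry identity, isUserInRole() returning true for a user the SiteMinder policy grants the role, and two principals in the Subject: a com.ibm.websphere.security.auth.WSPrincipal holding the mapped name and a second, SiteMinder-supplied principal holding the SiteMinder identity. If only one principal appears, or getRemoteUser() returns the SiteMinder login name, the mapping response is not being delivered to the module that authenticated the request.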