Sun Identity Manager 8.1 Web Services

Editing the File

The following table describes three optional entries in the file that you can use to control how SPML requests are authorized.

Table 1–2 Optional Entries in

Entry Name       Description

soap.username    Name of the Identity Manager user who performs SPML requests

soap.password    Clear text password for the user specified by soap.username

soap.epassword   Base-64 representation of an encrypted password for the user specified by soap.username

Editing soap.epassword and soap.password Properties

The user specified in soap.username is known as the proxy user.

You can specify only one password property for the proxy user, either soap.password or soap.epassword:

Establishing a proxy user is convenient for clients because authentication is not required by the web service. This configuration is common for portal environments where the Identity Manager server is only accessed by other applications that handle user authentication.
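The following script is an added example, not part of the Sun Identity Manager documentation or product. It parses Java-style properties text and audits the three optional entries described above, reporting when a proxy user is configured (so SPML callers need no credentials), when the password is stored in clear text, and when both password properties are set although only one may be specified. The sample property values are constructed; the file name and path of the real properties file are not assumed.

```python
"""Audit the SPML proxy-user entries in an Identity Manager properties file.

Added example (not Sun's code). It reads Java-style key=value properties text
and reports on the optional entries soap.username, soap.password and
soap.epassword described in Table 1-2.
"""

# Constructed sample configurations (values are made up for the example).
SAMPLE_OK = """\
# proxy user with an encrypted password
soap.username=spmlproxy
soap.epassword=QUJDREVGR0hJSktMTU5PUA==
"""

SAMPLE_RISKY = """\
soap.username=spmlproxy
soap.password=secret
soap.epassword=QUJDREVGR0hJSktMTU5PUA==
"""


def parse_properties(text):
    """Minimal parser for Java .properties lines.

    Handles 'key=value' and 'key: value', skips blank lines and lines starting
    with '#' or '!'. Line continuations and escapes are not needed here.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever separator ('=' or ':') appears first in the line.
        positions = [line.find(sep) for sep in ("=", ":") if sep in line]
        if positions:
            idx = min(positions)
            key, value = line[:idx], line[idx + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def audit_proxy_user(props):
    """Return a list of findings about the SPML proxy-user settings."""
    findings = []
    user = props.get("soap.username")
    has_clear = "soap.password" in props
    has_enc = "soap.epassword" in props

    if user is None:
        # A password entry without a user name has nothing to apply to.
        if has_clear or has_enc:
            findings.append("password entry present but soap.username is not set")
        return findings

    # A proxy user means the web service does not require callers to authenticate.
    findings.append(
        f"proxy user configured: {user!r}; SPML callers need no credentials"
    )
    if has_clear and has_enc:
        findings.append(
            "both soap.password and soap.epassword are set; only one may be specified"
        )
    if has_clear:
        findings.append("soap.password stores the proxy user's password in clear text")
    if not has_clear and not has_enc:
        findings.append("soap.username is set but no password entry is present")
    return findings


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("risky", SAMPLE_RISKY)):
        print(f"[{name}]")
        for finding in audit_proxy_user(parse_properties(text)):
            print("  -", finding)
```

Run it against the text of your own properties file instead of the constructed samples; a "proxy user configured" finding is the cue to confirm that the HTTP port is not generally reachable, as the caution below describes.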

Caution –

Using a proxy user can be dangerous if the HTTP port on which the responding server resides is generally accessible. Anyone who knows the Identity Manager server’s URL and understands how to build SPML requests can submit operations that Identity Manager then performs as the proxy user, with that user's rights.

The SPML standard does not specify how to perform authentication and authorization. Several related web standards are available for authentication, but these standards are not yet in common use. At this time, the most common approach for authentication is to use the Secure Sockets Layer (SSL) between applications and the server. Identity Manager does not dictate how to configure SSL.

If you cannot use a proxy user or SSL, Identity Manager supports a vendor-specific extension to SPML that allows the client to log in and maintain a session token, which can be used to authenticate subsequent requests. You can use the LighthouseClient class (an extension of the SpmlClient class that includes support for specifying credentials) to perform a login request and pass a session token in all SPML requests.

Note –

The Service Provider SPML interface does not support authentication and authorization. However, you can configure the Identity Manager SPML interface to use the IDMXUser view instead of using Service Provider SPML.

Service Provider assumes that clients accessing Identity Manager have been authenticated and authorized by an access management application. The client has all possible rights when using the Service Provider SPML interface.

To prevent sensitive data from being exposed between the client and Identity Manager, consider accessing the Service Provider SPML interface over SSL.

Creating an Encrypted Password

Use one of the following methods to create an encrypted password: