Identity Propagation Mechanism

Identity propagation is a mechanism by which the WSRP consumer supplies the identity of the user to the WSRP producer web service. Users federate their identity between the consumer and producer. After a successful federation, the consumer portal propagates the user identity to the producer portal. The WSRP producer, after receiving the user credentials from the consumer, validates the credentials and allows or denies access to the resource in the specified user context.

The user has two identities for each portal: one for producer portal and the other for the consumer portal. Users federate these identities using the identity propagation mechanism, which provides single-sign on for the consumer and the producer portal. When the user logs into the portal through the consumer portal, the user gets the content that the user gets when logs directly into the producer portal. The changes that the user makes using the federated identity would be available when the user logs into the producer portal.

Identity Propagation Mechanism at the Consumer of Portal Server

The consumer can set the identity propagation because the consumer has knowledge about end users. There are two phases in setting up the identity propagation:

Administrator Setup: Administrator of the consumer portal discovers that the producer supports specific identity propagation mechanisms. Then, the administrator set up the system that allows the user to use identity propagation.

User Setup: The end user federates its identity by populating the credentials.

The WSRP Producer available through Portal Server supports the following identity propagation mechanisms:

• SSO Token: Select if both the producer portal and the consumer portal are connected to the same Access Manager instance. Use when both the producer portal and consumer portal are deployed within the same organization. This option does not allow the end user to federate the identity because user identity from consumer and producer is accepted by the same Access Manager instance. This mechanism is not interoperable with other portal vendors.

• WSS User Name Token Profile (Username only): Uses the WSS specification where the user name is propagated as WS Security headers from the consumer portal to the producer portal.

• WSS User Name Token Profile (With password digest): WS Security headers send the user ID that is targeted at the producer with the password in the Digest form.

• WSS User Name Token Profile (With password text): WS Security headers send the user's user ID that is targeted at the producer with the password in the Text form.

• No Identity Propagation: This is the default behavior of WSRP as specified by the WSRP specification. This is the default option in Portal Server. A consumer created by default settings does not have identity propagation.

In the above list, WSS User Name Token Profile (Username only), WSS User Name Token Profile (With password digest), and WSS User Name Token Profile (With password text) implement the OASIS WSS Username token profile specification. This specification describes how to use the Username Token with web Services. The WSS specification describes how a web service consumer can supply a Username Token by identifying the requestor by username, and optionally using a password to authenticate that identity to the web service producer.

After the consumer is created, the administrator has to create remote channels based on the identity propagation mechanism supported by the consumer. After the channels are available on the user desktop, they are ready to accept identity propagation.

To Create User Credentials Using WebServices SSO Portlet

1. Log in to Portal Server.

2. In the WebServices SSO Portlet section, click Edit.

3. In the Create NewToken Profile section, select the WebService URL for which you want to create a user token profile.

4. Type the user name and password. Click Add to add the user name and password.

   You can also edit or remove an existing user token profile.

Identity Propagation at Producer

The identity propagation mechanism is set at the producer automatically. Portal Server supports the following identity propagation mechanisms: Sun SSO Token, OASIS user name token (all its variants), and No identity propagation.

Configuring the Sun Java System WSRP Producer to Accept Digest Passwords

• Only the newly created users, after running the configuration command to store the LDAP passwords in plain text, are able to use the Digest Password facility.

• Creation of a consumer involves selecting the WSSO Username Token Profile (with Digest Password) option for User Identity Propagation Mechanism.

• The Web Services SSO Portlet must be edited to select the appropriate Web service URL (producer) and the newly created username and password must be provided.

To Configure the Sun Java System WSRP Producer to Accept Digest Passwords

1. Run the following command to change the password storage scheme of the Directory Server so that plain text passwords are stored.

   /opt/SUNWdsee/ds6/bin/dscfg set-server-prop pwd-storage-scheme:CLEAR

2. Create a new user in the Access Manager console to ensure that the Username Token Profile with Password Digest can be used.

Best Practices for Using Identity Propagation Mechanism

• When using the WSS User Name Token Profile (With password text), make sure that the communication between the producer portal and consumer portal is secure, because the password is sent in plain text between the consumer and the producer.

• Do not have two different consumers that point to the same producer URL using different identity propagation mechanism types.

• Do not switch to another identity propagation mechanism after a consumer has been created and is using an identity propagation mechanism, because the user's portlets preferences are stored based on the identification of the user, and switching to another identity propagation results in a loss of user customization.