Identity Propagation Mechanism at the Consumer of Portal Server

The consumer can set the identity propagation because the consumer has knowledge about end users. There are two phases in setting up the identity propagation:

Administrator Setup: Administrator of the consumer portal discovers that the producer supports specific identity propagation mechanisms. Then, the administrator set up the system that allows the user to use identity propagation.

User Setup: The end user federates its identity by populating the credentials.

The WSRP Producer available through Portal Server supports the following identity propagation mechanisms:

• SSO Token: Select if both the producer portal and the consumer portal are connected to the same Access Manager instance. Use when both the producer portal and consumer portal are deployed within the same organization. This option does not allow the end user to federate the identity because user identity from consumer and producer is accepted by the same Access Manager instance. This mechanism is not interoperable with other portal vendors.

• WSS User Name Token Profile (Username only): Uses the WSS specification where the user name is propagated as WS Security headers from the consumer portal to the producer portal.

• WSS User Name Token Profile (With password digest): WS Security headers send the user ID that is targeted at the producer with the password in the Digest form.

• WSS User Name Token Profile (With password text): WS Security headers send the user's user ID that is targeted at the producer with the password in the Text form.

• No Identity Propagation: This is the default behavior of WSRP as specified by the WSRP specification. This is the default option in Portal Server. A consumer created by default settings does not have identity propagation.

In the above list, WSS User Name Token Profile (Username only), WSS User Name Token Profile (With password digest), and WSS User Name Token Profile (With password text) implement the OASIS WSS Username token profile specification. This specification describes how to use the Username Token with web Services. The WSS specification describes how a web service consumer can supply a Username Token by identifying the requestor by username, and optionally using a password to authenticate that identity to the web service producer.

After the consumer is created, the administrator has to create remote channels based on the identity propagation mechanism supported by the consumer. After the channels are available on the user desktop, they are ready to accept identity propagation.

To Create User Credentials Using WebServices SSO Portlet

1. Log in to Portal Server.

2. In the WebServices SSO Portlet section, click Edit.

3. In the Create NewToken Profile section, select the WebService URL for which you want to create a user token profile.

4. Type the user name and password. Click Add to add the user name and password.

   You can also edit or remove an existing user token profile.