This is the continuation to the previous entry on WSRP and User Identity Propagation
Sun Java System Portal Server provides a two step/phase configuration for
the identity propagation mechanism it supports. In the first phase the administrator
of the WSRP Consumer sets up the relationship with the WSRP Producer and allows
the end user to do federation with the remote WSRP Producer service. In the
second phase the end-user may optionally federate his remote identity with
the local identity for Single-Signon with the remote producer. This two phase
configuration provides control to both the administrator and the enduser in
federating the identity of the enduser.
The following sections specifically talks about the identity propagation
mechanism setup at the WSRP Consumer end. This is because the Consumer is
the one which has the knowledge about the actual user and decides to propagate
the user identity. The two phase configuration along with the subsequent request/response
is as follows.Phase 1 : Administrator Setup
Phase 2 :
- The administrator of the Consumer Portal discovers that the Producer Portal
supports certain identity propagation mechanism.
- The Consumer Portal administrator setups the system that may optionally
allows the user to use identity propagation mechanism.
This normal request/response processing
- The enduser see that he has access to a remote WSRP Producer services and
may decide to federate his identity.
- The enduser federates his identity by populating his remote
- The Consumer Portal WSRP infrastructure uses the user remote credentials and
propagates the identity to the WSRP Producer upon user specific operations.
- The Producer Portal WSRP infrastructure accepts/validates and provides
content for the propagated remote identity.
- The Consumer Portal presents the content delivered by the Producer Portal
to the enduser.
In essence the two phase configuration allows the
administrator decides whether to use an identity propagation mechanism available
at the Producer Portal and he also determines the type of identity propagation
mechanism that the Consumer Portal should use. The user decides whether he want
to use the identity propagation mechanism made available to him by the
administrator and federates his identity if required.
Sun Java System Portal Servers WSRP implementation support the following
different types of identity propagation mechanisms,
No Identity Propagation :
- SSO Token: Where the SSOToken associated with the user is propagated from
the WSRP Consumer to the WSRP Producer
- WSS User Name Token Profile (Username only): It uses the WSS (Webservices
Security) specification where the user name is propagated as WS Security headers
from the WSRP Consumer to the WSRP Producer.
- WSS User Name Token Profile (With password digest): The WS Security headers
contain user name in plain text and password in the digest form to the WSRP
- WSS User Name Token Profile (With password text): The WS Security headers
contain user name and password in the plain text form to the WSRP Producer.
- No Identity Propagation : This defaults to the behavior where there will be
no user identity propagation mechanism from the WSRP Consumer to the WSRP
This is the
default behavior of WSRP as indicated in the WSRP specification, The WSRP
consumer propagates a notion of user to the WSRP Producer and there is no real
user identity play in the system when this option is used. This is the default
option in Sun Java System Portal Server, so any consumer that is created by
default will not have any identity propagation mechanism.SSOToken
Identity Propagation :
Sun Java System Portal Server uses Sun
Java System Access Manager for authenticating users and for Single Signon. This
options assumes that both the Producer and Consumer are Sun Java System Portal
Server, Make sure you use this option only if both the Producer portal and
Consumer portal are configured to use the same Access Manager instance.
Typically recommended in configurations where both the Producer Portal and
Consumer Portal are deployed within the same organization.
does not provide the end users with the options to federate their identities.
This is because the same user identity is accepted by both the Consumer and the
Producer portal as they point to the same Access Manager instance.
Note this identity propagation mechanism will not interoperate with other Portal
vendors and also will not work if the Producer Portal and Consumer Portal are
not pointing to the same Access Manager.WSS User Name Token
The following options are implementations of the OASIS
WSS Username token profile specification. This specification describes how to
use the UsernameToken with the Web Services Security (WSS) specification; more
specifically, it describes how a web service consumer can supply a UsernameToken
as a means of identifying the requester by 'username', and optionally using a
password, to authenticate that identity to the web service producer.
- WSS User Name Token Profile (Username only)
- WSS User Name Token Profile (With password digest)
- WSS User Name Token Profile (With password text)
Since this is
a standard specification from OASIS, various portal vendors support and
implement it. Use one of the above options when interpretability is required.
i.e., it allows portal implementations from 2 different vendors to exchange user
This option provides both the end user and the administrator
the flexibility to configure and control the identity propagation scheme that
is in effect. The following section details with the step by step instructions
for doing the above mentioned configurations in Sun Java System Portal
ServerAdministrator Setup :
Here are the specific
steps for administrator to do the administrator setup phase explained above
- Log on to portal server admin console (psconsole)
- Click on the WSRP Tab
- Choose the org on to which you want create a consumer
- Click on new consumer
- Enter the name of the consumer
- Specify the identity propagation mechanism
- Continue with the rest of the wizard to create a consumer
6 is the choice where the administrator chooses an sets up an
identityppropagationmechanism for the end-users. Once the consumer is created.
The administrator has to create remote channels based on the above created
consumer User setup : Federating identity
user logs on to the portal server, clicks on edit of the WS-SSO (Web Services
Single Signon Portlet) to provide the the remote WSRP Producers credentials for
Single Sign onWS-SSO Portlet :
The WS-SSO Portlet is
based on the SSOAdapter service that is available on the Sun Java System Portal
Server. The SSOAdapter service provides a mechanism to manage and authenticate
users to the remote services that are used by the Sun Java System Portal
The WS-SSO Portlet provides a user interface that allows end
users to populate values on to the SSOAdapter. The WS-SSO Portlet uses an
SSOAdapter named OASIS-USERNAME-TOKENPROFILE. The values populated by the end
user are stored in this SSOAdapter which is used by the WSRP Consumer to obtain
the user credentials if exists and propagate to the WSRP Producer
service.WSRP Request/Response :
Once the credentials
are made available by the user, For the subsequent requests when the user views
any of the remote portlets that are available on the desktop the user identity
is propagated by the WSRP Consumer to the Producer. The Producer based on the
identity generates contents for the userConfiguring the WSRP Producer
This section specifically talks about the WSRP Producer
The identity propagation mechanism is set at the producer
automatically, no need for the administrator to set it manually. The Producer
checks for user identity headers in the following order
- Sun SSO Token,
- OASIS user name token profile (all the variants of it )
Identity Propagation mode. (default behavior if none of the headers are
- Sun Java System Portal Server provides both a WSRP Producer and a WSRP
Consumer implementation. This section deals with the support for each of the
above mentioned options
- Sun Java System Portal Server WSRP Producer supports all the above mentioned
Identity Propagation Mechanisms except WSS User Name Token Profile (Username
- Sun Java System Portal Server WSRP Consumer supports all the above mentioned
Identity Propagation Mechanisms. i.e.. Sun SSO Token, WSS User Name Token
Profile (With password text), WSS User Name Token Profile (With digest text),
WSS User Name Token Profile (Username only) and no identity propagation.
- When using the WSS User Name Token Profile (With password text) it is
recommended that the communication between the producer portal and consumer
portal is secured via HTTPS, this is essential as the password is sent in plain
text between the consumer and the producer.
- It is not recommended to have 2 different consumers that point to the same
producer URL to have different identity propagation mechanism types.
- It would not be recommended to switch identity propagation types once the
consumer is created and used, this is because the users portlets preferences are
stored based on the identification of user, switching the identity propagation
mechanism would mean loss of user customization.
_uacct = "UA-898027-1";