
Tuesday September 26, 2006
This is the continuation of the previous entry on
WSRP and User Identity Propagation.
Sun Java System Portal Server provides a two-phase configuration for
the identity propagation mechanisms it supports. In the first phase the administrator
of the WSRP Consumer sets up the relationship with the WSRP Producer and allows
the end user to federate with the remote WSRP Producer service. In the
second phase the end user may optionally federate his remote identity with
his local identity for Single Sign-on with the remote Producer. This two-phase
configuration gives both the administrator and the end user control over
federating the end user's identity.
The following sections specifically talk about the identity propagation
mechanism setup at the WSRP Consumer end, because the Consumer is
the one that knows who the actual user is and decides whether to propagate
the user identity. The two-phase configuration, along with the subsequent request/response
processing, is as follows.
Phase 1 : Administrator Setup
- The administrator of the Consumer Portal discovers that the Producer Portal
supports a certain identity propagation mechanism.
- The Consumer Portal administrator sets up the system so that it may optionally
allow the user to use that identity propagation mechanism.
Phase 2 : User Setup
- The end user sees that he has access to remote WSRP Producer services and
may decide to federate his identity.
- The end user federates his identity by populating his remote
credentials.
Normal request/response processing :
- The Consumer Portal WSRP infrastructure uses the user's remote credentials and
propagates the identity to the WSRP Producer upon user-specific operations.
- The Producer Portal WSRP infrastructure accepts/validates the propagated remote
identity and provides content for it.
- The Consumer Portal presents the content delivered by the Producer Portal
to the end user.
In essence the two-phase configuration lets the
administrator decide whether to use an identity propagation mechanism available
at the Producer Portal, and also which type of identity propagation
mechanism the Consumer Portal should use. The user decides whether he wants
to use the identity propagation mechanism made available to him by the
administrator and federates his identity if required.
Sun Java System Portal Server's WSRP implementation supports the following
types of identity propagation mechanism:
- SSO Token: the SSOToken associated with the user is propagated from
the WSRP Consumer to the WSRP Producer.
- WSS User Name Token Profile (Username only): uses the WSS (Web Services
Security) specification; the user name is propagated in WS-Security headers
from the WSRP Consumer to the WSRP Producer.
- WSS User Name Token Profile (With password digest): the WS-Security headers
sent to the WSRP Producer contain the user name in plain text and the password
in digest form.
- WSS User Name Token Profile (With password text): the WS-Security headers
sent to the WSRP Producer contain the user name and password in plain text.
- No Identity Propagation: the default behavior, where there is
no user identity propagation from the WSRP Consumer to the WSRP
Producer.
No Identity Propagation : This is the
default behavior of WSRP as indicated in the WSRP specification. The WSRP
Consumer propagates only a notion of user to the WSRP Producer, and no real
user identity is in play in the system when this option is used. This is the default
option in Sun Java System Portal Server, so any consumer that is created by
default will not have any identity propagation mechanism.
SSOToken Identity Propagation : Sun Java System Portal Server uses Sun
Java System Access Manager for authenticating users and for Single Sign-on. This
option assumes that both the Producer and the Consumer are Sun Java System Portal
Server; use this option only if both the Producer portal and the
Consumer portal are configured to use the same Access Manager instance.
It is typically recommended in configurations where both the Producer Portal and
the Consumer Portal are deployed within the same organization.
This option
does not give the end users the option to federate their identities,
because the same user identity is accepted by both the Consumer and the
Producer portal as they point to the same Access Manager instance.
Note that this identity propagation mechanism will not interoperate with other portal
vendors, and also will not work if the Producer Portal and the Consumer Portal are
not pointing to the same Access Manager.
WSS User Name Token Profiles : The following options are implementations of the OASIS
WSS Username Token Profile specification. This specification describes how to
use the UsernameToken with the Web Services Security (WSS) specification; more
specifically, it describes how a web service consumer can supply a UsernameToken
as a means of identifying the requester by 'username', and optionally using a
password to authenticate that identity to the web service producer.
- WSS User Name Token Profile (Username only)
- WSS User Name Token Profile (With password digest)
- WSS User Name Token Profile (With password text)
Since this is
a standard specification from OASIS, various portal vendors support and
implement it. Use one of the above options when interoperability is required,
i.e., when portal implementations from two different vendors need to exchange user
identity.
These options give both the end user and the administrator
the flexibility to configure and control the identity propagation scheme that
is in effect. The following section gives step-by-step instructions
for doing the above-mentioned configurations in Sun Java System Portal
Server.
Administrator Setup : Here are the specific
steps for the administrator setup phase explained above:
- Log on to the portal server admin console (psconsole)
- Click on the WSRP tab
- Choose the org in which you want to create a consumer
- Click on new consumer
- Enter the name of the consumer
- Specify the identity propagation mechanism
- Continue with the rest of the wizard to create the consumer
Step 6 (Specify the identity propagation mechanism) is where the administrator
chooses and sets up an identity propagation mechanism for the end users. Once the
consumer is created, the administrator has to create remote channels based on the
newly created consumer.
User Setup : Federating identity. The end
user logs on to the portal server and clicks Edit on the WS-SSO (Web Services
Single Sign-on) Portlet to provide the remote WSRP Producer's credentials for
Single Sign-on.
WS-SSO Portlet : The WS-SSO Portlet is
based on the SSOAdapter service that is available in Sun Java System Portal
Server. The SSOAdapter service provides a mechanism to manage and authenticate
users to the remote services that are used by Sun Java System Portal
Server.
The WS-SSO Portlet provides a user interface that allows end
users to populate values in the SSOAdapter. The WS-SSO Portlet uses an
SSOAdapter named OASIS-USERNAME-TOKENPROFILE. The values populated by the end
user are stored in this SSOAdapter, which is used by the WSRP Consumer to obtain
the user's credentials, if they exist, and propagate them to the WSRP Producer
service.
WSRP Request/Response : Once the credentials
are made available by the user, on subsequent requests when the user views
any of the remote portlets that are available on the desktop the user identity
is propagated by the WSRP Consumer to the Producer. The Producer generates
content for the user based on that identity.
Configuring the WSRP Producer : This section specifically talks about the WSRP Producer
configuration.
The identity propagation mechanism is set at the Producer
automatically; there is no need for the administrator to set it manually. The Producer
checks for user identity headers in the following order:
- Sun SSO Token
- OASIS user name token profile (all the variants of it)
- No Identity Propagation mode (default behavior if none of the headers are
found)
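As an added illustration of the WSS Username Token Profile variants described earlier and of the Producer's header precedence just listed (example code written for this post, not part of Sun Java System Portal Server; the account store, user name, password and header field names are constructed stand-ins), the following Python builds a UsernameToken on the Consumer side and validates it on the Producer side, including a nonce replay check for the digest variant:

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timezone

PRODUCER_ACCOUNTS = {"alice": "s3cret-demo"}  # constructed sample store, hypothetical user

def password_digest(nonce, created, password):
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the OASIS profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")

def consumer_username_token(username, password, digest=True, nonce=None, created=None):
    """Consumer side: the UsernameToken fields placed in the WS-Security header."""
    if not digest:  # 'With password text' variant: password travels in clear, so use HTTPS
        return {"Username": username, "PasswordText": password}
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Username": username,
            "PasswordDigest": password_digest(nonce, created, password),
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "Created": created}

def producer_verify_token(token, seen_nonces):
    """Producer side: validate a UsernameToken; returns the user name or None."""
    password = PRODUCER_ACCOUNTS.get(token.get("Username"))
    if password is None:
        return None
    if "PasswordDigest" in token:
        if token["Nonce"] in seen_nonces:  # same nonce seen before: replayed token
            return None
        expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return None
        seen_nonces.add(token["Nonce"])
        return token["Username"]
    if "PasswordText" in token and hmac.compare_digest(token["PasswordText"].encode(), password.encode()):
        return token["Username"]
    return None  # 'Username only' carries no proof; the notes say the Producer does not accept it

def producer_resolve_identity(headers, seen_nonces):
    """Producer precedence from the text: SSO token, then UsernameToken, else no propagation."""
    if headers.get("SSOToken"):  # in the product this is validated against Access Manager
        return ("sso-token", headers["SSOToken"])
    if headers.get("UsernameToken"):
        user = producer_verify_token(headers["UsernameToken"], seen_nonces)
        # Assumption: a header that fails validation is rejected, not treated as anonymous.
        return ("wss-username-token", user) if user else ("rejected", None)
    return ("none", None)
```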
Notes/Recommendations :
- Sun Java System Portal Server provides both a WSRP Producer and a WSRP
Consumer implementation. This section deals with the support in each for the
above-mentioned options.
- The Sun Java System Portal Server WSRP Producer supports all the above-mentioned
identity propagation mechanisms except WSS User Name Token Profile (Username
only).
- The Sun Java System Portal Server WSRP Consumer supports all the above-mentioned
identity propagation mechanisms, i.e., Sun SSO Token, WSS User Name Token
Profile (With password text), WSS User Name Token Profile (With password digest),
WSS User Name Token Profile (Username only) and no identity propagation.
- When using WSS User Name Token Profile (With password text) it is
recommended that the communication between the Producer portal and the Consumer
portal is secured via HTTPS; this is essential because the password is sent in plain
text between the Consumer and the Producer.
- It is not recommended for two different consumers that point to the same
Producer URL to use different identity propagation mechanism types.
- It is not recommended to switch identity propagation types once the
consumer has been created and used, because the users' portlet preferences are
stored based on the identification of the user; switching the identity propagation
mechanism would mean loss of user customization.