Single Sign-On for Resource Adapters and JCA

Use

The AS Java enables resource adapter SSO for access to backend resources using caller principal mapping, Kerberos, and authentication assertion tickets. The backend resources can be, for example, databases or Enterprise Information Systems (EIS).

For caller principal mapping and Kerberos, you can use the authentication types and mechanisms specified by the JCA specification. In addition, the AS Java can use authentication assertion tickets to enable resource adapter SSO for access to the backend resource.

Features

You specify the authentication types and authentication mechanisms in the deployment descriptors of the resource adapter during its development. There is no runtime configuration to enable SSO for resource adapters.

Caller Principal Mapping

The AS Java enables you to use the following authentication types to map the caller principal to the resource principal:

  • caller impersonation - the subject, which is passed to the resource adapter, must be a clone of the caller's subject containing the principal and its credentials. In this case, no new credentials are created and only the already existing credentials in the cloned subject are forwarded.
  • credentials mapping - the name of the resource principal is the same as the caller principal. The type of credential that needs to be created depends on the authentication mechanism that is configured in the resource adapter deployment descriptor.
  • principal mapping - the resource principal is determined by the settings in the resource adapter's configuration, which holds the mappings from the caller principals to the resource principals. The type of credential that needs to be created depends on the authentication mechanism that is configured in the resource adapter deployment descriptor.
  • configured identity - the resource principal is determined by the fixed settings in the resource adapter's configuration. This means that for all caller principals, the same resource principal is created according to these settings. The type of credential that needs to be created depends on the authentication mechanism that is configured in the deployment descriptor.

Authentication Mechanisms

To authenticate resource adapter access to a backend resource, you can use the most common mechanism defined by the Java Connector Architecture specification: authentication with a username and password.

In addition, the AS Java enables you to specify the use of authentication assertion tickets for SSO to the backend resource.

Activities

You configure the authentication type and the authentication mechanism for resource adapters during resource adapter development. You use the resource adapter deployment descriptors to configure the resource adapter authentication and SSO options. Based on the deployment descriptors, the AS Java automatically assigns relevant login modules to the resource adapter policy configuration and no runtime configuration is necessary.

  • You configure the caller principal mapping as an authentication type in the connector-j2ee-engine.xml additional deployment descriptor, using the tag <authentication-type>. The AS Java uses the information in this tag to determine the resource principal from the credentials of the resource caller. Depending on the authentication type you specify, you also provide information in the deployment descriptor about mapping the caller to the resource principal.
  • You configure the authentication mechanism type in the ra.xml deployment descriptor, using the tag <authentication-mechanism-type>. The AS Java uses this tag to determine the authentication mechanisms to use. You can choose the JCA standard value BasicPassword for username and password authentication.

    In addition, to enable Single Sign-On with authentication assertion tickets, you choose the value SAPAssertionTicket or the corresponding object ID 1.3.6.1.4.1.694.2.1.3.1 as the value for this tag.

    Tip

    The example below shows the relevant tags in the resource adapter deployment descriptor (ra.xml) for enabling the use of SSO with Authentication Assertion Tickets.

    <authentication-mechanism>
       <authentication-mechanism-type>
          SAPAssertionTicket
       </authentication-mechanism-type>
       <credential-interface>
          javax.resource.spi.security.GenericCredential
       </credential-interface>
    </authentication-mechanism>
  • During resource adapter deployment, the AS Java adds login modules to the resource adapter policy configuration, based on the information you configured for the resource adapter deployment descriptors.
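The adapter-side counterpart of the descriptor settings above, as an added example that is not SAP's code: a ManagedConnectionFactory implementation receives the caller's Subject and must pick the credential matching the declared <authentication-mechanism-type>, a PasswordCredential for BasicPassword or a GenericCredential for SAPAssertionTicket. It assumes the mechanism name is passed in as a string and that GenericCredential.getMechType() reports the ticket object ID quoted on this page.

```java
// Added example, not SAP's code. The OID is the one quoted on this page; that
// getMechType() returns it for an assertion ticket is an assumption of this example.
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.GenericCredential;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

public final class BackendCredentialResolver {
    static final String SAP_ASSERTION_TICKET_OID = "1.3.6.1.4.1.694.2.1.3.1";

    /** What the adapter hands to the backend: either a password login or a ticket. */
    public static final class BackendLogin {
        public final String user; public final char[] password; public final byte[] ticket;
        BackendLogin(String user, char[] password, byte[] ticket) {
            this.user = user; this.password = password; this.ticket = ticket;
        }
    }

    /** Select the credential matching the <authentication-mechanism-type> declared in ra.xml. */
    public static BackendLogin resolve(Subject subject, String mechanismType)
            throws SecurityException {
        if (subject == null) {
            throw new SecurityException("no caller subject was passed to the adapter");
        }
        if ("BasicPassword".equals(mechanismType)) {
            // credential-interface javax.resource.spi.security.PasswordCredential
            for (PasswordCredential pc : privateCreds(subject, PasswordCredential.class)) {
                return new BackendLogin(pc.getUserName(), pc.getPassword(), null);
            }
        } else if ("SAPAssertionTicket".equals(mechanismType)) {
            // credential-interface javax.resource.spi.security.GenericCredential (see ra.xml above)
            for (GenericCredential gc : privateCreds(subject, GenericCredential.class)) {
                if (SAP_ASSERTION_TICKET_OID.equals(gc.getMechType())) {
                    return new BackendLogin(gc.getName(), null, gc.getCredentialData());
                }
            }
        }
        // Fail closed: never fall back to a weaker mechanism than the descriptor declared.
        throw new SecurityException("no credential found for mechanism " + mechanismType);
    }

    // Private credentials are read under doPrivileged so only the adapter's own permissions apply.
    private static <T> Set<T> privateCreds(final Subject s, final Class<T> type) {
        return AccessController.doPrivileged(new PrivilegedAction<Set<T>>() {
            public Set<T> run() { return s.getPrivateCredentials(type); }
        });
    }
}
```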