This entry is a collection of references to developerworks articles on advanced Tivoli Federated Identity Manager (TFIM) concepts, development, and integrations. I have also included a few of my articles related to Tivoli Access Manager (TAM), as I often use the concepts from both in various Tivoli security deployments that I am involved with. I hope you find this collection of articles useful, and if you would like me to write about another other aspects of TFIM or TAM, please let me know.
|Link to Article/Tutorial||Description|
|STS Module Development Tutorial||TFIM 6.2 now delivers an Eclipse-based development approach for authoring custom product extensions. |
TFIM now uses an OSGi plug-in runtime environment and developers can author several different types of plug-ins using standard Eclipse extension tooling. One of the primary TFIM extension interfaces for customers is the Security Token Service Module (STS Module). This extension point allows customers to easily author their own identity token or mapping modules in Eclipse (or Rational Application Developer) and export them as plug-ins that will work with TFIM. The STS Module Development Tutorial walks through the complete development process from establishing a Eclipse environment for TFIM development to deploying and testing a plug-in. Examples are provided for both mapping modules and simple token modules.
|Tivoli Federated Identity Manager Business Gateway and ASP.NET Authentication||This is actually a refresh from an article first delivered TFIM 6.1.1 and represents a new and improved way of providing IIS web server integration. Major enhancements include:|
|Integrating Tivoli Federated Identity Manager with Tivoli Identity Manager||This article presents a Security Token Service mapping module which allows user identity data to be queried from Tivoli Identity Manager, and is particular useful in SOA environments. This article is authored by Neil Readshaw.|
|IBM Tivoli Access Manager: WebSEAL Kerberos Junctions||This describes in detail how to configure the new Kerberos Junctions capability in Tivoli Access Manager 6.1. This capability leverages the new Kerberos Delegation STS module in TFIM 6.2 to generate kerberos service tickets that allow WebSEAL to authenticated to a junctioned IIS server as the logged-in user.|
|Understanding the Tivoli Federated Identity Manager Information Service 6.2||This article describes how to develop client applications to exploit the TFIM information service. The TFIM information service allows you to:
|Adding custom XML extensions to SAML 2.0 request messages||This article describes how to write a TFIM 6.2 plug-in for added custom samlp:Extension elements to SAML 2.0 request messages.|
|Managing OpenID trusted sites with Tivoli Federated Identity Manager||This article describes how to replace the cookie-based OpenID Identity Provider trusted sites manager implementation with your own custom implementation. An example is provided which uses JDBC to store the user's trust site information.|
|User-Centric Identity with Tivoli Federated Identity Manager, Part 1: Replace Password Authentication on your Web site with an Information Card or OpenID||This article describes how to use an Information Card or OpenID Relying-Party federation to enable the linking of a user-centric identity to a local account for reduced single-signon. Part 2 of the series will add self-registration capabilities with email verification.|
|User Centric Identity with Tivoli Federated Identity Manager, Part 2: Self registration and account recovery using information cards and OpenID||Part 2 of the user-centric identity series extends the linking example presented in part 1 to add self-registration capabilities with email verification.|
|Using WebSEAL without a User Registry||This article describes a technique that allows you to leverage WebSEAL for enterprise WebSSO and authorization without having to tie the TAM registry to the corporate directory where users are authenticated. One redeeming quality of this integration compared to doing a many:1 mapping at authentication time to an existing TAM user is that TAM audit logs show correct per-user information as the user's real identity is maintained in the WebSEAL session credential.|
|Real-time WebSEAL statistics with Windows Performance Monitor||This article provides integration code to allow you to graph realtime WebSEAL junction statistics data (txns/sec and milliseconds/txn) in Windows Performance Monitor. It leverages the TAM administration API's in C++, and contains fully-functional binaries for TAM 6.0 as well as all the source code.|
|Practical TAM Authorization API||This tutorial provides working example code of usint the TAM Java authorization API's to decode a TAM credential and extract all the attributes. There is a JSP equivalent of the sample TAMeB epac demo program included. This is invaluable when working with TFIM to do user identity mapping rules, or when authoring TAM authorization rules.|