Authentication

If a web service request is received from a client without specifying any existing HTTP session the user is authenticated. If a web service request specifies an existing session and if the session is not already expired, the session is maintained and no authentication is done. In this case, no password needs to be specified.

Following authentication mechanisms are supported:

• Normal/Default mode: A password needs to be specified. The authentication is done using the user ID and password. Users can reside in either database or LDAP. However, if a valid web service session ID is specified by appending ;jsessionid=<session id value> to the web service request URL, authentication is skipped provided the specified HTTP session is valid.

  If an HTTP session is present for an existing user, the user ID is also specified in the web service request, and if the user ID does not match with the session owner; user ID in the web service request takes precedence and the user is re-authenticated into TIBCO MDM. The HTTP session is invalidated later on.

• Single Sign-On (SSO) mode: Single sign-on is a mechanism whereby a single initial action of user authentication and authorization allows you to access subsequent multiple web services for which you are authorized, without the need to specify password for all such subsequent requests. All TIBCO MDM web services are SSO-enabled.

  TIBCO MDM supports variations of single sign-on. For example, SiteMinder/Transaction Minder (SM) and SAML2.0. For the purpose of trust verification and validating user data, TIBCO MDM relies on the information or attributes set in the SOAP headers. This helps in establishing the trust and confirming that the request has been received from a reliable or trusted source and the user is pre-authenticated. Role information for the user is also extracted from these headers. If a user does not exist in TIBCO MDM, it is created. If the user data relevant for TIBCO MDM changes over subsequent web service requests, it gets updated in the application. TIBCO MDM does not store user passwords in this mode.

  The authentication of the user name is controlled by the User name case sensitivity property that is specified in the Configurator (InitialConfig > Miscellaneous). By default, the value is true.

  Note: Tivoli Access Manager (TAM) does not support web services single sign-on. However, it can be customized to secure web service requests, and TIBCO MDM can work with that through the same model of establishing trust through header information. TIBCO MDM does not support TAM based single sign-on out of the box.