Reusing group information | HCL Digital Experience
During the authentication of a user, IBM® WebSphere® Application Server stores information about which groups users belong to. This information is static for the authentication session of the user. In addition, it can be provided by an External Security Manager through a Trust Association Interceptor. In this case, IBM® WebSphere® Application Server does not load the information on its own. HCL Digital Experience can participate in this flow and reuse the information from the WebSphere® Application Server security context instead of retrieving it from the LDAP server. This function is also referred to as group assertion or WebSphere® Application Server group assertion.
About this task
- Reusing group information for user management results in all components of HCL Portal benefit from the faster group membership lookup. During the authentication session, the membership of the current user is based on the information that is provided by WebSphere® Application Server. This reuse of information reduces load on your LDAP server, increases authentication performance, and results in the ability to define group membership at the authentication layer.
- Reusing group information for access control enables the system to react on possible per request changes of the WebSphere Security context. By default the Security context is not modifiable during an authentication session. However,WebSphere® Application Server provides plug points, which allow the execution of a Trust Association Interceptor on every request, which might be used to establish a new security Subject on every request. In this case, Portal Access Control would be able to work with the updated subject information and would build a dynamic environment. However, this option requires more system resources, custom extensions to WebSphere® Application Server security and impacts performance.
Procedure
- Log on to the WebSphere® Integrated Solutions Console (or deployment manager WebSphere® Integrated Solutions Console in a cluster).
- Go to .
- Choose the appropriate options to reuse group information:
- To reuse group information for user management the first option that is used typically as an
enhancement, complete the following steps:
- Select the WP_PumaStoreService resource environment provider.
- Select Custom properties.
- Click New.
- Enter store.puma_default.filter.assertionFilter.classname in the Name field.
- Enter com.ibm.wps.um.AssertionFilter in the Value field.
- Click Apply.
- Click Save to save the changes to the master configuration.
- To reuse group information for access control, complete the
following steps:
- Select the WP PACGroupManagementService resource environment provider.
- Select Custom properties.
- Click New.
- Enter accessControlGroupManagement.useWSSubject in the Name field.
- Enter true in the Value field.
- Click Apply.
- Click Save to save the changes to the master configuration.
- To reuse transient attribute information for user management, complete the following steps:
- Select the WP_PumaStoreService resource environment provider.
- Select Custom properties.
- Click New.
- Enter store.puma_default.filter.TransparentUserFilter.classname in the Name field.
- Enter com.ibm.wps.um.TransparentUserFilter in the Value field.
- Click New.
- Enter store.puma_default.filter.TransparentUserFilter.position in the Name field.
- Enter -10 in the Value field.
- Click Apply.
- Click Save to save the changes to the master configuration.
- To reuse group information for user management the first option that is used typically as an
enhancement, complete the following steps:
- Log out of the WebSphere® Integrated Solutions Console.
- Restart the HCL Portal server.