Interface eIAM-WSG
The WS-Federation interface supports the integration of web applications based on the WS-Federation standard. The eIAM-Web PEP offers defined interfaces for this federation protocol: it creates a security token in SAML format for the requesting application and transmits it to that application using the WS-Federation protocol.
Figure: Overview of the eIAM-WSG solution, communication
The scenario starts with a service consumer that wants to call a web service. The request is first routed through the load balancer (1). The load balancer authenticates the service consumer based on its client certificate. After successful authentication, the load balancer forwards the request to the web service gateway (2). The WSG extracts the distinguished name (DN) from the certificate. For this DN, the WSG has the trust broker issue a SAML 2.0 security token by means of a WS-Trust security token request (3, 4, 5). The SAML security token describes the access roles of the service consumer.
The Web Service Gateway checks the validity of the security token (6) and, based on the roles contained in the token, decides whether the service consumer may access the service provider (7, coarse authorisation). If access is permitted, the WSG forwards the request together with the security token to the service provider (8, identity propagation). If necessary, the service provider performs a fine-grained authorisation of the service consumer based on the roles contained in the token (9).
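The gateway-side checks of steps 6 to 8, as an added illustration that is not eIAM code: a constructed minimal SAML 2.0-style assertion is validated (signature, issuer, audience, validity window, subject equal to the certificate DN), coarse authorisation is applied on the roles it carries, and the token is propagated to the provider. The issuer and audience names, the role policy and the DN are constructed; the real token's XML-DSig signature is replaced by an HMAC over the assertion fields as a simplifying assumption.

```python
"""Constructed model of WSG steps 6-8 (not eIAM code): token validation, coarse authorisation, propagation."""
import hmac, hashlib, xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BROKER_KEY = b"constructed-key"          # stand-in for the trust broker's signing key (assumption)
ISSUER, AUDIENCE = "urn:example:trust-broker", "urn:example:wsg"  # constructed names
COARSE_POLICY = {"/ws/orders": "ORDER_READER"}  # constructed: role required per service path

def _sign(subject, issuer, audience, not_after, roles):
    # HMAC over the assertion fields stands in for the real XML-DSig signature (assumption)
    msg = "|".join([subject, issuer, audience, not_after, ",".join(sorted(roles))])
    return hmac.new(BROKER_KEY, msg.encode(), hashlib.sha256).hexdigest()

def issue_token(subject_dn, roles, not_after):
    """Steps 3-5: the trust broker issues a SAML 2.0 assertion for the certificate DN."""
    sig = _sign(subject_dn, ISSUER, AUDIENCE, not_after, roles)
    attrs = "".join(f"<saml:AttributeValue>{r}</saml:AttributeValue>" for r in roles)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" Signature="{sig}">'
            f"<saml:Issuer>{ISSUER}</saml:Issuer>"
            f"<saml:Subject><saml:NameID>{subject_dn}</saml:NameID></saml:Subject>"
            f'<saml:Conditions NotOnOrAfter="{not_after}"><saml:AudienceRestriction>'
            f"<saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f'<saml:AttributeStatement><saml:Attribute Name="role">{attrs}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")

def validate_token(xml_text, cert_dn, now):
    """Step 6: signature, issuer, audience, validity window, subject == certificate DN; returns roles."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    not_after = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    roles = [a.text for a in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS)]
    expected = _sign(subject, issuer, audience, not_after, roles)
    if not hmac.compare_digest(root.get("Signature", "").encode(), expected.encode()):
        raise ValueError("signature invalid")        # e.g. roles or subject were altered in transit
    if issuer != ISSUER: raise ValueError("untrusted issuer")
    if audience != AUDIENCE: raise ValueError("token not issued for this gateway")
    if now >= datetime.fromisoformat(not_after): raise ValueError("token expired")
    if subject != cert_dn: raise ValueError("subject does not match client certificate DN")
    return roles

def gateway_forward(path, token, cert_dn, now=None):
    """Steps 7-8: coarse authorisation on the token's roles, then forward with the token attached."""
    try:
        roles = validate_token(token, cert_dn, now or datetime.now(timezone.utc))
    except ValueError as err:
        return {"status": 401, "reason": str(err)}
    if COARSE_POLICY.get(path) not in roles:
        return {"status": 403, "reason": "coarse authorisation failed"}
    return {"status": 200, "path": path, "headers": {"X-Security-Token": token}}
```

The service provider receiving the forwarded request can then perform its own fine-grained authorisation (step 9) on the same roles.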
With the administration tools provided by eIAM, the customer is able to administer the different access policies (fine-granular roles) for service providers with web services as well. All authorisations for their application can be modified in one place (in IDM). This increases flexibility for the customer and minimises the effort required to operate the web service gateway.
Required information and tools which are within the customer's area of responsibility
Load balancer
A load balancer (LB) must be configured in front of the WSGs. Ordering these LBs, the DNS entries and the certificates for the LBs as well as for the WSG are tasks of the Web Service Integration.
Technical user
Access to a web service interface via eIAM-WSG is regulated via the authorisation of technical users. Corresponding technical users must be ordered in advance from ICD - CIS & Directories. The team creates an account in the data reference point, which is provisioned to eIAM and is subject to a regulated lifecycle. As soon as the account is ready, completion of the technical user can be requested from eIAM Operations using the form below. In addition to the consent of the CISO of the relevant office (an e-mail is sufficient), this requires a class C certificate from the Swiss Government PKI, which the applicant must obtain in advance.
Certificates
Authentication is performed by means of a class C X.509 certificate (classes D and E are not supported) issued in the name of the technical user that is used to establish the connection. Such a certificate must be obtained in accordance with the specifications of the Admin PKI (see SAML 2.0 configuration (metadata)).
Figure: Task distribution project / integration team eIAM & WSG
For detailed information, please refer to the eIAM-WSG Integration Guide: