120 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
users, computers, and network resources in your enterprise. The forest
represents the security boundary for Active Directory. SPNEGO authentication
for users from multiple Active Directory domains is supported by Tivoli Access
Manager only if an appropriate trust relationship between the domains is
established. This trust exists automatically for domains that are part of the same
Active Directory forest. For SPNEGO authentication to work across multiple
forests, a forest trust relationship must be established.
4.3.7 Authentication using customized HTTP headers
Access Manager supports authentication via customized HTTP header
information supplied by the client or a proxy agent.
This mechanism requires a mapping function (a shared library) that maps the
trusted (pre-authenticated) header data to an Access Manager identity.
WebSEAL can take this identity and create a credential for the user.
WebSEAL assumes that custom HTTP header data has been authenticated
previously, and it is possible to impersonate custom HTTP header data. For this
reason, you should implement this method exclusively, with no other
authentication methods enabled.
By default, this shared library is built to map data from trusted proxy headers.
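The following added example (not code from this guide or from IBM, and not the WebSEAL authentication library interface) shows the checks a header-mapping function needs because header data can be impersonated: accept the header only from a trusted proxy, reject duplicates, and validate the value before mapping it. The header name X-Proxy-User, the proxy addresses, and all type and function names are assumptions.

```c
/* Added example: hypothetical mapping routine, not the WebSEAL library API. */
#include <stdio.h>
#include <ctype.h>
#include <string.h>
#include <strings.h>

#define ID_HEADER "X-Proxy-User" /* assumed header name */
static const char *TRUSTED_PROXIES[] = { "192.0.2.10", "192.0.2.11" }; /* constructed */
enum map_rc { MAP_OK, MAP_UNTRUSTED_PEER, MAP_NO_HEADER, MAP_DUPLICATE, MAP_BAD_VALUE };
struct header { const char *name; const char *value; };
struct request { const char *peer_ip; const struct header *hdrs; size_t nhdrs; };

static int peer_is_trusted(const char *ip) {
    for (size_t i = 0; i < sizeof TRUSTED_PROXIES / sizeof *TRUSTED_PROXIES; i++)
        if (strcmp(ip, TRUSTED_PROXIES[i]) == 0) return 1;
    return 0;
}

/* Accept only a short identifier made of characters a user name may contain. */
static int value_is_sane(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]) && !strchr("._-@", v[i])) return 0;
    return 1;
}

/* Map the pre-authenticated header to an identity, or report why it was refused. */
enum map_rc map_header_identity(const struct request *r, char *out, size_t outlen) {
    const char *val = NULL;
    if (!peer_is_trusted(r->peer_ip)) return MAP_UNTRUSTED_PEER; /* header not vouched for */
    for (size_t i = 0; i < r->nhdrs; i++) {
        if (strcasecmp(r->hdrs[i].name, ID_HEADER) != 0) continue;
        if (val) return MAP_DUPLICATE; /* two copies: one may not come from the proxy */
        val = r->hdrs[i].value;
    }
    if (!val) return MAP_NO_HEADER;
    if (!value_is_sane(val) || strlen(val) >= outlen) return MAP_BAD_VALUE;
    strcpy(out, val); /* length checked on the line above */
    return MAP_OK;
}

int main(void) {
    /* Constructed request: arrives directly from a client, not from the proxy. */
    struct header h[] = { { "x-proxy-user", "admin" } };
    struct request r = { "203.0.113.7", h, 1 };
    char id[65];
    printf("rc=%d\n", map_header_identity(&r, id, sizeof id));
    return 0;
}
```

The peer-address check only helps if the proxy itself removes any client-supplied copy of the header before setting its own.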
4.3.8 Authentication based on IP address
Access Manager supports authentication via an IP address supplied by the
client. This mechanism is best used in combination with other mechanisms. For
example, you can use IP network addresses to identify a certain group of users,
give them access to a certain application, then use additional authentication
mechanisms to give access to more protected applications. Such a configuration
can also be used to implement two-factor authentication, which may be more
secure than plain password authentication.
4.4 Advanced WebSEAL authentication methods
In addition to the authentication methods described in the previous section,
WebSEAL provides advanced authentication functionality, which is described in
this section. Advanced authentication methods include:
Multiplexing proxy agents
Switch user authentication
Authentication strength policy (step-up)