In addition to the basic OpenID authentication option,
you can give users who are trusted and verified by an identity
provider access to IBM® WebSphere® Portal. These trusted and verified users do not require a local, registered
Portal user account.
Before you begin
Before enabling the transient user feature, you must verify
that your security configuration uses a federated user registry. If
you configured a stand-alone user registry, you must change to the
federated user registry. To locate the proper instructions, navigate
to and then select the Managing your user registry option for your operating
system. Then select Changing from a stand-alone repository
to a federated repository. For example, federated.primaryAdminID=PortaladminuserID.
About this task
Facebook and Google users can authenticate with the WebSphere Portal server instance using
their identity provider credentials. They are granted access to certain
data within WebSphere Portal without
having a local account. You can grant the same access to all identity
providers, or you can configure different access rights depending on
the identity provider. With this option, you can provide a personalized
view to unregistered users while still providing benefits to fully
registered users.
Complete the following steps to configure transient
users:
Procedure
- Run the following task from the wp_profile_root\ConfigEngine directory
with the appropriate parameters:
Cluster note: Complete this step only on the
primary node.
- AIX®: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
- IBM i: ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
- Linux: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
- Solaris: ./ConfigEngine.sh enable-transient-user -DWasUserId=username -DWasPassword=password
- Windows: ConfigEngine.bat enable-transient-user -DWasUserId=username -DWasPassword=password
Add the following parameters to customize the task for your
business requirements:
- -Dtransparent.suffix
- Set this value to a DN suffix that is used for transient users.
This suffix must NOT match any of your current suffixes for fully registered
users. The default value is o=transparent.
- -Dtransparent.prefix
- Set this value to a prefix (the RDN attribute) that is used for transient users. For
example, to use cn as the RDN attribute, set this value to cn.
Note: Complete the following steps if you entered the
wrong value in the
transparent.suffix parameter:
- Log on to WebSphere Integrated Solutions Console as the administrator.
- Go to .
- Go to and
select Federated repositories.
- Click Configure.
- Go to Repositories in the realm and click
the link in the Base Entry column for the transientidp repository
identifier, for example, o=transparent.
- Replace the value in the following fields with the new value:
- Distinguished name of a base entry that uniquely identifies
this set of entries in the realm; for example, o=transparent.
- Distinguished name of a base entry in this repository; for example, o=transparent.
- Click OK.
- Save your changes.
- Stop and restart the WebSphere_Portal server.
- Optional: Complete the following steps to create
group objects for external providers to assign different access rights:
Important: After you run the enable-transient-user task, all transient users belong only to the All Authenticated
group and have no explicit group memberships.
- Log on to WebSphere Integrated Solutions Console as the administrator.
- Go to .
- Go to and
select Federated repositories.
- Click Configure.
- Go to Repositories in the realm and click transientidp in the Repository Identifier column.
- Click New and add the following
information:
- Name: buildgroupsfor
- Value: Enter the list of supported Identity
Providers that you want to build groups for; for example: facebook
myOpenID Google. Separate the items in the list
with a space. The Identity Provider names are case-sensitive and must match
what you entered for the idp.providerlist and openid.servicenames parameters.
- Click OK.
- Save your changes.
- Stop and restart the WebSphere_Portal server.
- Optional: Complete the following steps to mark
transient identity provider users as external:
Information: After running the
enable-transient-user task, the system builds internal
groups for each identity provider. You can use these groups in the
Resource Permissions portlet in the Portal Administration menu. Use
the Resource Permissions portlet to build a set of pages and portlets
that transient users can see and use.
You can also combine transient
users with the external user feature in WebSphere Portal. You can identify
a group of external or transient users by a database suffix. All
external and transient users are then granted a special virtual principal
in the access control. This virtual principal allows you to grant
a general set of access rights to these users.
- Log on to WebSphere Integrated Solutions Console as the administrator.
- Go to .
- Search for WP PumaStoreService and then click Custom properties.
- Add the parentDN.externalUsers property with the value you entered for transparent.suffix. If you did not enter a value for transparent.suffix, type o=transparent.
- Save your changes.
- Stop and restart the WebSphere_Portal server.
- Complete the following steps to load user attributes during
authentication:
Note: Transient users do not have attributes
stored locally. Therefore, it is helpful to load attributes from the
Identity Provider during authentication.
Note: If you want to
allow transient users to create or modify pages, you must map a short
name to the users. The attribute used for the short name is the User
default search attribute. If you do not know the attribute name, you
can find it defined in the PumaStoreService Resource Environment provider.
The most common values are uid and cn.
- Log on to WebSphere Integrated Solutions Console as the administrator.
- Go to .
- Select com.ibm.portal.auth.tai.OpenidTAI.
- Add the new properties for OpenID. For example, you might add the following properties
(each property must be entered as one line):
- provider.openid.loadattributes=google|openid.ax;yahoo|openid.ax
- provider.openid.loadattributes.google=cn|http://axschema.org/namePerson/first;sn|http://axschema.org/namePerson/last;ibm-primaryEmail|http://axschema.org/contact/email
- Add the following new property for Facebook (entered as one line):
- provider.facebook.loadattributes=portalattributename|idpattributename;portalattributename2|idpattributename2
For example, you might add the following new property for
Facebook (entered as one line):
- provider.facebook.loadattributes=sn|first_name;cn|last_name;uid|name
- Save your changes.
- Stop and restart the WebSphere_Portal server.
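The loadattributes values above use the syntax portalattribute|idpattribute;portalattribute2|idpattribute2. The following Python is an added example, not IBM's or WebSphere Portal's code: it parses that syntax, rejects malformed or duplicated mappings before a server restart, applies a mapping to a constructed set of identity-provider claims, and confirms that the short-name attribute (uid or cn, per the note above) is actually populated. The claim values are constructed sample data.

```python
"""Added example: validate and apply WebSphere Portal loadattributes mappings.

Syntax (one line, no spaces): portalattr|idpattr;portalattr2|idpattr2
This is illustrative code, not part of the IBM product or documentation.
"""
from typing import Dict


def parse_loadattributes(value: str) -> Dict[str, str]:
    """Return {portal_attribute: idp_attribute} from a loadattributes value.

    Raises ValueError for a pair without exactly one '|', an empty name, or a
    portal attribute mapped twice, so mistakes surface before the restart.
    """
    mapping: Dict[str, str] = {}
    for pair in value.strip().split(";"):
        if not pair:
            continue  # tolerate a trailing ';'
        if pair.count("|") != 1:
            raise ValueError(f"malformed pair, expected portal|idp: {pair!r}")
        portal_attr, idp_attr = (p.strip() for p in pair.split("|"))
        if not portal_attr or not idp_attr:
            raise ValueError(f"empty attribute name in pair: {pair!r}")
        if portal_attr in mapping:
            raise ValueError(f"portal attribute mapped twice: {portal_attr}")
        mapping[portal_attr] = idp_attr
    return mapping


def build_portal_attributes(value: str, idp_claims: Dict[str, str],
                            short_name_attr: str = "uid") -> Dict[str, str]:
    """Translate identity-provider claims into portal attributes.

    short_name_attr is the portal's User default search attribute; a transient
    user without it cannot be mapped to a short name and so cannot create or
    modify pages. Missing IdP claims are skipped rather than stored as empty.
    """
    mapping = parse_loadattributes(value)
    attrs = {portal: idp_claims[idp] for portal, idp in mapping.items()
             if idp in idp_claims}
    if short_name_attr not in attrs:
        raise ValueError(f"short-name attribute {short_name_attr!r} not "
                         f"populated by the identity provider claims")
    return attrs


# Constructed sample: the Facebook mapping from the page plus fake claims.
FACEBOOK_MAPPING = "sn|first_name;cn|last_name;uid|name"
SAMPLE_CLAIMS = {"first_name": "Ada", "last_name": "Lovelace",
                 "name": "Ada Lovelace", "id": "000000"}

if __name__ == "__main__":
    print(build_portal_attributes(FACEBOOK_MAPPING, SAMPLE_CLAIMS))
```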