MobileFirst Security and LTPA
Lightweight Third-Party Authentication (LTPA) is a security token type used by IBM WebSphere Application Server and other IBM products. LTPA can be used to send the credentials of an authenticated user to backend services. It can also be used as a single sign-on (SSO) token between the user and multiple servers.
The following image shows a simple client/server flow with LTPA:
After a user logs in, the server generates an LTPA token, which is an encrypted hash containing authenticated user information. The token is signed by a private key shared among all the servers that want to decode it. For HTTP services the token is usually carried in a cookie; because the browser sends that cookie automatically on subsequent requests, no further user interaction is needed.
LTPA tokens have a configurable expiration time to reduce the window for session hijacking.
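The flow just described (issue a signed token with an expiry after login, carry it in a cookie, let any server holding the shared key verify it) can be modelled in a few dozen lines. The following is an added example written for this page, not IBM code and not the real LTPA2 token format: it uses an HMAC over a JSON payload in place of LTPA's encrypted and signed binary structure, the key `SHARED_KEY`, the fixed clock `t0` and the user `alice` are constructed demo values, and the only thing taken from the product is the `LtpaToken2` cookie name.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key. In a real deployment every server that must accept the
# token imports the same key material; a key is never hard-coded like this.
SHARED_KEY = b"demo-shared-key-replace-me"

TOKEN_COOKIE_NAME = "LtpaToken2"          # cookie name WebSphere uses for LTPA v2
_SIG_LEN = hashlib.sha256().digest_size   # signature is the trailing 32 bytes


def _sign(payload: bytes, key: bytes) -> bytes:
    """Keyed hash over the payload; only holders of the shared key can produce it."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(user: str, ttl_seconds: int, key: bytes = SHARED_KEY,
                now: Optional[float] = None) -> str:
    """Issue a token carrying the authenticated user and an absolute expiry time."""
    now = time.time() if now is None else now
    claims = {"user": user, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _sign(payload, key)).decode()


def validate_token(token: str, key: bytes = SHARED_KEY,
                   now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= _SIG_LEN:
        return None
    payload, sig = raw[:-_SIG_LEN], raw[-_SIG_LEN:]
    # Constant-time comparison; a wrong key or any edit to the payload fails here.
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    # Expired tokens are rejected even though their signature is valid.
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def set_cookie_header(token: str) -> str:
    """Set-Cookie line a server would emit after login; HttpOnly keeps scripts away
    from the token and Secure keeps it off cleartext connections."""
    return f"Set-Cookie: {TOKEN_COOKIE_NAME}={token}; Path=/; Secure; HttpOnly"


def token_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Pull the LTPA cookie value out of a Cookie header's name=value pairs."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == TOKEN_COOKIE_NAME:
            return value
    return None


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock so the run is reproducible

    # Server A authenticates the user and hands back the token as a cookie.
    tok = issue_token("alice", ttl_seconds=120, now=t0)
    print(set_cookie_header(tok))

    # Server B holds the same key, so it accepts the cookie without a new login.
    incoming = f"{TOKEN_COOKIE_NAME}={tok}; theme=dark"
    print("server B:", validate_token(token_from_cookie_header(incoming), now=t0 + 30))

    # A token minted by a server that does not share the key is rejected ...
    foreign = issue_token("alice", 120, key=b"some-other-key", now=t0)
    print("foreign key:", validate_token(foreign, now=t0 + 30))
    # ... as is a token whose user field was edited without re-signing ...
    raw = base64.urlsafe_b64decode(tok)
    tampered = base64.urlsafe_b64encode(raw.replace(b"alice", b"admin")).decode()
    print("tampered:", validate_token(tampered, now=t0 + 30))
    # ... and a token presented after its expiry.
    print("expired:", validate_token(tok, now=t0 + 121))
```

The check order matters: the signature is verified before the payload is parsed, so a server never acts on claims it has not authenticated, and the expiry is enforced on every request rather than only at login, which is what limits the value of a stolen cookie.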
The following image shows a client-server-backend flow with LTPA:
Your infrastructure can also use the LTPA token to communicate with a backend server to act on behalf of the user. The user cannot directly access the backend server. Enterprise environments should use a reverse proxy, such as DataPower or IBM Security Access Manager, in the DMZ, and place the MobileFirst Server in the intranet. This configuration ensures that access to the MobileFirst Server cannot be obtained until a user authenticates. See Reverse proxy with LTPA.
- Configure the MobileFirst LTPA realm
The IBM MobileFirst Platform Server contains the authenticator and login module that are designed to handle authentication using LTPA through form-based authentication.