External authentication
Overview
By default, WebSphere Portal relies on WAS for authentication. You can also configure a third-party authentication proxy server, such as Tivoli Access Manager (TAM) WebSEAL, to perform authentication for WebSphere Portal. WAS typically uses a trust association interceptor (TAI) to trust the external authentication proxy. TAIs must be activated through the WAS Administrative Console.
TAM and Netegrity SiteMinder provide TAIs that are used only as an authentication service for WebSphere Portal.
Whenever a request attempts to access a secured resource, WAS invokes the TAI, which validates that the request comes from a legitimate third-party authentication proxy and returns the user's authenticated identity to WAS. The TAI should return either a distinguished name (DN) or a short name. WAS performs a registry lookup to verify the distinguished name or convert the short name to a distinguished name before searching for group memberships for that user. If the registry lookup fails, WAS refuses to trust the user. If the registry lookup succeeds, WAS generates an LTPA token for the user and stores it as a cookie for subsequent authentication during the user's session.
In the examples that follow, the authentication proxy determines the challenge mechanism, and WebSphere Portal relies on the authentication proxy to relay the success or failure of user authentication through the TAI or an LTPA token. WAS sees all requests from the TAI as authenticated, but WAS and WebSphere Portal still perform a user and group lookup on each request. Even if the authentication proxy has successfully authenticated the user, WAS and WebSphere Portal deny access if they cannot find the user in the registry. For example, a user can exist in the ESM but not be accessible from WebSphere Portal, because WebSphere Portal is configured for only one user registry, which might not be the one the ESM uses.
If the third-party authentication proxy provides native WAS identity tokens, such as LTPA tokens, a TAI is not necessary. Currently, only WebSEAL and the TAM Plugin for Edge Server provide native WAS identity tokens.
Custom TAIs
You can write custom TAIs that allow other authentication services to interact with WAS. If you use a security configuration that is different from the ones that are described in this section, provide and implement a TAI to communicate with the authentication proxy. Refer to the IBM WebSphere V5.0 Security Redbook for additional information about creating custom TAIs.
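The following is an added example of the three-step contract described above (is this request from the proxy, is the trust genuine, which identity to return); it is not IBM's code and not the WebSEAL or SiteMinder TAI. It assumes the WAS 5.x com.ibm.websphere.security.TrustAssociationInterceptor interface (check the method signatures against your WAS version), and it assumes a hypothetical proxy that adds two headers to every forwarded request: X-Proxy-Secret, a shared secret known only to the proxy and WAS, and X-Proxy-User-DN, the authenticated user's distinguished name. The header names and the proxy.secret property are assumptions, not part of any product.

```java
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import com.ibm.websphere.security.TrustAssociationInterceptor;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.websphere.security.WebTrustAssociationUserException;

/**
 * Minimal custom TAI (added example, not IBM's code).
 * Assumed: the authentication proxy sets X-Proxy-Secret (shared secret) and
 * X-Proxy-User-DN (the user's DN) on every request it forwards. Both header
 * names and the "proxy.secret" property are hypothetical.
 */
public class SharedSecretTAI implements TrustAssociationInterceptor {
    private static final String SECRET_HEADER = "X-Proxy-Secret";
    private static final String USER_HEADER = "X-Proxy-User-DN";
    private String expectedSecret;

    // Called once by WAS with the properties configured for this TAI.
    // A non-zero return tells WAS the interceptor failed to initialize.
    public int init(Properties props) {
        expectedSecret = props.getProperty("proxy.secret");
        return (expectedSecret == null || expectedSecret.length() == 0) ? 1 : 0;
    }

    // Step 1: does this request claim to come from our proxy? Requests that
    // do not are left to other TAIs or to normal WAS authentication.
    public boolean isTargetInterceptor(HttpServletRequest req)
            throws WebTrustAssociationException {
        return req.getHeader(SECRET_HEADER) != null;
    }

    // Step 2: prove the request really came from the proxy. Throwing here
    // makes WAS reject the request rather than trust the identity it carries.
    public void validateEstablishedTrust(HttpServletRequest req)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader(SECRET_HEADER);
        if (presented == null || !constantTimeEquals(presented, expectedSecret)) {
            throw new WebTrustAssociationFailedException(
                "request did not come from the trusted authentication proxy");
        }
    }

    // Step 3: hand WAS the identity, a DN here. WAS then looks the DN up in
    // its registry; if that lookup fails, the user is refused.
    public String getAuthenticatedUsername(HttpServletRequest req)
            throws WebTrustAssociationUserException {
        String dn = req.getHeader(USER_HEADER);
        if (dn == null || dn.trim().length() == 0) {
            throw new WebTrustAssociationUserException("proxy supplied no user identity");
        }
        return dn.trim();
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return "SharedSecretTAI"; }
    public void cleanup() { expectedSecret = null; }

    // Compare the full length of both values so timing does not reveal
    // how many leading characters of the secret matched.
    private static boolean constantTimeEquals(String a, String b) {
        byte[] x = a.getBytes();
        byte[] y = b.getBytes();
        int diff = x.length ^ y.length;
        for (int i = 0; i < x.length && i < y.length; i++) {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}
```

The class goes on the WAS classpath and is activated, with its proxy.secret property, through the WAS Administrative Console as the text describes. Trust based on a header only holds if the proxy is the sole path to WAS: if clients can reach the WAS ports directly, nothing stops them from setting the header themselves, so restrict direct access at the network level and protect the proxy-to-WAS link with SSL. The registry lookup WAS performs on the returned DN remains the final check, exactly as for the product TAIs.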
Verify that the TAI is working properly
After completing the configuration to enable External Authentication, follow these steps to verify TAI operation.
- Use one of these addresses to test the TAI from a Web browser:
https://<WebSEAL_hostname>/<junction>/wps/myportal
or
http://<SM_agent_hostname>/wps/myportal
WebSEAL or SiteMinder should challenge you to authenticate. After you log in, you should be directed to the secure and personalized myportal page. If you are directed to the portal login screen at wps/portal/.scr/Login or to the public page, there is a problem with the TAI configuration.
- For TAM only:
Test the TAI by using TAM to add a new user. From the pdadmin command line, enter the following command on one line:
pdadmin> user create <user_name> <user_dn> <cn>
And then enter:
pdadmin> user modify <user_name> account-valid yes
Make sure that WebSphere Portal is running, open your browser, and go directly to https://<WebSEAL_hostname>/<junction>/wps/myportal. WebSEAL will prompt you for a user ID and password. Enter the user ID and password that you created in the previous step. You should be taken to a new authenticated user page as the specified user.
- Proceed to Change the login and logout pages.
See also
- Using SiteMinder with WebSphere Portal
- Configure TAM to perform authentication for WebSphere Portal
- Configure SiteMinder to perform authentication for WebSphere Portal
- Authentication
- External security managers
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.