Use the default single sign-on token with default or custom token factory

Do not use the default single sign-on token in service provider code. This default token is used by the WAS run-time code only.

Size limitations exist for this token when it is added as an HTTP cookie. to create an HTTP cookie using this token framework, we can implement a custom single sign-on token. To implement a custom single sign-on token see Implement a custom single sign-on token for security attribute propagation for more information.

 

• Modify the single sign-on token factory configuration to use a token factory other than the default token factory.

  When the default single sign-on token is generated, the appserver utilizes the TokenFactory class specified using the com.ibm.wsspi.security.token.singleSignonTokenFactory property. Use the admin console to modify the property.

  The com.ibm.ws.security.ltpa.LTPAToken2Factory token factory is the default specified for this property. This token factory creates a SSO token called LtpaToken2, which WAS uses for propagation. This token factory uses the AES/CBC/PKCS5Padding cipher.

  If we change this token factory, you lose the interoperability with any servers running a version of WAS prior to version 5.1.1 that use the default token factory. Only servers running WAS V5.1.1 or later with propagation enabled are aware of the LtpaToken2 cookie. If all of the appservers use WAS V 5.1.1 or later and all of the servers use the new token factory this awareness is not a problem.

  1. Open the admin console.

  2. Click...
     Security | Global security

  3. Under Authentication, click Custom properties.

• Perform our own signing and encryption of the default single sign-on token. to perform our own signing and encryption of the default single sign-on token, implement the following classes:

  • com.ibm.wsspi.security.ltpa.Token

  • com.ibm.wsspi.security.ltpa.TokenFactory

  Your token factory implementation instantiates (createToken) and validates (validateTokenBytes) the token implementation. Use the LTPA keys passed into the initialize method of the token factory or we can use our own keys. If we use our own keys, they must be the same everywhere to validate the tokens that are generated using those keys. See the API reference information for more information on implementing our own custom token factory.

• Associate our own token factory with the default single sign-on token.

  1. Open the admin console.

  2. Click...
     Security | Global security

  3. Under Authentication, click Custom properties.

  4. Locate the com.ibm.wsspi.security.token.singleSignonTokenFactory property and verify that the value of this property matches the custom TokenFactory implementation.

  5. Verify that the implementation classes are put into the APP_ROOT/classes directory so that the WAS class loader can load the classes.

  6. Verify that the implementation classes are located in...

     ${USER_INSTALL_ROOT}/classes

     ...so that the WAS class loader can load the classes.

 

Related tasks

Implement a custom single sign-on token for security attribute propagation
Propagating security attributes among appservers