
WebSphere Trust Association Interceptors

IBM Security Verify Access (SAM) and CA eTrust SiteMinder provide Trust Association Interceptors (TAIs) used only as an authentication service. TAIs can be configured with Portal ConfigEngine tasks. The IBM Security Verify Access TAI requires an available SAM authorization server for successful single sign-on.

Whenever a request attempts to access a secured resource, WAS invokes the TAI, which:

  1. Validates the request comes from a legitimate third-party authentication proxy
  2. Returns the user's authenticated identity to WAS

The TAI returns either a distinguished name or a short name. WAS performs a registry lookup to verify the distinguished name or to convert the short name to a distinguished name, and then searches for the group memberships of that user. If the registry lookup fails, WAS refuses to trust the user. If the registry lookup succeeds, WAS generates an LTPA token for the user and stores it as a cookie for subsequent authentication during the user's session.

A TAI is not necessary if the third-party authentication proxy provides native WAS identity tokens, such as LTPA tokens. Currently, only SAM WebSEAL and the SAM plug-in for Edge Server provide native WAS identity tokens. The authentication proxy determines the challenge mechanism. HCL WebSphere Portal relies on the authentication proxy to relay the success or failure of the user identification through the TAI or the LTPA token. WAS treats every request that arrives through the TAI as authenticated, but WAS and HCL WebSphere Portal still look up each user in the registry. Depending on the TAI and system configuration, WAS and HCL WebSphere Portal can also be configured to look up the user's groups. Even if the authentication proxy has successfully authenticated the user, WAS and HCL WebSphere Portal deny access if they cannot find the user in the registry. For example, a user defined in an External Security Manager is not accessible from HCL WebSphere Portal if Portal is configured against a different registry, or if that registry does not have the same registry configuration properties as the External Security Manager.


Custom TAIs

TAIs that allow other custom authentication services to interact with WAS can be written. For a different security configuration, provide and implement a TAI to communicate with the authentication proxy.
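The following is an added example of what a minimal custom TAI looks like; it is not code from the product documentation or from HCL. It implements the two steps described earlier on this page (validate that the request comes from the trusted proxy, then return the user's identity so that WAS can do its own registry lookup and mint the LTPA token) against the WebSphere `TrustAssociationInterceptor` interface. The header names (`X-Proxy-Secret`, `X-Authenticated-User`) and the custom property names (`proxy.sharedSecret`, `proxy.secretHeader`, `proxy.userHeader`) are assumptions chosen for illustration.

```java
// Added example of a custom Trust Association Interceptor.
// The header and property names below are illustrative assumptions,
// not names taken from the product documentation.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class ExampleProxyTAI implements TrustAssociationInterceptor {

    private String sharedSecret;   // secret the proxy must present on every request
    private String secretHeader;   // header carrying that secret (assumed name)
    private String userHeader;     // header carrying the authenticated user (assumed name)

    // Called once by WAS with the custom properties configured for this TAI.
    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        sharedSecret = props.getProperty("proxy.sharedSecret");
        secretHeader = props.getProperty("proxy.secretHeader", "X-Proxy-Secret");
        userHeader   = props.getProperty("proxy.userHeader", "X-Authenticated-User");
        if (sharedSecret == null || sharedSecret.isEmpty()) {
            // Refuse to start rather than run with no way to verify the proxy.
            throw new WebTrustAssociationFailedException("proxy.sharedSecret is not configured");
        }
        return 0; // 0 = initialized successfully
    }

    // Only requests that carry the proxy's marker header are handled by this TAI;
    // all other requests fall through to the normal WAS challenge mechanism.
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(secretHeader) != null;
    }

    // Step 1: validate that the request really came from the authentication proxy.
    // Step 2: return the user's identity. WAS still performs the registry lookup
    // and generates the LTPA token itself; the TAI never does that.
    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader(secretHeader);
        String user = req.getHeader(userHeader);
        if (!constantTimeEquals(sharedSecret, presented) || user == null || user.trim().isEmpty()) {
            // The user header is only meaningful once the proxy has been verified;
            // never return an identity when that verification fails.
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Short name or distinguished name; WAS resolves it against its registry.
        return TAIResult.create(HttpServletResponse.SC_OK, user.trim());
    }

    // Length-independent comparison so the secret check does not leak timing.
    private static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType()    { return getClass().getName(); }
    @Override public void   cleanup()    { /* nothing to release */ }
}
```

The important design point is the order of the two checks: the TAI establishes that the request came from the proxy before it reads anything that names a user, and returns `SC_UNAUTHORIZED` otherwise. A shared secret in a header is the simplest way to show that; the product TAIs listed under Related information verify the proxy with their own mechanisms. Either way, the identity the TAI returns is still subject to the registry lookup described above, so a user the registry cannot resolve is denied even when the proxy vouched for them.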


Parent topic: Plan for external security managers


Related information

WAS Library
Single sign on to a HCL WebSphere Portal through IBM Security Verify Access WebSEAL
ISAM Trust Association Interceptor (TAI++)
Extended Security Access Manager Trust Association Interceptor Plus (ETAI)