Configure LTPA single signon

LTPA cookies are generated when LTPA authentication is enabled within WebSEAL. These cookies can then be used to achieve single signon to other LTPA-enabled authentication servers. For further details, see LTPA authentication.

Single signon to other LTPA-enabled servers using an LTPA cookie requires the following configuration tasks:

  1. Enable the LTPA mechanism.

  2. Provide the name of the key file used to encrypt the identity information.

  3. Provide the password to this key file.

  4. Ensure the LTPA cookie name for the WebSEAL junction matches the WebSphere LTPA cookie name.

    The name of the WebSEAL cookie containing the LTPA token must match the configured name of the LTPA cookie in the WebSphere application. We can configure the jct-ltpa-cookie-name configuration item globally or per junction. If we do not configure this cookie name, WebSEAL uses the same default values as WebSphere. See Specify the cookie name for junctions.

The first three configuration requirements are specified in the options to the standard junction and virtual host junction create commands. Use these options in addition to other required junction options when we create the junction between WebSEAL and the back-end WebSphere server. For example:
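The following is an added example, not IBM's own listing: a shell sketch that prints a pdadmin junction-create command carrying the three LTPA options (-A, -F, -Z) and checks the cookie name from step 4 against a constructed configuration file. The instance name, host, port, paths, password, the WebSphere cookie name and the [junction] / [junction:<junction point>] stanza layout are assumptions.

```shell
#!/bin/sh
# Added example: all names, paths and the password are placeholders.

# Steps 1-3: print the pdadmin junction-create command.
#   -A enables LTPA cookies, -F names the key file, -Z gives its password.
ltpa_junction_cmd() {
    printf 'server task %s create -t ssl -h %s -p %s -A -F "%s" -Z "%s" %s\n' \
        "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 4: print the jct-ltpa-cookie-name in effect for junction $2 in file $1.
# Assumed layout: global value under [junction], override under
# [junction:<junction point>]. Empty output means the name is not set.
ltpa_cookie_name() {
    awk -v jct="$2" '
        /^[ \t]*\[/ { sect = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sect); next }
        /^[ \t]*jct-ltpa-cookie-name[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (sect == "junction") global = val
            if (sect == ("junction:" jct)) perjct = val
        }
        END { print (perjct != "" ? perjct : global) }
    ' "$1"
}

# Succeed when the junction's cookie name equals the WebSphere name $3,
# or when no name is set (WebSEAL then uses the same defaults as WebSphere).
ltpa_cookie_matches() {
    name=$(ltpa_cookie_name "$1" "$2")
    [ -z "$name" ] || [ "$name" = "$3" ]
}

# Constructed sample configuration, written to a temporary file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[junction]
jct-ltpa-cookie-name = LtpaToken2
[junction:/legacy]
jct-ltpa-cookie-name = OldLtpaCookie
EOF

ltpa_junction_cmd default-webseald-host was.example.com 9443 \
    /abc/xyz/key.file 'key-file-password' /was
for j in /was /legacy; do
    ltpa_cookie_matches "$sample" "$j" LtpaToken2 \
        && echo "$j: cookie name matches" || echo "$j: cookie name MISMATCH"
done
```

The printed command is meant to be entered in an authenticated pdadmin session. The key file password appears in clear text in that command, so keep it out of shell history and shared scripts.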

These options are further described in LTPA authentication.
