Trust association interceptors
IBM Security Access Manager (ISAM) and CA eTrust SiteMinder each provide a trust association interceptor (TAI) that is used only as an authentication service; authorization decisions remain with WAS and Portal. TAIs are configured with Portal ConfigEngine tasks. The ISAM TAI requires an ISAM authorization server for single sign-on to succeed.
Request flow:
- The portal appserver receives a request for a secured resource.
- WAS invokes the configured trust association interceptor.
- The TAI validates that the request came from a legitimate third-party authentication proxy. This check, not the identity header itself, is what stops a client that bypasses the proxy from asserting an arbitrary user.
- The TAI returns the user's authenticated identity (distinguished name or short name).
- WAS performs a registry lookup to verify the distinguished name (after converting a short name to a distinguished name). WAS treats every request passed by the TAI as authenticated, but still looks up each user in the registry.
- (Optional) WAS searches for the user's group memberships. If the lookup fails, WAS refuses to trust the user. If it succeeds, WAS generates an LTPA token for the user and stores it as a cookie for subsequent authentication during the user's session.
An interceptor is not necessary if the third-party authentication proxy itself provides LTPA tokens. Currently, only ISAM WebSEAL and the ISAM plug-in for Edge Server provide native WAS identity tokens.
We can write custom trust association interceptors so that Portal can use security managers other than the default ones for ISAM and SiteMinder.
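The following custom TAI is an added example that is not IBM's, CA's or Portal's own code; it implements the request flow above against the WAS TAI SPI (com.ibm.wsspi.security.tai.TrustAssociationInterceptor). It establishes trust in the proxy by checking a shared secret carried in a request header, which is one approach (a client-certificate check on the proxy's connection is another). The property names, the header names (including the default user header name) and the package are assumptions for this example.

```java
package example.tai; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/**
 * Example custom TAI (not vendor code). It trusts the reverse proxy only when the
 * request carries a shared secret configured in the TAI custom properties, and only
 * then returns the identity the proxy asserted in a header. WAS still performs the
 * registry lookup on the returned name before issuing an LTPA token.
 */
public class SharedSecretProxyTai implements TrustAssociationInterceptor {

    // TAI custom property keys (assumed names for this example).
    private static final String PROP_SECRET = "proxy.sharedSecret";
    private static final String PROP_SECRET_HEADER = "proxy.secretHeader";
    private static final String PROP_USER_HEADER = "proxy.userHeader";

    private byte[] secret;
    private String secretHeader;
    private String userHeader;

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String s = props.getProperty(PROP_SECRET);
        if (s == null || s.length() < 32) {
            // Fail closed at startup: with no secret every request would look like the proxy.
            throw new WebTrustAssociationFailedException(PROP_SECRET + " missing or too short");
        }
        secret = s.getBytes(StandardCharsets.UTF_8);
        secretHeader = props.getProperty(PROP_SECRET_HEADER, "X-Proxy-Secret"); // assumed header
        userHeader = props.getProperty(PROP_USER_HEADER, "X-Proxy-User");       // assumed header
        return 0;
    }

    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Claim only requests that present both headers; anything else falls through to
        // the next interceptor or to the normal WAS login challenge.
        return req.getHeader(secretHeader) != null && req.getHeader(userHeader) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String presented = req.getHeader(secretHeader);
        byte[] presentedBytes = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the secret cannot be recovered byte by byte from timing.
        if (!MessageDigest.isEqual(secret, presentedBytes)) {
            // Not the proxy. A user header on an untrusted request is exactly the spoofing
            // attempt the trust check exists to stop, so reject rather than fall through.
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        String user = req.getHeader(userHeader);
        // Accept a short name or a distinguished name; reject anything else outright.
        if (user == null || user.isEmpty() || !user.matches("[A-Za-z0-9._@=, -]+")) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // Hand the asserted identity to WAS, which verifies it against the registry.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() { }
}
```

The secret must only ever be injected by the proxy on the trusted leg; the same deployment must also ensure that clients cannot reach the portal appserver directly, otherwise the secret header is the only thing between an unauthenticated client and any identity it cares to assert.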
Parent topic: Plan for external security managers
Related information
Integrating third-party HTTP reverse proxy servers
WAS Library
Extended Tivoli Access Manager Trust Association Interceptor Plus (ETAI)