Introduction to Lightweight Third-Party Authentication(LTPA)

Light Weight Third Party Authentication (LTPA) protocol is IBM's implementation of Single Sign on. IBM WebSPhere and Domino products use LTPA to allow single sign on. When LTPA is enable you can login into one WebSPhere Server and when you go to some other WebSPhere or Domino server it wont ask you for credential. Same thing you can login into a Domino first and when you go to other WebSPhere or DOmino servers that are participating in SSO, it wont prompt you for login.

To enable single sign-on, a common set of server encryption keys are created and exported across all servers that run the application. When users first access the site, they are challenged to log in with user ID and password, this information is verified against user registry Ex. LDAP, . Server will creates a security credential token with the LTPA service, and a cookie(this cookie wont be written to the browsers file system i.e. it is non-persistent) is written back to the browser. When the user later accesses another LTPA server in the same domain, information in the shared cookie is used to re-establish the user security context with LTPA. Hence, a second login prompt is unnecessary.

Important Note: One of the restrictions on using LTPA is that all the Servers participating in SSO should use same user registry

If in the future you change the LTPA key on one server then you will have to export it from that server and import it on all other servers participating in SSO
The LTPA cookie contains the following pieces of information:

  • Cookie name: Always set to LtpaToken.

  • Domain: Set to the Internet domain shared by all servers participating in single sign-on (example:

  • Cookie expiration: Set to delete this cookie at the end of the browser's lifetime.

  • Secure: Set to on to force the use of Secure Sockets Layer (SSL). There is an LTPA configuration setting that creates cookies that are sent only through SSL.
    Cookie value: This is set to the LTPA token as described below.

The LTPA token is an encrypted string that contains the following pieces of information:

  • User data: Typically set to the user ID but can be any user information used to uniquely identify the user.

  • Expiration time: Different from the Cookie expiration, this field is used to enforce a time limit that starts from the moment of login and is unaffected by browser activity or inactivity. The time limit is a configurable LTPA setting that defaults to 30 minutes.

  • Digital signature: Used to validate the token.

This is how the request is handled when user is logged in and he has valid LTPA cookie

1 comment:

john said...

Hi all,
Here I am having one question if some one can clear. Can you change the cookie name itself or can you customize that in websphere application server ?