Datapower integration with WL

We have this scenario -

  • DataPower is used for both authentication and authorization (using ADFS), passing an LTPA token on the backend calls
  • On the WL side we use WASLTPARealm and the corresponding LoginModule
  • What happens is that WL checks whether the user exists in its registry or not, so it has to go back to AD again from WL.

Is it possible for WL to treat DataPower as a trusted partner and not look the user up in the registry? We want to avoid the callback to AD and still secure WL ...



2 answers


WAS needs to validate the LTPA token, so it needs the user registry (in this case, the Active Directory server). One solution would be to use Trust Association, so that WAS trusts requests coming from DataPower, but that means a TAI (Trust Association Interceptor) must be implemented (not an easy task).



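A sketch of the Trust Association Interceptor route mentioned above, added here as an example and not code from the question or answers. It assumes DataPower connects to WAS over mutually-authenticated TLS and asserts the user in a header; the header name (`X-Asserted-User`) and the expected certificate DN are assumptions read from TAI custom properties.

```java
import java.security.cert.X509Certificate;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

// Added example: a TAI that accepts a user asserted by DataPower only when the request
// arrived over mutual TLS with DataPower's client certificate (header name and DN assumed).
public class DataPowerTrustInterceptor implements TrustAssociationInterceptor {
    private String userHeader = "X-Asserted-User"; // assumed header set by DataPower
    private String trustedDn;                       // assumed DN of DataPower's client cert

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        userHeader = props.getProperty("userHeader", userHeader);
        trustedDn = props.getProperty("trustedDn");
        if (trustedDn == null) {
            throw new WebTrustAssociationFailedException("trustedDn property is required");
        }
        return 0;
    }

    // Only intercept requests that carry the assertion header at all.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(userHeader) != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        // The header alone proves nothing: any client that can reach WAS can set it.
        // Trust is rooted in the TLS client certificate presented on this connection.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0
                || !trustedDn.equals(chain[0].getSubjectX500Principal().getName())) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        String user = req.getHeader(userHeader).trim();
        if (user.isEmpty()) {
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // Returning only a principal name makes WAS resolve it in its registry (AD).
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

DataPower must overwrite the assertion header on every request rather than pass through one supplied by the original client. The registry lookup is only skipped when the TAI returns a fully populated Subject (the `WSCREDENTIAL_*` hashtable form of `TAIResult.create`) instead of a bare principal name.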


WAS needs to authorize the incoming user. What it is trying to do is validate the LTPA token [this happens without AD] and then authorize the user. This authorization information must be obtained from somewhere [from a local file or via LDAP]. Another thing is that such authorization information usually cannot come from LDAP [in most cases AD is not configured to return a user as a member of a specific group with specific resource rights]. In this case WAS asks the registry for the user's authorization information, but the request does nothing more than double-check whether the user exists in a particular registry or not [you are correct that there is no point in verifying the user again if the LTPA token is valid, as the LTPA token itself was generated by DataPower, which requested / authenticated the user against [most likely] the same registry].

Unfortunately, there doesn't seem to be a way to avoid this.



Ajitabh








