3 Replies Latest reply on Nov 22, 2011 4:17 AM by jawso

    Web SSO between Domino Server and JBoss AS 6.1 (LTPA token)

    jawso

      Hi,

      I would like to have some feedback on implementing Web SSO between a Domino Server and a JBOSS AS 6.1.

       

      Has anyone ever designed this architecture before in a project ?

      Is it possible to handle LTPA token with JBoss AS ?

       

      Thanks in advance for your help.

       

       

      Jérôme

        • 1. Re: Web SSO between Domino Server and JBoss AS 6.1 (LTPA token)
          dgradl

          I cannot answer specifically on the JBoss capability, but I do know a bit about LTPA.   LTPA is an IBM proprietary SSO token, but its really quite simple.  All it does is take the user identity (maybe a bit more), encrypt it and pass it in a session cookie.  So this just means that the two servers need to:

          • be on the same domain
          • share a secret (encyption key)
          • share an identity store (e.g LDAP)

           

          I have used it before to SSO between IBM Websphere AppServers and PortalServers.  It's easy enough to setup on the IBM side I'm sure and I think it would be feasible to use it on a non-IBM product (again I need to defer to someone else to comment on whether JBoss supports this).

           

          Would the user authenticate on the Domino server or the JBoss server?   That would just drive whether you expect JBoss to create LTPA tokens or just be able to read them.

           

          In terms of an architecture I don't see any reason why you couldn't do it.   I'm not entirely sure whether IBM will not go and change the way it works on you.  In other words I don't know if they intend for you to use it outside of their products, so they may one day decide to change the way it is created.

          1 of 1 people found this helpful
          • 2. Re: Web SSO between Domino Server and JBoss AS 6.1 (LTPA token)
            anil.saldhana

            LTPA is an IBM proprietary token. I do not think they intend it to be used in any manner (CRUD) outside of their ecosystem. There are ways by we are able to obtain a SAML2 token as a replacement for the LTPA token from IBM security services.  But I cannot go over them in the forums. If you desire, you will have to contact our sales or consulting.

            1 of 1 people found this helpful
            • 3. Re: Web SSO between Domino Server and JBoss AS 6.1 (LTPA token)
              jawso

              Dan, Anil,

               

              thanks a lot for your answers.

               

              It's a tricky subject, even if I'm sure LTPA token could be handle through a WebApp deployed on JBoss AS.

              But as you underlined it, LTPA is an IBM proprietary token, so...

               

              Regarding the complexity and our schedule, this subject was finally put in brackets yesterday.

               

              SAMLv2 was my first option too, and I hope I could handle these tokens in my next project.

               

              Thanks for your help.

               

               

              Greetings