Write external authentication interface servers on Tivoli Access Manager for e-business

Allow WebSEAL to outsource authentication decisions to a separate module

External authentication interfaces (EAI) let WebSEAL hand authentication off to a separate module, so that Tivoli Access Manager for e-business can use authentication methods that WebSEAL does not implement itself.


developerWorks security editors, Staff, IBM

This article is brought to you by the editors of the developerWorks Security site.

21 October 2013

IBM expert Ori Pomerantz has been securing computer networks (and showing others how to do it too) since 1995. Pomerantz joined IBM in 2003 and since then has written classes on several IBM security products, including IBM Security zSecure™. He is also a co-author of the IBM Press publication Mainframe Basics for Security Professionals: Getting Started with RACF, 2007. In this whitepaper, "IBM Tivoli Access Manager for e-business 6.1: Writing External Authentication Interface Servers," Pomerantz shows how to use external authentication interfaces with WebSEAL to extend the authentication capabilities of WebSEAL and Tivoli® Access Manager for e-business.

See Download for the full white paper. The following sections outline what you will learn in the full paper.

What is an external authentication interface?

An external authentication interface is a mechanism that moves the responsibility for authenticating users from WebSEAL to a third-party product, the EAI server. The process works like this:

  1. The user's browser requests the EAI server through WebSEAL. The EAI server sits behind a WebSEAL junction and may run on a separate computer.
  2. WebSEAL must permit unauthenticated access to that junction, because the user has no credential yet.
  3. The user and the EAI server exchange as many requests and pages as the authentication method needs; WebSEAL takes no part in this exchange.
  4. Guided by an HTML page from the EAI server, the browser requests a trigger URL, one of the URLs configured in WebSEAL as a place where an EAI response may carry authentication data.
  5. The EAI server's response to that request carries the authenticated user identity in an HTTP header, optionally accompanied by further headers such as the authentication level reached and extended attributes for the credential.
  6. WebSEAL reads those headers from the response, builds the user's credential and starts the session.
  7. WebSEAL lets the user access the back-end servers that the credential is authorized for.

By using an EAI, Tivoli Access Manager for e-business can support authentication mechanisms that WebSEAL does not implement itself. It also gives WebSEAL an additional authentication level that can be required for sensitive resources. The flip side is that WebSEAL trusts whatever identity a trigger-URL response asserts, so the EAI server is part of the trusted computing base: it should be reachable only through its WebSEAL junction, it must set the identity header only after it has actually verified the user, and it must never derive that header from unverified request input.
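The exchange above, as an added example written for this page and not taken from the whitepaper: a minimal EAI server in Python that serves a login form on an unauthenticated path and answers the trigger URL with the identity, authentication level, extended attribute and redirect headers. The junction name /eai, the trigger URL /eai/auth, the user store and the credentials are constructed for the example, and the header names are the WebSEAL defaults from the [eai-headers] stanza of webseald.conf as I recall them; treat them as assumptions and check them against your own configuration.

```python
"""Minimal EAI server for WebSEAL (added example, not the whitepaper's code).

Assumptions, to be checked against your webseald.conf:
  * the EAI junction is /eai and the trigger URL is /eai/auth
  * header names are the WebSEAL defaults from the [eai-headers] stanza
  * the user store is constructed here; salts and hashes are made at start-up
"""
import hashlib
import hmac
import os
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Assumed WebSEAL default EAI header names ([eai-headers] in webseald.conf).
USER_ID_HEADER = "am-eai-user-id"        # identity WebSEAL builds the credential from
AUTH_LEVEL_HEADER = "am-eai-auth-level"  # level reported for step-up decisions
XATTRS_HEADER = "am-eai-xattrs"          # names of headers to copy into the credential
REDIR_HEADER = "am-eai-redir-url"        # where WebSEAL sends the browser after login


def _hash_pw(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _user(password: str, dept: str, level: int) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(salt, password), "dept": dept, "level": level}


# Constructed user store (example only): alice authenticates at level 2, bob at level 1.
USERS = {
    "alice": _user("correct horse", "finance", 2),
    "bob": _user("hunter2", "sales", 1),
}

LOGIN_FORM = (b'<html><body><form method="post" action="/eai/auth">'
              b'User <input name="user"> Password <input name="pass" type="password">'
              b'<input type="submit" value="Log in"></form></body></html>')


def authenticate(username: str, password: str):
    """Return the user record if the password verifies, else None."""
    rec = USERS.get(username)
    if rec is None:
        _hash_pw(b"dummy-salt", password)  # same cost for unknown users: no timing oracle on usernames
        return None
    if hmac.compare_digest(_hash_pw(rec["salt"], password), rec["hash"]):
        return rec
    return None


def safe_target(target: str) -> str:
    """Allow only a local absolute path as the post-login redirect.

    WebSEAL turns the redirect header into a 302 to the browser, so an
    unchecked value taken from the request would be an open redirect."""
    if target.startswith("/") and not target.startswith("//"):
        return target
    return "/"


def eai_response(username: str, password: str, target: str = "/"):
    """Build (status, headers, body) for the trigger URL.

    WebSEAL honours the identity headers on any response from a trigger URL,
    so they are emitted only after the password has verified.  The username
    placed in the header is a key of USERS, never the raw form value, so it
    cannot carry CR/LF for header injection."""
    rec = authenticate(username, password)
    if rec is None:
        return "401 Unauthorized", [("Content-Type", "text/plain")], b"login failed\n"
    headers = [
        ("Content-Type", "text/plain"),
        (USER_ID_HEADER, username),
        (AUTH_LEVEL_HEADER, str(rec["level"])),
        (XATTRS_HEADER, "dept"),   # names the headers WebSEAL stores as extended attributes
        ("dept", rec["dept"]),
        (REDIR_HEADER, safe_target(target)),
    ]
    return "200 OK", headers, b"authenticated\n"


def app(environ, start_response):
    """WSGI entry point: the login page is unauthenticated, the trigger URL does the work."""
    path, method = environ.get("PATH_INFO", ""), environ.get("REQUEST_METHOD", "GET")
    if path == "/eai/login" and method == "GET":
        start_response("200 OK", [("Content-Type", "text/html")])
        return [LOGIN_FORM]
    if path == "/eai/auth" and method == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode("utf-8", "replace"))
        status, headers, body = eai_response(form.get("user", [""])[0],
                                             form.get("pass", [""])[0],
                                             form.get("target", ["/"])[0])
        start_response(status, headers)
        return [body]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


if __name__ == "__main__":
    # Bind to the junction host only: the EAI server is meant to be reached through WebSEAL.
    make_server("127.0.0.1", 8081, app).serve_forever()
```

Run it, junction it as /eai, and list /eai/auth as a trigger URL; a browser that reaches /eai/login through WebSEAL and submits the form gets a WebSEAL session for alice or bob, with the dept attribute in the credential and the level the EAI reported. The 401 path deliberately carries none of the EAI headers, so a failed login can never produce a credential.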

The steps you'll learn

Pomerantz covers the following instructions in this paper:

  • How to configure WebSEAL to use an EAI. This includes registering the EAI authentication-mechanism library, choosing which protocols EAI authentication is accepted on, defining the trigger URLs and the header names WebSEAL looks for, and creating a junction to the EAI server with an ACL that allows unauthenticated access to it.
  • How to write a simple EAI server, how to debug it, and how to integrate it with WebSEAL. This includes exercising and testing it, and enabling automatic redirection to the requested resource after login.
  • How to make the EAI server negotiate a multi-step authentication exchange with the user by means of scripting.
  • How to write EAI servers in PHP.
  • How an EAI can send extended attributes to WebSEAL, which WebSEAL stores in the user's credential.

Pomerantz also explains step-up authentication: requiring a higher authentication level before a user may access particular resources. WebSEAL lets web resources demand different authentication levels, which is useful when one application is especially sensitive and needs, for example, two-factor authentication while the rest of the site does not. An EAI server reports the level at which it authenticated a user, and WebSEAL compares that level with the one the resource requires. Pomerantz explains how to configure WebSEAL and the resources to enforce this.
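The WebSEAL side of the configuration described above, as an added fragment written for this page rather than taken from the whitepaper. The stanza and key names are the webseald.conf settings as I recall them for this product generation, the library path is an example, and /eai/auth and the two EAI levels are assumptions; verify every line against the WebSEAL administration guide for your version before using it.

```ini
; webseald.conf fragments (assumed stanza and key names: check your version's guide)

[authentication-mechanisms]
; register the EAI authentication library shipped with WebSEAL (example path)
ext-auth-interface = /opt/pdwebrte/lib/libeaiauthn.so

[eai]
; accept EAI authentication over https only; identity headers must not travel in clear
eai-auth = https

[eai-trigger-urls]
; only responses to these URLs may assert an identity, so keep the pattern tight;
; a broad pattern such as  trigger = /eai/*  would let every page the EAI server
; serves, including its login form, carry authentication headers
trigger = /eai/auth*

[eai-headers]
; header names WebSEAL reads from the trigger-URL response
eai-user-id-header = am-eai-user-id
eai-auth-level-header = am-eai-auth-level
eai-xattrs-header = am-eai-xattrs
eai-redir-url-header = am-eai-redir-url

[authentication-levels]
; entries are numbered from 0; listing ext-auth-interface twice gives the EAI
; levels 1 and 2 to report in am-eai-auth-level for step-up
level = unauthenticated
level = ext-auth-interface
level = ext-auth-interface
```

With that in place the remaining work is in pdadmin (again, syntax as I recall it, to be checked): create the junction to the EAI host, attach to it an ACL that grants `unauthenticated Trx` so the login page is reachable without a credential, and attach to the sensitive resource a POP modified with `set ipauth anyothernw 2`, so that a user whose EAI-reported level is below 2 is sent back through the EAI to step up before the resource is served.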
