Secure your IBM MobileFirst application using Microsoft ADFS integration
Hamid k
With emerging business requirements and standards, almost any networked computer system now needs to support distributed applications. These applications may interact with computers on the same local area network, within a corporate intranet, across extranets that link partners and suppliers, or anywhere on the Internet. To make such applications functional, easy to use and cost-effective to administer, information about the services, resources, users and other objects they can reach needs to be organized in a clear and consistent way. Much of this information can be shared among many applications, but it must also be protected against unauthorized modification and against disclosure of private data. The same requirement applies to mobile applications, usually in a more complex form, because of the variety of resources, services and legacy systems a mobile application may have to talk to in order to complete a business transaction. IBM MobileFirst Platform (MFP) provides a simple, scalable infrastructure for connecting securely to such services and back-end resources. This blog entry explains how to integrate MFP with Microsoft ADFS (Active Directory Federation Services) to implement such secure connections.
Concepts and implementation approach
"ADFS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet. When a user needs to access a Web application from one of its federation partners, the user's own organization is responsible for authenticating the user and providing identity information in the form of "claims" to the partner that hosts the Web application. The hosting partner uses its trust policy to map the incoming claims to claims that are understood by its Web application, which uses the claims to make authorization decisions. ADFS implements the standards-based WS-Federation protocol and SAML, i.e. Security Assertion Markup Language." [1]
The approach assumes that claims-based authentication, which is native to ADFS, is being used. ADFS speaks WS-Federation and SAML; MFP has no native support for either, but WebSphere Application Server (WAS) does. The integration therefore works in two hops. First, WebSphere is configured to accept the SAML assertion issued by ADFS through its Trust Association Interceptor (TAI); once the assertion is accepted, WebSphere generates an LTPA token (the token it uses internally for single sign-on). Second, MFP is configured to accept that LTPA token. The identity MFP ends up trusting is only as good as the TAI's checks, so the TAI has to verify that the assertion really came from ADFS and that the asserted user resolves in the WebSphere user registry.
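As an added illustration, not configuration taken from the original post, this is the shape of the trust-policy part of that first hop, written as the custom properties the WebSphere SAML TAI reads, with the settings to avoid commented out beside the ones to use. The property names are as I recall them from the WAS 8.5 SAML Web SSO TAI documentation and should be checked against the documentation for your version; the hostnames, entity IDs, ACS path and trust store name are assumptions.

```properties
# Where ADFS posts the assertion, and which IdP is trusted (assumed hostnames/paths)
sso_1.sp.acsUrl=https://mfp.example.com/samlsps/acs
sso_1.sp.EntityID=https://mfp.example.com/saml/sp
sso_1.idp_1.EntityID=http://adfs.example.com/adfs/services/trust
sso_1.idp_1.SingleSignOnUrl=https://adfs.example.com/adfs/ls/

# Weak: accept an assertion signed by anyone, and build the WebSphere subject
# straight from the assertion, skipping the registry lookup that refuses unknown users.
# sso_1.sp.trustAnySigner=true
# sso_1.sp.idMap=idAssertion

# Use instead: trust only the ADFS token-signing certificate imported into this
# trust store (assumed name), and require the asserted user to exist in the WAS registry.
sso_1.sp.trustStore=AdfsSigningTrustStore
sso_1.sp.trustAnySigner=false
sso_1.sp.idMap=localRealm
```

With idMap=localRealm the assertion's subject is looked up in the configured registry, which is what gives the LTPA token handed to MFP a DN and group memberships the application can authorize against; with idAssertion a validly signed assertion for any name ADFS emits would be accepted as-is.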
As noted in the product documentation section WebSphere Trust Association Interceptors: "Whenever a request attempts to access a secured resource, WebSphere Application Server starts the TAI. The TAI validates that the request comes from a legitimate third-party authentication proxy and returns the user's authenticated identity to WebSphere Application Server. The TAI returns either a distinguished name (DN) or a short name. WebSphere Application Server performs a registry lookup to verify the distinguished name or convert the short name to a distinguished name before searching for group memberships for that user. If the registry lookup fails, WebSphere Application Server refuses to trust the user. If the registry lookup succeeds, WebSphere Application Server generates a Lightweight Third-Party Authentication (LTPA) token for the user. It stores it as a cookie for subsequent authentication during the user's session."
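To make the TAI steps just quoted concrete, here is an added example (mine, not WebSphere's SAML TAI and not code from the original post) that walks one assertion through them: check that it is signed, issued by the trusted ADFS instance, inside its validity window and addressed to this service provider; resolve the asserted short name in the registry, refusing unknown users; and only then mint a session token for the MFP side to verify. Everything is assumed or constructed: the ADFS and SP entity IDs, the in-memory registry, the sample assertion, and the `signature_ok` flag that stands in for XML-DSig verification against the ADFS token-signing certificate (the model checks that a Signature element is present but does not implement XML-DSig). The token is an HMAC stand-in, not the LTPA2 format.

```python
"""Model of the SAML-to-LTPA hop: validate an ADFS assertion, resolve the user in
the registry, issue a session token for MFP. Added example, not WebSphere code."""
import base64, hashlib, hmac, json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TRUSTED_ISSUER = "http://adfs.example.com/adfs/services/trust"  # assumed ADFS EntityID
SP_ENTITY_ID = "https://mfp.example.com/saml/sp"                 # assumed SP EntityID
CLOCK_SKEW = timedelta(minutes=3)                                # tolerated clock drift
STANDIN_KEY = b"constructed-demo-key-not-an-ltpa-key"           # HMAC key, not an LTPA key
# Constructed stand-in for the WebSphere user registry: short name -> (DN, groups).
REGISTRY = {"alice": ("uid=alice,ou=people,dc=example,dc=com", ["mobile-users"])}

class AssertionRejected(Exception):
    pass

def _saml_time(value):  # xsd:dateTime in UTC; ADFS may add fractional seconds
    stamp = value.split(".")[0].rstrip("Z")
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, now, signature_ok):
    """Return the asserted short name after the checks a TAI has to make.
    signature_ok stands in for XML-DSig verification against the trust store."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise AssertionRejected("not a SAML 2.0 Assertion")
    if root.find("ds:Signature", NS) is None or not signature_ok:
        raise AssertionRejected("unsigned or bad signature")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != TRUSTED_ISSUER:
        raise AssertionRejected("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise AssertionRejected("missing Conditions")
    if (now + CLOCK_SKEW < _saml_time(cond.get("NotBefore"))
            or now - CLOCK_SKEW >= _saml_time(cond.get("NotOnOrAfter"))):
        raise AssertionRejected("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in
                            cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise AssertionRejected("assertion not addressed to this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise AssertionRejected("no Subject NameID")
    return name_id

def mint_token(dn, groups, now, lifetime=timedelta(hours=2)):
    """HMAC-signed stand-in for the LTPA cookie WebSphere would set."""
    claims = {"dn": dn, "groups": groups, "exp": int((now + lifetime).timestamp())}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(STANDIN_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token, now):
    """What the MFP side does with the token: check the MAC, then the expiry."""
    body, mac = token.split(".", 1)
    expected = hmac.new(STANDIN_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise AssertionRejected("token MAC mismatch")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now.timestamp() >= claims["exp"]:
        raise AssertionRejected("token expired")
    return claims

def sso_login(xml_text, now, signature_ok=True):
    """The whole hop: assertion in, token out, or AssertionRejected.
    The registry lookup means a valid assertion for an unknown user is still refused."""
    short_name = validate_assertion(xml_text, now, signature_ok)
    if short_name not in REGISTRY:
        raise AssertionRejected("user %r not in registry" % short_name)
    return mint_token(*REGISTRY[short_name], now)

# Constructed sample assertion; a real one carries a full XML-DSig block.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c0ffee" Version="2.0"
  IssueInstant="2016-03-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T10:00:00Z" NotOnOrAfter="2016-03-01T10:10:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mfp.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
NOW = datetime(2016, 3, 1, 10, 5, tzinfo=timezone.utc)

def outcome(xml_text, now=NOW, signature_ok=True):
    try:
        return "accepted:" + verify_token(sso_login(xml_text, now, signature_ok), now)["dn"]
    except AssertionRejected as exc:
        return "rejected:" + str(exc)

def demo():
    return {"valid": outcome(ASSERTION),
            "bad_signature": outcome(ASSERTION, signature_ok=False),
            "expired": outcome(ASSERTION, now=NOW + timedelta(minutes=15)),
            "wrong_audience": outcome(ASSERTION.replace(SP_ENTITY_ID, "https://other.example.com/sp")),
            "unknown_user": outcome(ASSERTION.replace("alice", "mallory"))}
```

Running `demo()` shows the only case that yields a token is the signed, in-window assertion for a registered user; the wrong-audience case matters in practice because an assertion ADFS issued for some other relying party is otherwise a perfectly valid, signed document.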
The developerWorks technical article "Understanding the WebSphere Application Server SAML Trust Association Interceptor" covers the SAML TAI, and therefore ADFS integration, in more depth. It notes: "The SAML TAI introduces support for a new form of web single sign on (SSO). As we say in our WebSphere Application Server security class, the term "SSO" is considerably overused in the industry."
Once WAS is configured to protect the MFP resources with the SAML TAI, configure MFP to accept the resulting LTPA token by following the pattern described for LTPA authentication in the blog entry "Working with LDAP and LTPA in IBM MobileFirst Platform Foundation 8.0 Beta."