Lightweight Third-Party Authentication (LTPA) is a security token type that is used by IBM® WebSphere® Application Server and other IBM products. LTPA can be used to send the credentials of an authenticated user to back-end services. It can also be used as a single sign-on (SSO) token between the user and multiple servers.
Enabling the LTPA token between IBM products is very useful: it lets the products communicate using the same token, with no need to authenticate more than once. After a user logs in, the server generates an LTPA token. The token is signed by a private key that is shared among all the servers that need to decode it. For HTTP services the token is usually carried in a cookie, so sending it as a cookie means no further user interaction is required on subsequent requests.
As a consultant on mobile technologies, I find that this type of security mechanism is an important feature of IBM Worklight, because it lets the mobile application integrate with several kinds of services simply by adding the token to the service request.
After the user logs in by providing a user ID and password, the Worklight Server authenticates the credentials and generates an LTPA token, which is an encrypted hash that contains the authenticated user's information. The token is signed by a private key that is shared among all the servers that need to decode it. For HTTP services the token is carried in a cookie. LTPA tokens have a configurable expiration time, which reduces the opportunity for session hijacking.
The figure shows the LTPA authentication sequence diagram:
- The mobile application requests access to a secured resource.
- The Worklight Server responds requesting credentials. This request is called a challenge.
- The challenge handler in the mobile application detects the challenge, collects the user credentials, and sends them to the Worklight Server.
- The Worklight Server successfully validates the user credentials against the users defined locally in WebSphere Application Server and returns the LTPA token along with the resource initially requested.
- Now the mobile application calls a secured adapter and sends the LTPA token in the request.
- The adapter procedure extracts the LTPA token from the user session and sends it in the HTTP header to the IBM BPM REST API service on the IBM BPM server.
- The IBM BPM server validates the LTPA token, runs the service, and sends the response back to the Worklight Server. Finally, the Worklight Server sends the response to the mobile application.
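The adapter step in the sequence above, modelled as an added example in plain JavaScript (not Worklight or IBM BPM code): the LTPA cookie issued at login is parsed out of the Set-Cookie headers and attached, as a Cookie header only, to the outbound call to the BPM REST API. The sample Set-Cookie values, the REST path prefix and the injected `invokeHttp` callback are constructed for this example; `LtpaToken`/`LtpaToken2` are the cookie names WebSphere issues.

```javascript
// Added example (not Worklight or IBM BPM code). Models the adapter step above:
// take the LTPA cookie issued at login and forward it on the BPM REST call.
// Sample Set-Cookie values, the REST path prefix and invokeHttp are constructed.
const LTPA_COOKIE_NAMES = ["LtpaToken2", "LtpaToken"]; // prefer the newer format
const BPM_REST_PREFIX = "/rest/bpm/wle/v1"; // assumed BPM REST API base path

// Constructed login response headers; the token value is a placeholder.
const SAMPLE_SET_COOKIE = [
  "JSESSIONID=0000abc123; Path=/; HttpOnly",
  "LtpaToken2=PLACEHOLDER_TOKEN_VALUE; Path=/; Secure; HttpOnly",
];

// Parse Set-Cookie values into {name, value, attrs}; attrs keeps Secure/HttpOnly.
function parseSetCookie(setCookieHeaders) {
  return setCookieHeaders.map((header) => {
    const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
    const eq = pair.indexOf("=");
    const attrs = {};
    for (const part of attrParts) {
      const i = part.indexOf("=");
      const key = (i < 0 ? part : part.slice(0, i)).toLowerCase();
      attrs[key] = i < 0 ? true : part.slice(i + 1);
    }
    return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
  });
}

// Select the LTPA cookie from the login response; null when none was issued.
function extractLtpaToken(cookies) {
  for (const name of LTPA_COOKIE_NAMES) {
    const c = cookies.find((k) => k.name === name && k.value);
    if (c) return { name, value: c.value, secure: c.attrs.secure === true };
  }
  return null;
}

// Adapter-side call: attach the SSO cookie to the outbound BPM REST request.
// invokeHttp stands in for the adapter's HTTP call (WL.Server.invokeHttp in a
// real Worklight adapter) and is injected so the flow can be exercised offline.
function callBpmRestApi(invokeHttp, ltpaToken, path) {
  if (!ltpaToken) throw new Error("no LTPA token in user session; re-authenticate");
  if (!path.startsWith(BPM_REST_PREFIX)) throw new Error("path outside BPM REST API");
  return invokeHttp({
    method: "get",
    path,
    headers: { Cookie: ltpaToken.name + "=" + ltpaToken.value },
    returnedContentType: "json",
  });
}
```

Checking `secure` on the extracted token lets the adapter refuse to forward a token that the login server issued without the Secure flag.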
The IBM Redbooks publication Extending IBM Business Process Manager to the Mobile Enterprise with IBM Worklight explains, through use cases and usage scenarios, how to build and deliver business processes using IBM Business Process Manager, and how to develop mobile applications that let remote users interact with those business processes while on the go, using the IBM Worklight platform.
In this book, LTPA token authentication is enabled in the integration between IBM Worklight and IBM BPM, where the same token is shared between the two products to demonstrate SSO between two apps that access processes in the organization's back-end systems. The Worklight adapter that calls the IBM BPM REST API includes the cookie carrying the token, and secure integration is established. For details, refer to the IBM Redbooks publication Extending IBM Business Process Manager to the Mobile Enterprise with IBM Worklight.
Hala Aziz is an IT Specialist in the Cairo Technology Development Center (CTDC) in IBM Egypt. She has ten years of experience in IBM Application and Integration Middleware Software such as IBM WebSphere® Application Server, IBM WebSphere Portal, IBM Worklight, and IBM Endpoint Manager. She worked as a consultant on eGovernment and banking solutions for clients in Egypt, Dubai, Oman, and Switzerland. Hala has several technical professional certifications such as Certified Application Developer for IBM Web Content Manager and IBM Worklight, and she has delivered IBM internal education and client enablement training workshops around the world. Hala is a co-author of the IBM Redbooks publication Extending IBM Business Process Manager to the Mobile Enterprise with IBM Worklight.