5 replies · Latest Post - 2013-04-29T12:48:46Z by tonye1

tonye1

DataPower SSO: Fails because no domain cookie from DataPower

2012-11-19T20:25:21Z
I am configuring SSO between DataPower AAA and WebSphere. I use the same (WebSphere) LTPA store, the same realm name, and the same last 2 nodes of the LTPA domain name. I use "BasicAuth" to challenge the user, then generate LTPA as part of post-processing.

When WebSphere generates the LTPA token, all of my DataPower AAA URLs work without being challenged again. This is as I expect.

However, when DataPower generates the LTPA token (LTPAToken2), the Web Application Firewall URLs that "wrap" WebSphere challenge me again. The security trace shows that the AppServer never even "sees" the request.

I believe this is due to the LTPA cookie domain generated by DataPower. Even though the keystore comes from WebSphere, the LtpaToken2 cookie from DataPower has a "Host" of the DataPower machine (the fully resolved hostname.xx.yy.com). When it's generated from WebSphere, it contains a "Domain" name (.yy.com).

I need DataPower to generate a "Domain" cookie like WebSphere does. Where is the location on DataPower to define the domain name for cookies? I've searched in various places and can't seem to find it.

I have all configuration information available if more info is needed.
Thanks in advance
-Tony
Updated on 2012-11-19T20:40:07Z by tonye1
  • tonye1

    Re: DataPower SSO: Fails because no domain cookie from DataPower

    2012-11-19T20:40:07Z  in response to tonye1
    Almost forgot - this is WI52 Firmware 5.0.0.0.
    • Víctor_García

      Re: DataPower SSO: Fails because no domain cookie from DataPower

      2013-04-29T07:50:20Z  in response to tonye1

      Hi,

      The only way I've found to edit path or domain cookie values is by generating the cookies manually.

      Once the LTPA token is generated you can "Wrap Token in a WS-Security Security Header" or not (if not, it's set into a cookie).

      By means of an XSLT template in an action executed after the AAA one, you can read the value for the token from var://context/AAA/PPLTPA.

      To generate an LTPA cookie manually you might:


      <!-- PPLTPA holds the token produced by AAA post-processing -->
      <xsl:variable name="variable" select="dp:variable('var://context/AAA/PPLTPA')" />
      <!-- Pull the token value out of the PPLTPA structure -->
      <xsl:variable name="TokenLTPA" select="$variable//*[local-name()='Value']" />
      <!-- Emit the cookie with an explicit Domain and Path -->
      <dp:set-http-request-header name="'Set-Cookie'" value="concat('LtpaToken2=', string($TokenLTPA), '; Domain=.yy.com; Path=/')" />

      Don't forget to also edit the response cookie.

      And so your cookie will be available for all yy.com sub-domains and in any application context URL.


      Anyway... I've run into problems logging out when doing so (if I don't set the domain property for the cookie, it works seamlessly). Anyway, I hope this helps :)


      Regards,

      Víctor.

      • tonye1

        Re: DataPower SSO: Fails because no domain cookie from DataPower

        2013-04-29T12:29:03Z  in response to Víctor_García

        Hi Victor,

        Thanks. Yes, I had come to the same conclusion, so I worked with some folks to get it and included that solution in our developerWorks article on DataPower as a Mobile enabler:

        See the similar script in Listing 2:

        http://www.ibm.com/developerworks/websphere/techjournal/1301_efremenko/1301_efremenko.html

        Best Regards

        -Tony

        • Víctor_García

          Re: DataPower SSO: Fails because no domain cookie from DataPower

          2013-04-29T12:40:16Z  in response to tonye1

          Great to read that's the right way :)

          The only problem I encountered using this code, as said, is about logout... 

          When I invoke ibm_security_logout, WAS returns Set-Cookie headers with no domain attached, and so the browser does NOT delete the cookies, making it impossible for the user to log out.

          (In fact, logout happens as far as WAS is concerned, but the remaining LTPA cookies re-authenticate the user after any user interaction with the app, I'm afraid.)

          I hope this does not happen to you too.

          P.S.: great article

          Regards,

          Víctor.
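As an added illustration of both the Domain cookie from the first reply and the logout problem described here (example code, not DataPower, WebSphere or the thread's own XSLT): a small model of browser cookie storage, with constructed host names and token value, showing that a Set-Cookie without a Domain attribute from WAS cannot clear the .yy.com cookie DataPower set, while one that repeats the same Domain and Path does.

```python
"""Added example (not DataPower or WebSphere code): a minimal RFC 6265 cookie
store showing why a host-only logout Set-Cookie leaves a domain LTPA cookie
in place. Host names and the token value are constructed for illustration."""

class CookieJar:
    """Cookies keyed by (name, domain, path), the way a browser stores them."""
    def __init__(self):
        self.store = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, header, request_host):
        """Apply one Set-Cookie header received from request_host."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        domain, host_only, path, delete = request_host.lower(), True, "/", False
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key = key.lower()
            if key == "domain" and val:
                domain, host_only = val.lstrip(".").lower(), False
            elif key == "path" and val.startswith("/"):
                path = val
            elif key == "max-age" and int(val) <= 0:
                delete = True  # an Expires date in the past behaves the same
        key = (name, domain, path)
        if delete:
            self.store.pop(key, None)  # removes only an exact (name, domain, path) match
        else:
            self.store[key] = (value, host_only)

    def cookies_for(self, request_host, request_path="/"):
        """Names of the cookies the browser would send with this request."""
        host = request_host.lower()
        sent = []
        for (name, domain, path), (_, host_only) in self.store.items():
            # host-only cookies need an exact host match; domain cookies also match subdomains
            domain_ok = host == domain or (not host_only and host.endswith("." + domain))
            if domain_ok and request_path.startswith(path):
                sent.append(name)
        return sorted(sent)


def logout_scenario(logout_set_cookie):
    """Cookies still sent to WAS after a DataPower login and a WAS logout."""
    jar = CookieJar()
    # DataPower AAA post-processing (constructed host) issues the domain cookie
    jar.set_cookie("LtpaToken2=TOKEN; Domain=.yy.com; Path=/", "dp.xx.yy.com")
    # WAS (constructed host) answers ibm_security_logout with the given header
    jar.set_cookie(logout_set_cookie, "was.xx.yy.com")
    return jar.cookies_for("was.xx.yy.com", "/app")
```

The same matching rule explains the original symptom: a host-only cookie issued under the DataPower hostname is never sent to the WebSphere host, so the AppServer never sees the token.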

          • tonye1

            Re: DataPower SSO: Fails because no domain cookie from DataPower

            2013-04-29T12:48:46Z  in response to Víctor_García

            Agreed it's good to get multiple confirmations, as it can be a difficult topic.  Fortunately, I believe the scripts provided are really easy to understand.

            Thanks for the kind words on the article. Please accept my apologies for not circling back on this sooner, but our customers should benefit when they see how really great the DataPower appliances are, and how, without much work, they can be made to do lots of important things.

            I'll consider this thread "answered". Many thanks for your help.

            Kind regards

            -Tony