We have a customer looking at leveraging Tivoli Access Manager WebSEAL for protecting a mobile application (mainly REST APIs). The application is hosted on a non-IBM back-end and WebSEAL is intended to provide authentication and session management for the application.
The turnaround for the solution is expected to be fairly quick and hence an upgrade to ISAM for Mobile is not a preferred option.
Here is the application flow:
1) User opens the application on a mobile device
2) WebSEAL prompts for userid/password the first time. Upon successful authentication, a token is issued with a predefined expiration of 12 hrs
3) For all subsequent requests, the device also sends this token
4) After 12 hrs, the user is asked to enter user/password again
We are mainly evaluating the following options:
1) OAuth, which would be overkill for a simple application, and we would need an OAuth provider, say TFIM
2) Just use out-of-the-box WebSEAL authentication, keep the timeout at 30 mins, but use the re-authentication feature to extend the session beyond 30 mins, up to 12 hours
Is there some other, simpler approach we should consider? Or, of the above two options, which one should we prefer?
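Added example, not part of the original post: one way option 2 maps onto the WebSEAL configuration file (webseald.conf). The stanza and key names are the standard `[session]` and `[reauthentication]` ones; the values are assumptions chosen for the 30 min / 12 h requirement described above, so check them against the administration guide for the WebSEAL version in use.

```ini
; Added example (not from the original post): option 2 expressed in webseald.conf.
; Values are assumptions for the 30 min inactivity / 12 h lifetime requirement.
[session]
; Absolute lifetime of the session cache entry: 12 hours (43200 s).
; After this the user must log in with userid/password again, matching step 4.
timeout = 43200
; Inactivity limit: a session idle for 30 minutes (1800 s) is no longer valid.
inactive-timeout = 1800

[reauthentication]
; When a session goes inactive, prompt for credentials and keep the existing
; session entry instead of discarding it, so the session continues after
; re-authentication rather than starting from scratch.
reauth-for-inactive = yes
; Do not let a successful re-authentication push the session past the 12 h
; lifetime; the hard limit above is what enforces the daily re-login.
reauth-extend-lifetime = no
reauth-reset-lifetime = no
```

Two points worth checking against the stated flow. First, the "token" the device presents on every request is in practice the WebSEAL session cookie, which is a bearer credential: junctions and the client-facing listener should be HTTPS only, since anyone holding the cookie holds the session for the remaining lifetime. Second, `reauth-for-inactive` re-prompts for the password whenever the device has been silent for the inactivity period, so the "password only after 12 hours" behaviour in step 4 holds only while the device keeps making requests more often than every 30 minutes; if the app is backgrounded for longer, the user will see a login prompt before the 12 hours are up.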