Authentication for external data services

Draft comment:
This topic only applies to BAW, and is located in the BAW repository. Last updated on 2025-03-13 12:15
If your external data service needs to authenticate users, it must participate in the same single sign-on authentication configuration as the other Business Automation Workflow components, such as Case Client or the REST protocol.

If Content Platform Engine and the external data service do not use the same WebSphere® Application Server profile, you must set up Lightweight Third Party Authentication (LTPA) security between the applications in WebSphere Application Server. Begin by exporting the LTPA key from the Content Platform Engine server.

The REST protocol passes one of the following authentication values to the external data service:
Basic
If basic authentication is used, the protocol passes an Authorization header that contains the keyword Basic followed by the Base64-encoded user name and password pair.
LtpaToken2
If LTPA authentication is used, the protocol passes the LTPA token in the LtpaToken2 cookie.

If the request contains either of these authentication values, WebSphere Application Server first authenticates the caller against the LDAP server, if one is configured. WebSphere Application Server then sets up a JAAS subject in the calling context of the external data service. To retrieve this JAAS subject, you can use one of the WebSphere Application Server Java™ APIs. Alternatively, you can use the helper method javax.security.auth.Subject getAmbientSubject() that is defined on the UserContext class in the Content Platform Engine Java API.
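The following servlet is an added example, not code from the IBM documentation or the product, of how an external data service consumes the JAAS subject that WebSphere Application Server has already set up instead of validating the Basic header or LtpaToken2 cookie itself. It assumes the WebSphere WSSubject.getCallerSubject() API; the class name ExternalDataServlet and the helper hasCookie are hypothetical.

```java
// Added example: read the container-established JAAS subject in an external data
// service. Credentials in the Basic header or LtpaToken2 cookie are never parsed
// or re-validated here; WebSphere has already authenticated them.
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.auth.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

public class ExternalDataServlet extends HttpServlet {   // hypothetical class name

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        Subject subject = null;
        try {
            // JAAS subject placed in the calling context by WebSphere Application Server.
            subject = WSSubject.getCallerSubject();
            // Equivalent helper from the Content Platform Engine Java API, as named on the page:
            // subject = com.filenet.api.util.UserContext.getAmbientSubject();
        } catch (WSSecurityException e) {
            log("Unable to obtain caller subject", e);
        }
        if (subject == null || subject.getPrincipals().isEmpty()) {
            // No authenticated caller: reject rather than fall back to an anonymous identity.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String user = subject.getPrincipals().iterator().next().getName();

        // Which mechanism arrived is recorded for audit only; it does not drive authorization.
        String mechanism = req.getHeader("Authorization") != null ? "Basic"
                         : hasCookie(req, "LtpaToken2") ? "LtpaToken2" : "other";
        log("External data service request by " + user + " authenticated via " + mechanism);

        resp.setContentType("application/json");
        resp.getWriter().write("{\"caller\":\"" + user.replace("\"", "\\\"") + "\"}");
    }

    // Hypothetical helper: true if a cookie with the given name is present on the request.
    private static boolean hasCookie(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) return true;
        }
        return false;
    }
}
```

Because the servlet trusts only the container subject, an LTPA key mismatch between profiles (the situation the LTPA export step above addresses) shows up as a null subject and a 401, not as a silently unauthenticated request.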