The Web server plug-in is required to be installed on your Web server only if that server is a supported server other than WebSphere® Application Server. The primary function of the plug-in is to extract the user identity information from the LTPA cookie in a Web request and make the identity information available to the target application that is hosted by the Web server using either HTTP headers or server variables (if supported by the Web server).
To ensure that you can properly configure the Web server plug-in and integrate your application with the plug-in, it is helpful to understand how Web requests are processed by the plug-in.
Cookies are stripped only if the LTPA token cookie is missing, expired, or improperly encoded. Session cookies are present only after a federated single sign-on, which is indicated by the presence of an LTPA token cookie.
A session cookie without a valid LTPA token cookie implies that the session cookie is no longer applicable. Processing ends.
If the decoding fails or if the LTPA token has expired, no further processing occurs. The request is passed to the Web application without the addition of HTTP headers and the application is left to handle the condition.
If the LTPA token is decoded successfully, processing continues and the plug-in creates a list of HTTP headers to set in the request. It builds this list from the configuration specified in the plug-in configuration file and the LTPA attribute values in the token. For information about the LTPA-attribute-to-HTTP-header mapping process, see LTPA-attribute-to-HTTP-header mapping.
To map the LTPA cookie information to an HTTP header, the plug-in relies on a special configuration file, itfimwebpi.xml, which determines which HTTP headers are created, modified, or stripped (removed) in the final HTTP request that is sent to the target application.
For every configured header, if the corresponding LTPA attribute does not exist, any header with the configured name should be stripped.
For example, in the figure, the LTPA value 'LTPA_Other' is not present, so the input HTTP header 'Hdr-Other' is stripped (removed). The LTPA value 'tagvalue_email' is present, so the existing header 'Header_mail' is modified to contain the value from the LTPA cookie: "user@example.com". The LTPA value 'tagvalue_name' is present, so the header 'Header_Name' is created with the value from the LTPA cookie: "User_Name".
Headers that are not listed in the configuration file remain unchanged. If an LTPA cookie is not present, then all headers with "strip=yes" are removed.
The plug-in also has the ability to strip cookies if the LTPA cookie is not presented and the ability to map LTPA attributes to server variables. However, these scenarios are not shown in the figure.
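The header rules described above, modelled in Python as an added example (this is not code from the product or its documentation). The MAPPING list is a hypothetical stand-in for the rules in itfimwebpi.xml and does not reproduce that file's syntax; the strip settings, request headers, and token values are constructed.

```python
# Added illustration: models the header-mapping rules described above.
# MAPPING is a hypothetical in-memory stand-in for the rules in itfimwebpi.xml;
# it does not reproduce that file's real syntax.
MAPPING = [
    {"attr": "tagvalue_name",  "header": "Header_Name", "strip": True},
    {"attr": "tagvalue_email", "header": "Header_mail", "strip": True},
    {"attr": "LTPA_Other",     "header": "Hdr-Other",   "strip": False},
]


def apply_mapping(headers, ltpa_attrs, mapping=MAPPING):
    """Return the headers the target application would receive.

    headers    -- dict of inbound request headers (client-controlled)
    ltpa_attrs -- dict of attributes from a decoded LTPA token, or None
                  when the request carries no LTPA cookie
    """
    out = dict(headers)

    def drop(name):
        # HTTP header names are case-insensitive, so remove every spelling.
        for key in [k for k in out if k.lower() == name.lower()]:
            del out[key]

    for rule in mapping:
        if ltpa_attrs is None:
            # No LTPA cookie: only headers flagged strip=yes are removed.
            if rule["strip"]:
                drop(rule["header"])
        elif rule["attr"] in ltpa_attrs:
            # Attribute present: create the header or overwrite the inbound value.
            drop(rule["header"])
            out[rule["header"]] = ltpa_attrs[rule["attr"]]
        else:
            # Token valid but attribute absent: the configured header is stripped.
            drop(rule["header"])
    return out


# Constructed sample request: the client supplies its own identity headers.
INBOUND = {
    "Host": "app.example.com",
    "header_mail": "spoofed@example.net",
    "Hdr-Other": "client-supplied",
}
TOKEN = {"tagvalue_name": "User_Name", "tagvalue_email": "user@example.com"}

if __name__ == "__main__":
    print("valid token:", apply_mapping(INBOUND, TOKEN))
    print("no cookie:  ", apply_mapping(INBOUND, None))
```

In the no-cookie case of this model, the client-supplied Hdr-Other value reaches the application because its rule is not marked strip=yes, while the two headers marked strip=yes are removed.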
For information about configuring your service provider environment, including the plug-in configuration file, see Configuring service provider components.