Need to decode WebSphere/Domino LTPA token for SSO?
Posted by Vivek Agarwal on July 15, 2008
I needed to implement Single Sign-On between IBM WebSphere Portal and HP Operations Dashboard (HPOD) without using an SSO product, and figured that we could do that using the LTPA token generated by WPE on login to the Portal. For LTPA-token-based SSO to work, we need to be able to decode the LTPA token on the HPOD front – HPOD is based on Jetspeed – in other words, we are looking at implementing SSO between WebSphere and Jetspeed. I was just getting ready to look up some info that I have from Jerry Cuomo on the LTPA token format, when I tried a quick Google search and found an even better answer. I stumbled upon a blog entry and functional code for LTPA token decoding at http://blog.offbytwo.com/2007/08/21/working-with-lightweight-third-party-authentication-ltpa/. I downloaded the code, exported the LTPA keys from a test WPE server, copied the 3DESKey and our LTPA encryption password into LtpaUtils, logged in to the WPE test server, determined the LTPA token cookie value for test purposes, and was able to decrypt it just fine using LtpaUtils. And thanks to Cosmin, all of this took about 20 minutes!


Vanishree said
Hi,
I want to implement SSO for WebSphere and Tomcat application servers. Can you please tell me if this requires a Domino server? Also, how can I implement the same in steps? I would be grateful for the same.
After reading your article I thought I would be able to get more details from you.
Vani
agcuong said
You should hit the link below to get the code. Maybe it's very useful to you:
http://offbytwo.googlecode.com/svn/trunk/bitsandpieces/LTPAUtils/
Drop me a note if you find the code useful or if you have some improvements you would like to share.
Please keep me updated on what you do further. I'm learning more about this topic.
Good luck,
agcuong
Vanishree said
Hi,
I am writing to you about my deployment/design issue. Please suggest how I will be able to overcome the same.
The setup, or high-level architecture, is as follows.
WebSphere Portal Extend Suite is being used.
1. IBM HTTP Server
2. WPS 6.1 /WAS 6.1
3. WPS 5.0 /WAS 5.0
4. Tomcat 5.0
5. LDAP server
6. ADS for authentication and authorization for WAS
We have an IBM HTTP Server, which accepts requests from a user.
It is then redirected through iframes to WPS for authentication, done through ADS and LDAP.
Some applications are deployed in WAS 6.1.
There is an application, BOSS 2, which was developed long ago and consists of simple JSP/Java pages.
This was to be deployed to WAS as a portlet, but since they were not aware of
inter-portlet communication and the use of session variables between these two applications,
they deployed it in Tomcat as simple JSP portlets. This application is called Boss2.
Now the menus and sub-menus for this application are loaded from WAS.
The issue is that if I know the URL for the pages, this application can be accessed by anyone, because it is assumed that authentication is already done, and if I know the username and the values to pass I can access any page.
Problems
1. Sharing of session variables between portlets – how to do this?
2. How to prevent session variables from being hijacked during penetration testing? Securing the session variables.
3. How to do authentication for the Tomcat server?
4. How to do authorization for the Boss2 application in the Tomcat server, so that only those menus/submenus get loaded based on the user logged in and also based on the role available?
So now we need to do the same authentication and authorization for this Boss2 application as done for WAS.
Regards,
Vani
denis said
Hi,
Thanks for your really interesting article.
With this class I can decode the LTPA cookie. However, what can we find inside it? The idea is to use WebSphere Portal with deployed portlets + LTPA (or other) as SSO + JBoss with a deployed application which the portlets call.
However, I cannot figure out how to integrate this LTPA stuff with an existing application based on JAAS. Have you got any idea on that?
Regards,
Denis.
Vivek Agarwal said
Once you decode an LTPA token, you get the username and the expiration time for the token. For example:
Token is for: u:user\:wpsldap\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com
Token expires at: 2008-08-21-18:26:19 CDT
Full token string : u:user\:wpsldap\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com%1219361179281%dI8CxUr7Xc4O2bPp57g0KMbRgQQs00IcJf+EoQUcaZuz8i7SOp08Uq4tikwcJ5xIgwhSeWLFIuW9VAjZe2Ux5FIU+znrQxkXZKrD3IdwLyMcJ/K1chog7YqqExQm4M0n3j6p+SYysBIKCmx545p4Q5TLI+VMbBXtvFLnO+DY2qg=
So, once you get the username/expiration time, you can use that on the JBoss end to verify user identity/authentication.
Hope this helps!
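As an added example (not code from the post or from Cosmin's LtpaUtils), the Python below parses a decrypted LTPA payload of the layout visible in the full token string above, user data%expiry in epoch milliseconds%base64 signature, into its fields and checks the expiry against a supplied clock; the signature is only decoded, not verified, because that needs the LTPA public key, which this example assumes is not at hand. The expiry it recovers is the same instant the reply prints as 18:26:19 CDT, shown here in UTC.

```python
import base64
import time
from datetime import datetime, timedelta, timezone

# Decrypted LTPA payload quoted in the reply above (taken from the post, not constructed).
SAMPLE_PAYLOAD = (
    "u:user\\:wpsldap\\:389/uid=vagarwal,cn=people,dc=organizationName,dc=com"
    "%1219361179281"
    "%dI8CxUr7Xc4O2bPp57g0KMbRgQQs00IcJf+EoQUcaZuz8i7SOp08Uq4tikwcJ5xIgwhSeW"
    "LFIuW9VAjZe2Ux5FIU+znrQxkXZKrD3IdwLyMcJ/K1chog7YqqExQm4M0n3j6p+SYysBIK"
    "Cmx545p4Q5TLI+VMbBXtvFLnO+DY2qg="
)

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ltpa_payload(payload: str) -> dict:
    """Split a decrypted LTPA payload into user data, expiry and signature.

    Layout seen in the token above: <user data>%<expiry epoch ms>%<base64 signature>.
    Splitting from the right keeps any '%' inside the user data intact.
    """
    parts = payload.rsplit("%", 2)
    if len(parts) != 3:
        raise ValueError("payload is not in user%expiry%signature layout")
    user, expiry_ms, sig_b64 = parts
    if not expiry_ms.isdigit():
        raise ValueError("expiry field is not a millisecond timestamp")
    # Decoding only checks the field is well-formed base64. Verifying the signature
    # needs the LTPA public key exported from the WebSphere cell, which this example
    # does not have; the 'user' value must not be trusted until that is done.
    signature = base64.b64decode(sig_b64, validate=True)
    ms = int(expiry_ms)
    # Integer arithmetic keeps the millisecond exact (no float rounding).
    expires_at = EPOCH + timedelta(milliseconds=ms)
    return {"user": user, "expires_ms": ms, "expires_at": expires_at, "signature": signature}


def is_expired(fields: dict, now_ms: int) -> bool:
    """True once the token's expiry has passed; both sides in epoch milliseconds."""
    return now_ms >= fields["expires_ms"]


if __name__ == "__main__":
    fields = parse_ltpa_payload(SAMPLE_PAYLOAD)
    print("Token is for:", fields["user"])
    print("Token expires at:", fields["expires_at"].isoformat())
    print("Signature length (bytes):", len(fields["signature"]))
    print("Expired now?", is_expired(fields, int(time.time() * 1000)))
```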
Erik said
Did you have any issues compiling/running Cosmin’s code? I keep running into a crypto exception…
angapi said
thanks for this post.
it helped me to quickly integrate some .NET apps in my WPS portal 6
angapi