Single Sign On with WebSphere

When SSO is required with WebSphere®, it can be achieved using the WebSphere lightweight third-party authentication mechanism (LTPA) and additional custom login modules. The LTPA protocol results in a token being created for an authenticated user. In WebSphere, a token is generated once credentials are added for an authenticated user. This token is then used to retrieve identity information for an authenticated user in an SSO environment.

Security is implemented as a Cúram login module within a chain of login modules set up in WebSphere. It is expected that at least one of these login modules be responsible for adding credentials for the user. By default, the Cúram login module adds credentials for an authenticated user. As a result of this, the configured WebSphere user registry handled by a subsequent login module does not add credentials. The recommended approach to implementing an SSO solution is to add a custom login module somewhere along the chain of login modules.

The ability to disable the addition of credentials for an unauthenticated user is provided, thus enabling an SSO solution to be implemented.

The Cúram JAAS login module for WebSphere checks if an LTPA token exists within WebSphere using the WSCredTokenCallbackImpl callback for WebSphere. If this token exists and is valid, then no authentication is performed by the Cúram login module.

Credentials may be added to the WebSphere user registry. Credentials include authentication information for the user logging in, including the unique identifier for that user. WebSphere checks whether credentials exist for a user after all configured system login modules have executed; if they exist, the WebSphere user registry is not queried. Credentials are not added by the Cúram JAAS login module if the following settings are in place:

As mentioned in Deployment of an External Application, there are properties relating to the type of external user that control if credentials are added to WebSphere for a specific external user type. These include:

These properties provide fine grained control over authentication for external user types.

In the case where the Cúram JAAS login module does not add credentials, the WebSphere user registry is queried in an attempt to add credentials for the user.
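As an added illustration, and not code from Cúram or WebSphere, the following Java JAAS login module shows the pattern the sections above describe: it asks WebSphere for an existing LTPA token through WSCredTokenCallbackImpl and performs no authentication when one is present; otherwise it authenticates a name and password against a constructed in-memory registry; and in commit() it adds credentials only when no token was present and an assumed module option, addCredentials, has not been set to false, so that a later module in the chain or the WebSphere user registry supplies them instead. The package name, the addCredentials option, the in-memory USERS map and the UserPrincipal class are assumptions; the WSCredTokenCallbackImpl constructor and its getCredToken() method are assumed from WebSphere's public callback API.

```java
// Hypothetical package; the Cúram login module itself is not reproduced here.
package example.sso;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
// WebSphere callback named in the text; constructor and getCredToken() are assumed.
import com.ibm.websphere.security.auth.callback.WSCredTokenCallbackImpl;

public class TokenAwareLoginModule implements LoginModule {

    /** Minimal principal placed in the Subject when this module adds credentials (assumed). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed stand-in for a user store; a real module would query the Cúram registry.
    private static final Map<String, byte[]> USERS = new HashMap<>();
    static { USERS.put("caseworker", "example-password".getBytes(StandardCharsets.UTF_8)); }

    private Subject subject;
    private CallbackHandler handler;
    private boolean addCredentials = true; // option name "addCredentials" is an assumption
    private boolean tokenPresent;
    private boolean succeeded;
    private String userName;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object opt = options.get("addCredentials");
        if (opt != null) {
            addCredentials = Boolean.parseBoolean(opt.toString());
        }
    }

    @Override
    public boolean login() throws LoginException {
        // 1. Ask WebSphere whether an LTPA credential token already exists for this login.
        WSCredTokenCallbackImpl tokenCb = new WSCredTokenCallbackImpl("LTPA token: ");
        try {
            handler.handle(new Callback[] { tokenCb });
            byte[] token = tokenCb.getCredToken();
            tokenPresent = token != null && token.length > 0;
        } catch (IOException | UnsupportedCallbackException e) {
            tokenPresent = false; // this handler cannot supply a token
        }
        if (tokenPresent) {
            // A token was established earlier in the chain (or by SSO): authenticate nothing.
            succeeded = true;
            return true;
        }
        // 2. No token: authenticate name and password against the registry.
        NameCallback nameCb = new NameCallback("user: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("credentials unavailable: " + e.getMessage());
        }
        String name = nameCb.getName();
        char[] pw = pwCb.getPassword();
        pwCb.clearPassword();
        byte[] supplied = pw == null ? new byte[0] : new String(pw).getBytes(StandardCharsets.UTF_8);
        if (pw != null) { Arrays.fill(pw, '\0'); }
        byte[] expected = name == null ? null : USERS.get(name);
        // Constant-time comparison so a wrong password does not leak timing information.
        if (expected == null || !MessageDigest.isEqual(expected, supplied)) {
            throw new FailedLoginException("authentication failed");
        }
        userName = name;
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) {
            return false;
        }
        // Add credentials only when no token was present and the option permits it;
        // otherwise a later module or the WebSphere user registry supplies them.
        if (!tokenPresent && addCredentials) {
            subject.getPrincipals().add(new UserPrincipal(userName));
        }
        return true;
    }

    @Override
    public boolean abort() { reset(); return true; }

    @Override
    public boolean logout() {
        subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
        reset();
        return true;
    }

    private void reset() { tokenPresent = false; succeeded = false; userName = null; }
}
```

The module is meant to sit in the chain of system login modules described above; placed with the option addCredentials=false, it authenticates but leaves credential addition to a subsequent module or, failing that, to the WebSphere user registry query described in the last paragraph.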