
We have this scenario -

  1. DataPower is used for authentication, and on successful authentication (using ADFS) it passes an LTPA token to the Worklight calls
  2. At Worklight we are using WASLTPARealm and the respective LoginModule
  3. What is happening is that Worklight looks up whether the user is in its registry or not, which requires integrating AD again at WL.

Is it possible for Worklight to use DataPower as a trusted partner and not look for the user in the registry? What we are looking for is to avoid calling AD again while still protecting WL resources...

Idan Adar

2 Answers


WAS needs to validate the LTPA token, so it needs the user registry (in this case the Active Directory server). One solution would be to use trust association, so that WAS trusts the requests coming from DataPower, but this means that a TAI (Trust Association Interceptor) has to be implemented (not an easy task).
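To make the TAI route concrete, here is an added example of what such an interceptor looks like; it is not code from the original answer, from Worklight or from IBM. It implements the WebSphere `TrustAssociationInterceptor` SPI, establishes trust in DataPower by two checks (the request must arrive over mutual TLS with DataPower's client certificate, and must carry a shared-secret header compared in constant time), and then hands WAS a pre-built credential hashtable (`WSCREDENTIAL_UNIQUEID`, `WSCREDENTIAL_SECURITYNAME`, `WSCREDENTIAL_GROUPS`, `WSCREDENTIAL_CACHE_KEY`) inside the returned `Subject`. That hashtable is WAS's inbound identity-assertion mechanism: when a subject already carries these keys, the WAS login modules use them instead of looking the user up in the configured registry, which is the AD round trip the question wants to avoid. Verify this behaviour against the WAS version in use. The header names (`X-DP-User`, `X-DP-Groups`, `X-DP-Secret`), the custom property keys (`dp.sharedSecret`, `dp.clientCertDn`, `dp.realm`) and the package name are assumptions for this illustration; DataPower would have to be configured to set those headers after its ADFS step, and the property values are supplied in the WAS trust-association configuration for the interceptor class.

```java
// Added example, not code from the original page. Header names, "dp.*" custom
// property keys, realm naming and the package are assumptions for illustration.
package example.tai;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class DataPowerTrustInterceptor implements TrustAssociationInterceptor {

    // Headers DataPower is assumed to inject after its own (ADFS) authentication.
    private static final String USER_HEADER   = "X-DP-User";
    private static final String GROUPS_HEADER = "X-DP-Groups";   // comma separated
    private static final String SECRET_HEADER = "X-DP-Secret";

    // Only identifiers of this shape are accepted; anything else is rejected
    // rather than copied into the WAS security subject.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9._@-]{1,128}");

    private byte[] sharedSecret;      // custom property dp.sharedSecret (assumed name)
    private String dataPowerCertDn;   // custom property dp.clientCertDn (assumed name)
    private String realm;             // custom property dp.realm        (assumed name)

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        String secret = props.getProperty("dp.sharedSecret");
        dataPowerCertDn = props.getProperty("dp.clientCertDn");
        realm = props.getProperty("dp.realm", "dataPowerRealm");
        if (secret == null || dataPowerCertDn == null) {
            throw new WebTrustAssociationFailedException("dp.sharedSecret and dp.clientCertDn are required");
        }
        sharedSecret = secret.getBytes(StandardCharsets.UTF_8);
        return 0; // 0 means the interceptor initialised successfully
    }

    // Only intercept requests that claim to come from DataPower; everything else
    // falls through to the normal authentication chain (LTPA, form login, ...).
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(SECRET_HEADER) != null && req.getHeader(USER_HEADER) != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        // 1. The request must arrive over mutual TLS with DataPower's client certificate.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0
                || !dataPowerCertDn.equals(certs[0].getSubjectX500Principal().getName())) {
            throw new WebTrustAssociationFailedException("request did not present the DataPower client certificate");
        }
        // 2. Second factor of trust: a shared-secret header, compared in constant time.
        byte[] presented = req.getHeader(SECRET_HEADER).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(sharedSecret, presented)) {
            throw new WebTrustAssociationFailedException("bad DataPower shared secret");
        }
        // 3. Take the identity DataPower asserted, after validating its shape.
        String user = req.getHeader(USER_HEADER);
        if (!SAFE_ID.matcher(user).matches()) {
            throw new WebTrustAssociationFailedException("rejecting malformed asserted user id");
        }
        List<String> groups = new ArrayList<>();
        String groupHeader = req.getHeader(GROUPS_HEADER);
        if (groupHeader != null) {
            for (String g : groupHeader.split(",")) {
                g = g.trim();
                if (!g.isEmpty() && SAFE_ID.matcher(g).matches()) {
                    groups.add("group:" + realm + "/" + g);
                }
            }
        }
        // 4. Hand WAS a pre-built credential hashtable. With these keys present in the
        //    subject's public credentials, the WAS login modules use them as-is instead
        //    of looking the user up in the configured registry (AD).
        Hashtable<String, Object> cred = new Hashtable<>();
        cred.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + realm + "/" + user);
        cred.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        cred.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        cred.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "dp:" + user);
        Subject subject = new Subject();
        subject.getPublicCredentials().add(cred);
        return TAIResult.create(HttpServletResponse.SC_OK, user, subject);
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType()    { return getClass().getName(); }
    @Override public void cleanup()      { }
}
```

The two trust checks are the entire security boundary here: whatever user and group names DataPower sends become the WAS identity without any registry verification, so the interceptor must only be reachable through DataPower (mutual TLS plus the secret, and ideally network rules that stop clients from reaching WAS directly). Group names still have to come from somewhere for authorization, which is why the example lets DataPower forward them in a header rather than resolving them against AD.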


WAS needs to do authorization of the incoming user. What it is trying to do is validate the LTPA token [this happens without AD], and then authorize the user. This authorization decision has to come from somewhere [either from a local file or through LDAP]. The other thing is that such authorization may not be coming from LDAP [in most cases AD is not configured to return the user as a member of a specific group with specific resource rights]. In this case WAS does query the user for authorization information, but the query will do nothing but double-check whether the user exists in the particular registry or not [you are correct that there is no point in checking a user again if the LTPA token is valid, because the LTPA token itself is generated from data which queried/authenticated the user in (most probably) the same registry].

Unfortunately there seems to be no way to avoid it.

  • Ajitabh