By default, Lotus® Quickr™ relies on WebSphere® Application Server for authentication. You can also configure a third-party authentication proxy server, such as IBM® Tivoli® Access Manager for e-business WebSEAL, to perform authentication for Lotus Quickr. WebSphere Application Server typically uses a Trust Association Interceptor (TAI) to trust the external authentication proxy.
Tivoli Access Manager and Computer Associates eTrust SiteMinder provide TAIs that are used only as an authentication service for Lotus Quickr. TAIs must be activated through the WebSphere Application Server Administrative Console. Lotus Quickr now provides the capability to automatically activate TAIs for Tivoli Access Manager and eTrust SiteMinder. For more detailed information about using TAIs with WebSphere Application Server, refer to the WebSphere Application Server information center and the WebSphere Application Server V6 Security Handbook SG24631600.
Whenever a request attempts to access a secured resource, WebSphere Application Server invokes the TAI, which validates that the request comes from a legitimate third-party authentication proxy and returns the user's authenticated identity to WebSphere Application Server. The TAI should return either a distinguished name (DN) or a short name. WebSphere Application Server performs a registry lookup to verify the distinguished name or convert the short name to a distinguished name before searching for group memberships for that user. If the registry lookup fails, WebSphere Application Server refuses to trust the user. If the registry lookup succeeds, WebSphere Application Server generates a Lightweight Third-Party Authentication (LTPA) token for the user and stores it as a cookie for subsequent authentication during the user's session.
A TAI is not necessary if the third-party authentication proxy provides native WebSphere Application Server identity tokens, such as LTPA tokens. Currently, only Tivoli Access Manager WebSEAL and Tivoli Access Manager Plug-in for Edge Server provide native WebSphere Application Server identity tokens. Consult the WebSEAL Administration Guide for more information about configuring Tivoli Access Manager to provide LTPA tokens. The authentication proxy determines the challenge mechanism, and Lotus Quickr relies on the authentication proxy to relay the success or failure of the user identification through the TAI or the LTPA token. WebSphere Application Server treats all requests that pass through the TAI as authenticated, but WebSphere Application Server and Lotus Quickr still perform a user and group lookup on each request. Even if the authentication proxy has successfully authenticated the user, WebSphere Application Server and Lotus Quickr deny access if they cannot find the user in the registry. For example, a user can exist in an External Security Manager (ESM) yet be inaccessible from Lotus Quickr, because Lotus Quickr is configured to use one user registry, which may not be the same registry as the ESM uses or may not share the same registry configuration properties.
TAIs that allow other custom authentication services to interact with WebSphere Application Server can be written. If you use a security configuration that is different from the ones that are described in this section, you must provide and implement a TAI to communicate with the authentication proxy. Refer to the WebSphere Application Server information center and to the WebSphere Application Server V6 Security Handbook SG24631600 for additional information about creating custom TAIs.
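As an added illustration of the custom TAI flow described above (example code, not from Lotus Quickr, IBM, or the Security Handbook), the interceptor below trusts a request only when the proxy presents a shared secret in a header, then hands the user's short name to WebSphere Application Server, which performs the registry lookup and issues the LTPA token. The class name, property names and the X-Proxy-Secret header are assumptions; iv-user is the header WebSEAL uses to pass the authenticated user to a junctioned server.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class ProxyHeaderTAI implements TrustAssociationInterceptor {
    // Values come from the custom properties set for this interceptor in the Administrative Console (property names are assumptions).
    private String userHeader;     // header carrying the user identity, "iv-user" for WebSEAL
    private String secretHeader;   // header carrying the secret that proves the proxy sent the request
    private byte[] expectedSecret;

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        userHeader = props.getProperty("userHeader", "iv-user");
        secretHeader = props.getProperty("secretHeader", "X-Proxy-Secret");
        String secret = props.getProperty("sharedSecret");
        if (secret == null || secret.isEmpty()) {
            throw new WebTrustAssociationFailedException("sharedSecret property is required");
        }
        expectedSecret = secret.getBytes(StandardCharsets.UTF_8);
        return 0;
    }
    // Claim only requests that carry both headers; anything else gets WebSphere's own challenge.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return req.getHeader(secretHeader) != null && req.getHeader(userHeader) != null;
    }
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
            HttpServletResponse resp) throws WebTrustAssociationFailedException {
        byte[] presented = req.getHeader(secretHeader).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison: the request must really come from the authentication proxy.
        if (!MessageDigest.isEqual(presented, expectedSecret)) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        String user = req.getHeader(userHeader);
        // WebSEAL labels sessions that have not logged in as "Unauthenticated"; never trust those.
        if (user.isEmpty() || "Unauthenticated".equalsIgnoreCase(user)) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Return the short name; WebSphere resolves it in its registry, refuses the request if the lookup fails, and otherwise mints the LTPA token.
        return TAIResult.create(HttpServletResponse.SC_OK, user);
    }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

Because WebSphere resolves the returned name in its own registry, a user known to the proxy but absent from the Lotus Quickr registry is still refused, exactly as the previous paragraphs describe.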
Verify that the TAI is working properly
After completing the configuration to enable External Authentication, follow these steps to verify TAI operation.
- Use this address to test the TAI from a Web browser:
WebSEAL or eTrust SiteMinder should challenge you to authenticate. After you log in, you should be directed to the secure and personalized myquickr page. If you are directed to the login screen or the public page, there is a problem with the TAI configuration.
- For Tivoli Access Manager only: Test the TAI by using Tivoli Access Manager to add a new user. From the pdadmin command line, enter the following command on one line:
pdadmin> user create user_name user_dn cn sn pwd
And then enter:
pdadmin> user modify user_name account-valid yes
Make sure that Lotus Quickr is running, open your browser, and go directly to https://WebSEAL_hostname:WebSEAL_port/junction/lotus/myquickr. WebSEAL will prompt you for a user ID and password. Enter the user ID and password that you just created. You should be taken to a new authenticated user page as the specified user.
- Proceed to Changing the login and logout pages.