Introduction
When integrating WebSphere Portal with Tivoli Federated Identity Manager (TFIM), or with any other external authentication tool, the first thing you do is change the login button to point to the external tool. This is described in a previous article in this wiki, "Changing the login and logout pages in Portal 6.1." That configuration covers the majority of users: those who first navigate to an anonymous page on the portal and then click the login link.
There is, however, one big difference between TFIM and other external authentication tools. TFIM does not require all portal traffic to travel through a proxy, as Tivoli Access Manager (TAM) and CA SiteMinder Web Access Manager (SiteMinder) do, so TFIM does not automatically trap a request for a protected URL and challenge the user with a login prompt. If a user has direct access to the portal and requests a protected resource from a bookmark or from a link in another application, that request travels directly to the portal, and by default WebSphere Portal (WP) answers it with its own login page. WP has configuration parameters that control redirection on login and logout, but the login.redirect.url parameter sends the user to the specified URL after a successful login, not before. This article describes a solution that overrides the default behavior so that the TFIM login page is displayed instead of the default WP login page.
Redirecting to a different login page
When WebSphere Application Server (WAS) detects a request that requires authentication, it first calls the Trust Association Interceptors (TAIs) that are configured. If no TAI supplies an authenticated user, WAS redirects to the form login page named in the 'login-config' section of the web.xml file of the web application that owns the requested URL. In the case of WP, that form-login-page URL is "/redirect", which is mapped to the LoginRedirector filter. This filter contains other logic, but in most cases it simply redirects to the portal login page.
If you have a static URL that serves as your login page and you never need to display the default portal login page, you can simply replace the form-login-page URL with your static URL. For TFIM integration, however, we want to preserve the originally requested URL so that TFIM can send the user back to it after the login process. WAS preserves the originally requested URL in a cookie called WASReqURL, so we need a small piece of logic that reads that cookie and passes its value, as the TARGET parameter, on the request to the TFIM login page.
Here is a sample JSP that implements the required logic:
<%@ page session="false" %>
<%@ page import="java.net.URL, java.net.URLEncoder, javax.servlet.http.Cookie" %>
<%
// Read the WASReqURL cookie that WAS set when it intercepted the protected
// request. request.getCookies() returns null when the request carries no
// cookies at all, so the check below avoids a NullPointerException.
String wasReqURL = null;
Cookie[] cookies = request.getCookies();
if (cookies != null)
{
    for (int i = 0; i < cookies.length; i++)
    {
        if ("WASReqURL".equals(cookies[i].getName()))
        {
            wasReqURL = cookies[i].getValue().trim();
            break;
        }
    }
}

// Rebuild the absolute URL of the originally requested resource. Depending on
// the WAS release the cookie may hold a path or an absolute URL; both are handled.
String targetURL = null;
if (wasReqURL != null && wasReqURL.length() > 0)
{
    String scheme = request.getScheme();
    String host = request.getServerName();
    int port = request.getServerPort();
    if (wasReqURL.startsWith("http://") || wasReqURL.startsWith("https://"))
    {
        // Absolute URL: accept it only if it points back at this server, so a
        // planted cookie cannot turn TARGET into a redirect to another site.
        if (host.equalsIgnoreCase(new URL(wasReqURL).getHost())) targetURL = wasReqURL;
    }
    else if (wasReqURL.startsWith("/") && !wasReqURL.startsWith("//"))
    {
        // Path: prefix it with this server's scheme, host and port, omitting the
        // port only when it is the default for the scheme (80 or 443).
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                           || ("https".equals(scheme) && port == 443);
        targetURL = scheme + "://" + host + (defaultPort ? "" : ":" + port) + wasReqURL;
    }
}

if (targetURL != null)
{
    StringBuffer redirectURL = new StringBuffer();
    redirectURL.append("https://TFIM_IdentityProvider_URL:9443/sps/SAML11/saml11/login?SP_PROVIDER_ID=https://TFIM_ServiceProvider_URL:9443/sps/SAML11/saml11&TARGET=");
    // TARGET is a query-string parameter, so its value must be URL-encoded;
    // otherwise any '?' or '&' in the original request would be parsed as part
    // of the TFIM query string.
    redirectURL.append(URLEncoder.encode(targetURL, "UTF-8"));
    // Redirect before any HTML has been written, while the response is still
    // uncommitted, and stop processing the page.
    response.sendRedirect(redirectURL.toString());
    return;
}
%>
<HTML>
<HEAD>
<TITLE>Redirect Login JSP</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFEE">
<h1>Redirect Login JSP</h1>
<h2>Requested URL:</h2>
<TABLE Border="2" WIDTH="65%" BGCOLOR="#DDDDFF">
<tr><td><%=request.getRequestURL().toString() %></td></tr></table>
<BR><BR>
<h2 style="color:red">Error: WASReqURL cookie not found or not usable</h2>
</BODY>
</HTML>
Steps to implement this solution:
1. Export wps.ear using the WAS admin console
2. Expand wps.ear using the EARExpander tool
3. Place loginRedirect.jsp in the wps.war directory
4. In the web.xml of wps.war, change the form-login-page tag in the login-config section to "/loginRedirect.jsp"
5. Collapse wps.ear back into a single EAR file.
6. Update the installed wps.ear enterprise application with the new one via the WAS admin console.
7. Stop and start the WebSphere_Portal server.
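As an added illustration (not taken from the original article), here is the login-config change of step 4 as it appears in the web.xml of wps.war, with the original setting beside the new one. Only the form-login-page element changes; the form-error-page value shown is an assumption, so keep whatever your web.xml already contains:

```xml
<!-- Before: WAS sends every unauthenticated request for a protected URL
     to /redirect, i.e. the LoginRedirector filter and the portal login page. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/redirect</form-login-page>
        <form-error-page>/redirect</form-error-page>
    </form-login-config>
</login-config>

<!-- After: unauthenticated requests go to loginRedirect.jsp, which reads the
     WASReqURL cookie and forwards the user to the TFIM login page. -->
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/loginRedirect.jsp</form-login-page>
        <form-error-page>/redirect</form-error-page>
    </form-login-config>
</login-config>
```

The JSP is placed in the root of wps.war, so the form-login-page path is relative to the portal web application's context root, exactly as "/redirect" was.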
Alternative Solution
You may have a situation where you sometimes want to redirect to the external authentication engine and at other times allow the default portal login page to be displayed. In that case you will have to create a servlet filter with logic similar to that in the JSP above. Your filter should redirect when it finds the right situation and otherwise pass the request to the next filter. You can then install your filter on the same /redirect URL in front of the existing LoginRedirector filter, leaving the form-login-page setting at /redirect.
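The following filter is an added example written for this page, not code from the article's authors or from the WebSphere Portal product. It decides per request whether to send the user to TFIM: if the WASReqURL cookie names a resource under one of the configured path prefixes, the user is redirected to TFIM with that resource as TARGET; otherwise the request is handed to the next filter (LoginRedirector) and the portal login page is shown as usual. The package name, the class name, the init-parameter names tfimLoginUrl and tfimPaths, and the /wps/myportal prefix in the sample mapping are all assumptions.

```java
package com.example.portal.login; // hypothetical package

import java.io.IOException;
import java.net.URL;
import java.net.URLEncoder;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Mapped to /redirect ahead of the portal's LoginRedirector filter.
 * Redirects to the TFIM login page when the originally requested resource
 * (recorded by WAS in the WASReqURL cookie) lies under a configured path
 * prefix; otherwise lets the default portal login flow continue.
 */
public class TfimLoginFilter implements Filter {

    // Assumed init-params: tfimLoginUrl is the TFIM login URL, including
    // SP_PROVIDER_ID and ending in "&TARGET="; tfimPaths is a comma-separated
    // list of path prefixes that must authenticate through TFIM.
    private String tfimLoginUrl;
    private String[] tfimPaths;

    public void init(FilterConfig config) throws ServletException {
        tfimLoginUrl = config.getInitParameter("tfimLoginUrl");
        String paths = config.getInitParameter("tfimPaths");
        if (tfimLoginUrl == null || paths == null) {
            throw new ServletException("tfimLoginUrl and tfimPaths init-params are required");
        }
        tfimPaths = paths.split(",");
        for (int i = 0; i < tfimPaths.length; i++) {
            tfimPaths[i] = tfimPaths[i].trim();
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String target = resolveTarget(request, findCookie(request, "WASReqURL"));
        if (target != null && matchesTfimPath(new URL(target).getPath())) {
            // TARGET is a query parameter, so encode it before appending.
            response.sendRedirect(tfimLoginUrl + URLEncoder.encode(target, "UTF-8"));
            return;
        }
        // Not a TFIM case: continue to LoginRedirector and the portal login page.
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** Returns the value of the named cookie, or null if the request lacks it. */
    static String findCookie(HttpServletRequest request, String name) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return null;
        for (int i = 0; i < cookies.length; i++) {
            if (name.equals(cookies[i].getName())) return cookies[i].getValue().trim();
        }
        return null;
    }

    /**
     * Builds the absolute URL of the originally requested resource. A path is
     * prefixed with this server's scheme, host and port; an absolute URL is
     * accepted only if its host is this server, so a planted cookie cannot turn
     * TARGET into a redirect to another site. Returns null if unusable.
     */
    static String resolveTarget(HttpServletRequest request, String wasReqURL) throws IOException {
        if (wasReqURL == null || wasReqURL.length() == 0) return null;
        String scheme = request.getScheme();
        String host = request.getServerName();
        int port = request.getServerPort();
        if (wasReqURL.startsWith("http://") || wasReqURL.startsWith("https://")) {
            return host.equalsIgnoreCase(new URL(wasReqURL).getHost()) ? wasReqURL : null;
        }
        if (!wasReqURL.startsWith("/") || wasReqURL.startsWith("//")) return null;
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                           || ("https".equals(scheme) && port == 443);
        return scheme + "://" + host + (defaultPort ? "" : ":" + port) + wasReqURL;
    }

    private boolean matchesTfimPath(String path) {
        for (int i = 0; i < tfimPaths.length; i++) {
            if (path.startsWith(tfimPaths[i])) return true;
        }
        return false;
    }
}

/* Sample registration in the web.xml of wps.war (assumed values). Its
 * filter-mapping must appear before LoginRedirector's mapping for /redirect,
 * because filters run in the order of their mappings:
 *
 *   <filter>
 *     <filter-name>TfimLoginFilter</filter-name>
 *     <filter-class>com.example.portal.login.TfimLoginFilter</filter-class>
 *     <init-param><param-name>tfimLoginUrl</param-name>
 *       <param-value>https://TFIM_IdentityProvider_URL:9443/sps/SAML11/saml11/login?SP_PROVIDER_ID=https://TFIM_ServiceProvider_URL:9443/sps/SAML11/saml11&amp;TARGET=</param-value></init-param>
 *     <init-param><param-name>tfimPaths</param-name><param-value>/wps/myportal</param-value></init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>TfimLoginFilter</filter-name>
 *     <url-pattern>/redirect</url-pattern>
 *   </filter-mapping>
 */
```

Because the filter only ever builds TARGET from this server's host, the TFIM login page cannot be used as an open redirector by an attacker who plants a WASReqURL cookie; requests whose cookie is missing or malformed simply fall through to the portal's own login page instead of producing an error.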
Authors:
John De Binder (debinder@us.ibm.com)
Robert Loredo (loredo@us.ibm.com)