Symantec Access Management

Hi We are trying to create SSO across 2 IBM App servers , which use different user stores. Importing and exporting LTPA keys between these servers will not work as the both servers use different user stores.

Lets call these Appservers 1 and 2 for easier understanding,

Apps on server1 are protected by SiteMinder IWA, so when someone logs in SM/TAI will create SMSESSION and LTPA and user gets SSO experience. Is there a possibility using any of the CA components such as (SiteMinder, FSS, SPS or API Gateway) to convert the SMSESSION into LTPA token that can be consumed by App server2. We have full control over LTPA Keys of App server2.

I was told that PingIdentity supports with something called STS, Can CA save the day?

Interesting. I'm aware of the SSO user experience for the snoop servlet.

TAI agent sitting on the app servers connected to the same policy server validates the existing smsession of the user and create a user principal where the IBM connections can identify the user using this principal since we configure the web trust association.

Even though you have 2 directories separately configured to the app servers. Here the trust association should be validated using the directories configured at the siteminder side. So, TAI always validates the smsession accross that user directories and creates the SmUserPrincipal. But I remember a issue about TAI unable to find the Unique ID of the user. Mapping of the attributes resolved that issue.

Not sure how your ask is achieved using the siteminder since the requirement is specific to importing and exporting LTPA keys which needs a password to be exchanged between the domains.

Hi Krishna, Sorry for not clarifying. Only one of the app servers are configured with SM WA/TAI. The other app server has no knowledge of SM. It works independently using SPNEGO and LTPA. Somehow, SM configured WAS Server needs to be able to take SMSESSION and convert it into LTPA that can be consumed by other(Non SM). This might look like a crazy thing to do because IT IS crazy. We are having to do this to bypass certain internal head aches.

Thanks again.

Sam,

this is interesting. CA makes SM and encrypts the SMSession, but IBM makes WebSphere and uses different encryption for the LTPA.

the ASA is actually in the JAAS passing the identity through Java calls. it doesn't actually make the LTPA

Unless IBM has the SDK open to allow the creation of an LTPA outside of their products, which could lead to security issues, i doubt this is possible. however i can see my current company having a similar request in the future so im very interested in how CA replies.

Hi Josh, I was told that Ping Federate's STS can offer a solution to this specific use case. We no longer need this , but good luck with your use case.