476 WebSphere Application Server V8.5 Concepts, Planning, and Design Guide
WebSphere Application Server V8.5 supports several authentication mechanisms, but not all
of them can be directly selected in the administrative console:
Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO)
Rivest-Shamir-Adleman algorithm (RSA) token authentication
Web services security SAML Token Profile
SAML Web SSO post binding profile
Figure 15-3 shows the authentication mechanism selection list.
Figure 15-3 WebSphere Application Server V8.5.5 selectable authentication mechanisms
15.3.1 Lightweight Third-Party Authentication
LTPA is intended for single and multiple application server and system environments as the
default user authentication protocol. It supports credentials that can be forwarded and SSO.
LTPA can support security in a composite environment through cryptography. The LTPA token
contains authentication-related data that is encrypted, digitally signed, and securely
transmitted. Later, at the receiving side, the information is decrypted, and the signature is
When using LTPA, a token is created with the user information and an expiration time. This
token is then signed with the LTPA keys. The LTPA token is time sensitive. All product servers that
participate in a protection domain must have their time, date, and time zone synchronized. If
they are not synchronized, LTPA tokens might prematurely expire and cause authentication or
validation failures. When SSO is enabled, this token is passed to other servers through
cookies for web resources.
If the server and the client share keys, the token can be decrypted to obtain the user
information. The data is then validated by WebSphere Application Server to ensure that data
is not expired and that the user information in the token is valid. On successful validation, the
resources in the receiving servers are accessible after the authorization check. All
WebSphere Application Server processes in a cell (deployment manager, node agents, or
application servers) share a set of keys.
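As an added illustration (not IBM's code and not the real LTPA token format, which is also encrypted), the following Python model shows the two checks described above: a token carrying user information and an expiry is signed with a key shared by every process in the cell, and the receiver verifies the signature and the expiry against its own clock, so a receiver whose clock runs ahead rejects a token the issuer still considers valid. The shared key, lifetimes and user names are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the key set shared by all processes in a cell
# (assumption: a single HMAC key; real LTPA keys do not use this format).
SHARED_KEY = b"constructed-cell-key-not-a-real-ltpa-key"


def create_token(user, lifetime_s, now, key=SHARED_KEY):
    """Issue a token carrying the user name and an absolute expiry, signed with the shared key."""
    payload = json.dumps({"user": user, "exp": int(now) + lifetime_s}, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def validate_token(token, now, key=SHARED_KEY):
    """Return (ok, reason, user). The signature is checked before any claim is trusted,
    then the expiry is compared against the receiving server's clock."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:  # wrong part count or bad base64 (binascii.Error is a ValueError)
        return False, "malformed", None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature", None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired", None
    return True, "ok", claims["user"]


def receive_with_clock_offset(issued_at, lifetime_s, offset_s):
    """Issue a token at issued_at and validate it on a server whose clock is offset_s ahead.
    A receiver running ahead by more than the remaining lifetime rejects the token as
    expired even though the issuer still considers it valid (the synchronization requirement)."""
    token = create_token("alice", lifetime_s, issued_at)
    return validate_token(token, issued_at + offset_s)


if __name__ == "__main__":
    print(receive_with_clock_offset(1_000_000, 600, 5))    # clocks in sync: accepted
    print(receive_with_clock_offset(1_000_000, 600, 700))  # receiver 700 s ahead: expired
```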
Restriction: This panel is shown only on a single server edition. WebSphere Application
Server Network Deployment edition does not offer the Simple WebSphere Authentication
Mechanism (SWAM) as a selectable authentication mechanism.