How to create your own LTPA session cookie
April 6th, 2009
Lotus Domino uses LTPA as the authentication technology for single sign-on. LTPA involves creating a session cookie that can be used to achieve single sign-on across several servers.
LTPA can also be used in combination with a reverse proxy: the user is authenticated at the reverse proxy, which then forwards the authenticated user to the backend Lotus Domino servers. To do so, the reverse proxy has to send an LTPA session cookie along with the HTTP request to the Lotus Domino server. The Tivoli Access Manager WebSEAL reverse proxy can do just that and supports LTPA.
However, if you use a product that does not support LTPA, then you have to create the LTPA cookie yourself. Daniel Lehtihet has provided the details on how to create an LTPA session cookie in the Domino Experts forum - and Miha Vitorovič from NIL Data Communications has extended this to create a Java library with all the necessary code. In short, an LTPA session cookie consists of the following fields (concatenated, with a SHA-1 digest and Base64 encoding applied on top):
- LTPA token version
- Creation time
- Expiration time
- User name
- Domino server secret
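To make the list above concrete, here is an added example (not code from this post, nor from Daniel Lehtihet's forum description or Miha Vitorovič's Java library) that builds an LTPA1 cookie value from those five fields and, more importantly for anyone operating a Domino server, verifies one: the digest must match the server secret and the current time must fall between creation and expiration, which is exactly why the secret must never leave the server-side components. The version bytes, uppercase 8-character hex timestamps and field order are assumed from the commonly documented Domino LTPA1 layout rather than stated on this page; `SAMPLE_SECRET_B64` is a constructed placeholder for the Base64 secret found in the Domino SSO configuration document, and the function names are mine.

```python
import base64
import hashlib
import hmac
import time

# LTPA1 token version header. Assumed from the commonly documented Domino
# LTPA1 layout; the post itself only says the token starts with a version.
LTPA1_VERSION = b"\x00\x01\x02\x03"
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes of SHA-1 output

# Constructed placeholder. A real deployment takes the Base64 secret from the
# Domino SSO configuration document shared by every server in the SSO domain.
SAMPLE_SECRET_B64 = base64.b64encode(b"placeholder-domino-sso-secret").decode("ascii")


def create_ltpa_token(username, secret_b64, created=None, lifetime_seconds=1800):
    """Build a Base64 LTPA1 cookie value for `username`.

    Assumed layout: version (4 bytes) | creation time (8 hex chars) |
    expiration time (8 hex chars) | user name | SHA-1(all of the above + secret).
    """
    created = int(time.time()) if created is None else int(created)
    expires = created + int(lifetime_seconds)
    # Domino stores the user name in LMBCS; for ASCII names that equals Latin-1.
    body = (LTPA1_VERSION
            + f"{created:08X}".encode("ascii")
            + f"{expires:08X}".encode("ascii")
            + username.encode("latin-1"))
    # The secret never travels in the cookie; it only feeds the digest, which
    # is what stops a client from minting or altering tokens on its own.
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode("ascii")


def verify_ltpa_token(token_b64, secret_b64, now=None):
    """Return the user name if the token is well formed, unexpired and its
    digest matches the secret; otherwise return None."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) < 4 + 8 + 8 + 1 + DIGEST_LEN or raw[:4] != LTPA1_VERSION:
        return None
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    # Constant-time comparison so a digest cannot be guessed byte by byte.
    if not hmac.compare_digest(digest, expected):
        return None
    try:
        created = int(body[4:12], 16)
        expires = int(body[12:20], 16)
    except ValueError:
        return None
    now = int(time.time()) if now is None else int(now)
    if not created <= now < expires:
        return None
    return body[20:].decode("latin-1")


if __name__ == "__main__":
    token = create_ltpa_token("CN=Jane Doe/O=Example", SAMPLE_SECRET_B64)
    print("LtpaToken=" + token)
    print("verifies as:", verify_ltpa_token(token, SAMPLE_SECRET_B64))
```

The verifier is the half worth keeping in mind when you put any device in front of Domino: a token with a wrong digest, a tampered user name, a wrong secret or a timestamp outside the creation/expiration window is rejected, so the component that mints tokens needs the real secret and must be trusted to the same degree as the Domino servers themselves.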
I am currently on a project where we plan to use an F5 BIG-IP application delivery controller to (among many other things) authenticate and load balance HTTP requests against backend Lotus Domino servers. The solution will involve forwarding an authenticated user to the Lotus Domino server, and this is where creating your own LTPA session cookie comes into play. I plan to use the F5 iRules control language to create an LTPA session cookie once a user has been authenticated and then send this LTPA session cookie along with the HTTP requests to the Lotus Domino server.
Tags: F5 BIG-IP, F5 iRules, Lotus Domino, LTPA, single sign-on
April 7th, 2009 at 09:32
For those who are using Apache on OpenNTF there is an interesting project available:
http://www.openntf.org/projects/pmt.nsf/ProjectLookup/DominoTomcatSSO
May 5th, 2009 at 12:52
Can you create an LTPA token with F5?
Or do you simply take it from a servlet and insert it into the header?
Please get in contact with me and we can share some info.
May 5th, 2009 at 15:30
Yuce, as I write above, I plan to use the F5 iRules control language to create an LTPA session cookie when a user has been authenticated and then send this LTPA session cookie along with the HTTP requests to the Lotus Domino server. I will create a blog post on this when the solution has been completed.
August 5th, 2010 at 04:19
Please let me have the Domino files as soon as possible. Thanks.
August 11th, 2010 at 01:15
I am using a CA reverse proxy server with the SiteMinder web agent, and at the backend it is a Domino server with LTPA token enabled.
In my case users are authenticated first on the CA proxy server with SiteMinder, as it is our enterprise SSO solution. We also have BIG-IP F5 9.1.
So when users are authenticated on the proxy servers via SiteMinder and the request reaches the Domino server, the Domino server prompts again for username and password, as the CA reverse proxy server or SiteMinder cannot generate an LTPA token which the Domino server can understand. I am thinking of following your steps. However, I do not know what additional steps I need to do. Is it possible for you to take some time out to guide me here? Thank you so much for sharing the information.
August 13th, 2010 at 11:21
Hi Mahesh, if the CA reverse proxy is unable to generate the LTPA token then perhaps you can have the F5 BIG-IP device do it for you. Is the F5 BIG-IP used in such a way that it can take over the role as the reverse proxy?
June 1st, 2011 at 21:04
Hi,
I need to generate an LTPA token in WebSphere Application Server after the username and password have been tested against the LDAP user registry. How can I then pass it to Domino?
June 2nd, 2011 at 06:49
Hi Keshav, check the documentation. This is a standard feature in WAS and Domino when you want to use single sign-on between the two.
June 23rd, 2011 at 06:36
Hi,
I just wanted to thank you, since using your clear description of the process, and your links, I was able to authenticate users banging on an SSO-enabled Domino server by fetching their LDAP credentials from an external LDAP directory, then creating an LTPA token for their web session, and redirecting them to the requested web base.
June 23rd, 2011 at 06:52
Hi Yann, thank you for your comment - and well done implementing your own LTPA solution!