Actual situation:
I have a Liberty Server where my JEE application is running. If you enter the application, Liberty runs a login form where you can enter your userid and password, which will be checked by the LDAP registry, and eventually you'll be authenticated and Liberty creates a session with your credentials. Now you can see the app, and the app can use the SessionContext and knows who you are...
As my company has now changed its security philosophy, we gotta use an F5 APM. So far: on entering the application you'll be redirected to the F5 APM, which will redirect to an IdP where you can log in. Afterwards it's redirecting back to the app with an IV-User in the HTTP header. Good news is, I can still use the Liberty form login from here - but this is kinda stupid, cause you gotta log in twice...
Now my question is, how can I use this IV-User to create the user session with Liberty, or maybe to check it against the LdapRegistry?
If you don't want to query the registry you need to create a full subject. So instead of this:
return TAIResult.create(HttpServletResponse.SC_OK, userid);
you need to do this in your TAI:
// stash in hashtable (needs java.util.Hashtable, javax.security.auth.Subject,
// com.ibm.wsspi.security.token.AttributeNameConstants, com.ibm.wsspi.security.tai.TAIResult)
Hashtable<String, Object> hashtable = new Hashtable<>();
hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, uniqueid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groupList); // List<String> of group names
hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "myCustomAttribute" + uniqueid);
Subject subject = new Subject();
subject.getPublicCredentials().add(hashtable);
// with a Subject supplied, the registry is not consulted for this principal
return TAIResult.create(HttpServletResponse.SC_OK, userid, subject);
For more information check these pages:
Successful authentication should create an LTPA cookie and not require additional authentication, so if you don't see such behavior something is still misconfigured.
I did a very quick look at the F5 APM and it looks like it supports OIDC so you should at least also consider that option.
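A complete TAI built around the answer's snippet, as an added example (not the answer's or IBM's code): it reads the IV-User header the F5 APM inserts and returns a full subject. Because an HTTP header can be set by any client that reaches Liberty directly, the interceptor only fires when the request also carries a shared-secret header that the F5 is assumed to add; the secret header name "x-apm-secret", the property names, the class name and the empty group list are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class IvUserTAI implements TrustAssociationInterceptor {
    private static final String USER_HEADER = "iv-user";
    // Assumed: the F5 adds a secret header to every request it proxies; its name and value
    // come from the TAI's properties in server.xml. "x-apm-secret" is only a placeholder.
    private String secretHeader;
    private byte[] secretValue;
    @Override public int initialize(Properties props) throws WebTrustAssociationFailedException {
        secretHeader = props.getProperty("secretHeader", "x-apm-secret");
        String secret = props.getProperty("secretValue");
        if (secret == null || secret.isEmpty())
            throw new WebTrustAssociationFailedException("secretValue property is required");
        secretValue = secret.getBytes(StandardCharsets.UTF_8);
        return 0;
    }
    // Intercept only when IV-User is present AND the request proves it came through the F5;
    // otherwise any client could set IV-User itself and choose an identity.
    @Override public boolean isTargetInterceptor(HttpServletRequest req) {
        String user = req.getHeader(USER_HEADER), secret = req.getHeader(secretHeader);
        return user != null && !user.isEmpty() && secret != null
            && MessageDigest.isEqual(secretValue, secret.getBytes(StandardCharsets.UTF_8));
    }
    @Override public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
            HttpServletResponse resp) throws WebTrustAssociationFailedException {
        String userid = req.getHeader(USER_HEADER);
        List<String> groups = new ArrayList<>(); // fill from another trusted header or a lookup
        Hashtable<String, Object> hashtable = new Hashtable<>();
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, userid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, userid);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, groups);
        hashtable.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "ivuser:" + userid);
        Subject subject = new Subject();
        subject.getPublicCredentials().add(hashtable); // full subject, registry is not queried
        return TAIResult.create(HttpServletResponse.SC_OK, userid, subject);
    }
    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return getClass().getName(); }
    @Override public void cleanup() {}
}
```

Register the class under <trustAssociation> in server.xml with the two properties, and make sure Liberty is reachable only through the F5, since the secret header check is the only thing standing between a spoofed IV-User and a session.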