203 Lotus blogs updated hourly. Who will post next? Home | Blogs | Search | About 
Latest 7 Posts
Domino 10 – to be continued!
Mon, Nov 6th 2017 5
IBM Connections 6 – Following and Followers blank
Wed, Oct 25th 2017 5
Exchange integration into WebSphere Portal (SSO – Kerberos)
Tue, Sep 26th 2017 4
User provisioning for IBM Connections Cloud – You have the choice
Mon, Aug 28th 2017 4
SAML & IBM Connections 5.5 – not a dream team
Fri, Aug 18th 2017 5
IBM Docs – Migration from DB2 –> ORACLE
Fri, Jul 7th 2017 2
IBM Connections – trouble adding additional nodes
Wed, May 31st 2017 5
Top 10
Configuration of secret key storage in WebSphere Application Server
Thu, Mar 12th 2015 19
SAML – Enterprise SSO in the WebSphere world
Mon, Jul 20th 2015 15
DB2 Instance autostart does not work on SLES 12 / RHEL 7
Tue, Jul 12th 2016 14
IBM Connections Docs – file preview not possible for some CCM pdf files
Thu, Nov 17th 2016 12
Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)
Tue, Sep 13th 2016 11
HTTP Outbound authentication via SAML
Tue, Oct 6th 2015 10
WebSphere custom TAI – Doing SSO the right way
Tue, Sep 6th 2016 9
Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182) (2016.06.28)
Tue, Sep 13th 2016 9
IBM Connections: Create external Users / Community using rest API
Wed, Mar 25th 2015 8
CCM files editing in IBM Docs 1.0.7 – a tough job
Tue, Apr 21st 2015 8

WebSphere custom TAI – Doing SSO the right way
Twitter Google+ Facebook LinkedIn Addthis Email Gmail Flipboard Reddit Tumblr WhatsApp StumbleUpon Yammer Evernote Delicious
Julius Schwarzweller    

WebSphere TAI – Doing SSO the right way

Hi all,

one thing on my “to do blog posts” list is to write something about WebSphere TAI. A great way to introduce Single-Sign On between different systems.

What is TAI?

WebSphere TAI means “Trust Association Interceptor”

WebSphere TAI is a well-known and proven security concept in WebSphere stable for a long time. It allows to set up custom advanced (pseudo) SSO scenarios. And the clue is it is extremely easy to code and use.

The base idea is that the TAI code is called whenever a web user is challenged to login.

In many cases not only one TAI is configured. In this case it is up to the TAI developer to make sure that only one of them handles the request. If no TAI handles the request the default login page raises.

Where is a TAI used?

You might have already realized that also standard installations of IBM Connections or WebSphere Portal use Trust Association Interceptors to allow Single-Sign-On using various methods such as:

  • SPNEGO (deprecated)
  • SAML
  • custom …

Example SAML TAI configuration:


How does it work?

Sample flow how a TAI authentication may be implemented (there are also other possibilities and ways)

Bildschirmfoto 2016-09-05 um 19.48.15

1.The user calls a website and authenticates on the given login-form

2.The authentication service checks the LDAP if the given credentials are valid

3.A Cookie (authentication Token) is generated that may contain:

  1. username
  2. timestamp of request
  3. a shared secret

and other security relevant information. The content of this cookie is encoded. The cookie is sent to the configured WebSphere Application Server with the activated TAI

4. The deployed TAI received this token and evaluated if the request is trustable:

  1. Where does the request come from (X-Forwarded-For information in request) – does the request come from the authentication proxy? If not the request is not valid!
  2. Does the timestamp match?
  3. Does the shared secret match?

If all of the above conditions match, the TAI trusts and logs in the user.

There are many other possibilities how to implement a TAI!!! Note that the Cookie that contains sensitive information will never leave the “company network”. The cookie is not sent to the client. It is only visible between authentication proxy and WebSphere Application Server (this may not work with every authentication service…)

How to install and activate?

The installation and activation is quite simple. In our example the TAI only consists of a jar file that needs to be placed in the “…/WebSphere/AppServer/lib/ext” folder of the WebSphere nodes. After a restart of the server, the jar file is loaded.

Now you need to activate the TAI or let`s say tell WebSphere Application Server to use the TAI.

“Global Security” – “Web and SIP Security” – “Trust Association”


Make sure “Enable trust association” is checked. Then click on Interceptors


Click on “New…”


And enter the mandatory custom properties (this heavily depends on how you code your TAI and what additional functions you use there):


Those values need to match the values, ips … you specified on you logon device!

Restart the server and check if it works

Some code samples

From a developer perspective a TAI implments an interface with two methods.

public boolean isTargetInterceptor(HttpServletRequest request) {
boolean doHandleRequest = checkToken(request);
return doHandleRequest;

This method is called before a user is challenged to login. Typically this method is implemented in the way that a token a Cookie a request parameter or something else is in the request from which the user can be identified.
It returns true if the parameter is in the request otherwise returns false.

If this method returned true, a second method is called later in the login process.

public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest request, HttpServletResponse response)
throws WebTrustAssociationFailedException {

String userId = myTokenHandler.getUserId(request);
if (userId == null) {
return redirectToLoginPage(request, response);
else {
Subject subject = createSubjectForUserId(userId);

This method then identifies the user using the given request data for example against a remote repository. After this a user subject is created and the request is forwarded to the original target URL. And voila the user is authenticated.
There are several options to achieve this for example read the subject from the underlying user repository modify additional user attributes add the user to an additional group. In this simple example we created the user subject for our own:

private Subject createSubjectForUserId(String userId) throws Exception {

Subject subject = new Subject();
Principal principal = new UsernamePrincipal(userid);
return subject;

Note that implementing a custom TAI is a powerful thing you have to be careful not to break the security of an environment.

Sep 06, 2016
10 hits

Recent Blog Posts
Domino 10 – to be continued!
Mon, Nov 6th 2017 8:48a   GIS Techblog
Welcome to the first post about IBM Domino on our GIS AG Techblog! Here at GIS AG, we have a dedicated IBM Domino team made up of certified specialists for everything from development, to administration, support and beyond. On this blog we will be sharing the latest news and technical information about IBM Domino. If you have any questions or comments, please, feel free to write an Email to: frederik.potyka@gis-ag.com Visit our About Us page! Domino  10 – This year Notes and Domino 9.0
IBM Connections 6 – Following and Followers blank
Wed, Oct 25th 2017 8:42a   GIS Techblog
IBM Connections 6 – Following and Followers blank Hi, during the last weeks we had to deal with a strange problem in an IBM Connections 6 environment. The system was migrated from IC 5.5 to IC 6 and live for about 4 weeks when suddenly the following problem occurred: Neither users that I follow nor followers were shown in the UI. Despite installing the latest Fixes no bigger changes have been performed on the system. I was able to follow a user: Looks good: Then opening “Following
Exchange integration into WebSphere Portal (SSO – Kerberos)
Tue, Sep 26th 2017 12:03p   GIS Techblog
Exchange integration into WebSphere Portal (SSO – Kerberos) During the last years working with Portal I had several challenges with WebSphere Portals HTTP Outbound Proxy (aka. Ajax Proxy) in terms of authenticating backend calls to various other systems. What we`ve done so far in terms of SSO / backend authentication: – Authenticating using LTPAToken – Authenticating using SAML – Authenticating using SPNEGO / Kerberos (this was a new one for me) The challenge this time
User provisioning for IBM Connections Cloud – You have the choice
Mon, Aug 28th 2017 1:42p   GIS Techblog
User provisioning for IBM Connections Cloud – You have the choice Customers who use IBM Cloud for Connections, Sametime or other applications face the problem to manage their cloud accounts. For some single users you can use the Web frontend to add or change user accounts or to assign subscriptions and licenses to users. But in real world scenarios it is not possible to manage thousands of users manually or to keep them synchronized with an on-prem user repository or LDAP. This can be handled
SAML & IBM Connections 5.5 – not a dream team
Fri, Aug 18th 2017 7:45a   GIS Techblog
Hi all, last week we had to fight with an activation of SAML on a IC 5.5 CR3 environment. The setup was: IBM Connections 5.5 CR3 as test instance ADFS Server 3.0 (I know… it is only tested with ADFS 2.0 – but works with 3.0 too) We followed the instructions from the IBM Connections Knowledge Center. Smooth setup everything standard procedure. When testing this setup, the redirect to the IdP was initiated. After logging into the IdP the browser was redirected to IBM Connections ACS
IBM Docs – Migration from DB2 –> ORACLE
Fri, Jul 7th 2017 9:52a   GIS Techblog
IBM Docs – Migration from DB2 –> ORACLE Hi, within our last big project, we had the challenge to transfer the IBM Docs database from DB2 to ORACLE. Within this database comments and other document related data is stored. Officially there is no script available to perform this move using DBT (remove constraints / transfer / reapply constraints). We looked into the database and figured out how to perform this task using DBT – so we are not dependent on any other products. We m
IBM Connections – trouble adding additional nodes
Wed, May 31st 2017 2:52p   GIS Techblog
IBM Connections – trouble adding additional nodes Hi all, we are currently involved in a project where we installed a 1 node IBM Connections 6 Cluster and later added a second node to the cell. So far so good… Everything that needs to be done after adding the second node is described here … Everything? Yes, mainly… but not in the mandatory details as I think! Missing custom properties and other settings might result in non-functional nodes. Especially not setting httpSess
SNOUG 2017 Presentation – SikaConnect goes External
Thu, Mar 23rd 2017 1:06p   GIS Techblog
SNOUG 2017 Presentation – SikaConnect goes External Hi all, yesterday I was at SNouG in Zurich. I had a great time there – good speakers and a overall perfectly organized event (would we expect sth. else from Switzerland? ) Raymond Weber from SIKA Informationssysteme AG and I did a session about the SIKA Extranet Feature:
Whiteboard in IBM Sametime Meeting 9.0.1 removed
Fri, Mar 17th 2017 10:43a   GIS Techblog
Whiteboard in IBM Sametime Meeting 9.0.1 removed IBM implemented in Sametime Meeting 9.0.1 a whiteboard function as technical preview. Ben described in his articel how to enable this feature: https://collaborationben.com/2016/05/20/whiteboard-in-sametime-9-0-1/ With the current cumulative Fix 901-ST-General-FP-SMOL-AK4G43  for the Meeting Server IBM has removed this function. The response on my PMR was: “I can confirm The Meetings Whiteboard feature release is being put on hold indefinitely.
Wikis content not accessible…
Thu, Jan 26th 2017 10:54a   GIS Techblog
Wikis content not accessible… Hi, it`s been quite a long time; many projects at the moment so that blogging needs to wait Last week we had a very interesting problem at one customer’s environment. When accessing a Wiki, the page was displayed blank – no content was available. Browsing to older versions of this wikis worked. The error in the log: Parsing error… Wikis content (the body) gets store in the filesystem as xml files. If you access a Wiki there is a XML parser

Created and Maintained by Yancy Lent - About - Planet Lotus Blog - Advertising - Mobile Edition