Enabling or disabling single sign-on interoperability mode for the LTPA token

You can set an interoperability flag on the token generator to determine whether an LTPA Version 1 token or an LTPA Version 2 token is retrieved when a request message is received.

About this task

In WebSphere® Application Server Version 7.0 and later, a flag in the global security settings enables single sign-on interoperability mode for the LTPA token. This flag determines whether an LTPA Version 1 token or an LTPA Version 2 token is sent when a message request is received. When the interoperability flag is set to true, the AuthenticationToken is an LTPA Version 1 token and the SingleSignonToken is an LTPA Version 2 token. When the interoperability flag is set to false, both the AuthenticationToken and the SingleSignonToken are LTPA Version 2 tokens.

When interoperability mode is enabled (the flag is set to true) and the Web Services Security binding configuration specifies LTPA Version 1 as the token, the AuthenticationToken is used to retrieve the token that is sent with the message. If interoperability mode is not enabled (the flag is set to false) and the Web Services Security binding configuration specifies LTPA Version 1 as the token, the token cannot be retrieved and an exception is logged.

You can disable the interoperability check by setting the custom property com.ibm.wsspi.wssecurity.tokenGenerator.ltpav1.pre.v7 on the token generator. With this property set, the token generator selects the LTPA token without checking the state of the interoperability flag, which provides compatibility with servers running WebSphere Application Server Version 6.1 and earlier.

To enforce use of the LTPA Version 2 token, edit the token settings, and set the Enforce token version option for the token.

Procedure

  1. Click Applications > Application Types > WebSphere enterprise applications.
  2. Select an application that contains web services. The application must contain a service provider or a service client.
  3. Click the Service provider policy sets and bindings link or the Service client policy sets and bindings link in the Web Services Properties section.
  4. Select a binding. You must have previously attached a policy set and assigned an application specific binding.
  5. Click the WS-Security policy in the Policies table.
  6. Click the Authentication and protection link in the Main message security policy bindings section.
  7. Click a consumer or generator token link from the Protection Tokens table.
  8. Select the Enforce token version check box after the Token type field.