
I saw that the LTPA token contains the following: "... token expiration time, the user identity (usually the LDAP distinguished name), and a digital signature. The signature covers the user data collection (the user identity plus any optional key-value pairs), security context of the authenticated user (the token server issuer's name and address, expiration, SPNEGO status, and so forth)."

I'm interested in the user data collection, where it mentions the use of key-value pairs. I wanted to know whether this means the one generating the token can include any data by using name-value pairs (e.g. mydata1=12345678, mydata2=abcdefg). If it can, then I would further assume the receiver of this LTPA token can also get the mydata1 and mydata2 values by using some LDAP API?

ᄂ ᄀ

1 Answer

You should be able to use the addAttribute method on the token object to add the key-value pair to the SSOToken in your custom login module. Look for com.ibm.wsspi.security.auth.callback.Constants.WSSSOTOKEN_KEY in the shared state to get the SSOToken after the login in your custom login module.

To retrieve the key-value pair you can call the getAttributes method on the token object once you get the SSOToken (in the login module or from the Subject).

Ajay
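The two halves of the answer (tagging the SSOToken in a custom login module, then reading the attribute back from the token) put together as one added example. This is illustrative code written for this page, not code from the question, the answer or IBM; it assumes a WebSphere JAAS system login configuration in which this module is ordered after the ltpaLoginModule (so the token already exists in the shared state), that the object stored under Constants.WSSSOTOKEN_KEY is a com.ibm.wsspi.security.token.SingleSignonToken, and that WSSubject.getCallerSubject() is used to reach the caller's Subject from application code. The attribute names mydata1 and mydata2 and their values are the ones from the question. Note that the attributes travel inside the signed token itself: the receiving server reads them with getAttributes on the token, not through LDAP, and every server that shares the LTPA keys can read them, so treat them as claims about the user rather than a place to store secrets.

```java
import java.util.Enumeration;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.wsspi.security.auth.callback.Constants;
import com.ibm.wsspi.security.token.SingleSignonToken;

/**
 * Custom JAAS login module that tags the WebSphere SSO (LTPA) token with
 * extra key-value pairs. Assumed to be registered in the system login
 * configuration (for example WEB_INBOUND) after the ltpaLoginModule, so the
 * SSOToken is already present in the shared state when commit() runs.
 */
public class AttributeTaggingLoginModule implements LoginModule {

    // Attribute names taken from the question; choose your own namespace in practice.
    static final String MYDATA1 = "mydata1";
    static final String MYDATA2 = "mydata2";

    private Subject subject;
    private Map<String, ?> sharedState;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.sharedState = sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        // Authentication itself is done by the preceding WebSphere modules.
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        // Assumption: the shared-state entry under WSSSOTOKEN_KEY is the SingleSignonToken.
        SingleSignonToken sso =
            (SingleSignonToken) sharedState.get(Constants.WSSSOTOKEN_KEY);
        if (sso == null) {
            // Module is ordered before ltpaLoginModule, or SSO is not enabled.
            throw new LoginException("SSOToken not present in shared state");
        }
        // addAttribute returns the previous values for the key (null if none).
        sso.addAttribute(MYDATA1, "12345678");
        sso.addAttribute(MYDATA2, "abcdefg");
        return true;
    }

    @Override
    public boolean abort() throws LoginException {
        return true;
    }

    @Override
    public boolean logout() throws LoginException {
        return true;
    }

    /** Reads one attribute back from the SSO token held in a Subject's private credentials. */
    public static String[] readAttribute(Subject subject, String key) {
        Set<SingleSignonToken> tokens = subject.getPrivateCredentials(SingleSignonToken.class);
        for (SingleSignonToken token : tokens) {
            String[] values = token.getAttributes(key);
            if (values != null) {
                return values;
            }
        }
        return null; // no SSO token, or the key was never added
    }

    /** Consumer side: application code on a server sharing the LTPA keys reads the caller's attributes. */
    public static void printCallerAttributes() throws Exception {
        // Assumption: WSSubject.getCallerSubject() returns the authenticated caller's Subject.
        Subject caller = WSSubject.getCallerSubject();
        String[] v1 = readAttribute(caller, MYDATA1);
        System.out.println(MYDATA1 + " = " + (v1 == null ? "<absent>" : String.join(",", v1)));

        // Enumerate every attribute name carried by the token.
        for (SingleSignonToken token : caller.getPrivateCredentials(SingleSignonToken.class)) {
            Enumeration<?> names = token.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = (String) names.nextElement();
                System.out.println(name + " -> " + String.join(",", token.getAttributes(name)));
            }
        }
    }
}
```

Two practical checks when using this: register the module so that it runs after the module that creates the token (otherwise the shared-state lookup returns null, which the commit() above turns into a LoginException rather than silently skipping the tagging), and keep attribute values small, since they ride in the LTPA cookie on every request.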