Recently we had a requirement where we had to authenticate a user against a third party via a REST call. The user base was in the millions, and using LDAP or a database as the Portal user repository was ruled out. Also, the user credentials were stored centrally in that third-party application's repository and were not supposed to be shared with any other application.
Thus enters the Trust Association Interceptor (TAI), a lesser-known but excellent feature of IBM WebSphere Application Server. A TAI gives us a mechanism to customize the authentication process.
But even with a TAI we still need a user repository against which the TAI creates the user principal and lets us create a user session.
So the next challenge was how to customize the authentication process further so that no user repository is needed at all.
Here comes a feature provided by WebSphere Portal only (not available in plain WAS) that is primarily used for integration with OpenID providers such as Facebook or Google. The feature is called "transient user": once enabled, Portal creates an in-session temporary user account in memory. This user account is valid only for that session, and when the session expires the user account is removed as well. It still serves the purpose of authenticating third-party users and giving them access to your protected resources or pages without having a user account in Portal's local repository.
Refer to the following link for details about transient users and how to enable them:
https://www.ibm.com/support/knowledgecenter/en/SSYJ99_8.0.0/security/openid_trans_users.html
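To make the TAI half of this concrete, here is an added example (not code from the original post or from IBM) of a minimal TAI that validates the submitted login form against a third-party REST endpoint and, on success, hands WAS a Subject built from a credential Hashtable rather than from a registry lookup. The `TrustAssociationInterceptor` interface, `TAIResult` and the `AttributeNameConstants` keys are the real WAS SPI; the endpoint URL (`authEndpoint` custom property), the login form parameter names, the `user:thirdparty/...` uniqueId format and the verifier's "200 means valid" response contract are assumptions for illustration, and which Subject attributes Portal's transient-user feature expects is governed by the linked documentation, not by this sample.

```java
// Added example, not from the original post or from IBM. Endpoint, form field
// names and the verifier's response format are assumptions.
package com.example.security; // hypothetical package

import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class RestAuthTAI implements TrustAssociationInterceptor {

    // Assumed custom property configured on the TAI in the admin console.
    private String authEndpoint;
    // Assumed names of the login form fields this TAI intercepts.
    private static final String USER_PARAM = "wps.portlets.userid";
    private static final String PASS_PARAM = "wps.portlets.password";

    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        authEndpoint = props.getProperty("authEndpoint");
        if (authEndpoint == null || !authEndpoint.startsWith("https://")) {
            // Fail closed: credentials must never be sent to the verifier in clear text.
            throw new WebTrustAssociationFailedException("authEndpoint must be an https URL");
        }
        return 0;
    }

    // Only intercept the login POST; every other request follows the normal flow.
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return "POST".equalsIgnoreCase(req.getMethod())
                && req.getParameter(USER_PARAM) != null
                && req.getParameter(PASS_PARAM) != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String user = req.getParameter(USER_PARAM);
        String pass = req.getParameter(PASS_PARAM);
        if (!verifyWithThirdParty(user, pass)) {
            // Bad credentials, network error or unexpected status all deny access.
            return TAIResult.create(HttpServletResponse.SC_FORBIDDEN);
        }
        // Credential Hashtable: lets WAS build the Subject without a registry lookup.
        Hashtable<String, Object> cred = new Hashtable<String, Object>();
        cred.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:thirdparty/" + user); // assumed format
        cred.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, user);
        cred.put(AttributeNameConstants.WSCREDENTIAL_GROUPS, new ArrayList<String>()); // no groups granted
        // Per-user cache key so one caller's cached Subject is never reused for another.
        cred.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, "thirdparty:" + user);
        Subject subject = new Subject();
        subject.getPublicCredentials().add(cred);
        return TAIResult.create(HttpServletResponse.SC_OK, user, subject);
    }

    // POSTs the credentials to the assumed endpoint; anything other than HTTP 200 is a failure.
    private boolean verifyWithThirdParty(String user, String pass) {
        HttpURLConnection conn = null;
        try {
            conn = (HttpURLConnection) new URL(authEndpoint).openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            String body = "user=" + URLEncoder.encode(user, "UTF-8")
                        + "&password=" + URLEncoder.encode(pass, "UTF-8");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            return conn.getResponseCode() == 200;
        } catch (Exception e) {
            // Log the failure without the password; the caller denies access.
            return false;
        } finally {
            if (conn != null) conn.disconnect();
        }
    }

    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```

Two design points matter for security here: the TAI never takes the identity from anything the browser could set directly (a header, a cookie) but only from a successful round trip to the verifier, and every failure path, including timeouts, returns `SC_FORBIDDEN` rather than falling through to an authenticated result. The password is read from the request, forwarded once over TLS and never written to a log.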