Our customer will have two channels of authentication on the intranet:
- 1. Users who have a smartcard will be authenticated through the SAML SSO IdP (using the WAS SAML TAI).
- 2. Users who don't have a smartcard will be authenticated through LDAP.
As I understand it, both channels could be handled by using the SSO mode of TRIRIGA. In SSO mode, TRIRIGA uses SSO_REQUEST_ATTRIBUTE_NAME to identify the HTTP header attribute that holds the username, but we can have only one SSO_REQUEST_ATTRIBUTE_NAME value per TRIRIGA instance. So we can't directly handle the two channels within the same TRIRIGA instance, because the HTTP header attributes used by the SAML SSO IdP and by IHS LDAP could be different. Here's my thinking:
- Solution 1: One IHS with two "virtual hosts" pointing to two TRIRIGA instances. I think it will work with no problem.
- Solution 2: One IHS with two "virtual hosts" pointing to the same TRIRIGA instance, assuming that the SAML SSO IdP sends the username in the attribute defined in SSO_REQUEST_ATTRIBUTE_NAME. The virtual host on which LDAP authentication is enabled would need to rewrite the HTTP header to match the SSO_REQUEST_ATTRIBUTE_NAME setting. I'm not sure whether that will work.
Ideally, we would like to handle both channels with the same IHS and the same virtual host (basically, the same URL). That would make it easier to share the URLs with the end users. But I haven't found a solution yet. Maybe we should use ALTERNATE_INDEX_HTML? Is that possible? Thanks in advance for sharing your opinion on my solutions. Any idea will be appreciated.
[Admin: For convenience, here are the meanings of the acronyms: Security Assertion Markup Language (SAML), Single Sign-On (SSO), Identity Provider (IdP), WebSphere Application Server (WAS), Trust Association Interceptor (TAI), Lightweight Directory Access Protocol (LDAP), IBM HTTP Server (IHS).]
[Admin: This post is related to the 02.10.16 post about SAML SSO in TRIRIGA.]
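As an added example (not configuration from the original post, from IBM, or from the 02.10.16 post), here is what Solution 2 looks like as an IHS configuration: two virtual hosts in front of one TRIRIGA instance, with the LDAP-authenticated virtual host copying the authenticated user name into the header that TRIRIGA reads. It assumes that TRIRIGA's SSO_REQUEST_ATTRIBUTE_NAME is set to the hypothetical header name X-Remote-User, that the WebSphere plugin is already configured elsewhere in httpd.conf, that mod_headers, mod_rewrite and mod_authnz_ldap are loaded (IHS also ships its own mod_ibm_ldap, whose directives differ), and that the hostnames, key file and LDAP URL are placeholders.

```apache
# Added example, not part of the original post. Assumptions: the WebSphere
# plugin (LoadModule / WebSpherePluginConfig) is configured elsewhere;
# mod_headers, mod_rewrite and mod_authnz_ldap are loaded; TRIRIGA's
# SSO_REQUEST_ATTRIBUTE_NAME is the hypothetical header name X-Remote-User;
# hostnames, the key file and the LDAP URL are placeholders.

# --- Channel 1: smartcard users, SAML handled by the WAS SAML TAI ---
<VirtualHost *:443>
    ServerName tririga-sso.example.internal
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/keys/tririga.kdb

    # A browser must never be allowed to supply the SSO header itself: if it
    # reaches TRIRIGA it is treated as a trusted identity. Strip it on every
    # request, before any other processing.
    RequestHeader unset X-Remote-User early

    # No authentication at IHS on this host; the plugin forwards the request
    # to WAS, where the SAML TAI establishes the identity.
</VirtualHost>

# --- Channel 2: everyone else, LDAP authentication done at IHS ---
<VirtualHost *:443>
    ServerName tririga-ldap.example.internal
    SSLEnable
    KeyFile /opt/IBM/HTTPServer/keys/tririga.kdb

    # Same rule as above: discard any client-supplied copy of the header.
    RequestHeader unset X-Remote-User early

    <Location />
        AuthType Basic
        AuthName "Intranet login"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://ldap.example.internal/ou=people,dc=example,dc=internal?uid?sub?(objectClass=person)"
        Require valid-user
    </Location>

    # Copy the authenticated user name into the header TRIRIGA reads.
    # mod_headers cannot see REMOTE_USER directly, so a look-ahead rewrite
    # (LA-U forces the auth phase to run) stores it in an environment
    # variable first; the header is only set when that variable exists.
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=TRI_USER:%1]
    RequestHeader set X-Remote-User "%{TRI_USER}e" env=TRI_USER
</VirtualHost>
```

Two things to check before relying on this. First, the whole scheme depends on IHS being the only path to the TRIRIGA instance: if the WAS HTTP transport is reachable directly, anyone on the intranet can send the header themselves and bypass both channels, so the WAS ports should be firewalled to the IHS host. Second, the `unset ... early` lines matter on both virtual hosts for the same reason; `RequestHeader set` on the LDAP host overwrites the header, but the SAML host would otherwise pass a client-supplied one through untouched. On an IHS release based on Apache httpd 2.4, `RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"` can replace the rewrite look-ahead.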