Hi Michael,
The way I do this is by using a TFIM:SSO junction with an STS chain.
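// Attribute class used by STS mapping rules
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
var principalName = stsuu.getPrincipalName();
// Drop the existing principal attributes before setting the LTPA identity
stsuu.getPrincipalAttributeContainer().clear();
// TODO: this is a hardcoded technical user.
stsuu.addPrincipalAttribute(new Attribute("name", "urn:ibm:names:ITFIM:ltpa", "CN=yourotheruser,ou=users,o=XXXX,c=XX"));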
This approach does not change the credential of the logged-in user in ISAM, but allows you to modify the LTPA token.
It does require the federation module, though.
------------------------------
Tom Bosmans
------------------------------
Original Message:
Sent: Fri April 22, 2022 08:51 AM
From: Michael Erkens
Subject: LTPA token issue
Hi,
I'm currently facing a strange issue with the LTPA token...
The value used to generate the token is supposed to be taken from AZN_CRED_REGISTRY_ID, but this does not seem to be working anymore (ISVA 10.0.3.1).
I'm trying to substitute the identity of a user defined in a federated directory on ISAM with the one defined in another LDAP at WAS level (other path).
Has anyone already faced this issue? Or how can I do this?
e.g.: context.set(Scope.SESSION, 'urn:ibm:security:asf:response:token:attributes', 'AZN_CRED_REGISTRY_ID', 'cn=' + user + ',ou=users,o=XXXX,c=XX');
Thanks in advance for your help
------------------------------
Michael Erkens
------------------------------
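
Both snippets in this thread place a DN into the token, one hardcoded and one concatenated from a `user` variable. As an added example (not code from either poster or from IBM), the following escapes the user value per RFC 4514 before concatenation, so characters such as `,` or `+` in a name cannot change the structure of the resulting DN. `escapeRdnValue`, `buildUserDn` and `BASE_DN` are hypothetical names, the suffix reuses the placeholder from the posts, and the sample inputs are constructed.

```javascript
// Added example, not part of the original thread. Plain JavaScript only.
// BASE_DN reuses the placeholder suffix shown in the posts.
var BASE_DN = 'ou=users,o=XXXX,c=XX';

// Escape one attribute value for use inside an RDN (RFC 4514, section 2.4).
function escapeRdnValue(value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('empty or non-string RDN value');
  }
  var special = '"+,;<>\\';   // characters that must always be escaped
  var out = '';
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    var isFirst = i === 0;
    var isLast = i === value.length - 1;
    if (ch === '\u0000') {
      out += '\\00';                          // NUL is written as a hex pair
    } else if (special.indexOf(ch) !== -1) {
      out += '\\' + ch;
    } else if (isFirst && (ch === ' ' || ch === '#')) {
      out += '\\' + ch;                       // leading space or '#'
    } else if (isLast && ch === ' ') {
      out += '\\' + ch;                       // trailing space
    } else {
      out += ch;
    }
  }
  return out;
}

// Build the DN that would be handed to the token attribute.
function buildUserDn(user) {
  return 'cn=' + escapeRdnValue(user) + ',' + BASE_DN;
}

// Constructed sample inputs: a plain name, a name containing a comma,
// and a value that would otherwise add an extra RDN to the DN.
var samples = ['merkens', 'Erkens, Michael', 'x,ou=admins', ' padded ', '#1'];
for (var k = 0; k < samples.length; k++) {
  console.log(JSON.stringify(samples[k]) + ' -> ' + buildUserDn(samples[k]));
}
```

Without the escaping, the third sample would produce a DN with an additional `ou=admins` component instead of a single `cn` value.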