Lightweight third-party authentication support

Both RADIUS and LDAP-bind authentication profiles can be configured to use lightweight third-party authentication (LTPA) and single sign-on (SSO) only for HTTP access services. HCL SafeLinx supports both LTPA Version 1 and the more secure LTPA Version 2 (LTPA2) tokens.

LTPA and SSO are separate but complementary functions. Enabling LTPA means that an LTPA token with a specific lifetime is generated when a user is authenticated by the SafeLinx Server. SSO uses the LTPA token and stores it in a browser cookie to support SSO with other LTPA-aware application servers in the same DNS domain. All clocks must be synchronized on the SafeLinx Server and other LTPA-aware servers in order for the LTPA token expiration to be handled correctly.

SSO can be enabled to use only secure sockets layer (SSL) connections.

All servers that use the SafeLinx Server's LTPA support must have the same set of LTPA keys and password. These are obtained by using the manual process of exporting a keyfile from one of the servers and then importing the keyfile on all the participating servers. The SafeLinx Server starts with sl1nx8hcl as the default LTPA password.

Beginning with version 6.1.5.1, you can configure multiple LTPA encryption keys to support multiple LTPA / SSO configurations. The LTPA encryption keys are stored as part of the authentication profile (LDAP or RADIUS), rather than in the wgated.conf file as in earlier versions of the SafeLinx Server.

LTPA key actions are applied immediately and do not have any persistence as configuration values.

Whenever an LTPA token expires, a new authentication challenge occurs. Another time that forces a new authentication challenge includes the termination of a browser session.