Lightweight third-party authentication support
Both RADIUS and LDAP-bind authentication profiles can be configured to use lightweight third-party authentication (LTPA) and single sign-on (SSO) only for HTTP access services. HCL SafeLinx supports both LTPA Version 1 and the more secure LTPA Version 2 (LTPA2) tokens.
LTPA and SSO are separate but complementary functions. Enabling LTPA means that an LTPA token with a specific lifetime is generated when a user is authenticated by the SafeLinx Server. SSO uses the LTPA token and stores it in a browser cookie to support SSO with other LTPA-aware application servers in the same DNS domain. All clocks must be synchronized on the SafeLinx Server and other LTPA-aware servers in order for the LTPA token expiration to be handled correctly.
SSO can be enabled to use only secure sockets layer (SSL) connections.
All servers that use the SafeLinx Server's LTPA support must have the same set of LTPA keys and password. These are obtained by using the manual process of exporting a keyfile from one of the servers and then importing the keyfile on all the participating servers. The SafeLinx Server starts with sl1nx8hcl as the default LTPA password.
Beginning with version 22.214.171.124, you can configure multiple LTPA encryption keys to support multiple LTPA / SSO configurations. The LTPA encryption keys are stored as part of the authentication profile (LDAP or RADIUS), rather than in the wgated.conf file as in earlier versions of the SafeLinx Server.
- Generate new keys
- Specifies that new keys are generated for use with LTPA tokens. Generating new keys causes the
current LTPA tokens to be canceled. Export new keys to an LTPA keyfile so that participating
LTPA-aware application servers can import an updated LTPA keyfile to obtain the new keys.
Generating new LTPA keys takes time to complete. This action is initiated the first time LTPA is enabled on a SafeLinx Server or, when the key action is configured to generate new keys. Generating new keys requires an LTPA generate keys password.
- Import from keyfile
- The specified LTPA keyfile is imported for use by the SafeLinx Server.
- Export to keyfile
- The specified LTPA keyfile is created by the SafeLinx Server.
- No action occurs.
LTPA key actions are applied immediately and do not have any persistence as configuration values.
Whenever an LTPA token expires, a new authentication challenge occurs. Another time that forces a new authentication challenge includes the termination of a browser session.