Quick and dirty SSO with LTPA
If you have WebSphere Application Server in your environment, you can decode the “LtpaToken” cookie in code for quick-and-dirty SSO with non-WebSphere apps.
The main reason you might want to do this is if you have a portal-like application on WebSphere and want to link to other applications on different non-WebSphere servers. This is only useful if WebSphere is your main point of entry.
Here’s how you do it:
1. Export the LTPA encryption key to a file from WebSphere using the admin console. You provide a passphrase and a filename.
2. Find the com.ibm.websphere.ltpa.3DESKey value in the exported file. This is the encrypted key.
3. Base64 decode the above key and decrypt with 3DES, using the passphrase provided. The decrypted value is the actual key for decrypting LTPA tokens.
4. Take the LtpaToken cookie, base64 decode it, and decrypt it with the key. The legacy LtpaToken cookie (which you can get with “interoperability mode”) is encrypted with 3DES; the newer LtpaToken2 cookie uses AES.
5. Convert to String and parse. The string looks like values%expiration%signature where the expiration is a standard UNIX timestamp, which you should use to ensure the token is still valid; and the values somewhere will contain the user DN (e.g., uid=user,ou=company,dc=com).
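The final parse-and-validate step, as an added Python example that is not code from this post or from Alfresco. The function name, the sample plaintext and the layout of its values field are constructed assumptions, as is treating expirations above 10^11 as milliseconds so they are not misread as far-future seconds.

```python
import re
import time

# DN shaped like the post's example (uid=user,ou=company,dc=com).
DN_RE = re.compile(r"uid=[^,/%$]+(?:,[A-Za-z]+=[^,/%$]+)+", re.IGNORECASE)

# Constructed sample of an already-decrypted token; the "u:user\:realm/" prefix
# and the signature text are made up for illustration.
SAMPLE_PLAINTEXT = r"u:user\:realm/uid=user,ou=company,dc=com%1893456000000%c2lnbmF0dXJl"


class LtpaTokenError(ValueError):
    """Raised when a decrypted token must not be used to log a user in."""


def parse_ltpa_plaintext(plaintext, now=None):
    """Parse 'values%expiration%signature'; return (user_dn, expiry_epoch_seconds).

    Fails closed: any malformed, expired or DN-less token raises LtpaTokenError.
    The signature field is only required to be present; the procedure in the
    post does not cover verifying it, so this function does not either.
    """
    now = time.time() if now is None else now
    # Split from the right so a '%' inside the values cannot shift the fields.
    parts = plaintext.rsplit("%", 2)
    if len(parts) != 3 or not all(parts):
        raise LtpaTokenError("expected values%expiration%signature")
    values, expiration, _signature = parts
    if not re.fullmatch(r"[0-9]+", expiration):
        raise LtpaTokenError("expiration is not a number")
    expires = int(expiration)
    # Assumption: a value this large is in milliseconds. Read as seconds it
    # would lie thousands of years ahead and the token would never expire.
    if expires > 10**11:
        expires //= 1000
    if expires <= now:
        raise LtpaTokenError("token expired")
    match = DN_RE.search(values)
    if match is None:
        raise LtpaTokenError("no user DN found in values")
    return match.group(0), expires


if __name__ == "__main__":
    print(parse_ltpa_plaintext(SAMPLE_PLAINTEXT, now=1700000000))
```

Call it only on the output of a successful decryption, and treat every LtpaTokenError as an unauthenticated request.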
The Alfresco codebase contains a good example of how to do this in Java: