We are in the process of integrating new authentication methods and other features to the ISA Server, and one of our use cases involves integration to the IBM WebSphere. Now... WebSphere uses HTTP Headers for integration, so my question is:
- Has someone successfully published WebSphere services through ISA Server? How did you do that?
- Did you write your own Interceptor component, or was this possible with out-of-the-box configuration?
Any info would be highly appreciated. Thanks.
< Message edited by fjonga -- 20.Oct.2006 6:03:24 AM >
I have a similar situation. I have implemented an ISA 2006 server for our IIS environment and would like to extend authentication to our WebSphere environment. WebSphere is connected to a Sun LDAP server; the Active Directory has the same users and passwords as the LDAP. I am currently authenticating users on the ISA server using forms authentication, then I authenticate to the IIS server using integrated auth.
Thanks for the replies. In our situation, when we are creating new authentication options and therefore integrating, i.e., SAML Service Provider functionality to the ISA Server, we need to build our own integration for the back-end, or integrate our solution for the ISA Server so that we can use the integration options offered by ISA.
It seems that in our case we need to use client certs for the ISA Server authentication for the WebSphere TAI, so that the WebSphere users won't have to create custom TAIs in their setups and can use the existing ones that are basically "TAI using trusted user" -> Basic authentication or "TAI using trusted connection" -> client certs.
As for federation, I'm not sure how ISA Server supports WS-Federation... Haven't got that far yet. SAML SP functionality that we are building enables our customers to use Identity Providers that use SAML protocol with ISA Servers (federation).
Your solution sounds very complex, maybe rightly so. I have tried to implement an Active Directory Federation server before with no luck. Why not replace the forms authentication of ISA with code that can accept SAML and map it to an Active Directory user? Have you looked at sxip.com before? They can use logins from a number of providers, including infocards.
Our Identity Provider (Ubilogin) product supports over a dozen different authentication mechanisms, from passwords and OTPs to mobile PKI and smart cards, along with standards such as SAML 2.0, WS-Federation and ID-WSF 2.0 etc., so basically we are covered in that end.
WebSphere integration will be the first deployment for our new ISA based Security Proxy product, and I wasn't quite 100% sure how to authenticate ISA to the WebSphere using the easiest possible way. Now I know