I’ve previously blogged about the goodness of Trust Association Interceptors (TAIs) in WebSphere Application Server (WAS) and how I’ve used one to turn the login procedure for IBM Connections on its head. We recently started upgrading the customer I originally developed this for to IBM Connections 3.0.1, so they needed an upgrade to WAS 7. After upgrading the WAS servers the custom TAI didn’t work anymore. The TAI loaded just fine but it didn’t generate the needed LtpaToken2 for the visiting user. I cried out for help in the Connections forum. I got a few pointers but none of them helped me.
Fortunately I figured it out tonight.
The issue was that my custom TAI created subjects (a subject is the entity that holds the identity of the authenticated user in WAS) in a custom realm that wasn’t trusted by WAS. The only trusted realm was the one that WAS created for me when I configured Federated Repositories. The solution was to add the custom realm as trusted: under Federated Repositories, configure <my realm> and then go to “Trusted authentication realms – inbound”. The entry is at the bottom under “Related Items”. Here I simply added my realm as trusted, restarted WAS and I was golden!! Again, this wasn’t necessary in WAS 6; in fact the option isn’t there at all in the ISC.
Now I’m back to thinking that WAS and TAIs are the best thing since sliced bread! 🙂
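To show where the custom realm actually enters the picture, here is a minimal WAS TAI as an added example (it is not the TAI from the post). The class name, the realm name and the X-Auth-User header are assumptions; the WSCREDENTIAL_REALM and WSCREDENTIAL_UNIQUEID attributes are what bind the subject to the realm that has to be listed under “Trusted authentication realms – inbound” on WAS 7.

```java
import java.util.Hashtable;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;
import com.ibm.wsspi.security.token.AttributeNameConstants;

public class CustomRealmTAI implements TrustAssociationInterceptor {
    // Assumed realm name. On WAS 7 this realm must be added under Federated
    // Repositories -> "Trusted authentication realms - inbound"; otherwise the
    // subject is built but no LtpaToken2 is issued for the user.
    private static final String REALM = "myCustomRealm";

    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        // Only handle requests carrying the (assumed) header set by the upstream authenticator.
        return req.getHeader("X-Auth-User") != null;
    }

    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String uid = req.getHeader("X-Auth-User");
        // Verification of the header against the upstream authenticator is assumed to happen here.
        if (uid == null || uid.trim().isEmpty()) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        // Build the subject in the custom realm: the unique id carries the realm name,
        // which is what WAS checks against its list of trusted inbound realms.
        Hashtable<String, Object> cred = new Hashtable<String, Object>();
        cred.put(AttributeNameConstants.WSCREDENTIAL_REALM, REALM);
        cred.put(AttributeNameConstants.WSCREDENTIAL_UNIQUEID, "user:" + REALM + "/" + uid);
        cred.put(AttributeNameConstants.WSCREDENTIAL_SECURITYNAME, uid);
        cred.put(AttributeNameConstants.WSCREDENTIAL_CACHE_KEY, REALM + ":" + uid);
        Subject subject = new Subject();
        subject.getPublicCredentials().add(cred);
        return TAIResult.create(HttpServletResponse.SC_OK, uid, subject);
    }

    public int initialize(Properties props) throws WebTrustAssociationFailedException { return 0; }
    public String getVersion() { return "1.0"; }
    public String getType() { return getClass().getName(); }
    public void cleanup() { }
}
```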
Thank you, dear, for your post. I have a case where I use a TAI for authentication; I added custom attributes in the public credentials, however these attributes are not propagated to another server with which we have SSO successfully enabled. Any idea how to send custom subject credential attributes to another server using SSO?
I’m sorry, no I do not. I know that the way WebSphere and Domino do it is that Domino does a lookup and conversion of the subject name it receives, e.g. converts the subject name from an Active Directory LDAP name to a Domino DN. Guess you would have to do the same.
Hi Mikkel,
We have a custom TAI with remember-me cookies, as described by IBM at http://www.ibm.com/developerworks/websphere/techjournal/0711_abbass/0711_abbass.html, and 1.5 years ago the environment got migrated from Portal 6.1 to Portal 7. Now whenever we do any changes we are facing a problem with user-level security. For example, if user A opens a portal page he is getting user B’s page; it’s a security breach for us and we are not able to get the root cause of the problem. Can you help with this?
Thanks,
Ravi
Does the TAI reuse the cookies from user A for user B? That sounds like bad coding. Also, the TAI does authentication – it’s not part of loading the actual content.
Not sure if it’s late, but how do we know this custom realm? Is it the realm defined by the application in its web.xml?