I am very confused as to how to have authentication using LTPA for login re-use in DataPower, and authentication of a user presenting a SPNEGO AP-REQ (Kerberos) via a keytab file.
What are the steps to be performed and what is the main concept behind the authentication?
Thanks
AAA authentication is pretty simple and works in the following way:

1. Extract the identity of the user from the message
2. Extract the resource from the message
3. Authenticate
4. Map the resource
5. Authorize
6. Post processing
The unique thing about AAA is that it doesn't stop processing even if authentication fails. This is because even if a user is unauthenticated you may want to do 'something' with him/her. You can get more information about this in the following link.
Now let me answer your second question in the shortest way. You need to do the following things to achieve this [tell me if you face any issue, because I configured it and it works for me]:

1. Create an AAA policy in the following way
2. In the Extract Identity phase choose 'LTPA token'
3. In the Authenticate phase choose 'Accept LTPA token' and provide the LTPA token version. You also need to give the LTPA key file and the relevant password. The key file must be uploaded to DataPower [preferably in the 'Cert' folder]
That is all you need to do to accept the LTPA token and authenticate user.
Since the Kerberos thing can be very tricky to deal with, I would appreciate it if you could tell me the following information about how you want to use Kerberos [in the SPNEGO token]:

1. Tell me the scenario where you want to use Kerberos
2. When you extract the identity from the Kerberos SPNEGO token, how do you want to authenticate the user? [or am I understanding it incorrectly: you want to do something else and I am understanding something else :)]
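As an added illustration (not from the original post and not DataPower's own code), here is a small Python model of the six-step AAA order the answer above describes, showing that a failed Authenticate step still reaches Map Resource, Authorize and Post Processing instead of aborting. The message shape, the header name, the token table and the authorization rule are all constructed for this demo.

```python
# Constructed model of the DataPower AAA processing order:
# Extract Identity -> Extract Resource -> Authenticate -> Map Resource
# -> Authorize -> Post Processing. Not DataPower code; every value below
# is made up for the demonstration.
from dataclasses import dataclass, field
from typing import Optional, List

# Constructed stand-in for the 'Accept LTPA token' step: token value -> user.
KNOWN_TOKENS = {"ltpa-token-alice": "alice"}


@dataclass
class AAAResult:
    identity: Optional[str] = None
    resource: Optional[str] = None
    authenticated: bool = False
    mapped_resource: Optional[str] = None
    authorized: bool = False
    log: List[str] = field(default_factory=list)


def run_aaa(message: dict) -> AAAResult:
    """Run all six AAA phases over a constructed request message."""
    r = AAAResult()
    # 1. Extract identity: the LTPA token carried in a (hypothetical) header.
    token = message.get("headers", {}).get("LtpaToken")
    r.identity = KNOWN_TOKENS.get(token)  # None if the token is missing/unknown
    # 2. Extract resource: the request URL.
    r.resource = message.get("url")
    # 3. Authenticate: succeeds only if the token mapped to a known user.
    r.authenticated = r.identity is not None
    # 4. Map resource: still runs even when step 3 failed.
    r.mapped_resource = (
        r.resource.rstrip("/").rsplit("/", 1)[-1] if r.resource else None
    )
    # 5. Authorize: unauthenticated callers may only reach the "public" resource.
    r.authorized = r.authenticated or r.mapped_resource == "public"
    # 6. Post processing: runs for every request, so failures can be recorded.
    r.log.append(
        f"user={r.identity or 'anonymous'} resource={r.mapped_resource} "
        f"authn={r.authenticated} authz={r.authorized}"
    )
    return r
```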