FreeKB - Single Sign On (SSO) and Lightweight Third Party Authentication (LTPA) in WebSphere - Getting Started

Lightweight Third Party Authentication (LTPA) is a single sign-on (SSO) protocol. By default, WebSphere uses LTPA for SSO. As an example, when you sign into the WebSphere admin console, an LTPA token will be issued. The LTPA token will remain active for a period of time (120 minutes by default). For the lifespan of the LTPA token, when you navigate to the WebSphere admin console, you will not need to authenticate again by providing a username and password. Instead, you will be authenticated via the LTPA token.


Configure WebSphere to use LTPA

By default, at Security > Global Security, WebSphere is configured to use LTPA. Selecting LTPA will let you configure LTPA. 


Get LTPA token

By default, the log level is *=info. At this log level, the LTPA token will not be recorded in SystemOut.log or the HPEL log. Updating the log level to fine, finer, or finest will cause the LTPA token to be recorded in the log.



Or, you can get the LTPA token by viewing the web browser cookies.


Destroying LTPA token

Following are the three most common events that will cause the LTPA token to be destroyed.

  • Clicking Logout in the WebSphere admin console
  • Closing the web browser (all browser tabs)
  • The LTPA token timeout period is reached. By default, the LTPA timeout is 120 minutes.

Closing only the browser tab for the WebSphere admin console but leaving the other browser tabs open will not destroy the LTPA token, because this action does not remove the LtpaToken2 cookie from the browser's cache.
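
The following Python check is an added example, not part of the original page or of WebSphere. It inspects a captured Set-Cookie response header and reports whether the LtpaToken2 cookie is a session cookie (the property that makes closing the browser destroy it) and whether it carries the standard Secure and HttpOnly attributes. The function name and the sample headers are assumptions constructed for illustration.

```python
"""Audit a Set-Cookie header for the LtpaToken2 cookie (added example)."""

COOKIE_NAME = "LtpaToken2"  # cookie name as given on this page


def audit_ltpa_cookie(set_cookie_header):
    """Return a list of findings, or None if the header does not set LtpaToken2."""
    parts = [p.strip() for p in set_cookie_header.split(";") if p.strip()]
    if not parts:
        return None
    name, _, value = parts[0].partition("=")
    if name.strip() != COOKIE_NAME:
        return None
    if not value.strip():
        return []  # empty value: the cookie is being cleared, nothing to audit

    # Attribute names are case-insensitive; flag attributes have no "=value".
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    findings = []
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie: survives closing the browser")
    if "secure" not in attrs:
        findings.append("missing Secure: token can travel over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: token readable by page scripts")
    return findings


# Constructed sample headers; the token values are placeholders, not real tokens.
SAMPLES = [
    "LtpaToken2=PLACEHOLDERTOKEN==; Path=/; Secure; HttpOnly",
    "LtpaToken2=PLACEHOLDERTOKEN==; Path=/; Max-Age=7200",
    "JSESSIONID=0000abc; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header.split("=", 1)[0], "->", audit_ltpa_cookie(header))
```

An empty list means the cookie is session-scoped and has both attributes; None means the header sets some other cookie.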


Sharing LTPA between WebSphere servers

If you have two or more WebSphere servers, you can create an LTPA key on one of your WebSphere servers and then use that LTPA key to be automatically authenticated to the other WebSphere servers.



By default, LTPA tokens are encrypted using a public certificate and private key. In this example, the ltpa.jceks file is the keystore that contains the public certificate and private key used to encrypt LTPA tokens.
