Single signon

Single signon enables users to access more than one application, and multiple platforms, using one user ID and password. For example, you can integrate secured WebFacing applications that are configured for single signon so that a user needs to be authenticated only once. Note that each system involved still requires a separate user ID.

If you want to use single signon for your applications, you need to perform the following tasks:
- Install and configure the Lightweight Directory Access Protocol (LDAP)
- Enable and configure WAS security
- Set up security for your application
- Configure Enterprise Identity Mapping (EIM)
- Configure your applications to use EIM
To perform these tasks, you should install IBM® i Navigator on a client PC. The following tasks use IBM i Navigator, which is packaged with IBM i Access for Windows®; IBM i Access for Windows can be installed from your IBM i server. Ensure that you install all of the networking components, including TCP/IP.
The following describes how each of the main components is used for single signon:
- Lightweight Directory Access Protocol (LDAP): EIM configuration is stored in LDAP. WebSphere® Application Server can also use LDAP to authenticate Web users. The tasks here assume that WebSphere Application Server is using LDAP for authentication.
- Enterprise Identity Mapping (EIM): EIM is required to map the ID used for WebSphere Application Server authentication to the profile used to invoke the application on the IBM i server. EIM configuration creates an association between these IDs: the ID used by WebSphere Application Server is the source, and the IBM i profile is the target.
- Web application configured for EIM: Your WebFacing application must be configured to use a token generated by EIM for authentication. This lets users of the application authenticate to WAS with their LDAP ID and lets EIM map this ID (the source) to an ID on the target IBM i server (the target).
The following diagram illustrates the association between the source and target user identities on two systems. On System A, the user is authenticated by WebSphere Application Server as johnday in order to call an application on System B. On System B, the profile used to run the application on the IBM i is jsd1. The EIM identifier that maps the two IDs is John Day. Refer to the following figure while configuring single signon:
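The association in this figure, modelled as an added Python example (not IBM's EIM code or API): an EIM identifier "John Day" holds a source association for the WebSphere-authenticated ID johnday and a target association for the IBM i profile jsd1, and a lookup walks source to identifier to target. The registry names LDAP-SystemA and IBMi-SystemB are constructed for the example, and the model refuses to map when the source is unknown or more than one target profile matches, which is the fail-closed behaviour a practitioner wants from an identity mapping.

```python
# Added example, not IBM's EIM code: a minimal model of source -> EIM
# identifier -> target mapping. Registry names and data are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class EimIdentifier:
    name: str
    # registry name -> user IDs associated as SOURCE (IDs that authenticate)
    sources: Dict[str, Set[str]] = field(default_factory=dict)
    # registry name -> user IDs associated as TARGET (IDs mapped to)
    targets: Dict[str, Set[str]] = field(default_factory=dict)


class EimDomain:
    def __init__(self) -> None:
        self.identifiers: Dict[str, EimIdentifier] = {}

    def add_source(self, ident: str, registry: str, user_id: str) -> None:
        entry = self.identifiers.setdefault(ident, EimIdentifier(ident))
        entry.sources.setdefault(registry, set()).add(user_id)

    def add_target(self, ident: str, registry: str, user_id: str) -> None:
        entry = self.identifiers.setdefault(ident, EimIdentifier(ident))
        entry.targets.setdefault(registry, set()).add(user_id)

    def get_target_from_source(self, source_registry: str, source_id: str,
                               target_registry: str) -> Optional[str]:
        # Exactly one identifier must own this source ID; an unknown or
        # ambiguous source yields no mapping (fail closed).
        owners = [i for i in self.identifiers.values()
                  if source_id in i.sources.get(source_registry, set())]
        if len(owners) != 1:
            return None
        targets = owners[0].targets.get(target_registry, set())
        # No profile on that system, or more than one candidate: no mapping.
        return next(iter(targets)) if len(targets) == 1 else None


def build_sample_domain() -> EimDomain:
    # The association from the figure: johnday (source) -> John Day -> jsd1 (target)
    domain = EimDomain()
    domain.add_source("John Day", "LDAP-SystemA", "johnday")  # WAS-authenticated ID
    domain.add_target("John Day", "IBMi-SystemB", "jsd1")     # profile that runs the app
    return domain
```

Because source and target associations are distinct, the mapping is directional: looking up jsd1 as a source in IBMi-SystemB returns nothing unless a source association is added for it.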
