Securing your Web applications with single signon

Single signon enables users to access more than one application and multiple platforms using one user ID and password. For example, you can integrate secured WebFacing applications that are configured for single signon so that a user needs to be authenticated only once. Note that each system involved still requires a separate user ID; single signon maps between those IDs, it does not replace them.

If you want to use single signon for your applications, you need to perform the following tasks:

To perform these tasks, you should install IBM® i Navigator on a client PC. The following tasks use IBM i Navigator, which is packaged with IBM i Access for Windows® and can be installed from your IBM i server. Ensure that you install all of the networking components, including TCP/IP.

The following describes how each of the main components is used for single signon:
Lightweight Directory Access Protocol (LDAP)
EIM configuration is stored in LDAP. WebSphere® Application Server can also use LDAP to authenticate Web users. The tasks here assume that WebSphere Application Server is using LDAP for authentication.
Enterprise Identity Mapping (EIM)
EIM is required for mapping the ID used for WebSphere Application Server authentication to the user profile used to invoke the application on the IBM i server. EIM configuration creates an association between these IDs: the ID used by WebSphere Application Server is the source, and the IBM i user profile is the target.
Web application configured for EIM
Your WebFacing application must be configured to use a token generated by EIM for authentication. This enables users of the application to authenticate to WebSphere Application Server with their LDAP ID, and lets EIM map that ID (the source) to a user profile on the target IBM i server.

The following diagram illustrates the association between the source and target user identities on two systems. On System A, the user is authenticated by WebSphere Application Server as johnday in order to call an application on System B. On System B, the user profile used to run the application on the IBM i is jsd1. The EIM identifier that links the two IDs is John Day. Refer to the following figure while configuring single signon:
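The source-to-target resolution described above, as an added illustration written for this page. It is a small in-memory model in Python, not IBM's EIM API or the LDAP schema EIM actually uses; the registry names SystemA-LDAP and SystemB-IBMi are constructed labels for the two user registries in the diagram. It shows the two points a practitioner should verify when configuring EIM: that associations are directional (a user ID registered only as a target cannot be used as a source), and that a source ID which resolves to more than one target profile must be treated as an error rather than silently picking one.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Association:
    """One association stored under an EIM identifier.

    registry: the user registry the user ID lives in (constructed names below)
    user_id:  the user ID within that registry
    kind:     "source" (ID presented for authentication) or "target" (profile to run as)
    """
    registry: str
    user_id: str
    kind: str


@dataclass
class EimDomain:
    """Stand-in for an EIM domain. Real EIM keeps this data in LDAP; here it is a dict
    mapping an EIM identifier (e.g. "John Day") to its set of associations."""
    identifiers: dict[str, set[Association]] = field(default_factory=dict)

    def add_association(self, identifier: str, registry: str, user_id: str, kind: str) -> None:
        if kind not in ("source", "target"):
            raise ValueError(f"association kind must be 'source' or 'target', got {kind!r}")
        self.identifiers.setdefault(identifier, set()).add(Association(registry, user_id, kind))

    def lookup(self, source_registry: str, source_user: str, target_registry: str) -> str | None:
        """Resolve an authenticated source user to the target-registry user profile.

        Returns the target user ID, or None when no mapping exists.
        Raises LookupError when the source ID maps to more than one target profile,
        because running as an arbitrary one of them would be an authorization bug.
        """
        wanted = Association(source_registry, source_user, "source")
        candidates: set[str] = set()
        for assocs in self.identifiers.values():
            if wanted in assocs:  # only a *source* association qualifies
                for a in assocs:
                    if a.kind == "target" and a.registry == target_registry:
                        candidates.add(a.user_id)
        if not candidates:
            return None
        if len(candidates) > 1:
            raise LookupError(
                f"{source_user}@{source_registry} maps to multiple profiles in "
                f"{target_registry}: {sorted(candidates)}"
            )
        return candidates.pop()


def build_example_domain() -> EimDomain:
    """Constructed domain reproducing the page's figure: johnday on System A is the
    source, jsd1 on System B is the target, and the EIM identifier is John Day."""
    domain = EimDomain()
    domain.add_association("John Day", "SystemA-LDAP", "johnday", "source")
    domain.add_association("John Day", "SystemB-IBMi", "jsd1", "target")
    return domain


def resolve_johnday(domain: EimDomain | None = None) -> str | None:
    """The lookup WebSphere's EIM token would trigger for the authenticated user johnday."""
    domain = domain or build_example_domain()
    return domain.lookup("SystemA-LDAP", "johnday", "SystemB-IBMi")


def reverse_lookup_is_blocked(domain: EimDomain | None = None) -> bool:
    """jsd1 exists only as a target association, so presenting it as a source must fail."""
    domain = domain or build_example_domain()
    return domain.lookup("SystemB-IBMi", "jsd1", "SystemA-LDAP") is None


def ambiguous_mapping_is_rejected() -> bool:
    """A second identifier claiming the same source ID makes the mapping ambiguous."""
    domain = build_example_domain()
    domain.add_association("Other Person", "SystemA-LDAP", "johnday", "source")
    domain.add_association("Other Person", "SystemB-IBMi", "other1", "target")
    try:
        domain.lookup("SystemA-LDAP", "johnday", "SystemB-IBMi")
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    print("johnday ->", resolve_johnday())
    print("reverse lookup blocked:", reverse_lookup_is_blocked())
    print("ambiguous mapping rejected:", ambiguous_mapping_is_rejected())
```

The ambiguity check matters in practice: if two EIM identifiers both carry a source association for the same LDAP user, the resulting token could authorize work under whichever IBM i profile the lookup happened to find first, so the configuration should be corrected rather than relying on lookup order.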
