Configuring EIM

Enterprise Identity Mapping (EIM) is a mechanism for mapping, or associating, a person or entity to the appropriate user identities in various registries throughout an enterprise. EIM enables administrators and application developers to manage multiple user registries across their enterprise more easily and efficiently. With multiple user registries, each user or entity within the enterprise requires a separate identity in each registry. The requirement for multiple user registries can grow into a large administrative problem that affects users, administrators, and application developers.

EIM enables you to create a system of identity mappings, called associations, between various user identities in various user registries for a person in your enterprise. It also provides a common set of APIs that can be used across platforms to develop applications that can use the identity mappings that you create to look up the relationships between user identities. You can use EIM in conjunction with network authentication service (NAS) to enable a single signon environment.

With your secured applications, a user authenticates to an LDAP registry to run a program on the i5/OS® system. To use single signon, you need to create an identifier in EIM that has two associations: a source association to the LDAP registry, and a target association to the i5/OS system where the program will be running.

You can configure and manage EIM through System i™ Navigator. The i5/OS server uses EIM to enable i5/OS interfaces to authenticate users using NAS. Configuring EIM involves the following steps:
  1. Creating an EIM domain
  2. Adding the domain to Domain Management
  3. Creating a Source User Registry definition in EIM
  4. Creating a Target User Registry definition in EIM
  5. Creating a User Identifier in EIM
  6. Creating associations in EIM for the User Identifier

To configure EIM, follow these steps:

  1. From System i Navigator’s left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain > Configuration.
  2. Right-click and select the Configure option to start the configuration wizard that will create an EIM domain and join your system to that domain.

    Now add the new domain to Domain Management.

  3. From System i Navigator’s left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management.
  4. Right-click and select the Add Domain option to start the configuration wizard that will add the domain you create to domain management.

    The Identity Token connector requires a source user registry definition entry in EIM that represents the registry that WAS is using for authentication: either a local OS registry or an LDAP registry.

  5. From System i Navigator’s left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain > User Registries.
  6. Right-click and select Add Registry to start the configuration wizard that will add a registry to your domain. Since your application server is configured to use the LDAP registry, select LDAP - short name as the EIM registry type (if LDAP - short name is not available, use 1.3.18.02.33.14-caseIgnore). The name you specify here (for example, System_A_WAS) is used during WAS security configuration as well.

    The Identity Token connector requires a user identifier entry in EIM that represents the user of the application.

  7. From System i Navigator’s left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain > Identifiers.
  8. Right-click and select New Identifier...
  9. Enter an identifier name, such as the user's full name (for example, John Day), and click OK.

    To support mapping from one user ID to another, you need to create associations in EIM. These associations map the user authenticated in the LDAP registry to the user profile needed to run the application on the i5/OS system.

  10. Create a target association to represent the user profile on the target i5/OS system:
    1. From System i Navigator’s left navigation panel, select your system > Network > Enterprise Identity Mapping > Domain Management > domain > Identifiers.
    2. Double-click the identifier for the user you want to associate.
    3. Click the Associations tab.
    4. Click Add and enter the following values for the target association:
      • EIM identifier - in this example, John Day is prefilled
      • Registry - the target registry, for example, System_B
      • User - the user ID in the target registry, for example, jsd1
      • Association type - select Target
    5. Click OK. This target association represents the user ID and registry under which applications will run.
  11. Create a source association to represent the user ID that will be used when authenticating (logging in) to WAS:
    1. Click Add and enter the following values for the source association:
      • EIM identifier - in this example, John Day is prefilled
      • Registry - the source registry, for example, System_A_WAS
      • User - the user ID in the source registry, for example, johnday
      • Association type - select Source
    2. Click OK to add the new association. This source association represents the user that is authenticated to WebSphere® Application Server.
  12. Click OK to save the associations.
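The following Python model, added here as an illustration and not IBM's EIM API or any code from this page, shows what the objects created in steps 1 through 12 mean at lookup time: an authenticated source user (johnday in System_A_WAS) is resolved through the identifier John Day to the target user profile (jsd1 in System_B). The domain name and the registry type label for System_B are constructed placeholders; the registry names, user IDs, and the LDAP - short name type OID come from the page. The lookup also shows the two ways a mapping fails: a user with no source association gets no mapping at all, and an identifier with more than one target user in the same registry is ambiguous rather than silently picking one.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Identifier:
    """An EIM identifier (a person) with its source and target associations."""
    name: str
    # Source associations: (registry, user) pairs this person authenticates as.
    sources: Set[Tuple[str, str]] = field(default_factory=set)
    # Target associations: registry -> user IDs this person runs under there.
    targets: Dict[str, Set[str]] = field(default_factory=dict)


class EimDomain:
    """Constructed in-memory model of an EIM domain (illustrative, not the EIM API)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.registries: Dict[str, str] = {}      # registry name -> registry type
        self.identifiers: Dict[str, Identifier] = {}

    def add_registry(self, name: str, registry_type: str) -> None:
        self.registries[name] = registry_type

    def add_identifier(self, name: str) -> Identifier:
        ident = Identifier(name)
        self.identifiers[name] = ident
        return ident

    def add_association(self, identifier: str, registry: str, user: str, kind: str) -> None:
        # Both ends of an association must already exist in the domain, which is
        # why the procedure defines registries and identifiers before associations.
        if registry not in self.registries:
            raise KeyError(f"unknown registry {registry!r}")
        ident = self.identifiers[identifier]
        if kind == "source":
            ident.sources.add((registry, user))
        elif kind == "target":
            ident.targets.setdefault(registry, set()).add(user)
        else:
            raise ValueError(f"unsupported association type {kind!r}")

    def get_target_from_source(self, source_registry: str, source_user: str,
                               target_registry: str) -> Optional[str]:
        """Resolve the user ID to run under in target_registry for an authenticated source user."""
        # Step 1: find the identifier that owns the source association.
        owners = [i for i in self.identifiers.values()
                  if (source_registry, source_user) in i.sources]
        if not owners:
            return None                       # no source association: nothing to map
        if len(owners) > 1:
            raise LookupError("source user is associated with more than one identifier")
        # Step 2: find that identifier's target association in the requested registry.
        users = owners[0].targets.get(target_registry, set())
        if not users:
            return None                       # no target association for that registry
        if len(users) > 1:
            raise LookupError("identifier has more than one target user in that registry")
        return next(iter(users))


def build_page_domain() -> EimDomain:
    """Recreate the objects the procedure above configures (names taken from the page)."""
    dom = EimDomain("example-domain")   # domain name is a constructed placeholder
    dom.add_registry("System_A_WAS", "1.3.18.02.33.14-caseIgnore")  # LDAP - short name
    dom.add_registry("System_B", "i5/OS (registry type label assumed)")
    dom.add_identifier("John Day")
    dom.add_association("John Day", "System_B", "jsd1", "target")
    dom.add_association("John Day", "System_A_WAS", "johnday", "source")
    return dom


def resolve_sso_user(dom: EimDomain, ldap_user: str) -> Optional[str]:
    """The lookup single signon performs after WAS has authenticated ldap_user."""
    return dom.get_target_from_source("System_A_WAS", ldap_user, "System_B")


if __name__ == "__main__":
    d = build_page_domain()
    print(resolve_sso_user(d, "johnday"))   # jsd1
    print(resolve_sso_user(d, "someone"))   # None: no source association
```

The order of the two steps in get_target_from_source is the point of the two association types: the source association is only ever used to find the person, and the target association is only ever used to pick the profile the application runs under, so a user who exists in the LDAP registry but has no source association is never mapped to any i5/OS profile.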
