Securing your Web applications with single signon

Single signon enables users to access more than one application, across multiple platforms, using one user ID and password. For example, you can integrate secured WebFacing applications that are configured for single signon so that a user only needs to be authenticated once. Note that each system involved still requires a separate user ID. In addition, a WebFacing portlet application with single signon enabled does not require authentication if authentication has already been done on the Portal server.

If you want to use single signon for your applications, you need to perform the following tasks:

To perform these tasks, you should install the System i™ Navigator on a client PC. The following tasks use the System i Navigator, which is packaged with IBM® System i Access for Windows®, which can be installed from your i5/OS® server. Ensure that you install all of the networking components, including TCP/IP.

The following describes how each of the main components is used for single signon:
Lightweight Directory Access Protocol (LDAP)
EIM configuration is stored in LDAP. WebSphere® Application Server can also use LDAP to authenticate Web users. The tasks here assume that WebSphere Application Server is using LDAP for authentication.
Enterprise Identity Mapping (EIM)
EIM is required for mapping the ID used for WebSphere Application Server authentication to the profile used to invoke the application on the i5/OS server. EIM configuration creates an association between these IDs. The ID used by WebSphere Application Server is the source and the i5/OS profile is the target.
Web application configured for EIM
Your WebFacing application must be configured to use a token generated by EIM for authentication. This enables users of the application to authenticate to WebSphere Application Server using their LDAP ID (the source) and lets EIM map this ID to a user profile on the i5/OS server (the target).

The following diagram illustrates the association between the source and target user identities on two systems. On System A, the user is authenticated by WebSphere Application Server as johnday in order to call an application on System B. On System B, the profile used to run the application on the i5/OS is jsd1. The EIM identifier that is used to map the two IDs is John Day. Refer to the following figure while configuring single signon:
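As an added illustration (not code from this page, and not IBM's EIM API), the following Python models the lookup EIM performs for the scenario above: the source association (System A's LDAP registry, johnday) is resolved to the EIM identifier John Day, whose target association in System B's i5/OS registry is jsd1. Registry names are assumptions; the lookup fails closed when no mapping or more than one mapping exists.

```python
# Constructed model of EIM identifier lookup (not the real EIM API).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class EimIdentifier:
    name: str                                              # e.g. "John Day"
    sources: Set[Tuple[str, str]] = field(default_factory=set)  # (registry, user ID)
    targets: Dict[str, str] = field(default_factory=dict)       # registry -> user ID

class EimDomain:
    def __init__(self) -> None:
        self.identifiers: List[EimIdentifier] = []

    def add(self, ident: EimIdentifier) -> None:
        self.identifiers.append(ident)

    def lookup(self, src_registry: str, src_id: str, tgt_registry: str) -> Optional[str]:
        """Map (source registry, source ID) to the user ID in the target registry.

        A user ID is only meaningful together with its registry, which is why the
        lookup key is the pair and not the bare ID. Returns None (fail closed) when
        the source is unmapped, maps to more than one identifier, or the identifier
        has no target association in the requested registry.
        """
        matches = [i for i in self.identifiers if (src_registry, src_id) in i.sources]
        if len(matches) != 1:
            return None
        return matches[0].targets.get(tgt_registry)

# Registry names below are assumed for the illustration.
SRC_REGISTRY = "SystemA-LDAP"
TGT_REGISTRY = "SystemB-i5OS"

def build_example_domain() -> EimDomain:
    """Domain holding the page's example: johnday -> John Day -> jsd1."""
    domain = EimDomain()
    domain.add(EimIdentifier("John Day",
                             sources={(SRC_REGISTRY, "johnday")},
                             targets={TGT_REGISTRY: "jsd1"}))
    # A second identifier with no target on System B: lookups for it must fail.
    domain.add(EimIdentifier("Jane Roe", sources={(SRC_REGISTRY, "janeroe")}))
    return domain

if __name__ == "__main__":
    d = build_example_domain()
    print(d.lookup(SRC_REGISTRY, "johnday", TGT_REGISTRY))   # jsd1
    print(d.lookup(SRC_REGISTRY, "janeroe", TGT_REGISTRY))   # None
```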

Single signon and WebFacing portlet projects

To use single signon in a WebFacing application running in a Portal server, you must perform the following:
  • Secure the Portal server.
  • Configure the supplied Identity Token resource (eimIdTokenRA.rar) in the WebSphere Application Server production environment.
  • Set authentication options to use EIM.
You secure the Portal server on the Secure Application Server and WebSphere Portal with LDAP wizard page. For information on configuring the Identity Token resource, configuring the WebFacing application to use EIM, and information on EIM configuration, refer to the information on configuring EIM. Note that when you configure the Identity Token resource, you must use the WebSphere Administrative Console, under Resources > Resource Adapters.
Note: If you are using i5/OS Portal Server, the Create WebSphere Portal wizard has additional pages that will configure the Identity Token resource. When the user signs on to the Portal, the user ID supplied is used to map that user ID to the user ID to be used on the i5/OS to start the WebFacing application. Therefore, there must be a mapping in the EIM configuration to map this user ID to an appropriate i5/OS user profile.
