Single sign-on for authentication

With single sign-on (SSO) support, Web users can authenticate once when accessing both WebSphere® Application Server resources, such as HTML, JavaServer Pages (JSP) files, servlets, enterprise beans, and Lotus Domino resources, such as documents in a Domino database, or accessing resources in multiple WebSphere Application Server domains.

There are various ways to accomplish SSO, with the most common in WebSphere using LTPA cookies. LTPA cookies do not require any particular client and allow SSO across different cells provide the registry and LTPA keys are the same.

There are other flavors of SSO, including Simple and Protected GSS-API Negotiation (SPNEGO), which is a way to use the token from a Kerberos login (typically Windows) to authenticate to WebSphere Application Server. This prevents the user from having to type in their userid and passwords again.

Note: In WebSphere Application Server Version 6.1, a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources was introduced. In WebSphere Application Server Version 7.0, this function is now deprecated. SPNEGO Web authentication has taken its place to provide dynamic reload of the SPNEGO filters and to enable fallback to the application login method.

TAIs are also a form of single sign-on when used in combination with a Proxy server that does the front-end authentication. The TAI allows the credentials to flow to WebSphere from the Proxy server and to be used to login without the need to re-authenticate the user.




Subtopics
Single sign-on for authentication using LTPA cookies
Enterprise Identity Mapping
Global single sign-on principal mapping for authentication
Related concepts
Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Single sign-on for HTTP requests using SPNEGO web authentication
Related tasks
Creating a single sign-on for HTTP requests using SPNEGO Web authentication
Implementing single sign-on to minimize web user authentications
Configuring single sign-on capability with Tivoli Access Manager or WebSEAL
Concept topic Concept topic    

Terms and conditions for information centers | Feedback

Last updatedLast updated: Feb 5, 2014 9:49:51 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=csec_ssovo
File name: csec_ssovo.html