Securing your Web applications with single signon

Information for the Advanced edition of the product: This function is available only in WebSphere Development Studio Client Advanced Edition for iSeries, V5.1.2 and later, and OS/400 V5R2 and later.

Single signon enables users to access more than one application and multiple platforms using one user ID and password. For example, you can integrate secured WebFacing and Web Tools applications which are configured using single signon so that a user only needs to be authenticated once. Note that each system involved still requires a separate user ID. In addition, a WebFacing portlet application with single signon enabled does not require authentication if authentication has already been done on the Portal server.

If you want to use single signon for your applications, you need to perform the following tasks:

To perform these tasks, you should install the iSeries Navigator on a client PC. The following tasks use the iSeries Navigator, which is packaged with iSeries Access for Windows, which can be installed from your iSeries server. See "Installing iSeries Navigator" in the iSeries Information Center for details on installing iSeries Navigator. Ensure that you install all of the networking components, including TCP/IP.

The following describes how each of the main components is used for single signon:
Lightweight Directory Access Protocol (LDAP)
EIM configuration is stored in LDAP. WebSphere Application Server can also use LDAP to authenticate Web users. The tasks here assume that WebSphere Application Server is using LDAP for authentication.
Enterprise Identity Mapping (EIM)
EIM is required for mapping the ID used for WebSphere Application Server authentication to the profile used to invoke the application on the iSeries server. EIM configuration creates an association between these IDs. The ID used by WebSphere Application Server is the source and the iSeries profile is the target.
Web application configured for EIM
Your WebFacing or Web Tools application must be configured to use a token generated by EIM for authentication. This lets users work with one user ID: EIM maps the user ID used by WebSphere Application Server (the source) to the profile on your application's iSeries server (the target).

The following diagram illustrates the association between the source and target user identities on two systems. On System A, the user is authenticated by WebSphere Application Server as johnday in order to call an application on System B. On System B, the profile used to run the application on the iSeries is jsd1. The EIM identifier that is used to map the two IDs is John Day. Refer to the following figure while configuring single signon:

Related concepts
Deployment descriptor

Single signon and WebFacing portlet projects

To use single signon in a WebFacing application running in a Portal server, you must perform the following:
  • Secure the Portal server.
  • Configure the supplied Identity Token resource (eimIdTokenRA.rar) in the WebSphere Application Server production environment.
  • Set authentication options to use EIM.
You secure the Portal server on the Secure Application Server and WebSphere Portal with LDAP wizard page. For information on configuring the Identity Token resource, configuring the WebFacing application to use EIM, and information on EIM configuration, refer to the information on configuring EIM. Note that when you configure the Identity Token resource, you must use the WebSphere Administrative Console, under Resources > Resource Adapters.
Note: If you are using iSeries Portal Server 5.1 or iSeries Portal Server 5.0.2 with the latest PTFs, the Create WebSphere Portal wizard has additional pages that will configure the Identity Token resource. When the user signs on to the Portal, the user ID supplied is used to map that user ID to the user ID to be used on the iSeries to start the WebFacing application. Therefore, there must be a mapping in the EIM configuration to map this user ID to an appropriate iSeries user profile.
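The source-to-target lookup sketched in the System A / System B figure above, and the requirement in the note that a mapping must exist for the signed-on user, can be shown with a small in-memory model. This is an added example written for this page, not IBM code and not the EIM API; the registry names are assumed labels, and the rejection of missing or ambiguous mappings is this model's behaviour.

```python
# Minimal model of an EIM domain: source association -> EIM identifier -> target association.
# All registries, identifiers and users are constructed for illustration; a real EIM domain
# is stored in LDAP and administered with iSeries Navigator.


class EimDomain:
    def __init__(self):
        self._source = {}   # (source registry, source user) -> EIM identifier
        self._target = {}   # (EIM identifier, target registry) -> set of target users

    def add_source_association(self, identifier, registry, user):
        self._source[(registry, user)] = identifier

    def add_target_association(self, identifier, registry, user):
        self._target.setdefault((identifier, registry), set()).add(user)

    def lookup_target(self, source_registry, source_user, target_registry):
        """Return the target user for a source identity, or raise LookupError
        when no association exists or the association is ambiguous (assumed behaviour)."""
        identifier = self._source.get((source_registry, source_user))
        if identifier is None:
            raise LookupError(f"no EIM identifier for {source_user!r} in {source_registry!r}")
        users = self._target.get((identifier, target_registry), set())
        if not users:
            raise LookupError(f"no target association for {identifier!r} in {target_registry!r}")
        if len(users) > 1:
            raise LookupError(f"ambiguous mapping for {identifier!r} in {target_registry!r}")
        return next(iter(users))


def build_example_domain():
    """The figure's data: johnday on System A maps via 'John Day' to jsd1 on System B."""
    domain = EimDomain()
    domain.add_source_association("John Day", "SystemA-WebSphere-LDAP", "johnday")
    domain.add_target_association("John Day", "SystemB-OS400", "jsd1")
    return domain


def resolve(domain, source_registry, source_user, target_registry):
    """Outcome as the application would see it: ('ok', profile) or ('denied', reason)."""
    try:
        return "ok", domain.lookup_target(source_registry, source_user, target_registry)
    except LookupError as err:
        return "denied", str(err)


if __name__ == "__main__":
    d = build_example_domain()
    print(resolve(d, "SystemA-WebSphere-LDAP", "johnday", "SystemB-OS400"))   # ('ok', 'jsd1')
    print(resolve(d, "SystemA-WebSphere-LDAP", "nobody", "SystemB-OS400"))    # denied: no identifier
```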