Interaction with an Enterprise Identity Mapping server

Enterprise Identity Mapping (EIM) for iSeries™ allows administrators and application developers to solve the problem of managing multiple user registries across their enterprise.

Most network enterprises face the problem of multiple user registries, which require each person or entity within the enterprise to have a user identity in each registry. The need for multiple user registries quickly grows into a large administrative problem that affects users, administrators, and application developers. Enterprise Identity Mapping (EIM) enables inexpensive solutions for easier management of multiple user registries and user identities in your enterprise.

EIM allows you to create a system of identity mappings, called associations, between the various user identities in various user registries for a person in your enterprise. EIM also provides a common set of APIs that can be used across platforms to develop applications that can use the identity mappings that you create to look up the relationships between user identities.

If you are a system administrator, you can configure and manage EIM through iSeries Navigator, the iSeries graphical user interface. The iSeries server uses EIM to enable i5/OS™ interfaces to authenticate users by means of network authentication service.

While iSeries Navigator provides an interface for administrators to manage all user EIM identity mappings, it does not provide a secure interface for non-administrative users to manage their own identities. However, the IBM® Telephone Directory V5.2 application can be used by non-administrators (users) to manage their own identities in an EIM domain. When configured, users sign into the IBM Telephone Directory V5.2 application to update their directory entry and EIM identity mappings. The application only displays EIM identity mappings if a user logs in to update his or her own directory entry. Allowing users to manage their own EIM identity mappings eases the workload of the EIM domain administrator.

When you (as a non-administrator) log in to the IBM Telephone Directory V5.2 application to update your directory entry, a list of identity mappings currently associated with your EIM identifier is also shown. The application shows your identity associations in the EIM registries table. You can then use the application to add and remove any identity associations you have. The application interacts with the EIM domain server to add and remove identity associations as you request them. You can only manage your own associations.

The IBM Telephone Directory V5.2 application queries the EIM domain for the user registry of the IBM Telephone Directory V5.2 application to find identity mappings associated with application users. If the user registry is found, the identity that the user provided when he or she logged into the application is used to find his or her EIM identifier. The EIM identifier is used to look up all identity associations for the user, and they are displayed in the EIM registries table. If the EIM identifier cannot be found (because the user's login identity has not been associated with the IBM Telephone Directory application's user registry), an identifier is automatically created for the user in the EIM domain, and an association to the IBM Telephone Directory V5.2 application's user registry is added.

You can remove any identity associations that are currently mapped to your EIM identifier, but to add an EIM association, you must first specify your credentials to the IBM Telephone Directory V5.2 application. When you add an EIM association, you must select a system name and enter your user ID and password associated with that system. The IBM Telephone Directory V5.2 application authenticates these credentials before it will add an association to the EIM domain. If authentication fails, the association is not added.

Not all associations can be managed by IBM Telephone Directory V5.2. The application is only capable of authenticating identities that use the LDAP or FTP protocols. If user registries are found that do not accept LDAP or FTP authentication, associations with those user registries cannot be added. The application must be able to authenticate a user's identity using LDAP or FTP before an association for that identity can be added to the user's EIM identifier.
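The lookup-or-create and authenticate-before-add flow described above, as an added illustration that is not part of this document and does not use the real EIM APIs: an in-memory stand-in for the EIM domain (registry names, the `ITD_APP` registry, and the password check standing in for an LDAP bind or FTP login are all constructed assumptions) shows where each check sits.

```python
from dataclasses import dataclass, field
from hmac import compare_digest

# Registries the application can authenticate against (per the text: LDAP or FTP only).
SUPPORTED_AUTH = {"LDAP", "FTP"}


@dataclass
class Registry:
    name: str
    auth_protocol: str                              # e.g. "LDAP", "FTP", "KERBEROS"
    credentials: dict = field(default_factory=dict)  # constructed user -> password store


@dataclass
class EimDomain:
    """Constructed model of an EIM domain; not the real EIM server or its API."""
    registries: dict = field(default_factory=dict)   # registry name -> Registry
    identifiers: dict = field(default_factory=dict)  # EIM identifier -> {(registry, user)}
    app_registry: str = "ITD_APP"                    # the application's own user registry (assumed name)

    def identifier_for(self, registry, user):
        for ident, assocs in self.identifiers.items():
            if (registry, user) in assocs:
                return ident
        return None

    def login(self, app_user):
        """Resolve the logged-in user's EIM identifier; create it and the association
        to the application's registry when the login identity is not yet mapped."""
        ident = self.identifier_for(self.app_registry, app_user)
        if ident is None:
            ident = app_user
            self.identifiers[ident] = {(self.app_registry, app_user)}
        return ident

    def add_association(self, ident, registry_name, user, password):
        """Add an association only after the target system accepts the credentials."""
        reg = self.registries.get(registry_name)
        if reg is None or reg.auth_protocol not in SUPPORTED_AUTH:
            return False  # registry cannot be authenticated over LDAP/FTP
        expected = reg.credentials.get(user, "")
        if not compare_digest(expected, password):  # stands in for the LDAP bind / FTP login
            return False  # authentication failed: the association is not added
        if ident not in self.identifiers:
            return False
        self.identifiers[ident].add((registry_name, user))
        return True

    def remove_association(self, ident, registry_name, user):
        """Users may only remove associations mapped to their own identifier."""
        assocs = self.identifiers.get(ident, set())
        if (registry_name, user) not in assocs:
            return False
        assocs.discard((registry_name, user))
        return True
```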

Related tasks
Set up EIM registration and identity mapping