Configure

This information explains how to configure everything you need to implement a single signon environment in your enterprise.

Creating a single signon environment is a matter of appropriately configuring Enterprise Identity Mapping (EIM) and a compatible authentication method to work together in such a way that the combined configuration provides a true single signon environment. In the case of the i5/OS™ single signon solutions, the authentication method is network authentication service (Kerberos).

Because a single signon environment can be complex to configure, you may find it useful to create a test environment before you implement single signon across your enterprise. The Scenario: Create a test single signon environment demonstrates how to configure such a test environment so that you can learn more about the planning needs of implementing single signon as well as gain a better understanding of how an single signon environment can work for you.

After you work with a test environment, you can use what you learn to plan how to implement single signon on a larger scale in your enterprise. You may find it useful to work through the Scenario: Enable single signon for i5/OS to learn about the more advanced configuration options that you can employ when you implement an single signon environment.

Once you have reviewed these and the other single signon scenarios, you can use the Single signon planning worksheets to create an informed single signon implementation plan that fits the needs of your enterprise. With these planning worksheets in hand, you are ready to continue with the configuration process.

This information helps you configure a single signon environment using the network authentication service as your authentication method and using EIM to create and manage your user profiles and identity mappings. Because single signon involves a number of detailed configuration steps, this information describes the high-level configuration tasks for single signon and provides links to the more detailed configuration information for both EIM and network authentication service where appropriate.

Perform these tasks to configure a single signon environment:

Create your Windows^® 2000 domain
1. Configure the KDC on the Active Directory (AD) Server.
  Note: You can choose to create and run your KDC on i5/OS PASE rather than create a Windows domain and run the KDC on a windows server.
2. Add i5/OS service principals to the Kerberos server.
3. Create a home directory for each Kerberos user who will participate in your single signon environment.
4. Verify TCP/IP domain information.
Create an EIM domain by running the both the network authentication service wizard and the EIM configuration wizard on a server. When you have completed these wizards, you have actually accomplished the following tasks:
1. Configured i5/OS interfaces to accept Kerberos tickets.
2. Configured the Directory server on the iSeries™ to be the EIM domain controller.
3. Created an EIM domain.
4. Configured a user identity for i5/OS and i5/OS applications to use when conducting EIM operations.
5. Added a registry definition to EIM for the local i5/OS registry and the local Kerberos registry (if Kerberos is configured).
For servers running i5/OS V5R3 or later, see the Scenario: Propagate network authentication service and EIM across multiple systems for a detailed demonstration on how to use the Synchronize Functions wizard in iSeries Navigator to propagate a single signon configuration across multiple servers in a mixed i5/OS release environment. Administrators can save time by configuring single signon once and propagating that configuration to all of their systems instead of configuring each system individually.
Finish your configuration for the network authentication service Based on your single signon implementation plan, create a home directory for users on your servers.
Based on your implementation plan, customize your EIM environment by setting up associations for the user identities in your enterprise. Learn how to customize your EIM environment in the iSeries Information Center
1. Configure other servers to participate in the EIM domain.
2. Create EIM identifiers and identifier associations as needed.
3. Add additional registry definitions as needed.
4. Create policy associations as needed.
Test your single signon configuration.
To verify that you have configured the network authentication service and EIM correctly, sign onto the system with a user ID, and then open iSeries Navigator. If no i5/OS signon prompt displays, EIM successfully mapped the Kerberos principal to an identifier on the domain.

Note: If you find that your test of your single signon configuration fails, there may be a problem with your configuration. You can troubleshoot single signon and learn how to recognize and fix common problems with your single signon configuration.