Single sign-on considerations

This topic lists considerations for Single sign-on (SSO) with iSeries™ Access for Web in the Web application server and portal environments.

iSeries Access for Web supports participating in WebSphere® SSO environments. When enabled, users provide WebSphere credentials when accessing i5/OS™ resources with iSeries Access for Web. The user is authenticated with the active WebSphere user registry and Enterprise Identity Mapping (EIM) is used to map the authenticated WebSphere user identity to an i5/OS user profile. The i5/OS user profile is used to authorize access to the requested i5/OS resources. Single sign-on with WebSphere is supported in both the Web application server and portal environments.

SSO with WebSphere and iSeries Access for Web requires the following configurations:

WebSphere global security

For information on WebSphere global security, search for "Configuring global security" in the appropriate version of the WebSphere Application Server information center. Links to the WebSphere information centers are in the IBM® WebSphere Application Server documentation.

EIM domain configuration

For information on EIM domain configuration, see the "Configure Enterprise Identity Mapping" topic.

EIM Identity Token Connector

The EIM Identity Token Connector is a resource adapter that must be installed and configured into WebSphere when enabling iSeries Access for Web for WebSphere SSO. The iSeries Access for Web application and portal application request identity tokens from the connector. Identity tokens are encrypted data strings that represent the currently authenticated WebSphere user. Identity tokens are input to EIM lookup operations, which map an authenticated WebSphere user identity to an i5/OS user profile.

The connector supports J2C connection factories with JNDI names eis/IdentityToken and eis/iwa_IdentityToken. By default, iSeries Access for Web attempts to use configuration values from the factory defined with JNDI name eis/iwa_IdentityToken. If this factory is not found, configuration values from the factory defined with JNDI name eis/IdentityToken are used.

For information on EIM Identity Token Connector configuration, follow this path in the WebSphere Application Server for OS/400®, Version 6 Information Center: Securing applications and their environment > Integrating IBM WebSphere Application Server security with existing security systems > Configure the EIM Identity Token Connection Factory.

Configuration examples

See the "WebSphere Application Server V6.0 for OS/400 with Single sign-on" topic for an example of configuring iSeries Access for Web with SSO in a Web application server environment.

See the "WebSphere Portal - Express for Multiplatforms V5.0.2 (iSeries) with Single sign-on" topic for an example of configuring iSeries Access for Web with SSO in a portal application environment.
