<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Single sign-on considerations" />
<meta name="abstract" content="This topic lists considerations for Single sign-on (SSO) with iSeries Access for Web in the Web application server and portal environments." />
<meta name="description" content="This topic lists considerations for Single sign-on (SSO) with iSeries Access for Web in the Web application server and portal environments." />
<meta name="DC.Relation" scheme="URI" content="rzammsecurity.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammeimconfig.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammportletsRefIFrame.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammlogintemplate.htm" />
<meta name="DC.Relation" scheme="URI" content="../rzalv/rzalvmst.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammiawconfig.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammdefaultpg.htm" />
<meta name="DC.Relation" scheme="URI" content="portconfig.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammconfigapsrvsso.htm" />
<meta name="DC.Relation" scheme="URI" content="rzammxmpportesso.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2003, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzammsso.dita" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Single sign-on considerations</title>
</head>
<body id="rzammsso.dita"><a name="rzammsso.dita"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Single sign-on considerations</h1>
<div><p>This topic lists considerations for Single sign-on (SSO) with iSeries™ Access
for Web in the Web application server and portal environments.</p>
<p>iSeries Access
for Web supports participating in WebSphere<sup>®</sup> SSO environments. When enabled,
users provide WebSphere credentials
when accessing i5/OS™ resources
with iSeries Access
for Web. The user is authenticated with the active WebSphere user registry and Enterprise
Identity Mapping (EIM) is used to map the authenticated WebSphere user
identity to an i5/OS user
profile. The i5/OS user
profile is used to authorize access to the requested i5/OS resources. Single sign-on with WebSphere is
supported in both the Web application server and portal environments.</p>
<div class="p">SSO with WebSphere and iSeries Access
for Web requires the following configurations: <ul><li>WebSphere Application
Server with global security enabled and an active user registry to authenticate
users. </li>
<li>An EIM domain configuration to enable mapping of WebSphere user identities to i5/OS user profiles.
</li>
<li>The EIM Identity Token Connector (resource adapter) installed and configured
into WebSphere Application
Server. </li>
</ul>
</div>
<div class="section"><h4 class="sectiontitle">WebSphere global
security</h4><p>For information on WebSphere global security, search
for "Configuring global security" in the appropriate version of the WebSphere Application
Server information center. Links to the WebSphere information centers are
in the <a href="http://www.ibm.com/servers/eserver/iseries/software/websphere/wsappserver/" target="_blank">IBM<sup>®</sup> WebSphere Application Server documentation</a>.</p>
</div>
<div class="section"><h4 class="sectiontitle">EIM domain configuration</h4><p>For information on EIM
domain configuration, see the "Configure Enterprise Identity Mapping" topic. </p>
</div>
<div class="section"><h4 class="sectiontitle">EIM Identity Token Connector</h4><p>The EIM Identity Token
Connector is a resource adapter that must be installed and configured into WebSphere when
enabling iSeries Access
for Web for WebSphere SSO.
The iSeries Access
for Web application and portal application request identity tokens from the
connector. Identity tokens are encrypted data strings that represent the currently
authenticated WebSphere user.
Identity tokens are input to EIM lookup operations, which map an authenticated WebSphere user
identity to an i5/OS user
profile. </p>
<p>The connector supports J2C connection factories with JNDI
names <span class="uicontrol">eis/IdentityToken</span> and <span class="uicontrol">eis/iwa_IdentityToken</span>.
By default, iSeries Access
for Web attempts to use configuration values from the factory defined with
JNDI name <span class="uicontrol">eis/iwa_IdentityToken</span>. If this factory is
not found, configuration values from the factory defined with JNDI name <span class="uicontrol">eis/IdentityToken</span> are
used. </p>
<p>For information on EIM Identity Token Connector configuration,
follow this path in the <a href="http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp" target="_blank">WebSphere Application Server for OS/400<sup>®</sup>, Version
6 Information Center</a>: <span class="menucascade"><span class="uicontrol">Securing applications
and their environment</span> &gt; <span class="uicontrol">Integrating IBM WebSphere Application
Server security with existing security systems</span> &gt; <span class="uicontrol">Configure
the EIM Identity Token Connection Factory</span></span>.</p>
</div>
<div class="section"><img src="./delta.gif" alt="Start of change" /><h4 class="sectiontitle">Configuration examples</h4><p>See the "WebSphere Application
Server V6.0 for OS/400 with
Single sign-on" topic for an example of configuring iSeries Access for Web with SSO in a
Web application server environment.</p> <p>See the "WebSphere Portal - Express for Multiplatforms
V5.0.2 (iSeries)
with Single sign-on" topic for an example of configuring iSeries Access
for Web with SSO in a portal application environment.</p>
<img src="./deltaend.gif" alt="End of change" /></div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzammeimconfig.htm">Configure Enterprise Identity Mapping</a></strong><br />
In order to enable Single sign-on (SSO) with WebSphere and iSeries Access
for Web, you must configure Enterprise Identity Mapping (EIM). This topic
provides an overview of the steps to configure EIM. These steps are intended
as a guide to administrators when planning and configuring the EIM environment. </li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzammsecurity.htm" title="Learn about security considerations with iSeries Access for Web.">Security considerations</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzammportletsRefIFrame.htm" title="The iSeries Access for Web IFrame portlet provides the ability to access iSeries Access for Web servlet functions from a portal environment.">IFrame</a></div>
<div><a href="rzammlogintemplate.htm" title="The main page is displayed when the iSeries Access for Web main page address is accessed without any parameters.">Login template</a></div>
<div><a href="rzammdefaultpg.htm" title="iSeries Access for Web generates most of its page content dynamically in response to user actions. The remainder of the content is retrieved from static HTML files. A style sheet is also used to control certain aspects of the content's appearance.">Default page content</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzammconfigapsrvsso.htm" title="This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries Access for Web running in a WebSphere Application Server V6.0 for OS/400 environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working.">Configure WebSphere Application Server V6.0 for OS/400 with Single sign-on</a></div>
<div><a href="rzammxmpportesso.htm" title="This example is for users that are not familiar with the Web serving environment. It describes all the steps necessary to get iSeries Access for Web running in a WebSphere Portal web serving environment with single sign-on (SSO) enabled. It also describes how to verify that the setup is working.">Configure WebSphere Portal - Express for Multiplatforms V5.0.2 (iSeries) with Single sign-on</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzammiawconfig.htm" title="Installing iSeries Access for Web to the iSeries server does not make it available for use. To use iSeries Access for Web, it must be configured to the Web application server (WebSphere or ASF Tomcat).">Configure iSeries Access for Web in a Web application server environment</a></div>
<div><a href="portconfig.htm" title="Follow the steps necessary to configure iSeries Access for Web in a portal environment.">Configure iSeries Access for Web in a portal environment</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="../rzalv/rzalvmst.htm">Enterprise Identity Mapping</a></div>
</div>
</div>
</body>
</html>