Configure single signon

With single signon (SSO) support, Web users can authenticate once when accessing Web resources across multiple WASs. Form login mechanisms for Web applications require that SSO is enabled. SSO is supported only when Lightweight Third Party Authentication (LTPA) is the authentication mechanism. SSO uses HTTP cookies to achieve this functionality.

When SSO is enabled, a cookie is created containing the LTPA token. When the user accesses other Web resources in any other WAS process in the same domain name service (DNS) domain, the cookie is sent in the request. The LTPA token is then extracted from the cookie and validated. If the request is between different cells of WASs, share the LTPA keys and the user registry between the cells for SSO to work. The LTPA authentication mechanism requires that you enable SSO if any of the Web applications have form login as the authentication method.

The following steps are required to configure SSO for the first time.

  1. Access the administrative console by typing http://localhost:9090/admin in a Web browser.

  2. Click Security > Authentication mechanisms > LTPA in the Navigation panel on the left. Click Single Signon (SSO) in the Additional Properties section.

  3. Click Enable if SSO is disabled. After you click Enable, make sure you complete the remaining steps to enable security.

  4. Enable the Requires SSL field if all of the requests are expected to come over HTTPS.

  5. Enter the domain name where SSO is effective. The cookie is sent for all of the servers in this domain only. For example, if the domain is ibm.com, SSO works between the domains amsterdam.setgetweb.com and raleigh.ibm.com, but not austin.otherCompany.com.

    Domain field option: The domain field is optional. If it is left blank, the Web browser defaults the domain name of the SSO cookie to the WAS that created it. In this case, SSO is only valid for the server that created the cookie. This behavior might be desirable when multiple virtual hosts are defined and need to have a separate domain specified in the SSO cookie.

  6. Click OK.

For the changes to take effect, save, stop, and restart all the product servers (cell, nodes and all the WAS systems).
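
To confirm the effect of steps 4 and 5 after the restart, the following added example (not part of the product documentation) audits a captured Set-Cookie header and reports whether the cookie is restricted to HTTPS and which hosts a browser would send it to. The cookie name LtpaToken, the host server2.ibm.com, the header values, and the mapping of "Requires SSL" to the Secure attribute are assumptions made for illustration.

```python
# Added example: audit the scope of an SSO cookie from a Set-Cookie header.
# Cookie name, token value and headers below are constructed samples.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, value, attrs

def receives_cookie(host, origin_host, attrs):
    """Browser domain matching: a blank Domain means a host-only cookie."""
    host, origin_host = host.lower(), origin_host.lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return host == origin_host           # step 5 left blank
    return host == domain or host.endswith("." + domain)

def audit(header, origin_host, candidate_hosts):
    """Report the Secure flag and the hosts that would receive the cookie."""
    name, _, attrs = parse_set_cookie(header)
    return {
        "cookie": name,
        # Assumption: "Requires SSL" (step 4) shows up as the Secure attribute.
        "secure": "secure" in attrs,
        "sent_to": [h for h in candidate_hosts
                    if receives_cookie(h, origin_host, attrs)],
    }

# Constructed inputs: hosts from step 5 plus two made-up ones.
HOSTS = ["raleigh.ibm.com", "server2.ibm.com",
         "austin.otherCompany.com", "notibm.com"]
SCOPED = "LtpaToken=AAAA; Path=/; Domain=.ibm.com; Secure"
HOST_ONLY = "LtpaToken=AAAA; Path=/"

if __name__ == "__main__":
    for label, hdr in (("domain=ibm.com", SCOPED), ("blank domain", HOST_ONLY)):
        print(label, audit(hdr, "raleigh.ibm.com", HOSTS))
```

A cookie reported with "secure": False while the Requires SSL field is enabled, or a "sent_to" list wider than the servers that share the LTPA keys, indicates the saved settings did not take effect or the domain is broader than intended.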

 

See Also

Web component security
Configuring global security
Single signon settings
Security: Resources for learning