Configure single signon using the trust association interceptor

Configure single signon using the trust association interceptor

+
Search Tips | Advanced Search

Before you begin
The following steps are required when setting up security for the first time. Ensure that LTPA is the active authentication mechanism:

From the WAS console click...
Security | Global security

Ensure that the Active authentication mechanism field is set to LTPA. If not, set it and save your changes.

Overview
This task is performed to enable single signon using the trust association interceptor. The steps involve setting up trust association and creating the interceptor properties.

Procedure

From the WAS console, click...
Security | Global security | LTPA | Trust association | Enable trust association | Interceptors | com.ibm.ws.security.web.WebSealTrustAssociationInterceptor | Custom Properties

Click New to enter the property name and value pairs. Ensure the following parameters are set:

Option Description
com.ibm.websphere.security.trustassociation.types Ensure that webseal is listed.
com.ibm.websphere.security.webseal.loginId The WebSEAL trusted user as created in Creating a trusted user account in TAM
The format of the username is the short name representation. This is a mandatory property. If it is not set in the WAS then TAI initialization will fail.
com.ibm.websphere.security.webseal.id The iv-user header, which is com.ibm.websphere.security.webseal.id=iv-user
com.ibm.websphere.security.webseal.hostnames Do not set this property if using TAM Plug-in for Web Servers. The host names (case sensitive) that are trusted and expected in the request header.
For example: com.ibm.websphere.security.webseal.hostnames=host1
This should also include the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy is set to true. A list of servers can be obtained using the server list pdadmin command.
com.ibm.websphere.security.webseal.ports Do not set this property if using TAM Plug-in for Web Servers. The corresponding port number of the host names that are expected in the request header. This should also include the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy is set to true. For example: com.ibm.websphere.security.webseal.ports=80,443
com.ibm.websphere.security.webseal.ignoreProxy An optional property that if set to true or yes ignores the proxy host names and ports in the IV header. By default this property is set to false.

Click OK.
Save configuration and logout.
Restart WAS.

See Also
Single signon using WebSEAL or the TAM plug-in for Web servers
Trust associations

Related Tasks
Creating a trusted user account in TAM
Configuring trust association interceptors

See Also
Trust association interceptor support for Subject creation

Option	Description
com.ibm.websphere.security.trustassociation.types	Ensure that webseal is listed.
com.ibm.websphere.security.webseal.loginId	The WebSEAL trusted user as created in Creating a trusted user account in TAM The format of the username is the short name representation. This is a mandatory property. If it is not set in the WAS then TAI initialization will fail.
com.ibm.websphere.security.webseal.id	The iv-user header, which is com.ibm.websphere.security.webseal.id=iv-user
com.ibm.websphere.security.webseal.hostnames	Do not set this property if using TAM Plug-in for Web Servers. The host names (case sensitive) that are trusted and expected in the request header. For example: com.ibm.websphere.security.webseal.hostnames=host1 This should also include the proxy host names (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy is set to true. A list of servers can be obtained using the server list pdadmin command.
com.ibm.websphere.security.webseal.ports	Do not set this property if using TAM Plug-in for Web Servers. The corresponding port number of the host names that are expected in the request header. This should also include the proxy ports (if any) unless the com.ibm.websphere.security.webseal.ignoreProxy is set to true. For example: com.ibm.websphere.security.webseal.ports=80,443
com.ibm.websphere.security.webseal.ignoreProxy	An optional property that if set to true or yes ignores the proxy host names and ports in the IV header. By default this property is set to false.