Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Implement single sign-on to minimize web user authentications > Configure single sign-on capability with Tivoli Access Manager or WebSEAL
Configure global sign-on principal mapping
We can create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials.
Procedure
- Click...
-
Security | Global security | Authentication JAAS | Application logins
- Click New
- Set the alias of the new application login. Click Apply.
- Under Additional properties, click JAAS login modules.
- Click New and set:
Module class name com.tivoli.pdwas.gso.AMPrincipalMapper Use Login Module Proxy enable Authentication strategy REQUIRED - Click Apply
- Define login module-specific values...
-
Additional Properties | Custom Properties | New
The authDataAlias string is passed to the J2C connection factory to retrieve the user name and password The following scenarios are possible:
- authDataAlias contains both GSO resource name and user name. Format of string is...
-
Resource/User
- authDataAlias contains the GSO Resource name only. User name is determined using the Subject of the current session.
The scenario to use is determined by a JAAS configuration option:
Name com.tivoli.pd.as.gso.AliasContainsUserName Value True, alias contains user name. False if user name is retrieved from security context When entering authDataAlias attributes through the WAS administrative console, the node name is automatically pre-pended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name:
Name com.tivoli.pd.as.gso.AliasContainsNodeName Value True, if alias contains node name If the PdPerm.properties configuration file is not located default location...
-
JAVA_HOME/PdPerm.properties
...then you also need to add the following property...
Name com.tivoli.pd.as.gso.AMCfgURL Value file:///path/to/PdPerm.properties Enter each new parameter using the following scenario information as a guide, then click Apply.
Scenario 1
Auth Data Alias BackendEIS/eisUser Resource BackEndEIS User eisUser Principal Mapping Parameters...
Name Value delegate com.tivoli.pdwas.gso.AMPrincipalMapper com.tivoli.pd.as.gso.AliasContainsUserName true com.tivoli.pd.as.gso.AliasContainsNodeName false com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path debug false Scenario 2
Auth Data Alias BackendEIS
Resource BackEndEIS
User Currently authenticated WAS user
Principal Mapping Parameters...
Name Value delegate com.tivoli.pdwas.gso.AMPrincipalMapper com.tivoli.pd.as.gso.AliasContainsUserName false com.tivoli.pd.as.gso.AliasContainsNodeName false com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path debug false Scenario 3
Auth Data Alias nodename/BackendEIS/eisUser
Resource BackEndEIS
User eisUser
Principal Mapping Parameters...
Name Value delegate com.tivoli.pdwas.gso.AMPrincipalMapper com.tivoli.pd.as.gso.AliasContainsUserName true com.tivoli.pd.as.gso.AliasContainsNodeName true com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path debug false Scenario 4
Auth Data Alias nodename/BackendEIS/eisUser
Resource nodename/BackEndEIS (notice that node name is not removed)
User eisUser
Principal Mapping Parameters.
Name Value delegate com.tivoli.pdwas.gso.AMPrincipalMapper com.tivoli.pd.as.gso.AliasContainsUserName true com.tivoli.pd.as.gso.AliasContainsNodeName false com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path debug false Scenario 5
Auth Data Alias BackendEIS/eisUser
Resource BackEndEIS
User eisUser
Principal Mapping Parameters...
Name Value delegate com.tivoli.pdwas.gso.AMPrincipalMapper com.tivoli.pd.as.gso.AliasContainsUserName false com.tivoli.pd.as.gso.AliasContainsNodeName true com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path debug false Scenario 6
Auth Data Alias nodename/BackendEIS/eisUser
Resource nodename/BackendEIS/eisUser
(The resource is the same as Auth Data Alias).
User Currently authenticated WAS user
Principal Mapping Parameters...
Name Value delegate com.tivoli.pdwas.gso.AMPrincipalMapper com.tivoli.pd.as.gso.AliasContainsUserName false com.tivoli.pd.as.gso.AliasContainsNodeName false com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path debug false - authDataAlias contains both GSO resource name and user name. Format of string is...
- Create Java 2 Connector (J2C) authentication aliases.
The user name and password that are assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password that are assigned to the J2C authentication aliases need to exist so that they can be selected for the J2C connection factory in the administrative console.
To create the J2C authentication aliases, from the WAS administrative console, for each new entry, click...
Security | Global security | Authentication | JAAS | J2C authentication data | New
The connection factories for each resource adapter that need to use the GSO database must be configured to use the Tivoli Access Manager Principal mapping module:
- From the WAS administrative console, click...
-
Applications | Enterprise Applications | application_name | Resource references | Additional properties | Resource Adapter
Note that J2C connection factories must be already configured for the selected application.
The resource adapter can be stand-alone and does not need to be packaged with the application. The resource adapter is configured from Resources > Resource Adapters for stand-alone scenarios.
- Under Additional properties, click J2C Connection Factories.
- Click New and enter the connection factory properties.
- When finished, click Apply > Save.
Attention: Custom mapping configuration for the connection factory is deprecated in WAS v6.
To configure the GSO credential mapping, use the Map Resource References to Resources panel on the administrative console. See the J2EE connector security article.
- From the WAS administrative console, click...
Global single sign-on principal mapping for authentication
Java EE connector security
Configure Java EE Connector connection factories in the administrative console
Configure single sign-on capability with Tivoli Access Manager or WebSEAL