Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Implement single sign-on to minimize web user authentications > Configure single sign-on capability with Tivoli Access Manager or WebSEAL


Configure global sign-on principal mapping

We can create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials.


Procedure

  1. Click...

      Security | Global security | Authentication JAAS | Application logins

  2. Click New

  3. Set the alias of the new application login. Click Apply.

  4. Under Additional properties, click JAAS login modules.

  5. Click New and set:

    Module class name com.tivoli.pdwas.gso.AMPrincipalMapper
    Use Login Module Proxy enable
    Authentication strategy REQUIRED

  6. Click Apply

  7. Define login module-specific values...

      Additional Properties | Custom Properties | New

    The authDataAlias string is passed to the J2C connection factory to retrieve the user name and password The following scenarios are possible:

    • authDataAlias contains both GSO resource name and user name. Format of string is...

        Resource/User

    • authDataAlias contains the GSO Resource name only. User name is determined using the Subject of the current session.

    The scenario to use is determined by a JAAS configuration option:

    Name com.tivoli.pd.as.gso.AliasContainsUserName
    Value True, alias contains user name. False if user name is retrieved from security context

    When entering authDataAlias attributes through the WAS administrative console, the node name is automatically pre-pended to the alias. The JAAS configuration entry determines whether this node name is removed or included as part of the resource name:

    Name com.tivoli.pd.as.gso.AliasContainsNodeName
    Value True, if alias contains node name

    If the PdPerm.properties configuration file is not located default location...

      JAVA_HOME/PdPerm.properties

    ...then you also need to add the following property...

      Name com.tivoli.pd.as.gso.AMCfgURL
      Value file:///path/to/PdPerm.properties

    Enter each new parameter using the following scenario information as a guide, then click Apply.


    Scenario 1

    Auth Data Alias BackendEIS/eisUser
    Resource BackEndEIS
    User eisUser

    Principal Mapping Parameters...

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 2

    Auth Data Alias BackendEIS
    Resource BackEndEIS
    User Currently authenticated WAS user

    Principal Mapping Parameters...

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 3

    Auth Data Alias nodename/BackendEIS/eisUser  
    Resource BackEndEIS
    User eisUser

    Principal Mapping Parameters...

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 4

    Auth Data Alias nodename/BackendEIS/eisUser  
    Resource nodename/BackEndEIS (notice that node name is not removed)
    User eisUser

    Principal Mapping Parameters.

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName true
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 5

    Auth Data Alias BackendEIS/eisUser
    Resource BackEndEIS
    User eisUser

    Principal Mapping Parameters...

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName true
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

    Scenario 6

    Auth Data Alias nodename/BackendEIS/eisUser
    Resource nodename/BackendEIS/eisUser
    (The resource is the same as Auth Data Alias).
    User Currently authenticated WAS user

    Principal Mapping Parameters...

    Name Value
    delegate com.tivoli.pdwas.gso.AMPrincipalMapper
    com.tivoli.pd.as.gso.AliasContainsUserName false
    com.tivoli.pd.as.gso.AliasContainsNodeName false
    com.tivoli.pd.as.gso.AMLoggingURL file:///jlog_props_path
    debug false

  8. Create Java 2 Connector (J2C) authentication aliases.

    The user name and password that are assigned to these alias entries are irrelevant because Tivoli Access Manager is responsible for providing user names and passwords. However, the user name and password that are assigned to the J2C authentication aliases need to exist so that they can be selected for the J2C connection factory in the administrative console.

    To create the J2C authentication aliases, from the WAS administrative console, for each new entry, click...

      Security | Global security | Authentication | JAAS | J2C authentication data | New

    The connection factories for each resource adapter that need to use the GSO database must be configured to use the Tivoli Access Manager Principal mapping module:

    1. From the WAS administrative console, click...

        Applications | Enterprise Applications | application_name | Resource references | Additional properties | Resource Adapter

      Note that J2C connection factories must be already configured for the selected application.

      The resource adapter can be stand-alone and does not need to be packaged with the application. The resource adapter is configured from Resources > Resource Adapters for stand-alone scenarios.

    2. Under Additional properties, click J2C Connection Factories.

    3. Click New and enter the connection factory properties.

    4. When finished, click Apply > Save.

    Attention: Custom mapping configuration for the connection factory is deprecated in WAS v6.

    To configure the GSO credential mapping, use the Map Resource References to Resources panel on the administrative console. See the J2EE connector security article.


Global single sign-on principal mapping for authentication
Java EE connector security
Configure Java EE Connector connection factories in the administrative console
Configure single sign-on capability with Tivoli Access Manager or WebSEAL

+

Search Tips   |   Advanced Search