(iseries)Configure single sign-on capability with Enterprise Identity Mapping
The Enterprise Identity Mapping (EIM) identity token connection factory is a type of Java 2 Connector (J2C) connection factory. Using EIM identity token connection factories along with EIM identity token-enabled products, such as IBM Toolbox for Java, provides a single sign-on capability for WebSphere Application Server applications that need to access server data and resources through the user ID.
The EIM identity token connection factory is supported on the following WebSphere Application Server products.
(iseries) Attention: Either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM) may be used with the EIM identity token connection factory. Enable web security single sign-on (SSO) is optional when LTPA is used with the EIM identity token connection factory. See the information about implementing single sign-on to minimize web user authentications.
editions per product.
This table lists the supported edition names per product.
Edition name Supported products Version 8.0 WebSphere Application Server (base) , WebSphere Application Server Network Deployment for IBM i ("Network Deployment Edition")
Version 6.1 WebSphere Application Server (base) WebSphere Application Server Network Deployment for IBM i ("Network Deployment Edition")
Version 6.0.x WebSphere Application Server (base) WebSphere Application Server Network Deployment for IBM i ("Network Deployment Edition")
We can configure EIM identity token connection factories for v8.5 only. Information about a sample application that might be helpful to you when you develop our own applications is provided. : Configuration tasks can vary slightly for other WebSphere Application Server products and editions.
The sample application uses an EIM identity token connection factory to provide EIM identity tokens for use with IBM Toolbox for Java com.ibm.as400.access.AS400 objects. For example, if the sample application is deployed on SERVER A, we can log in once to WebSphere Application Server and use the sample application to perform IBM i server commands under the IBM i user profiles on SERVER B, SERVER C, or SERVER D.
When we make a request to the sample application, you must log in with the WAS user ID and password. Each request contains the server command and the target server name where the command runs. When the request is received, the application calls the connection factory to generate an identity token. The connection factory extracts the user ID from a JAAS subject object provided by WAS security, and it collaborates with the EIM domain controller to create the identity token returned to the application. The application then creates a com.ibm.as400.access.AS400 object for SERVER B and provides it with the identity token (instead of the IBM i user profile) before it passes the server command to run. : A new identity token and com.ibm.as400.access.AS400 object are created each time that you send a request containing a new target server. All com.ibm.as400.access.AS400 objects are stored in an HTTP Session for use with subsequent requests.
- Verify that we have all of the prerequisites that are installed to use the EIM token connection factory. We must verify that we have installed the necessary program temporary fixes (PTF) to the server and applications. For more information, see Verify Enterprise Identity Mapping identity token connection factory prerequisite applications.
- Configure EIM work with the identity token connection factory. These instructions explain how to complete the following tasks:
For more information, see Configure Enterprise Identity Mapping.
- Create a domain in EIM.
- Add the domain to domain management.
- Create a source user registry definition.
- Create a user identifier.
- Create a target association.
- Create a source association.
- Test the connection to the EIM domain controller
- Configure the EIM identity token connection factory. This step involves configuring two Java Archive (JAR) files and a shared library. For more information, see Configure the Enterprise Identity Mapping identity token connection factory.
- Configure the connection factory. For more information, see Automatically configuring the connection factory.
Results
After completing the previous steps, we have configured single sign-on for Enterprise Identity Mapping.
Subtopics
- (iseries) Verify Enterprise Identity Mapping identity token connection factory prerequisite applications
Use the following procedure to verify that the necessary prerequisites have been installed before using the Enterprise Identity Mapping (EIM) identity token connection factory.
- (iseries) Configure Enterprise Identity Mapping
Use the iSeries Navigator to configure Enterprise Identity Mapping (EIM) for use with the identity token connection factory.
- (iseries) Configure the Enterprise Identity Mapping identity token connection factory
The Enterprise Identity Mapping (EIM) identity token connection factory requires the eim.jar file to be in the class path for the connection factory. The jt400.jar file must be in the class path for the sample application.
- (iseries) Manually configuring the connection factory
The following steps help you manually configure the connection factory.
- (iseries) Automatically configuring the connection factory
We can use the cfgIdToken.jacl script to automatically configure the Java 2 Connector (J2C) authentication data, the resource adapter, and the connection factory.
- (iseries) Deploy the Enterprise Identity Mapping sample application
We can deploy the sample application into the WAS environment.
Related concepts
Single sign-on for authentication using LTPA cookies
Related tasks
Implement single sign-on to minimize web user authentications
Enterprise Identity Mapping identity token connection factory parameters Enterprise Identity Mapping troubleshooting tips