
Configure single sign-on capability with Enterprise Identity Mapping

The Enterprise Identity Mapping (EIM) identity token connection factory is a type of Java 2 Connector (J2C) connection factory. Using EIM identity token connection factories along with EIM identity token-enabled products, such as IBM Toolbox for Java, provides a single sign-on capability for WebSphere Application Server applications that need to access server data and resources through the user ID.

The EIM identity token connection factory is supported on the following WebSphere Application Server products.

Attention: Either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM) may be used with the EIM identity token connection factory. Enabling web security single sign-on (SSO) is optional when LTPA is used with the EIM identity token connection factory. See the information about implementing single sign-on to minimize web user authentications.


This table lists the supported edition names per product.

Edition name     Supported products
Version 8.0      WebSphere Application Server (base); WebSphere Application Server Network Deployment for IBM i ("Network Deployment Edition")
Version 6.1      WebSphere Application Server (base); WebSphere Application Server Network Deployment for IBM i ("Network Deployment Edition")
Version 6.0.x    WebSphere Application Server (base); WebSphere Application Server Network Deployment for IBM i ("Network Deployment Edition")

We can configure EIM identity token connection factories for v8.5 only. Information about a sample application that might be helpful when we develop our own applications is provided. Note: Configuration tasks can vary slightly for other WebSphere Application Server products and editions.

The sample application uses an EIM identity token connection factory to provide EIM identity tokens for use with IBM Toolbox for Java com.ibm.as400.access.AS400 objects. For example, if the sample application is deployed on SERVER A, we can log in once to WebSphere Application Server and use the sample application to perform IBM i server commands under the IBM i user profiles on SERVER B, SERVER C, or SERVER D.

When we make a request to the sample application, we must log in with the WAS user ID and password. Each request contains the server command and the name of the target server where the command runs. When the request is received, the application calls the connection factory to generate an identity token. The connection factory extracts the user ID from a JAAS subject object provided by WAS security and works with the EIM domain controller to create the identity token, which is returned to the application. The application then creates a com.ibm.as400.access.AS400 object for SERVER B and provides it with the identity token (instead of the IBM i user profile) before it passes the server command to run. Note: A new identity token and com.ibm.as400.access.AS400 object are created each time that we send a request containing a new target server. All com.ibm.as400.access.AS400 objects are stored in an HTTP Session for use with subsequent requests.
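An added example, not code from the sample application: one way to keep the per-session com.ibm.as400.access.AS400 objects described above, creating a new object and identity token only for a target server not yet seen in the session. The IdentityTokenSource interface (a stand-in for the call into the connection factory), the session attribute name, and the allow-list of target servers are assumptions.

```java
import com.ibm.as400.access.AS400;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;

public final class SessionSystemCache {
    /** Hypothetical stand-in for the call into the EIM identity token connection factory. */
    public interface IdentityTokenSource {
        byte[] newIdentityToken() throws Exception;
    }

    private static final String ATTR = "sample.as400.cache"; // assumed session attribute name
    private final Set<String> allowedServers; // assumed allow-list of target servers
    private final IdentityTokenSource tokens;

    public SessionSystemCache(Set<String> allowedServers, IdentityTokenSource tokens) {
        this.allowedServers = allowedServers;
        this.tokens = tokens;
    }

    /** Returns this session's AS400 object for targetServer, creating it on first use. */
    public AS400 systemFor(HttpSession session, String targetServer) throws Exception {
        // The target name comes from the request, so only known servers receive a token.
        if (targetServer == null || !allowedServers.contains(targetServer)) {
            throw new IllegalArgumentException("target server not permitted");
        }
        ConcurrentHashMap<String, AS400> cache = cacheOf(session);
        AS400 system = cache.get(targetServer);
        if (system == null) {
            // New target for this session: new identity token, new AS400 object.
            AS400 created = new AS400(targetServer);
            created.setGuiAvailable(false); // a server must never prompt for a password
            created.setIdentityToken(tokens.newIdentityToken());
            AS400 earlier = cache.putIfAbsent(targetServer, created);
            system = (earlier != null) ? earlier : created;
        }
        return system;
    }

    @SuppressWarnings("unchecked")
    private static ConcurrentHashMap<String, AS400> cacheOf(HttpSession session) {
        synchronized (session) { // create the per-session map exactly once
            Object map = session.getAttribute(ATTR);
            if (map == null) {
                map = new ConcurrentHashMap<String, AS400>();
                session.setAttribute(ATTR, map);
            }
            return (ConcurrentHashMap<String, AS400>) map;
        }
    }
}
```

Because the cache lives in the HTTP session, the authenticated AS400 objects are never shared between WAS users; calling disconnectAllServices() on each cached object when the session ends releases the connections to the target servers.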

  1. Verify that we have all of the prerequisites installed to use the EIM token connection factory. We must verify that we have installed the necessary program temporary fixes (PTF) to the server and applications. For more information, see Verify Enterprise Identity Mapping identity token connection factory prerequisite applications.

  2. Configure EIM to work with the identity token connection factory. These instructions explain how to complete the following tasks:

    1. Create a domain in EIM.

    2. Add the domain to domain management.

    3. Create a source user registry definition.

    4. Create a user identifier.

    5. Create a target association.

    6. Create a source association.

    7. Test the connection to the EIM domain controller.
    For more information, see Configure Enterprise Identity Mapping.

  3. Configure the EIM identity token connection factory. This step involves configuring two Java Archive (JAR) files and a shared library. For more information, see Configure the Enterprise Identity Mapping identity token connection factory.

  4. Configure the connection factory. For more information, see Automatically configuring the connection factory.


Results

After completing the previous steps, we have configured single sign-on for Enterprise Identity Mapping.



Related concepts

  • Single sign-on for authentication using LTPA cookies


Related tasks

  • Implement single sign-on to minimize web user authentications

  • Enterprise Identity Mapping identity token connection factory parameters
  • Enterprise Identity Mapping troubleshooting tips