WAS v8.5 > Secure applications > Authenticate users

Single sign-on for authentication

With SSO support, web users can authenticate once when accessing WebSphere Application Server resources, Lotus Domino resources, and resources in multiple WAS domains.

The most common method is to use LTPA cookies, which do not require any particular client and allow SSO across different cells, provided that the registry and LTPA keys are the same.

Another method is SPNEGO, which uses the token from a Kerberos login (typically Windows) to authenticate to WAS. This spares users from having to type in their user ID and password again. SPNEGO web authentication provides dynamic reload of the SPNEGO filters and enables fallback to the application login method.

Another method is to use trust association interceptors (TAIs) in combination with a proxy server that does the front-end authentication. The TAI allows the credentials to flow from the proxy server to WebSphere and to be used to log in without re-authenticating the user.


Subtopics

  1. Single sign-on for authentication using LTPA cookies
  2. Use a WAS API to achieve downstream web single sign-on with an LtpaToken2 cookie
  3. Global single sign-on principal mapping for authentication


Related concepts:
Single sign-on for HTTP requests using SPNEGO TAI (deprecated)
Single sign-on for HTTP requests using SPNEGO web authentication
Create a single sign-on for HTTP requests using SPNEGO Web authentication
Implement single sign-on to minimize web user authentications
Configure single sign-on capability with Tivoli Access Manager or WebSEAL

