Configure single sign-on capability with Tivoli Access Manager or WebSEAL
Use the following information to enable single sign-on to WebSphere Application Server using either WebSEAL or the plug-in for web servers.
Either Tivoli Access Manager WebSEAL or the Tivoli Access Manager plug-in for web servers can be used as a reverse proxy server to provide access management and single sign-on (SSO) capability to WAS resources. With such an architecture, either WebSEAL or the plug-in authenticates users and forwards the collected credentials to WAS in the form of an IV header.
Two types of single sign-on are available, the TAI interface and the TAI++ interface, so named because both use WAS trust association interceptors (TAI). With the TAI, the end-user name is extracted from the HTTP header and forwarded to embedded Tivoli Access Manager, where it is used to construct the client credential information and authorize the user. With the TAI++, all of the user credential information is available in the HTTP header, not just the user name. The TAI++ is the more efficient of the two solutions because an LDAP call is not required. TAI functionality is retained for backward compatibility.
Complete the following tasks to enable single sign-on to WAS using either WebSEAL or the plug-in for web servers. These tasks assume that embedded Tivoli Access Manager is configured for use.
- Create a trusted user account for Tivoli Access Manager in the shared LDAP user registry. For more information, see Create a trusted user account in Tivoli Access Manager.
- Configure either WebSEAL or the Tivoli Access Manager plug-in for web servers to work with WAS. For more information, see either of the following articles:
  - Configure WebSEAL for use with WAS
  - Configure Tivoli Access Manager plug-in for web servers for use with WAS
- Configure single sign-on using either the TAI or TAI++ interface. For more information, see either of the following articles:
  - Configure single sign-on using trust association
  - Configure single sign-on using trust association interceptor ++
Subtopics
- Single sign-on settings
  Use this page to set the configuration values for SSO.
- com.tivoli.pd.jcfg.PDJrteCfg utility for Tivoli Access Manager single sign-on
  The com.tivoli.pd.jcfg.PDJrteCfg utility configures the Java Runtime Environment component for Tivoli Access Manager. This utility enables Java applications to use the Tivoli Access Manager policy and authorization servers.
- com.tivoli.pd.jcfg.SvrSslCfg utility for Tivoli Access Manager single sign-on
  The utility is used to configure and remove the configuration information associated with WAS and the Tivoli Access Manager server.
- Create a trusted user account in Tivoli Access Manager
  Tivoli Access Manager trust association interceptors require the creation of a trusted user account in the shared LDAP user registry.
- Configure WebSEAL for use with WAS
  Use this topic to set the SSO password in WebSEAL for single sign-on to WAS.
- Configure Tivoli Access Manager plug-in for web servers for use with WAS
  Tivoli Access Manager plug-in for web servers can be used as a security gateway for the protected WAS resources.
- Configure single sign-on using trust association
  This task is performed to enable single sign-on using trust association. Trust association is used to connect reverse proxy servers to the application server.
- Configure single sign-on using trust association interceptor ++
  Perform this task to enable single sign-on using trust association interceptor ++. The steps involve setting up trust association and creating the interceptor properties.
- Configure global sign-on principal mapping
  We can create a new application login that uses the Tivoli Access Manager GSO database to store the login credentials.
Related
Implement single sign-on to minimize web user authentications