WAS v8.5 > Reference > Sets

Single sign-on settings page

To enable single sign-on, from the dmgr console, go to...

...and fill out settings...

Enabled

The single sign-on function is enabled.

Web applications that use J2EE FormLogin style login pages, such as the dmgr console, require SSO enablement. Only disable SSO for certain advanced configurations where LTPA SSO-type cookies are not required.

Data type: Boolean
Default: Enabled
Range: Enabled or Disabled

Requires SSL

Single sign-on is enabled only when requests are made over HTTPS. When enabled, security is automatically enabled.

Data type: Boolean
Default: Disable
Range: Enable or Disable

Domain name

Domain name (.ibm.com, for example) for all single sign-on hosts. The application server uses information after the first period, from left to right.

If no domain is defined, the host name where the web application is running is used. Single sign-on is then restricted to that application server host name and does not work with other application servers in the domain.

Specify multiple domains with a semicolon (;), a space ( ), a comma (,), or a pipe (|). Each domain is compared with the host name of the HTTP request until the first match is located. For example, if we specify...

    ibm.com;austin.ibm.com

...and a match is found in the ibm.com domain first, the application server sets that domain for the LtpaToken cookie.

The session manager generates the session ID that is written to the cookie when the cookie is created using the setCookie method. The session manager does not set the LtpaToken to cookies.

If we specify UseDomainFromURL, the application server sets the SSO domain name to the domain of the host used in the web address. For example, if an HTTP request comes from...

    server1.raleigh.ibm.com

...the application server sets the SSO domain name value to...

    raleigh.ibm.com

Data type: String
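The domain selection described above can be modelled in a few lines. This is an added example, not IBM's code. The function names, the suffix-match rule, the handling of a leading period, treating UseDomainFromURL as a list entry, and the single-label fallback are assumptions.

```python
import re

# Separators the page lists for multiple domains: semicolon, space, comma, pipe.
_SEPARATORS = re.compile(r"[;,| ]+")


def resolve_sso_domain(setting, request_host):
    """Return the Domain attribute for the LtpaToken cookie, or None for a
    host-only cookie (the page's "not defined" case). request_host is the
    host name of the HTTP request, without a port."""
    host = request_host.lower().rstrip(".")
    for entry in filter(None, _SEPARATORS.split(setting or "")):
        if entry == "UseDomainFromURL":
            # Page example: server1.raleigh.ibm.com -> raleigh.ibm.com
            _, dot, parent = host.partition(".")
            # Assumption: a single-label host has no parent domain to use.
            if dot and parent:
                return parent
            continue
        # Assumption: a leading period (".ibm.com") is ignored, and a match
        # means the host equals the domain or ends with "." + domain.
        domain = entry.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            return domain  # first match wins, as the page describes
    return None


def cookie_scope(setting, request_host):
    """Describe which hosts a browser would send the SSO cookie to."""
    domain = resolve_sso_domain(setting, request_host)
    if domain is None:
        return "host-only: " + request_host
    return "domain-wide: " + domain + " and subdomains"


if __name__ == "__main__":
    # Constructed sample settings and hosts.
    for setting, host in [
        ("ibm.com;austin.ibm.com", "server1.austin.ibm.com"),
        ("austin.ibm.com;ibm.com", "server1.austin.ibm.com"),
        ("UseDomainFromURL", "server1.raleigh.ibm.com"),
        ("", "server1.raleigh.ibm.com"),
    ]:
        print(repr(setting), host, "->", cookie_scope(setting, host))
```

Because the first match wins, listing the broader domain first gives the LtpaToken cookie the wider scope. Put the most specific domain first when the cookie should stay within a subdomain.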

Interoperability mode

The server can send a maximum of two SSO cookies back to the browser. In some cases, the server just sends the interoperable SSO cookie.

Web inbound security attribute propagation

When enabled, security attributes are propagated to front-end application servers. When disabled, the SSO token is used to log in and recreate the Subject from the user registry.

Set security cookies as HTTPOnly to resist cross-site scripting attacks

The HttpOnly attribute is a browser attribute created to prevent client-side applications (such as JavaScript) from accessing cookies, which mitigates some cross-site scripting vulnerabilities. This setting specifies that LTPA and WASReqURL cookies include the HttpOnly attribute. For session cookies, see the session settings for servers, applications, and web modules.

Data type: boolean
Default: enabled
Range: enabled or disabled



