(iSeries) Configure SSO capability with Enterprise Identity Mapping
The Enterprise Identity Mapping (EIM) identity token connection factory is a type of Java 2 Connector (J2C) connection factory. Using EIM identity token connection factories along with EIM identity token-enabled products, such as IBM Toolbox for Java, provides a single sign-on capability for WebSphere Application Server applications that need to access server data and resources through your user ID.
The EIM identity token connection factory is supported on the following WAS products.

Edition name   Supported products
v8.0           WAS (base), WAS ND for IBM i ("Network Deployment Edition")
v6.1           WAS (base), WAS ND for IBM i ("Network Deployment Edition")
v6.0.x         WAS (base), WAS ND for IBM i ("Network Deployment Edition")

(iSeries) Attention: Either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM) may be used with the EIM identity token connection factory. Enabling web security single sign-on (SSO) is optional when LTPA is used with the EIM identity token connection factory. See the information about implementing single sign-on to minimize web user authentications.
We can configure EIM identity token connection factories for v9.0 only. This topic also provides information about a sample application that might be helpful when you develop applications.
Configuration tasks can vary slightly for other WAS products and editions.
The sample application uses an EIM identity token connection factory to provide EIM identity tokens for use with IBM Toolbox for Java com.ibm.as400.access.AS400 objects. For example, if the sample application is deployed on SERVER A, we can log in once to WAS and use the sample application to perform IBM i server commands under the IBM i user profiles on SERVER B, SERVER C, or SERVER D.
When we make a request to the sample application, we must log in with our WAS user ID and password. Each request contains the server command and the target server name where the command runs. When the request is received, the application calls the connection factory to generate an identity token. The connection factory extracts your user ID from a JAAS subject object provided by WAS security, and it collaborates with the EIM domain controller to create the identity token that is returned to the application. The application then creates a com.ibm.as400.access.AS400 object for SERVER B and provides it with the identity token (instead of our IBM i user profile) before it passes the server command to run.
A new identity token and com.ibm.as400.access.AS400 object are created each time that you send a request containing a new target server. All com.ibm.as400.access.AS400 objects are stored in an HTTP Session for use with subsequent requests.
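The request flow described above, as an added Java servlet fragment that is not the page's sample application: the servlet looks up the connection factory through JNDI, asks it for an identity token for the authenticated caller, builds an AS400 object for the requested target server from that token, caches the object in the HTTP session keyed by target server, and runs the command. The connection factory interface (IdentityTokenConnectionFactory with a getIdentityToken() method, declared here as a placeholder), its JNDI name, and the AS400 constructor that accepts a com.ibm.eim.token.IdentityToken are assumptions; check them against the jt400.jar and eim.jar Javadoc in your installation before use.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import com.ibm.as400.access.AS400;
import com.ibm.as400.access.AS400Message;
import com.ibm.as400.access.CommandCall;
import com.ibm.eim.token.IdentityToken;   // from eim.jar; class name assumed

/** Servlet that runs one IBM i command on a target server under the caller's mapped identity. */
public class EimCommandServlet extends HttpServlet {

    /** Placeholder for the resource adapter's connection factory interface (assumed name and method). */
    public interface IdentityTokenConnectionFactory {
        IdentityToken getIdentityToken() throws Exception;
    }

    // Assumed JNDI name under which the J2C connection factory was bound (for example by cfgIdToken.jacl).
    private static final String CF_JNDI_NAME = "java:comp/env/eis/IdentityTokenCF";
    private static final String SESSION_PREFIX = "as400.";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Each request names the target server and the command to run there.
        String target = req.getParameter("target");    // e.g. SERVERB
        String command = req.getParameter("command");
        if (target == null || target.isEmpty() || command == null || command.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "target and command are required");
            return;
        }
        try {
            AS400 system = systemFor(req.getSession(), target);
            CommandCall call = new CommandCall(system);
            boolean ok = call.run(command);
            resp.setContentType("text/plain");
            resp.getWriter().println(ok ? "Command completed" : "Command failed");
            // Echo the job's messages so the user sees why a command failed.
            for (AS400Message msg : call.getMessageList()) {
                resp.getWriter().println(msg.getID() + ": " + msg.getText());
            }
        } catch (Exception e) {
            // Token creation or the command itself failed; do not leak internals to the caller.
            log("EIM command request failed for target " + target, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "request failed");
        }
    }

    /**
     * Returns the AS400 object cached in the session for this target server, creating it from a
     * freshly generated identity token when the target has not been seen in this session before.
     */
    static AS400 systemFor(HttpSession session, String target) throws Exception {
        String key = SESSION_PREFIX + target.toUpperCase();
        AS400 system = (AS400) session.getAttribute(key);
        if (system == null) {
            InitialContext ctx = new InitialContext();
            IdentityTokenConnectionFactory cf;
            try {
                cf = (IdentityTokenConnectionFactory) ctx.lookup(CF_JNDI_NAME);
            } catch (NamingException e) {
                throw new IllegalStateException("identity token connection factory not bound", e);
            }
            // The factory reads the caller's user ID from the JAAS subject that WAS security
            // established at login and has the EIM domain controller issue a token for it.
            IdentityToken token = cf.getIdentityToken();
            // Assumed constructor: the token replaces a user profile and password for the target.
            system = new AS400(target, token);
            session.setAttribute(key, system);
        }
        return system;
    }
}
```

Because the token is derived from the already-authenticated JAAS subject, the application holds no IBM i user profile or password for any target server; invalidating the HTTP session (for example on logout) discards the cached AS400 objects together with the identity they were created from.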
Tasks
- Verify that all of the prerequisites for using the EIM identity token connection factory are installed. We must verify that the necessary program temporary fixes (PTFs) have been installed on the server and for the applications. For more information, see Verifying Enterprise Identity Mapping identity token connection factory prerequisite applications.
- Configure EIM to work with the identity token connection factory. These instructions explain how to complete the following tasks:
  - Create a domain in EIM.
  - Add the domain to domain management.
  - Create a source user registry definition.
  - Create a user identifier.
  - Create a target association.
  - Create a source association.
  - Test the connection to the EIM domain controller.
- Configure the EIM identity token connection factory. This step involves configuring two Java Archive (JAR) files and a shared library. See Configure the Enterprise Identity Mapping identity token connection factory.
- Configure the connection factory. For more information, see Automatically configuring the connection factory.
After completing the previous steps, we have configured single sign-on for Enterprise Identity Mapping.
Subtopics
- (iSeries) Verifying Enterprise Identity Mapping identity token connection factory prerequisite applications
  Use the following procedure to verify that the necessary prerequisites have been installed before using the Enterprise Identity Mapping (EIM) identity token connection factory.
- (iSeries) Configure Enterprise Identity Mapping
  Use the iSeries Navigator to configure Enterprise Identity Mapping (EIM) for use with the identity token connection factory.
- (iSeries) Configure the Enterprise Identity Mapping identity token connection factory
  The Enterprise Identity Mapping (EIM) identity token connection factory requires the eim.jar file to be in the class path for the connection factory. The jt400.jar file must be in the class path for the sample application.
- (iSeries) Manually configuring the connection factory
  The following steps help you manually configure the connection factory.
- (iSeries) Automatically configuring the connection factory
  Use the cfgIdToken.jacl script to automatically configure the Java 2 Connector (J2C) authentication data, the resource adapter, and the connection factory.
- (iSeries) Deploy the Enterprise Identity Mapping sample application
  We can deploy the sample application into the WAS environment.
Related:
- Single sign-on for authentication using LTPA cookies
- Implement single sign-on to minimize web user authentications
- Enterprise Identity Mapping identity token connection factory parameters
- Enterprise Identity Mapping troubleshooting tips