Configure SSO capability with ISAM WebSEAL
Either Security Access Manager WebSEAL or the ISAM plug-in for web servers can be used as a reverse proxy server to provide access management and single sign-on (SSO) capability to WAS resources. Both authenticate users and forward the collected credentials to WAS in the form of an IV header. Two types of single sign-on are available, the TAI interface and the TAI++ interface, so named because both use WAS trust association interceptors (TAI).
- TAI: The end-user name is extracted from the HTTP header and forwarded to embedded TAM, where it is used to construct the client credential information and authorize the user.
- TAI++: All of the user credential information is available in the HTTP header, not just the user name.
TAI++ is the more efficient of the two solutions because an LDAP call is not required. TAI functionality is retained for backwards compatibility.
Enable SSO to WAS using either WebSEAL or the plug-in for web servers
- Verify that the WAS built-in embedded TAM is configured for use.
- Create a trusted user account for TAM in the shared LDAP user registry.
- Configure either WebSEAL or the TAM plug-in for Web servers to work with WAS.
- Configure SSO using either the TAI or TAI++ interface.
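As an added illustration (not IBM's code and not part of the original page), this Python model shows the trust decision behind both interfaces: an IV header counts only when the request also proves it came from the proxy using the trusted user account. It assumes the proxy presents that account in a Basic Authorization header; `iv-user` and `iv-creds` are WebSEAL header names that do not appear on the page, and the account name, password and function names are constructed for the sketch.

```python
import base64
import hmac

# Constructed values; in WAS the shared LDAP registry validates the trusted account.
TRUSTED_ID = b"websealsso"                # hypothetical trusted user account
TRUSTED_PASSWORD = b"constructed-secret"  # hypothetical password


def basic_header(user: bytes, password: bytes) -> str:
    """Build the Basic Authorization value the proxy would attach."""
    return "Basic " + base64.b64encode(user + b":" + password).decode("ascii")


def proxy_is_trusted(headers: dict) -> bool:
    """True only if the request carries the trusted account's credentials."""
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(blob, validate=True).partition(b":")
    except ValueError:  # malformed base64
        return False
    return (hmac.compare_digest(user, TRUSTED_ID)
            and hmac.compare_digest(password, TRUSTED_PASSWORD))


def identity_for(headers: dict, mode: str):
    """Return the identity WAS would accept, or None to refuse trust.

    "TAI": user name only, registry lookup still needed.
    "TAI++": full credential from the header, no LDAP call.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if not proxy_is_trusted(headers):
        return None  # an IV header from an unauthenticated sender proves nothing
    if mode == "TAI":
        user = headers.get("iv-user")
        return {"user": user, "registry_lookup": True} if user else None
    if mode == "TAI++":
        creds = headers.get("iv-creds")
        return {"credential": creds, "registry_lookup": False} if creds else None
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    via_proxy = {"Authorization": basic_header(TRUSTED_ID, TRUSTED_PASSWORD), "iv-user": "alice"}
    print(identity_for(via_proxy, "TAI"))             # accepted
    print(identity_for({"iv-user": "alice"}, "TAI"))  # None: header alone is not trusted
```

The second call is the case to test for in a deployment: if WAS is reachable without passing through the proxy, a client-supplied IV header must not be accepted.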
Subtopics
- Single sign-on settings
- com.tivoli.pd.jcfg.PDJrteCfg utility for TAM single sign-on
- com.tivoli.pd.jcfg.SvrSslCfg utility for TAM single sign-on
- Configure global sign-on principal mapping
See also
- Implement single sign-on to minimize web user authentications
- WebSEAL setup