Enable single sign-on for Tivoli Access Manager with SPNEGO
- Complete the task described in the Configure web browsers to support SPNEGO topic.
- Ensure that IBM Tivoli Access Manager for e-business, version 6.1 Fix Pack 4, is installed.
- This task describes how to enable single sign-on (SSO) for Tivoli Access Manager on the Windows operating system. For information about other operating systems, go to the Configure Windows desktop single signon (UNIX) page in the Tivoli Access Manager information center.
- Connections supports the WebSphere cookie-based lightweight third-party authentication (LTPA) mechanism as an SSO solution for Tivoli Access Manager. IBM Connections does not support other SSO solutions that WebSEAL supports such as WebSphere Trust Association Interceptor (TAI), Forms SSO, Cross-domain SSO, or E-community SSO.
- Connections supports the use of SSL Transparent Path junctions with Tivoli Access Manager. IBM Connections does not support TCP type junctions or Tivoli Access Manager Standard junctions.
- Verify that you can access Connections applications from a web browser.
- Set the IBM WAS single sign-on domain to the same value as the domain of the Tivoli Access Manager server.
Single sign-on (SSO) enables users to log in to a Connections application, and switch to other applications within the product without having to authenticate again.
The IBM Connections DefaultAuthenticator protocol allows the users and Tivoli Access Manager to prove their identities to one another in a secure manner. After users sign in to their Active Directory Windows client systems, they are automatically signed into both Tivoli Access Manager and Connections.
To set up SSO using Tivoli Access Manager with SPNEGO:
- Create a user account for WebSEAL in the Active Directory domain. When creating the user account, ensure that you specify the following options:
- The user cannot change the password
- The password never expires
For example, if you create an account for A User, where the Active Directory domain is tamspnego.myco.com, the user identity is auser@tamspnego.myco.com.
- Map a Kerberos principal to an Active Directory user. Map the service principal name to the account that you created in Step 1 by running the ktpass command on the domain controller. Use the Tivoli Access Manager server through which users access IBM Connections as the instance in the service principal name.
- Run the following ktpass command:
ktpass -princ SPN -mapuser account_name -mapOp set -pass account_password
where
- SPN is the Kerberos service principal name. The host name specified in the SPN should match the host name of the WebSEAL server. For example, if users contact the WebSEAL server at diamond.subnet2.myco.com and the WebSEAL server is part of the EXAMPLE.COM Active Directory domain, the Kerberos principal name is HTTP/diamond.subnet2.myco.com@EXAMPLE.COM.
- account_name is the account name specified in Step 1.
- account_password is the password associated with the account specified in Step 1.
- Modify the Windows service for the WebSEAL instance so that it starts using the new user account that you just created. On the WebSEAL server:
- Click Start > Programs > Administrative Tools > Services.
- Right-click on Access Manager WebSEAL-default and select Properties.
- Click Log On and then click This account.
- Enter the details of the user account and password that you created in Step 1.
- Click OK to save the changes.
- Grant administrator privileges for the local system to the account that you created in Step 1.
- Enable SPNEGO for WebSEAL:
- Stop the WebSEAL server.
- Enable SPNEGO over SSL by adding the following lines to the WebSEAL configuration file:
[spnego]
spnego-auth = https
[authentication-mechanisms]
auth-challenge-type = spnego
kerberosv5 = fully_qualified_path to the authentication library
For example: kerberosv5 = TDI_root\bin\stliauthn.dll
where TDI_root is the install directory of Tivoli Access Manager.
- Restart WebSEAL from the Services Control Panel. On Windows, WebSEAL must be running as a service for SPNEGO authentication to work properly. Otherwise, it runs using the credentials of the logged-in user.
- Configure form-based authentication with transparent junctions. Complete all the steps in the Enable single sign-on for Tivoli Access Manager topic except the steps about updating interService URLs, the Tivoli Access Manager step that allows access to the Embedded Experience gadget, and adding a Tivoli Access Manager authenticator property. You need to use the IBM HTTP Server URLs and the DefaultAuthenticator property in this configuration.
This procedure enables a fallback authentication method for user systems that do not support SPNEGO. This alternative is important for users of Lotus Notes, mobile devices, and other extensions for Connections.
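The procedure above, as an added pre-flight check that is not part of IBM's documentation or of the Tivoli Access Manager product: it derives the service principal name the way Step 2 prescribes (host part equal to the WebSEAL host users contact, realm equal to the Active Directory domain in upper case), renders the ktpass command line from Step 2 without executing it, and audits the [spnego] and [authentication-mechanisms] stanzas from Step 4 so that a WebSEAL instance is not restarted with SPNEGO over plain HTTP or with an unexpanded library path. The sample configuration text, the host names, and the library path under C:\Program Files are constructed for this example.

```python
"""Pre-flight check for the WebSEAL SPNEGO configuration steps.

Added example, not IBM tooling. Sample inputs below are constructed.
"""
import configparser
import ntpath


def build_spn(webseal_host: str, ad_domain: str) -> str:
    """Return the Kerberos service principal name for the WebSEAL instance.

    The host part must be the fully qualified name users type into the
    browser; the realm is the Active Directory domain in upper case.
    """
    host = webseal_host.strip().lower()
    if "." not in host:
        raise ValueError("use the fully qualified WebSEAL host name")
    return f"HTTP/{host}@{ad_domain.strip().upper()}"


def ktpass_command(spn: str, account_name: str, account_password: str) -> list:
    """Render the ktpass invocation from Step 2 as an argv list.

    Returned as a list, not a joined string, so the password is never
    assembled into a shell line that might end up in a command history.
    """
    return ["ktpass", "-princ", spn, "-mapuser", account_name,
            "-mapOp", "set", "-pass", account_password]


# stanza -> {key: required value, or None when any value is accepted}
REQUIRED = {
    "spnego": {"spnego-auth": "https"},
    "authentication-mechanisms": {"auth-challenge-type": "spnego",
                                  "kerberosv5": None},
}


def audit_webseal_config(config_text: str) -> list:
    """Return the list of problems found in the SPNEGO-related stanzas.

    An empty list means the stanzas match what Step 4 requires.
    """
    # WebSEAL configuration files are INI-style; strict=False tolerates
    # repeated keys that other stanzas of a real file may contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    problems = []
    for stanza, keys in REQUIRED.items():
        if not parser.has_section(stanza):
            problems.append(f"missing stanza [{stanza}]")
            continue
        for key, expected in keys.items():
            if not parser.has_option(stanza, key):
                problems.append(f"[{stanza}] lacks {key}")
                continue
            value = parser.get(stanza, key).strip()
            if expected is not None and value.lower() != expected:
                problems.append(f"[{stanza}] {key} is '{value}', expected '{expected}'")
    # kerberosv5 must be a fully qualified Windows path to the library;
    # a placeholder such as TDI_root\bin\stliauthn.dll left unexpanded fails here.
    if parser.has_option("authentication-mechanisms", "kerberosv5"):
        lib = parser.get("authentication-mechanisms", "kerberosv5").strip()
        if not ntpath.isabs(lib):
            problems.append(f"kerberosv5 path is not fully qualified: {lib}")
        if not lib.lower().endswith(".dll"):
            problems.append(f"kerberosv5 does not name a .dll: {lib}")
    return problems


# Constructed sample: the stanzas as Step 4 wants them (install path assumed).
SAMPLE_GOOD = r"""
[spnego]
spnego-auth = https

[authentication-mechanisms]
auth-challenge-type = spnego
kerberosv5 = C:\Program Files\Tivoli\PDWeb\bin\stliauthn.dll
"""

# Constructed sample with three defects: SPNEGO over plain HTTP, no
# auth-challenge-type, and the TDI_root placeholder never expanded.
SAMPLE_WEAK = r"""
[spnego]
spnego-auth = http

[authentication-mechanisms]
kerberosv5 = TDI_root\bin\stliauthn.dll
"""

if __name__ == "__main__":
    spn = build_spn("diamond.subnet2.myco.com", "example.com")
    print("SPN:", spn)
    print("ktpass argv:", ktpass_command(spn, "auser", "<account_password>"))
    for label, text in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, "config:", audit_webseal_config(text) or "no problems")
```

Run it on the domain controller or WebSEAL host before Step 5 and fix every reported problem; an empty result for your real webseald.conf text is the state in which restarting the service as described in Step 4 should succeed.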
Results
After users sign in to the Windows desktop, they are automatically signed into IBM Connections.
For on-ramp plug-ins or mobile services, the data traffic is not authenticated by Kerberos tickets or SPNEGO tokens. It is instead authenticated through Java EE form-based authentication.
What to do next
For more information about Kerberos and SPNEGO, go to the SPNEGO protocol and Kerberos authentication page in the Tivoli Access Manager information center.
Parent topic:
Configure single sign-on