Enable single sign-on
Enabling single sign-on (SSO) preserves user authentication across the different Web applications in WebSphere Commerce. With HTTP single sign-on, the user is not prompted multiple times for security credentials within a given trust domain.
Before you begin
- There must be an existing LDAP server installed and configured.
- WebSphere Commerce must be installed and configured to use LDAP.
- Enable WebSphere Application Server security with Federated Repositories.
- If WebSphere Commerce is switched to participate in a single sign-on environment while shoppers are already stored in the WebSphere Commerce database, modify the WebSphere Commerce configuration file and ensure that the MigrateUsersFromWCSdb flag is set to ON.
- Synchronize the system clocks of all the systems participating in the single sign-on configuration.
Procedure
- Enable single sign-on in WebSphere Application Server.
- Configure single sign-on using the WebSphere Commerce integration wizard.
- Ensure that WebSphere Application Server is in the state that applies to your environment:
- Ensure WebSphere Application Server is started.
- Ensure WebSphere Application Server is not started.
- Open the WebSphere Commerce integration wizard.
WC_INSTALL/bin/WCIntegrationWizard.sh
- Verify the prerequisites for the wizard and click Next.
- Select the WebSphere Commerce instance name, enter and confirm the database password, and click Next.
- Select Single Sign On as the integration task and click Next.
If you have not completed the Enable WebSphere Application Server security with Federated Repositories prerequisite, selecting Single Sign On begins the WebSphere Application Server security with Federated Repositories integration task before continuing with the current integration task.
- Enter the information specific to the single sign-on configuration.
- Enter the single sign-on domain name.
- Optional: Select Configure JAAS Login Module if you want WebSphere Commerce to generate the LTPA token.
Each field is described in the following file:
WC_INSTALL/components/sso/properties/ltpa.properties
- Click Next and verify the summarized information.
- Click Next and Finish to complete the WebSphere Commerce integration wizard.
- Verify that the configuration is complete by searching for the Feature 'ldap','sso' enablement completed sucessfully. string in the log file:
- WCDE_INSTALL/logs/enableFeature.log
- WC_INSTALL/instances/instance/logs/enablesso_time.log
Ensure that you have added create/search/read/write permissions to the DNBind user after enabling single sign-on. This ensures access to the tool pages.
- In the WebSphere Application Server Administration Console, verify the LTPA configuration.
- Log on as:
- the non-root user.
- a user with administrative authority.
- Start the WebSphere Application Server administration server.
- Launch the WebSphere administrative console.
- Click Security and navigate to Global Security > Authentication.
- Ensure that LTPA is selected.
- Click LTPA, enter and verify the password, and enter the key path.
- Click Export.
- Verify that the key is successfully generated.
- Configure the roles that are assigned to users entering the system through single sign-on (SSO). Each time a user connects to the system through SSO, WebSphere Commerce tries to assign the roles defined in the MemberRegistrationAttributes.xml file for registration type = "SSO".
See MemberRegistrationAttributes XML and DTD files for more information.
In WebSphere Commerce, security roles are assigned as part of the registration process. With single sign-on, the customer can bypass the registration step for the site if they have successfully authenticated to a collaborating system. The ability to be implicitly authenticated to a WebSphere Commerce site has very little value if the user will simply end up being denied access to the facilities that they want to use, for example, shopping at a store.
Therefore, the same automated role assignment that happens during user registration also happens in the session management code. In this case you would configure the roles for SSO shoppers using the 'SSO' registration type. This way, when a customer authenticates to the system, WebSphere Commerce automatically grants all of the roles that they should have for the site. Keep in mind that SSO role assignment happens at the site level, not at the store level (as with typical user registration). Therefore, ensure that the storeAncestor attribute specified is actually an ancestor of the site (store 0).
Example:
<User registrationType="SSO" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization, o=Root Organization"/>
</User>
This example gives four roles to any customer who comes into the system through SSO, provided that the customer exists on the LDAP server somewhere below the 'Default Organization' (because of the memberAncestor specified).
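As an added illustration (not WebSphere Commerce code), the following Python models the lookup described above: it reads an SSO User entry of the kind shown, checks whether an authenticated user's LDAP DN lies below memberAncestor, and returns the roles that entry would grant. The <Users> wrapper element and the sample user DNs are assumptions; the User body is the page's example.

```python
"""Added illustration (not WebSphere Commerce code): how an SSO <User> entry in
MemberRegistrationAttributes.xml maps an authenticated user's LDAP DN to roles."""
import re
import xml.etree.ElementTree as ET

# Constructed sample. The <Users> wrapper element is an assumption; the <User>
# body is the example from the page.
SAMPLE_XML = """<Users>
  <User registrationType="SSO" memberAncestor="o=Default Organization,o=Root Organization"
        storeAncestor="o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization, o=Root Organization"/>
  </User>
</Users>"""


def normalize_dn(dn):
    """Split a DN into RDNs, ignoring case and the whitespace around commas and
    equals signs (the page's fourth role DN has a space after a comma).
    Commas escaped with a backslash are kept inside their RDN."""
    rdns = re.split(r"(?<!\\),", dn)
    return tuple(re.sub(r"\s*=\s*", "=", r.strip()).lower() for r in rdns)


def is_below(dn, ancestor):
    """True when dn sits strictly below ancestor in the LDAP tree
    (the ancestor entry itself does not count as being below it)."""
    d, a = normalize_dn(dn), normalize_dn(ancestor)
    return len(d) > len(a) and d[-len(a):] == a


def sso_roles_for(xml_text, user_dn):
    """Return the (role name, role DN) pairs the first matching SSO entry would
    grant to user_dn, or [] when no SSO entry's memberAncestor covers the user."""
    root = ET.fromstring(xml_text)
    for user in root.iter("User"):
        if user.get("registrationType") != "SSO":
            continue
        if not is_below(user_dn, user.get("memberAncestor", "")):
            continue
        return [(r.get("name"), r.get("DN")) for r in user.findall("Role")]
    return []
```

Running sso_roles_for against your own MemberRegistrationAttributes.xml with a test shopper's DN is a quick way to confirm which roles an SSO login would receive before enabling the feature.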
- To enable single sign-on within the Management Center, uncomment the ResolveIdentity action in struts-extension.xml to use the authenticateLTPA service to resolve identity:
The struts-extension.xml file is located in the d:\WebSphere\AppServer\profiles\demo\installedApps\WC_demo_cell\WC_demo.ear\LOBTools.war\WEB-INF directory.
<!--
<action path="/ResolveIdentity" parameter="Person"
        type="com.ibm.commerce.foundation.client.lobtools.actions.AuthenticationClientLibraryAction"
        className="com.ibm.commerce.foundation.client.facade.bod.servlet.struts.BusinessObjectDocumentActionMapping">
    <set-property property="contextParameters" value="channelId" />
    <set-property property="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient" />
    <set-property property="clientLibraryMethod" value="authenticateLTPA" />
    <forward name="success" path="/jsp/commerce/shell/restricted/AuthenticationSuccess.jsp"> </forward>
    <forward name="failed" path="/jsp/commerce/shell/restricted/ResolveIdentityFailed.jsp"> </forward>
</action>
-->
- Restart the WebSphere Application Server.
Results
Alternatively, you can enable WebSphere Application Server security with Federated Repositories and SSO using the command line.
- Encrypt the password:
- Navigate to WC_INSTALL/bin
- Run the following command: wcs_encrypt.bat db_password
- The resulting ASCII encrypted string must be entered in the properties file in the next steps.
- Copy the components/sso/properties/ltpa.properties file to instance/properties/ltpa.properties and modify the file accordingly.
- Copy the components/ldap/properties/vmm.properties file to instance/properties/vmm.properties and modify the file accordingly.
- Run the following command for LDAP:
config_ant.bat -buildfile WC_INSTALL/components/common/xml/enableFeature.xml -DinstanceName=instance -DfeatureName=ldap -DdbUserPassword=db_password
- Run the following command for SSO:
config_ant.bat -buildfile WC_INSTALL/components/common/xml/enableFeature.xml -DinstanceName=instance -DfeatureName=sso -DdbUserPassword=db_password
- Copy the components/sso/properties/ltpa.properties file to WCDE_INSTALL/setup/ltpa.properties and modify the file accordingly.
- Copy the components/ldap/properties/vmm.properties file to WCDE_INSTALL/setup/vmm.properties and modify the file accordingly.
- Run the following command for LDAP:
enableFeature.bat -DfeatureName=ldap
- Run the following command for SSO:
enableFeature.bat -DfeatureName=sso
What to do next
For security purposes, when single sign-on is enabled, close all Web browsers after logging out of Management Center.