WebSphere Portal Express, Version 6.0
Operating systems: i5/OS, Linux, Windows

Single sign-on

Overview

The goal of single sign-on is to provide a secure method of authenticating a user one time within an environment and using that single authentication (for the duration of the session) as a basis for access to other applications, systems, and networks. In the context of IBM® WebSphere® Portal Express, there are two single sign-on realms; ...

Single sign-on for the client realm is established either via the LTPA token functionality of WebSphere Application Server or via an Authentication Proxy.

Backend single sign-on can be established with the LTPA token functionality, if the backend application accepts it, or otherwise via the Credential Vault Portlet Service or the Java Connector Architecture.

The Credential Vault provides a mechanism that assists a portlet in retrieving one of several representations of a user's authenticated identity, which the portlet can then pass to a backend application. In effect, WebSphere Portal Express and the portlet together act as an authentication proxy to the backend application.

Using single sign-on, a user can authenticate once when logging in to WebSphere Portal Express, and the user's identity is passed on to applications without requiring additional identity verification from the user.

The Credential Vault features two levels of single sign-on:

Active Credentials: Encapsulate the functionality of single sign-on for the portlet writer in an object provided by the service.
Passive Credentials: More flexible, but require portlet writers to manage their own connections and authentication to backend applications with the credentials (that is, user ID and password) they retrieved from the Credential Vault.
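The passive-credential case, where the portlet itself owns the backend connection, as an added example (not code from the WebSphere Portal Express documentation): a portlet looks up the Credential Vault Portlet Service through JNDI, retrieves the user's stored user ID and password for a vault slot, hands them to the backend, and wipes its copy of the password afterwards. The slot ID is assumed to come from portlet configuration, and BackendClient is a hypothetical stand-in for whatever protocol the portlet speaks.

```java
import java.util.Arrays;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.portlet.PortletRequest;

import com.ibm.portal.portlet.service.PortletServiceException;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.credentialvault.CredentialSecretNotSetException;
import com.ibm.portal.portlet.service.credentialvault.CredentialVaultService;
import com.ibm.portal.portlet.service.credentialvault.credentials.UserPasswordPassiveCredential;

/** Looks up the Credential Vault service once and fetches passive credentials per request. */
public class PassiveCredentialLookup {

    private static final String CV_JNDI_NAME =
        "portletservice/com.ibm.portal.portlet.service.credentialvault.CredentialVaultService";

    private final CredentialVaultService vault;

    public PassiveCredentialLookup() throws NamingException, PortletServiceException {
        // JNDI lookup of the portlet service home, then the typed Credential Vault service.
        PortletServiceHome home = (PortletServiceHome) new InitialContext().lookup(CV_JNDI_NAME);
        vault = (CredentialVaultService) home.getPortletService(CredentialVaultService.class);
    }

    /**
     * Passive credential: the service only hands back user ID and password; the portlet
     * owns the backend connection. slotId is assumed to come from the portlet's configuration.
     * Returns false, without contacting the backend, if the user has not stored a secret yet.
     */
    public boolean callBackend(String slotId, PortletRequest request, BackendClient client)
            throws PortletServiceException {
        char[] password = null;
        try {
            UserPasswordPassiveCredential cred = (UserPasswordPassiveCredential)
                vault.getCredential(slotId, "UserPasswordPassive", null, request);
            password = cred.getPassword();
            return client.authenticate(cred.getUserId(), password);
        } catch (CredentialSecretNotSetException e) {
            // No secret in this slot yet: the portlet should prompt for it in edit mode instead.
            return false;
        } finally {
            // Keep the secret's lifetime short: wipe the array as soon as the backend call returns
            // (assumes the credential object returned per call is not reused by the service).
            if (password != null) Arrays.fill(password, '\0');
        }
    }

    /** Hypothetical backend client; the real one depends on the backend's protocol. */
    public interface BackendClient {
        boolean authenticate(String userId, char[] password);
    }
}
```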

 

WebSphere Portal Express and JAAS

The single sign-on functions of WebSphere Portal Express use the authentication portion of JAAS. WebSphere Portal Express does not support true JAAS authorization.

WebSphere Portal Express builds a JAAS Subject for each logged-on user...

Principals: A piece of data, such as the user ID or the user's DN, that gives the identity of the Subject.
Credentials: A piece of data, such as a password or a CORBA Credential, that can be used to authenticate a Subject.

The Subject carries around the Principals and Credentials that can be used by the portlet directly or through the credential service.

Parent topic: Authentication