Configuring Enterprise Identity Mapping


To enable single sign-on (SSO) between WebSphere® and iSeries™ Access for Web, configure Enterprise Identity Mapping (EIM). This topic gives an overview of the steps needed to configure EIM; they are intended as a guide for administrators planning and configuring the EIM environment. EIM is part of the Network subcomponent of iSeries Navigator. For background on EIM, see the Enterprise Identity Mapping topic.

Steps to configure Enterprise Identity Mapping:

  1. Create an EIM domain. EIM domain information is stored on a Lightweight Directory Access Protocol (LDAP) directory server. The LDAP administrator distinguished name and password are required in order to create an EIM domain; handle these credentials with care, because they grant control of the whole directory, not only of the EIM data. To create an EIM domain, follow these steps:

    1. In iSeries Navigator, expand <ServerName> > Network > Enterprise Identity Mapping.
    2. Right-click Configuration and select Configure (or Reconfigure, if EIM has been previously configured) to start the EIM configuration wizard.
    3. On the Welcome page, select Create and join a new domain. Select Next.
    4. On the Specify EIM Domain Location page, select one of these as appropriate:

      • On the local Directory server

      • On a remote Directory server
      Select Next.
    5. On the Configure Network Authentication Service page, select No. Select Next.

      Network Authentication Service is not required for EIM in WebSphere environments. For more information about Network Authentication Service, see the "Network authentication service" topic.

    6. Either the Specify User for Connection or the Configure Directory Server page is displayed. Specify the distinguished name and password of the directory server administrator, and the directory server port number, as appropriate. For example:

      Distinguished name: cn=administrator
      Password: myadminpwd
      Port: 389

      Select Next. Port 389 is the unencrypted LDAP port; if the directory server is remote and has SSL configured, use its secure port instead so that the administrator credentials do not cross the network in the clear.

    7. On the Specify Domain page, provide a name for the EIM domain. For example: Domain: EimDomain. Select Next.
    8. On the Specify Parent DN for Domain page, select No. Select Next.
    9. If the directory server is active, a message is displayed indicating to end and restart the directory server for the changes to take effect. Select Yes to restart the directory server.
    10. On the Registry Information page, select Local i5/OS® and deselect Kerberos. Write down the Local i5/OS registry name; it is used as the target registry when creating associations for EIM identifiers. For example: MYISERIES.MYCOMPANY.COM. Select Next.
    11. On the Specify EIM System User page, accept the default, which uses the directory server administrator distinguished name and password when performing EIM operations on behalf of operating system functions. Select Next. Note that the system user only needs to read and update the EIM domain data; the default ties operating-system lookups to the directory administrator's credentials, so a dedicated LDAP user whose access is limited to the EIM data is the least-privilege choice where your directory administrator can provide one.
    12. On the Summary page, confirm the EIM configuration information. Select Finish.
  2. Add EIM domain to Domain Management. To add the EIM domain to Domain Management, follow these steps:

    1. In iSeries Navigator, expand <ServerName> > Network > Enterprise Identity Mapping.

    2. Right-click Domain Management, and select Add Domain.

    3. On the Add Domain dialog, select the EIM domain name entered on the Specify Domain page of the Create an EIM domain step. For example: EimDomain. Select OK.

    4. The domain is added to iSeries Navigator. Expand the domain by selecting the + next to the domain name.

    5. Specify the directory server administrator distinguished name and password at the Connect to EIM domain controller prompt.

    6. Two subcategories are displayed, User Registries and Identifiers.
  3. Create EIM source user registry. To create an EIM source user registry, follow these steps.

    1. In iSeries Navigator, expand <ServerName> > Network > Enterprise Identity Mapping > Domain Management > <DomainName> > User Registries.

    2. Right-click User Registries, and select Add Registry > System.
    3. On the Add System Registry dialog, provide a registry name. For example: Registry: WebSphereUserRegistry

    4. Select LDAP - short name from the registry type selection list. Registry type LDAP - short name is not available in iSeries Navigator releases prior to V5R4M0. If you are using an earlier release of iSeries Navigator, specify 1.3.18.0.2.33.14-caseIgnore as the registry type. This is the object identifier (OID) form of the registry type, with caseIgnore as its normalization method, for registries whose principals are identified by the LDAP short name attribute; V5R4M0 iSeries Navigator displays this OID as "LDAP - short name". Select OK.
  4. Create EIM identifier for each user. An EIM identifier must be created for each user in the WebSphere user registry. When new users are added to the WebSphere user registry, an EIM identifier must be created for each new user. To create an EIM identifier for a user in the WebSphere user registry, follow these steps:

    1. In iSeries Navigator, expand <ServerName> > Network > Enterprise Identity Mapping > Domain Management > <DomainName> > Identifiers.
    2. Right-click Identifiers, and select New Identifier.
    3. On the New EIM Identifier dialog, provide a unique identifier name and optional description. For example: Thomas R. Smith. Select OK.

    4. Repeat the New Identifier steps (right-click Identifiers, select New Identifier, and complete the New EIM Identifier dialog) for each WebSphere user that uses iSeries Access for Web.
  5. Add associations to EIM identifiers. Each EIM identifier requires two EIM associations: a source association naming the WebSphere user identity, and a target association naming the i5/OS user profile that identity is mapped to. Because a target association lets whoever authenticates to WebSphere as the source user act under the target i5/OS user profile, confirm that each mapping is correct and that the target profile carries no more authority than that user should have. To add associations to an EIM identifier, follow these steps. When new EIM identifiers are added to represent new users in the WebSphere user registry, repeat these steps to create the corresponding EIM associations.

    1. In iSeries Navigator, expand <ServerName> > Network > Enterprise Identity Mapping > Domain Management > <DomainName> > Identifiers. A list of identifiers is displayed in the right pane of iSeries Navigator.
    2. Right-click an identifier and select Properties. For example: Thomas R. Smith
    3. From the Associations tabbed page, select Add to add a WebSphere user registry source association.
    4. On the Add Association dialog, provide values for the following fields. You can specify a value or select Browse... to select from a list of known values.

      • Registry: Specify the source registry name entered on the Add System Registry dialog of the Create EIM source user registry step. For example: WebSphereUserRegistry

      • User: Specify the user's WebSphere user identity. For example: tsmith

      • Association type: Source

      Select OK.

    5. From the Associations tabbed page, select Add to add an i5/OS user profile target association.
    6. On the Add Association dialog, provide values for following fields. You can specify a value or select Browse... to select from a list of known values.

      • Registry: Specify the target registry name recorded from the Registry Information page of the Create an EIM domain step. For example: MYISERIES.MYCOMPANY.COM

      • User: Specify the user's i5/OS user profile name. For example: TOMSMITH

      • Association type: Target

      Select OK to add the target association.

    7. Select OK to close the Properties dialog.
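The following is an added example, not IBM's EIM API or any code from the original page. It is a small stand-alone model of the lookup that single sign-on performs once the domain, registries, identifiers and associations above exist: a (source registry, source user) pair is resolved through EIM identifiers to a user in a target registry, which is what the EIM eimGetTargetFromSource() API does. The registry, identifier and user names are the ones used in this procedure; the second identifier (Jane Q. Public / jpublic) is a constructed sample that shows what happens to a newly added WebSphere user whose target association has not been created yet. The case-insensitive name comparison is an assumption that fits both registry types on this page (LDAP - short name with caseIgnore normalization, and i5/OS user profiles).

```python
# Added example (not IBM's EIM API): a model of the EIM lookup used by SSO.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Association:
    registry: str   # registry name, e.g. "WebSphereUserRegistry"
    user: str       # user name as known in that registry
    kind: str       # "source" or "target"


@dataclass
class Identifier:
    name: str                                   # e.g. "Thomas R. Smith"
    associations: list = field(default_factory=list)


class EimDomain:
    def __init__(self, name):
        self.name = name
        self.registries = {}    # registry name -> registry type
        self.identifiers = {}   # identifier name -> Identifier

    def add_registry(self, name, registry_type):
        self.registries[name] = registry_type

    def add_identifier(self, name):
        # Identifier names are unique within a domain.
        if name in self.identifiers:
            raise ValueError(f"identifier {name!r} already exists")
        self.identifiers[name] = Identifier(name)

    def add_association(self, identifier, registry, user, kind):
        # An association may only refer to a registry defined in this domain.
        if registry not in self.registries:
            raise KeyError(f"registry {registry!r} is not defined in domain {self.name!r}")
        if kind not in ("source", "target"):
            raise ValueError(f"association type must be source or target, got {kind!r}")
        self.identifiers[identifier].associations.append(Association(registry, user, kind))

    @staticmethod
    def _same_user(a, b):
        # Assumption: both registries compare names case-insensitively
        # (caseIgnore normalization for LDAP - short name; i5/OS profile names).
        return a.lower() == b.lower()

    def get_target_from_source(self, src_registry, src_user, tgt_registry):
        """Return every target user reachable from the source identity, sorted.

        Walks each identifier: if it carries a source association matching the
        caller's registry and user, every target association in tgt_registry
        on that identifier is a result. No source match or no target means [].
        """
        targets = set()
        for ident in self.identifiers.values():
            has_source = any(
                a.kind == "source" and a.registry == src_registry
                and self._same_user(a.user, src_user)
                for a in ident.associations)
            if not has_source:
                continue
            for a in ident.associations:
                if a.kind == "target" and a.registry == tgt_registry:
                    targets.add(a.user)
        return sorted(targets)

    def resolve_for_sso(self, src_registry, src_user, tgt_registry):
        """SSO must land on exactly one profile; zero or several is a configuration error."""
        targets = self.get_target_from_source(src_registry, src_user, tgt_registry)
        if len(targets) != 1:
            raise LookupError(
                f"{src_registry}/{src_user} maps to {len(targets)} users in {tgt_registry}: {targets}")
        return targets[0]


def build_example_domain():
    """Constructed sample reproducing the values used in the procedure above."""
    d = EimDomain("EimDomain")
    d.add_registry("MYISERIES.MYCOMPANY.COM", "i5/OS")                     # target registry
    d.add_registry("WebSphereUserRegistry", "1.3.18.0.2.33.14-caseIgnore")  # LDAP - short name
    d.add_identifier("Thomas R. Smith")
    d.add_association("Thomas R. Smith", "WebSphereUserRegistry", "tsmith", "source")
    d.add_association("Thomas R. Smith", "MYISERIES.MYCOMPANY.COM", "TOMSMITH", "target")
    # Constructed: a new WebSphere user whose target association has not been added yet.
    d.add_identifier("Jane Q. Public")
    d.add_association("Jane Q. Public", "WebSphereUserRegistry", "jpublic", "source")
    return d


if __name__ == "__main__":
    dom = build_example_domain()
    print(dom.resolve_for_sso("WebSphereUserRegistry", "tsmith", "MYISERIES.MYCOMPANY.COM"))
    print(dom.get_target_from_source("WebSphereUserRegistry", "jpublic", "MYISERIES.MYCOMPANY.COM"))
```

Running the block shows the two outcomes an administrator should expect: the fully configured identifier resolves tsmith to TOMSMITH, while the identifier with only a source association resolves to nothing, which is why the procedure insists on both associations for every identifier. A lookup that returns more than one profile is the other failure to watch for, and resolve_for_sso refuses it rather than picking one.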


Parent topic: Single sign-on considerations

Related information:
Enterprise Identity Mapping
Network authentication service