Single sign-on considerations

 

There are several considerations for using Single sign-on (SSO) with iSeries™ Access for Web in the Web application server and portal environments.

iSeries Access for Web supports participating in WebSphere® SSO environments. When enabled, users provide WebSphere credentials when accessing i5/OS® resources with iSeries Access for Web. The user is authenticated with the active WebSphere user registry and Enterprise Identity Mapping (EIM) is used to map the authenticated WebSphere user identity to an i5/OS user profile. The i5/OS user profile is used to authorize access to the requested i5/OS resources. Single sign-on with WebSphere is supported in both the Web application server and portal environments.

SSO with WebSphere and iSeries Access for Web requires the following configurations:

 

WebSphere global security

For information on WebSphere global security, search for "Configuring global security" in the appropriate version of the WebSphere Application Server information center. Links to the WebSphere information centers are in the IBM® WebSphere Application Server documentation.

 

EIM domain configuration

For information on EIM domain configuration, see the "Configure Enterprise Identity Mapping" topic.

 

EIM Identity Token Connector

The EIM Identity Token Connector is a resource adapter that must be installed and configured into WebSphere when enabling iSeries Access for Web for WebSphere SSO. The iSeries Access for Web application and portal application request identity tokens from the connector. Identity tokens are encrypted data strings that represent the currently authenticated WebSphere user. Identity tokens are input to EIM lookup operations, which map an authenticated WebSphere user identity to an i5/OS user profile.

The connector supports J2C connection factories with JNDI names eis/IdentityToken and eis/iwa_IdentityToken. By default, iSeries Access for Web attempts to use configuration values from the factory defined with JNDI name eis/iwa_IdentityToken. If this factory is not found, configuration values from the factory defined with JNDI name eis/IdentityToken are used.

For information about EIM Identity Token Connector configuration, refer to the Configure the Enterprise Identity Mapping (EIM) Identity Token Connection Factory topic in the WebSphere Application Server for OS/400®, Version 6 Information Center.
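The factory lookup order described above can be checked before enabling SSO. The following is an added example, not code from IBM or from iSeries Access for Web. It assumes the configured J2C connection factories are available as XML elements that carry a jndiName attribute; the sample document, its element names and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Lookup order stated on this page: the iwa-specific factory wins when present.
LOOKUP_ORDER = ("eis/iwa_IdentityToken", "eis/IdentityToken")

# Constructed, simplified sample (not a real WebSphere file; element and
# namespace names are assumptions made for this illustration).
SAMPLE_CONFIG = """\
<config xmlns:j2c="urn:constructed-example">
  <j2c:J2CResourceAdapter name="EIM Identity Token Connector">
    <factories name="shared-token-cf" jndiName="eis/IdentityToken"/>
    <factories name="iwa-token-cf" jndiName="eis/iwa_IdentityToken"/>
    <factories name="unrelated-cf" jndiName="eis/SomethingElse"/>
  </j2c:J2CResourceAdapter>
</config>
"""


def configured_factories(xml_text):
    """Map each JNDI name in the document to the factory names bound to it."""
    found = {}
    for elem in ET.fromstring(xml_text).iter():
        jndi = elem.get("jndiName")
        if jndi:
            found.setdefault(jndi, []).append(elem.get("name", "<unnamed>"))
    return found


def audit_identity_token_factories(xml_text):
    """Return (effective JNDI name or None, findings an administrator should review)."""
    found = configured_factories(xml_text)
    present = [name for name in LOOKUP_ORDER if name in found]
    if not present:
        return None, ["neither %s nor %s is configured" % LOOKUP_ORDER]
    effective = present[0]
    findings = []
    if len(present) == 2:
        findings.append(
            "%s is not used because %s exists; confirm that its configuration "
            "values are the intended ones" % (present[1], effective))
    for name in present:
        if len(found[name]) > 1:
            findings.append("%s is bound by several factories: %s"
                            % (name, ", ".join(found[name])))
    return effective, findings


if __name__ == "__main__":
    effective, findings = audit_identity_token_factories(SAMPLE_CONFIG)
    print("effective factory:", effective, "| review:", findings)
```

With the constructed sample, the check reports eis/iwa_IdentityToken as the effective factory and flags that eis/IdentityToken is present but not used.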

 

Configuration examples

See the "WebSphere Application Server V6.0 for OS/400 with Single sign-on" topic for an example of configuring iSeries Access for Web with SSO in a Web application server environment.

See the "WebSphere Portal - Express for Multiplatforms V5.0.2 (iSeries) with Single sign-on" topic for an example of configuring iSeries Access for Web with SSO in a portal application environment.

 
