i5/OS enablement


This information explains the i5/OS® considerations for the enablement of single signon, and which i5/OS applications and programs can participate in a single signon environment.

The i5/OS implementation of Enterprise Identity Mapping (EIM) and Kerberos (referred to as network authentication service) provides a true multi-tier single signon environment. Network authentication service is IBM's implementation of Kerberos and the Generic Security Service (GSS) APIs. You can use EIM to define associations that provide a mapping between a Kerberos principal and an i5/OS user profile. You can then use these associations to determine which EIM identifier corresponds to a local i5/OS user profile or Kerberos principal. This is one of the benefits of enabling single signon in i5/OS on the server.


i5/OS enablement of single signon

To enable a single signon environment, IBM® exploits two technologies that work together: EIM and network authentication service, which is IBM's implementation of Kerberos and the GSS APIs. By configuring these two technologies, an administrator can enable a single signon environment. Windows® 2000, XP, AIX®, and zSeries® use the Kerberos protocol to authenticate users to the network. Kerberos involves the use of a network-based, secure key distribution center (KDC), which authenticates principals (Kerberos users) to the network. The fact that a user has authenticated to the KDC is represented by a Kerberos ticket. A ticket can be passed from a user to a service that accepts tickets. The service accepting a ticket uses it to determine who the user claims to be (within the Kerberos user registry and realm) and that they are in fact who they claim to be.

While network authentication service allows a server to participate in a Kerberos realm, EIM provides a mechanism for associating these Kerberos principals to a single EIM identifier that represents that user within the entire enterprise. Other user identities, such as an i5/OS user name, can also be associated with this EIM identifier. Based on these associations, EIM provides a mechanism for i5/OS and applications to determine which i5/OS user profile represents the person or entity represented by the Kerberos principal. You can think of the information in EIM as a tree with an EIM identifier as the root, and the list of user identities associated with the EIM identifier as the branches.
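The mapping described above, as an added illustration that is not part of the IBM documentation: a simplified, hypothetical model of an EIM domain (not the real EIM APIs) in which a Kerberos principal is resolved through its EIM identifier to the i5/OS user profile on a given system, with the two failure cases a server must handle, no association and an ambiguous one. Registry names, identifier names and user identities are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class UserIdentity:
    registry: str  # the user registry: a Kerberos realm or an i5/OS system name
    name: str      # the identity within that registry

class EimDomain:  # hypothetical, simplified model; not the real EIM APIs
    def __init__(self):
        self._targets = defaultdict(set)  # EIM identifier -> target identities (the branches)
        self._sources = defaultdict(set)  # source identity -> EIM identifiers it can map to

    def add_source_association(self, identifier, identity):
        self._sources[identity].add(identifier)

    def add_target_association(self, identifier, identity):
        self._targets[identifier].add(identity)

    def get_target_from_source(self, source, target_registry):
        """Resolve an authenticated source identity (a Kerberos principal) to the one
        target identity in target_registry; raise LookupError if none or ambiguous."""
        identifiers = self._sources.get(source, set())
        if not identifiers:
            raise LookupError(f"no source association for {source.name} in {source.registry}")
        matches = sorted(t.name for i in identifiers
                         for t in self._targets[i] if t.registry == target_registry)
        if not matches:
            raise LookupError(f"no target association in {target_registry}")
        if len(matches) > 1:  # two profiles for one person on one system: refuse to guess
            raise LookupError(f"ambiguous mapping in {target_registry}: {matches}")
        return matches[0]

def build_sample_domain():
    """Constructed sample data: EIM identifier 'John Smith' with a Kerberos source
    association and one i5/OS target association on each of two systems."""
    dom = EimDomain()
    dom.add_source_association("John Smith", UserIdentity("MYCO.COM", "jsmith@MYCO.COM"))
    dom.add_target_association("John Smith", UserIdentity("SYSTEMA", "JSMITH"))
    dom.add_target_association("John Smith", UserIdentity("SYSTEMB", "JOHNS"))
    return dom

def resolve_profile(domain, principal, realm, system):
    """Return the i5/OS user profile for a Kerberos principal on one system, or None
    when the mapping is missing or ambiguous so the caller can reject the request."""
    try:
        return domain.get_target_from_source(UserIdentity(realm, principal), system)
    except LookupError:
        return None
```

The same person maps to different profile names on SYSTEMA and SYSTEMB, while an unknown principal, a system with no target association, or a second profile on the same system all yield None rather than a guessed profile.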

Enabling single signon for your server simplifies the task of managing i5/OS user profiles and reduces the number of sign-ons that a user must perform to access multiple i5/OS applications and servers. Additionally, it reduces the amount of time that is required for password management by each user. Single signon allows each user to remember and use fewer passwords to access applications and servers, thereby simplifying their iSeries™ experience.


i5/OS client and server applications currently enabled for single signon
