Manage the single sign-on configuration

Use the Single Sign-On Configuration page to configure, reconfigure, or unconfigure single sign-on for the IBM Security Identity Manager (ISIM) virtual appliance. We can also enable tracing to troubleshoot single sign-on.

  1. From the top-level menu of the Appliance Dashboard, click...

      Configure > Manage Server Setting > Single Sign-On Configuration

    The Single Sign-On Configuration page displays the tabs described in the following sections.

  2. In the Single Sign-On Configuration page, do one of the actions on the following tabs.


IBM Security Access Manager (ISAM) SSO tab

Configure a new single sign-on:

  1. Click Configure.

  2. In the Single Sign-On Configuration Details window, set the following fields.

    Policy server detail A list of ISAM policy servers with which the application server can communicate. Each entry has the format host name, TCP/IP port number, and numerical rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following two policy servers both use the default TCP/IP port 7135.

      primary.myco.com:7135:1,secondary.myco.com:7135:2

    The host name of policy server with rank 1 is used to configure the Java Runtime Environment component for ISAM.

    Authorization server detail A list of ISAM authorization servers with which the application server can communicate. Each entry has the format host name, TCP/IP port number, and numerical rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following two authorization servers both use the default TCP/IP port 7136.

      secazn.myco.com:7136:2,primazn.myco.com:7136:1
    ISAM administrator An ISAM user with administrative privileges.
    ISAM administrator password The password associated with the specified ISAM administrative user.
    ISAM user The ISAM user that we created.
    Account Mapping During single sign-on, account mapping occurs between ISAM and IBM Security Identity Manager during login authentication. The following values are used.

    True

    No mapping is attempted. The ISAM user account that is passed in the iv-user HTTP request header must be identical to an IBM Security Identity Manager user account. This user account is defined in the IBM Security Identity Manager directory for the user to log in to IBM Security Identity Manager.

    False

    The ISAM user account that is passed in the iv-user HTTP request header is used to search the ISAM directory for a matching IBM Security Identity Manager user account.
    Logout page This option specifies the ISIM logout page for its console and the self-service user interface. We can use the default logout page provided with ISIM, or provide our own logout page.

    Webseal default

    This logout option is the most secure. Use it when we want the following combined behavior when we click Logoff:
    • End the logon session.
    • End the logon session and start the pkmslogout function.

    Single Sign-On default

    Use this logout page for the following combined behavior when we click Logoff:
    • End the current logon session and provide a link to return to IBM Security Identity Manager.
    • Remain logged in to ISAM. The iv-user HTTP header information is still available. For example, this action provides for continued use of a portal page or a return to ISAM without a logon prompt.

    Other

    Select this option to specify our own logout page. In the Specify field, browse to the location of the .jsp file to use as the logout page.

  3. Click Save Configuration.
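The policy server and authorization server entries above share one text format, host:port:rank with entries separated by commas, and the page states that the rank-1 policy server host is the one used to configure the ISAM Java Runtime Environment component. The following Python script is an added example, not part of this IBM page or of the product, that parses and validates such an entry before it is pasted into the appliance, rejecting the malformed cases an administrator is most likely to produce (a missing field, an out-of-range port, duplicate ranks, or no rank-1 server) and reporting which host would be selected. The sample values are the page's own example entries; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Sample entries copied from the page's examples (hypothetical hosts).
POLICY_SERVERS = "primary.myco.com:7135:1,secondary.myco.com:7135:2"
AUTHZ_SERVERS = "secazn.myco.com:7136:2,primazn.myco.com:7136:1"

# Conservative host-name check: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, total length at most 253 characters.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


@dataclass(frozen=True)
class ServerEntry:
    host: str
    port: int
    rank: int


def parse_server_list(value: str) -> List[ServerEntry]:
    """Parse 'host:port:rank,host:port:rank,...' into ServerEntry objects.

    Every field is validated and a ValueError is raised on the first defect,
    so a bad entry is caught before it reaches the appliance configuration.
    The result is sorted by rank, so index 0 is the rank-1 server.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError("empty server entry in list")
        parts = item.split(":")
        if len(parts) != 3:
            raise ValueError(f"expected host:port:rank, got {item!r}")
        host, port_s, rank_s = (p.strip() for p in parts)
        if not _HOST_RE.match(host):
            raise ValueError(f"invalid host name {host!r}")
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"invalid TCP port {port_s!r} for {host}")
        if not rank_s.isdigit() or int(rank_s) < 1:
            raise ValueError(f"rank must be a positive integer, got {rank_s!r}")
        entries.append(ServerEntry(host, int(port_s), int(rank_s)))

    ranks = [e.rank for e in entries]
    if len(set(ranks)) != len(ranks):
        raise ValueError(f"duplicate ranks in server list: {sorted(ranks)}")
    if 1 not in ranks:
        raise ValueError("no server has rank 1; a rank-1 server is required")
    return sorted(entries, key=lambda e: e.rank)


def rank1_host(value: str) -> str:
    """Host of the rank-1 entry: for the policy server list this is the host
    the page says is used to configure the ISAM Java Runtime component."""
    return parse_server_list(value)[0].host


def is_valid_server_list(value: str) -> bool:
    """True if the entry parses cleanly, False otherwise (for quick checks)."""
    try:
        parse_server_list(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, value in (("policy", POLICY_SERVERS), ("authorization", AUTHZ_SERVERS)):
        servers = parse_server_list(value)
        print(f"{label} servers, by rank:")
        for s in servers:
            print(f"  rank {s.rank}: {s.host}:{s.port}")
        print(f"  rank-1 host: {servers[0].host}")
```

Note that the authorization server example on the page lists the rank-2 host first; the parser sorts by rank, so the order in which the entries are typed does not matter, only the rank values do.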

Reconfigure an existing single sign-on:

Before reconfiguring, create a snapshot to recover from any configuration failures. See Manage the snapshots.

  1. From the Single Sign-On Configuration table, select a record.

  2. Click Reconfigure.

  3. In the Edit Single Sign-On Configuration Details window, edit the configuration variables.

    Policy server detail

    Provides a list of ISAM policy servers with which the application server can communicate. Each entry has the format host name, TCP/IP port number, and numerical rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following two policy servers both use the default TCP/IP port 7135.

      primary.myco.com:7135:1,secondary.myco.com:7135:2

    The host name of policy server with rank 1 is used to configure the Java Runtime Environment component for ISAM.

    Authorization server detail

    Provides a list of ISAM authorization servers with which the application server can communicate. Each entry has the format host name, TCP/IP port number, and numerical rank, separated by colons. Multiple servers can be specified by separating them with commas. For example, the following two authorization servers both use the default TCP/IP port 7136.

      secazn.myco.com:7136:2,primazn.myco.com:7136:1

    IBM Security Access Manager administrator

    An ISAM user with administrative privileges.

    IBM Security Access Manager administrator password

    The password associated with the specified ISAM administrative user.

    IBM Security Access Manager user

    The ISAM user that we created. See Create a user in ISAM that WebSEAL uses to connect to the backend server.

    Account Mapping

    During single sign-on, account mapping occurs between ISAM and IBM Security Identity Manager during login authentication. The following values are used.

    True

    No mapping is attempted. The ISAM user account that is passed in the iv-user HTTP request header must be identical to an IBM Security Identity Manager user account. This user account is defined in the IBM Security Identity Manager directory for the user to log in to IBM Security Identity Manager.

    False

    The ISAM user account that is passed in the iv-user HTTP request header is used to search the ISAM directory for a matching IBM Security Identity Manager user account. See Account mapping between ISAM and ISIM during login.

    Logout page

    This option specifies the ISIM logout page for its console and the self-service user interface. We can use the default logout page provided with ISIM, or provide our own logout page.

    Webseal default

    This logout option is the most secure. Use it when we want the following combined behavior when we click Logoff:
    • End the logon session.
    • End the logon session and start the pkmslogout function.

    Single Sign-On default

    Use this logout page for the following combined behavior when we click Logoff:
    • End the current logon session and provide a link to return to ISIM.
    • Remain logged in to ISAM. The iv-user HTTP header information is still available. For example, this action provides for continued use of a portal page or a return to ISAM without a logon prompt.

    Other

    Select this option to specify our own logout page. In the Specify field, browse to the location of the .jsp file to use as the logout page.

  4. Click Save Configuration.


Unconfiguring an existing single sign-on

Before unconfiguring, create a snapshot to recover from any configuration failures. See Manage the snapshots.

  1. From the Single Sign-On Configuration table, select Single-Sign-On.

  2. Click Unconfigure.

  3. Click Yes to confirm the operation.


Trace Settings

This option is enabled only when single sign-on is configured.

  1. From the Single Sign-On Configuration table, select Single-Sign-On.

  2. Click Trace Setting.

  3. In the dialog, click the check boxes to enable either or both of the tracing components.
    • ISAM Java runtime tracing
    • Application level ISAM Java runtime tracing

  4. Click Save Configuration.


LTPA Keys tab

To export the LTPA keys, do these steps:

  1. Enter a password for the LTPA keys.

  2. Enter the password again to confirm it.

  3. Click Export LTPA Keys to save the LTPA key file on your local computer.

    Use this key to establish single sign-on between the client application server and the application server on which ISIM is installed. The application that is installed in the application server of the client communicates with ISIM.


Trusted Realms tab

To configure the Trusted Realms, do the following steps:
  1. Specify a realm or a list of realms to configure as a trusted realm.

    Separate each realm in the list with the pipe character (|). For example: realm1|realm2|realm.

  2. Click Configure Trusted Realms.

    By applying this configuration, we ensure that the security realm of the sample single sign-on application is deployed as a trusted realm of the ISIM server.

Parent topic: Virtual appliance configuration