ISIM web services in a single sign-on environment

The single sign-on (SSO) sample application in the ISIM installed example directory achieves single sign-on with ISIM web services by passing the LTPA identity token in the HTTP header. The user can access WebSphere Application Server resources without having to log in to WAS again. The SSO application inserts the LTPA token into the SOAP header and then makes a web service call. The ISIM security domain that is scoped to a WAS instance is ISIMSecurityDomain. If your WAS instance is in a separate ISIM domain, configure a trusted realm for your instance in ISIMSecurityDomain.

The SSO application can run on the same WebSphere Application Server as ISIM and use ISIMSecurityDomain. When deployed on a separate server from ISIM, the SSO application must be configured to share the ISIM user registry. Upon successful authentication, the SSO application receives an LTPA cookie in the response header from the WebSphere Application Server. The sample application extracts the LtpaToken2 cookie from the HTTP header and sets it in the session. The WebServiceCall servlet then starts the getPrincipalPerson web service API.

If the SSO application is not accessed from a WebSEAL junction, a form-based login is used. ISAM users can log in to the sample application using the same credentials as their ISIM account.

When the SSO application is accessed from a WebSEAL junction, the Trust Association Interceptor (TAI) prevents WebSphere security from requiring multiple authentications. ISAM users can log in to the sample application using the credentials from the WebSEAL authentication server. When the SSO application is deployed in the same WebSphere Application Server with the same ISIMSecurityDomain, it can log in to ISAM seamlessly with the LTPA token from WebSEAL. When run on a separate WebSphere Application Server, the SSO application must run under a separate domain, and the user security realm must be configured as a trusted realm in ISIMSecurityDomain.

The SSO application demonstrates that SSO authentication with ISIM web services can be achieved in various deployment scenarios by using the WS-Security header. Modify the SOAP message to add the WS-Security BinarySecurityToken header; the BinarySecurityToken element has the LTPA identity token embedded. To enable ISIM web services to process the security header, modify the SOAP message in the outgoing request of the ClientHandler. Provide the WS-Security header with the actor attribute:
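The outgoing-request step described above, as an added example of how a JAX-WS client handler can add the WS-Security BinarySecurityToken carrying the session's LtpaToken2 value; this is not the sample's ClientHandler, and the actor URI, the request-context key and the LTPA ValueType URI are assumptions marked in the code.

```java
import java.util.Collections;
import java.util.Set;
import javax.xml.namespace.QName;
import javax.xml.soap.*;
import javax.xml.ws.handler.MessageContext;
import javax.xml.ws.handler.soap.SOAPHandler;
import javax.xml.ws.handler.soap.SOAPMessageContext;

/** JAX-WS client handler that embeds the session's LTPA token in a WS-Security header on every outbound request. */
public class LtpaSecurityHeaderHandler implements SOAPHandler<SOAPMessageContext> {
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String BASE64_ENCODING =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
    // Assumption: WebSphere's ValueType URI for an LTPAv2 (LtpaToken2) token; verify against your WAS level.
    private static final String LTPA_VALUE_TYPE = "http://www.ibm.com/websphere/appserver/tokentype";
    // PLACEHOLDER: use the actor URI that the ISIM web services security handler is configured to process.
    private static final String ACTOR = "urn:example:isim-ws-security-actor";
    // Request-context key under which the caller stores the LtpaToken2 cookie value (hypothetical name).
    public static final String TOKEN_PROPERTY = "com.example.sso.ltpaToken";
    private static final QName SECURITY = new QName(WSSE_NS, "Security", "wsse");

    @Override
    public boolean handleMessage(SOAPMessageContext ctx) {
        // Only decorate the outgoing request; responses pass through untouched.
        if (!Boolean.TRUE.equals(ctx.get(MessageContext.MESSAGE_OUTBOUND_PROPERTY))) return true;
        String token = (String) ctx.get(TOKEN_PROPERTY);
        if (token == null || token.isEmpty()) return true; // no session token: send unauthenticated and let ISIM reject it
        try {
            SOAPEnvelope env = ctx.getMessage().getSOAPPart().getEnvelope();
            SOAPHeader header = env.getHeader() != null ? env.getHeader() : env.addHeader();
            SOAPHeaderElement security = header.addHeaderElement(SECURITY);
            security.setActor(ACTOR); // the actor attribute that targets the ISIM-side security processing
            SOAPElement bst = security.addChildElement("BinarySecurityToken", "wsse", WSSE_NS);
            bst.setAttribute("ValueType", LTPA_VALUE_TYPE);
            bst.setAttribute("EncodingType", BASE64_ENCODING);
            bst.addTextNode(token); // LtpaToken2 is already base64; it is a bearer credential, so never log it
        } catch (SOAPException e) {
            throw new RuntimeException("Could not add WS-Security header", e);
        }
        return true;
    }

    @Override public boolean handleFault(SOAPMessageContext ctx) { return true; }
    @Override public void close(MessageContext ctx) { }
    @Override public Set<QName> getHeaders() { return Collections.singleton(SECURITY); }
}
```

The caller places the cookie value in the port's request context under TOKEN_PROPERTY before invoking getPrincipalPerson, and the handler is registered on the client binding's handler chain.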

Parent topic: Configuration of single sign-on