Install the SSO application on a separate system from the one where ISIM is installed

You must install the single sign-on application by using the WebSphere Application Server administrative console.

Familiarize yourself with the SSO application details and installation requirements before you install it.

You must install the WebSphere Application Server fixes that are specified in ISIM Release Notes. Use the installation instructions in the Release Notes to install the fixes. Install the SSO application on the WebSphere Application Server where ISIM is installed.

When the SSO application is installed on a separate system, ISAM is positioned as a single sign-on front end. It returns an LTPA token from the WebSphere Application Server or from ISAM, depending on whether the junction has LTPA enabled.

  1. Prepare the WebSphere Application Server environment. See Preparing the WebSphere Application Server.

  2. Build the SSO application to create the itim_ws.war file. For information about building the application, see Building the SSO application.

  3. Use File Transfer Protocol (FTP) to copy the itim_ws.war file to the location in the system where the SSO application is going to be deployed.

  4. Install the application by using the WebSphere Application Server administrative console.

    1. Log on to the WebSphere Application Server administrative console. For example, http://localhost:9060/ibm/console

    2. Click Applications > New Applications > New Enterprise Application.

    3. In the Path to the new application area, select Local file system.

    4. Click Browse to set Full path to the location of the itim_ws.war file.

    5. Click Next.

    6. In the How do you want to install the application area, select Detailed - Show all installation options and parameters.

    7. Click Next.

    8. At the Application Security Warnings window, click Continue.

    9. Click the Map context roots for Web modules step and specify the context root value as /itim_ws.

    10. Click the Map security roles to users or groups step. Select the ITIM_CLIENT role.

    11. Click Map Special Subjects > All Authenticated in Trusted Realms.

    12. Click Next repeatedly until the Summary window is displayed.

    13. Click Finish.

    14. Click Save to save your changes directly to the master configuration.

  5. Update the class loader properties.

    1. Click Applications > Application Types > WebSphere enterprise applications.

    2. Click itim_ws.war.

    3. Under Detailed Properties, click Class loading and update detection.

    4. Select Classes loaded with local class loader first (parent last) for the Class loader order and Single class loader for application for the WAR class loader policy.

    5. Click OK.

    6. Click Save to save your changes directly to the master configuration.

  6. Ensure that you properly export and import the LTPA keys for correct encryption and decryption of the identity tokens (LTPA). See the WebSphere Application Server documentation for setting up SSO by using LTPA with multiple servers.

  7. Make the security realm in which the sample SSO application is deployed a trusted realm of the ISIM server. Perform the following steps from the ISIM virtual appliance.
    1. From the top-level menu of the Appliance Dashboard, click Configure > Manage Server Setting > Single Sign-On Configuration.
    2. In the Single Sign-On Configuration page, click the Trusted Realms tab and configure the trusted realm. See Manage the single sign-on configuration.
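
A check for steps 6 and 7, as an added example that is not part of the original documentation: it compares the LTPA key export taken from the SSO application's server with the one from the ISIM server, and reports the realm that ISIM has to trust. The sample exports, key values and realm names are constructed, and the script assumes the `name=value` properties layout of a WebSphere LTPA key export.

```python
import hashlib

# Property names found in a WebSphere LTPA key export file.
P = "com.ibm.websphere.ltpa."
KEY_FIELDS = (P + "3DESKey", P + "PrivateKey", P + "PublicKey")
REALM_FIELD = P + "Realm"

# Constructed sample exports: placeholder values, not real key material.
SSO_EXPORT = """#IBM WebSphere Application Server key file
com.ibm.websphere.ltpa.3DESKey=Q09OU1RSVUNURUQtM0RFUw\\=\\=
com.ibm.websphere.ltpa.PrivateKey=Q09OU1RSVUNURUQtUFJJVg\\=\\=
com.ibm.websphere.ltpa.PublicKey=Q09OU1RSVUNURUQtUFVC
com.ibm.websphere.ltpa.Realm=ssoRealm.example
"""
ISIM_EXPORT = SSO_EXPORT.replace("ssoRealm.example", "isimRealm.example")

def parse_key_file(text):
    """Parse the Java-properties text of an LTPA key export into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        name, sep, value = line.partition("=")
        if sep:
            # Java properties escape '=' and ':' in values (base64 padding).
            value = value.strip().replace("\\=", "=").replace("\\:", ":")
            props[name.strip()] = value
    return props

def fingerprint(value):
    """Truncated SHA-256, so reports never contain the key material itself."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]

def compare_exports(sso_text, isim_text):
    """Compare the SSO application server's export with the ISIM server's."""
    sso, isim = parse_key_file(sso_text), parse_key_file(isim_text)
    missing = [f for f in KEY_FIELDS if f not in sso or f not in isim]
    mismatched = [f for f in KEY_FIELDS
                  if f not in missing and sso[f] != isim[f]]
    sso_realm, isim_realm = sso.get(REALM_FIELD), isim.get(REALM_FIELD)
    return {
        "keys_match": not missing and not mismatched,
        "missing": missing,
        "mismatched": {f: (fingerprint(sso[f]), fingerprint(isim[f]))
                       for f in mismatched},
        # Differing realms: the SSO server's realm must be trusted by ISIM (step 7).
        "realm_to_trust": sso_realm if sso_realm != isim_realm else None,
    }
```

A result with `keys_match` set to false means tokens issued on one server cannot be decrypted on the other, so the export and import in step 6 has to be repeated.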

The SSO application works only with its own authentication by using the ISIM user registry. You must enable authentication with WebSEAL.
