Single sign-on with the Security Token Service

Examples of the Security Token Service token types that can be used for single sign-on:

WebSEAL can obtain tokens for single sign-on to junctions from the Security Token Service (STS), which generates SSO tokens by using STS modules. WebSEAL retrieves a token by delegating the token request to the module in the following manner:

  1. The client authenticates to WebSEAL over HTTPS or HTTP and requests an object on the junctioned server. Before access to the junctioned server can be granted, WebSEAL needs an SSO credential issued by the STS.

  2. WebSEAL sends a Simple Object Access Protocol (SOAP) request, a WS-Trust token request, to the STS, asking for an SSO token for that junction.

  3. The STS generates the token according to the configuration of the STS module that the matching trust chain selects.

  4. The STS returns the token to WebSEAL, and then WebSEAL forwards the token to the junction.

A trust chain must be created in the STS to handle the generation of the security token. The STS selects the chain by matching the AppliesTo, Issuer, and TokenType elements of the WS-Trust request that WebSEAL sends; the following table lists the configuration requirements for the trust chain.

Trust Chain Element            Requirement
-----------------------------  ------------------------------------------------------------------
Request Type                   Issue Oasis URI
Lookup Type                    Use Traditional WS-Trust Elements (AppliesTo, Issuer, and TokenType)
AppliesTo: Address             Corresponds to the applies-to option in the [tfimsso:<jct id>] stanza of the WebSEAL configuration file.
AppliesTo: Service Name        Corresponds to the service-name option in the [tfimsso:<jct id>] stanza of the WebSEAL configuration file. Set the fields of this entry to either:
                                 • an asterisk (*), to match all service names, or
                                 • a value whose second field is the value defined by [tfimsso:<jct id>] service-name.
AppliesTo: Port Type           Not set.
Issuer: Address                amwebrte-sts-client
Issuer: Service Name           Not set.
Issuer: Port Type              Not set.
TokenType                      One of the supported Security Token Service SSO token types.
Trust Service Chain Modules    com.tivoli.am.fim.trustserver.sts.modules.STSTokenIVCred with -mode = validate (validates the WebSEAL credential passed in the request), followed by
                               com.tivoli.am.fim.trustserver.sts.modules.<any STS module> with -mode = issue (generates the SSO token).

Refer to the Security Token Service documentation for further details on configuring trust chains.

To create a junction for STS single sign-on, use the junction create command (server task create) with the -Y option. For details, see "Options" under server task create or server task virtualhost create. Before you can use the junction create command with the -Y option, the WebSEAL configuration file must be configured for the specific junction that is to use STS single sign-on.

Configuration options for the STS single sign-on approach are specified in the [tfimsso:<jct-id>] stanza. Each such stanza holds the STS single sign-on configuration for a single junction. For standard junctions, the stanza name is qualified with the name of the junction point, including the leading forward slash; for example: [tfimsso:/junction_a]. For virtual host junctions, the stanza name is qualified with the virtual host label; for example: [tfimsso:www.ibm.com].

The tfim-cluster-name option in the [tfimsso:<jct-id>] stanza names the cluster of servers that host the STS. Use the corresponding [tfim-cluster:<cluster>] stanza to specify options for that cluster.

In each server entry of the [tfim-cluster:<cluster>] stanza, specify the priority level and the URL of a web server that acts as a proxy for the STS. The stanza can contain multiple server entries, which are used to list several servers for failover and load balancing. After the STS cluster is configured, WebSEAL checks the status of each STS proxy web server every minute.
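The following WebSEAL configuration file excerpt shows how the trust chain lookup elements in the table above and the two stanzas just described fit together for a standard junction named /junction_a. It is an added example, not configuration from this page or from the product documentation: the junction name, the host names and URLs, the cluster name sts-cluster, the token type value, the service name, and the token-type option name are assumed placeholders, and the meaning of the priority number (9 highest) is an assumption to confirm against the Stanza Reference.

```ini
; Added example: WebSEAL configuration file excerpt for STS single sign-on on
; the standard junction /junction_a. All names, URLs and values are placeholders.

[tfimsso:/junction_a]
; Token type WebSEAL asks the STS to issue. It must be one of the supported STS
; SSO token types and equal the trust chain's TokenType (option name assumed).
token-type = http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

; Sent as the WS-Trust AppliesTo address. The trust chain's AppliesTo Address
; must be this exact value, otherwise the lookup finds no chain.
applies-to = https://app.example.com/junction_a

; Sent as the AppliesTo service name. The trust chain's AppliesTo Service Name
; is either * or carries this value in its second field.
service-name = junction_a-sso

; Names the [tfim-cluster:<cluster>] stanza that lists the STS endpoints.
tfim-cluster-name = sts-cluster

[tfim-cluster:sts-cluster]
; server = <priority>,<URL>: one entry per STS proxy web server. Entries with
; the same priority share load; lower priorities are used only on failover
; (9 assumed highest). WebSEAL re-checks an unavailable server every minute.
server = 9,https://sts1.example.com/TrustServerWST13/services/RequestSecurityToken
server = 9,https://sts2.example.com/TrustServerWST13/services/RequestSecurityToken
server = 1,https://sts-backup.example.com/TrustServerWST13/services/RequestSecurityToken
```

With these stanzas in place, the junction is created with the -Y option, for example from pdadmin: server task default-webseald-webseal.example.com create -t tcp -h app.example.com -p 8080 -Y /junction_a (instance name, back-end host and port are assumptions). Keep the applies-to and service-name values in the stanza and in the trust chain in lockstep: a mismatch is reported only as a failed token request when a client first hits the junction, not at configuration time.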

For information about these configuration options, see the [tfimsso:<jct-id>] and [tfim-cluster:<cluster>] stanzas in the IBM Security Web Gateway appliance: web reverse proxy Stanza Reference.

This method of single sign-on can be implemented only using a module in the STS. For information, refer to the Security Token Service documentation.

Parent topic: Single Sign-on Solutions