IBM Tivoli Monitoring > Version 6.3 Fix Pack 2 > Administrator's Guide > Enable user authentication > LDAP user authentication through the portal server
IBM Tivoli Monitoring, Version 6.3 Fix Pack 2
About single sign-on
The single sign-on (SSO) feature provides users with the ability to start other Tivoli web-based or web-enabled applications from the Tivoli Enterprise Portal, or to start the Tivoli Enterprise Portal from other applications, without having to re-enter their credentials. It is also used when IBM Dashboard Application Services Hub retrieves monitoring data from the portal server or the IBM Tivoli Monitoring charting web service is being used by another application.
Authenticated credentials are shared among participating applications using LTPA (Lightweight Third Party Authentication) tokens. Read this topic to understand SSO usage and requirements.
- User logon
- Users log onto one of the participating applications, have their user ID and password authenticated, and then start another application from within the original application to view related data or perform required actions without having to re-enter their user ID and password.
- Tivoli Enterprise Portal browser client or Java Web Start client
- Use a browser client or Java Web Start client, you can start another participating Tivoli web application from the Tivoli Enterprise Portal by using Launch Application or by typing the URL of the application into a browser view.
- You can start the Tivoli Enterprise Portal browser client from an SSO-enabled web application. SSO is also supported when launching to the Java Web Start client.
If you are using SSO and you want to use the browser client on the same computer as the Tivoli Enterprise Portal Server, you must reconfigure the client to use the fully qualified name of the host computer.
- Tivoli Enterprise Portal desktop client
- Use the desktop client, you can start another application from a workspace by using SSO. To do this, you must enter the URL of the application in the address field of a browser view. However, you cannot start the Tivoli Enterprise Portal from another application to the desktop client.
- Dashboard Application Services Hub
- Dashboard users log onto IBM Dashboard Application Services Hub. When they access a dashboard that displays monitoring data, the dashboard hub sends a request to the dashboard data provider component of the portal server and includes the logged in user's LTPA token. The portal server validates the LTPA token, extracts the LDAP user ID from the LTPA token, and determines what monitored resources the user is allowed to access.
- IBM Tivoli Monitoring charting web service
- When users log onto Tivoli Integrated Portal, they access a page with a chart configured to use the IBM Tivoli Monitoring charting web service. A request is sent to the charting web service on the portal server and includes the logged in user's LTPA token. The portal server validates the LTPA token, extracts the LDAP user ID from the LTPA token, and determines what monitored resources the user is allowed to access.
- SSO-enabled applications belong to the same security domain and realm
- For SSO to be enabled, authentication must be configured through the Tivoli Enterprise Portal Server for an external LDAP user registry that is shared by all participating Tivoli applications. This is also called a federated LDAP user registry. All the participating applications must be configured for SSO and must belong to the same Internet or intranet domain and realm.
- The domain is the Internet or Intranet domain for which SSO must be configured, for example mycompany.com. Only applications available in this domain or its sub-domains are enabled for the SSO. Users who access applications that support SSO must specify the fully qualified hostname when entering the URL of the application, for example, the URL of Dashboard Application Services Hub. The hostname is included in the LTPA tokens that are sent to the other application servers participating in SSO, and those other servers need the fully qualified hostname so that they can verify the request came from a server in the same domain.
- The realm is a parameter shared across different applications that are using the LTPA SSO implementation.
- LTPA tokens
- Authenticated credentials are shared among participating applications using LTPA tokens. An LTPA token is encrypted data containing the authentication-related data for a user who has already been authenticated using the shared LDAP user registry. Participating SSO applications pass the user's LTPA token using a browser cookie.
- LTPA tokens are secure because they are created using secure cryptography. The tokens are both encrypted and signed. The server creating an LTPA token uses a set of cryptographic keys. The cryptographic keys are used to encode the token, so that the encoded token traveling to the user's browser cannot be decoded by someone who does not have the cryptographic keys. The cryptographic keys also are used to validate the token ensuring that the token integrity is verifiable and tampering can be readily detected. When an SSO server receives an HTTP request and sees that the LTPA token is included, the server verifies the token using its copy of the shared cryptographic keys, and the information in the valid token allows the server to recognize the logged-in user.
- Accordingly, LTPA keys must be exchanged among participating SSO servers so that all servers are using the same LTPA key. Choose one of the servers to be the source of the LTPA key. Then export its LTPA key and provide it to the administrators of the other servers so that they can import it. When you perform the export step, you must export the key into a key file. You must provide a name for the key file and the password to use to encrypt the key. The key file and password must be provided to the administrators of the other participating SSO applications so that they can import the LTPA key.
- For example, if multiple applications can launch the Tivoli Enterprise Portal client, you can export the LTPA key from the portal server and provide the key file and password to the administrators of the other applications so that they can import the LTPA key.
- Synchronize the time across participating servers
- LTPA tokens are time sensitive. Verify that the date, time, and time zone on the portal server computer and the computers of the participating SSO applications are correctly set and relative to Coordinated Universal Time (UTC). For example, the portal server in New York is set to UTC -5:00 and the Dashboard Application Services Hub in Paris is set to UTC+1:00.
Parent topic:
LDAP user authentication through the portal serverRelated tasks:
Reconfigure the browser client for SSO