Configuring single sign-on capability with Enterprise Identity Mapping

The Enterprise Identity Mapping (EIM) identity token connection factory is a type of Java™ 2 Connector (J2C) connection factory. Using EIM identity token connection factories along with EIM identity token-enabled products, such as IBM® Toolbox for Java, provides a single sign-on capability for WebSphere® Application Server applications that need to access server data and resources through your user ID.

Before you begin

The EIM identity token connection factory is supported on the following WebSphere Application Server products.
Attention: Either Lightweight Third Party Authentication (LTPA) or Simple WebSphere Authentication Mechanism (SWAM) may be used with the EIM identity token connection factory. Enabling web security single sign-on (SSO) is optional when LTPA is used with the EIM identity token connection factory. See the information about implementing single sign-on to minimize web user authentications.
Table 1. Supported editions per product

This table lists the supported edition names per product.

Edition name    Supported products
Version 8.0     WebSphere Application Server (base)
                WebSphere Application Server Network Deployment for IBM i (Network Deployment Edition)
Version 6.1     WebSphere Application Server (base)
                WebSphere Application Server Network Deployment for IBM i (Network Deployment Edition)
Version 6.0.x   WebSphere Application Server (base)
                WebSphere Application Server Network Deployment for IBM i (Network Deployment Edition)

You can configure EIM identity token connection factories for Version 8.5 only. This topic also describes a sample application that might be helpful when you develop your own applications.

Attention: Configuration tasks can vary slightly for other WebSphere Application Server products and editions.

About this task

The sample application uses an EIM identity token connection factory to provide EIM identity tokens for use with IBM Toolbox for Java com.ibm.as400.access.AS400 objects. For example, if the sample application is deployed on SERVER A, you can log in once to WebSphere Application Server and use the sample application to perform IBM i server commands under your IBM i user profiles on SERVER B, SERVER C, or SERVER D.

When you make a request to the sample application, you must log in with your WebSphere Application Server user ID and password. Each request contains the server command and the target server name where the command runs. When the request is received, the application calls the connection factory to generate an identity token. The connection factory extracts your user ID from a Java Authentication and Authorization Service (JAAS) subject object that is provided by WebSphere Application Server security, and it collaborates with the EIM domain controller to create the identity token that is returned to the application. The application then creates a com.ibm.as400.access.AS400 object for SERVER B and provides it with the identity token (instead of your IBM i user profile) before it passes the server command to run.

Attention: A new identity token and com.ibm.as400.access.AS400 object are created each time that you send a request that contains a new target server. All com.ibm.as400.access.AS400 objects are stored in an HTTP Session for use with subsequent requests.
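The request flow described above, as an added example written for this topic rather than code taken from the sample application: a servlet that obtains an identity token for the logged-in caller, builds one AS400 object per target server, and keeps those objects in the HTTP session for later requests. The EimIdentityTokenFactory interface, the JNDI name java:comp/env/eis/EimTokenFactory and the AS400(String, IdentityToken) constructor are assumptions; the page does not show the connection factory's Java interface.

```java
import java.io.IOException;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import com.ibm.as400.access.AS400;
import com.ibm.as400.access.CommandCall;
import com.ibm.eim.token.IdentityToken;
import com.ibm.websphere.security.auth.WSSubject;

public class EimCommandServlet extends HttpServlet {
    // Hypothetical Java view of the EIM identity token connection factory (assumption): the real J2C factory is looked up from JNDI.
    public interface EimIdentityTokenFactory {
        IdentityToken createIdentityToken(Subject callerSubject) throws Exception;
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = req.getParameter("targetServer"); // e.g. SERVERB
        String command = req.getParameter("command");     // e.g. DSPLIB MYLIB
        HttpSession session = req.getSession(true);
        try {
            // One AS400 object per target server, kept in the HTTP session for later requests.
            AS400 system = (AS400) session.getAttribute("as400." + target);
            if (system == null) {
                // The caller's identity is the JAAS Subject that WebSphere security attached
                // to this request; the factory maps it through the EIM domain controller.
                Subject caller = WSSubject.getCallerSubject();
                EimIdentityTokenFactory factory = (EimIdentityTokenFactory)
                    new InitialContext().lookup("java:comp/env/eis/EimTokenFactory"); // assumed JNDI name
                IdentityToken token = factory.createIdentityToken(caller);
                // The identity token stands in for the IBM i user profile and password (constructor assumed).
                system = new AS400(target, token);
                session.setAttribute("as400." + target, system);
            }
            // The command runs under the IBM i user profile that EIM mapped for the caller.
            CommandCall cmd = new CommandCall(system);
            boolean ok = cmd.run(command);
            resp.setContentType("text/plain");
            resp.getWriter().println(ok ? "Command completed" : "Command failed");
        } catch (Exception e) {
            throw new ServletException("EIM single sign-on request failed", e);
        }
    }
}
```

The authority the command actually has on the target server is that of the user profile the EIM target association resolves to, so the mapping configured in step 2 of the procedure is what bounds the request.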

Procedure

  1. Verify that all of the prerequisites for using the EIM identity token connection factory are installed.
    You must verify that you have installed the necessary program temporary fixes (PTFs) on your server and applications. For more information, see Verifying Enterprise Identity Mapping identity token connection factory prerequisite applications.
  2. Configure EIM to work with the identity token connection factory.
    These instructions explain how to complete the following tasks:
    1. Create a domain in EIM.
    2. Add the domain to domain management.
    3. Create a source user registry definition.
    4. Create a user identifier.
    5. Create a target association.
    6. Create a source association.
    7. Test the connection to the EIM domain controller.
    For more information, see Configuring Enterprise Identity Mapping.
  3. Configure the EIM identity token connection factory.
    This step involves configuring two Java Archive (JAR) files and a shared library. For more information, see Configuring the Enterprise Identity Mapping identity token connection factory.
  4. Configure the connection factory.

Results

After completing the previous steps, you have configured single sign-on for Enterprise Identity Mapping.