Single signon (SSO) concepts
Understand single signon concepts so that you can implement
a solution that allows users to access resources with one initial
login.
Client identity in HTTP BA headers
You can configure WebSEAL junctions to supply the back-end
server with original or modified client identity information. Understand
the options available so that you can specify the required information
in the HTTP basic authentication headers.
Client identity and generic password
As an administrator, you must know how client identity
and passwords are handled so that you understand how WebSEAL manages
authentication in some scenarios.
Forwarding of original client BA header information
Understand how original client basic authentication information
is sent to the back-end server without interference and the conditions
that are required for this implementation.
Removal of client BA header information
Understand how basic authentication header information
is removed from client requests and the conditions that are required
for this implementation.
User names and passwords from GSO
Understand how authentication information is obtained from
a server that handles global signon and the conditions for this implementation.
Client identity information across junctions
A junction can be set up to specify client identity information
in BA headers. You must know the available options so that you can
use the correct combination of options.
Client identity in HTTP headers (-c)
Use the -c junction option
to insert client identity, group membership, and credential information
specific to Security Access Manager.
You can insert the information into the HTTP headers of requests that
are destined for junctioned third-party application servers.
Conditions of use for -c junctions
Understand how to use the -c junction option
so that you can use the correct combinations to insert information
into HTTP headers of requests.
Global sign-on overview
Global sign-on grants users access to the computing resources
that they are authorized to use through a single login. This feature
is designed for large enterprises that consist of multiple systems
and applications within heterogeneous, distributed computing environments.
GSO eliminates the need for users to manage multiple user names and passwords.
Authentication information mapping
The following example illustrates how the user registry
provides authentication information to WebSEAL.
Configuration of the GSO cache
Use the global signon (GSO) cache function to improve the
performance of GSO junctions in a high load environment.
LTPA overview
WebSEAL can provide authentication and authorization services
and protection to an IBM® WebSphere® environment. WebSphere provides support
for the cookie-based lightweight third-party authentication mechanism
(LTPA).
Forms single signon concepts
Forms single signon authentication supports existing applications
that use HTML forms for authentication and cannot be modified to directly
trust the authentication that is done by WebSEAL.
How to enable forms single signon
Learn the command options to enable forms single signon
so that you can configure the appropriate junction to support forms
single signon.
Forms single sign-on example
The following help site sample invokes its own forms-based
login. The example shows how a forms single sign-on solution can provide
seamless access to the site for its enrolled users.
Single sign-on using Kerberos constrained delegation
You can set up constrained delegation by allowing WebSEAL
to request a Windows Kerberos ticket on behalf of the client from
the key distribution centre (KDC). The ticket can then be used by
WebSEAL to impersonate the client to authenticate with the junctioned
Web server.
E-community single signon
E-community single signon (sometimes referred to as ECSSO)
allows authenticated users to access protected resources across multiple
servers in multiple domains without requiring additional logins.
Single sign-off
You can configure WebSEAL to initiate single sign-off from
multiple protected web resources located on junctioned backend servers.