Configure IBM® Connections to use single sign-on with IBM Tivoli® Access Manager and SPNEGO.
Before you begin
- Complete the task described in the Configuring web browsers
to support SPNEGO topic.
- Ensure that IBM Tivoli Access Manager for e-business,
version 6.1 Fix Pack 4, is installed.
- This task describes how to enable single sign-on (SSO) for Tivoli Access Manager on the Windows operating system. For
information about other operating systems, see the Configuring Windows desktop
single signon (UNIX) page in the Tivoli Access Manager information center.
- IBM Connections supports
the WebSphere® cookie-based
lightweight third-party authentication (LTPA) mechanism as an SSO
solution for Tivoli Access
Manager. IBM Connections does
not support other SSO solutions that WebSEAL supports such as WebSphere Trust Association
Interceptor (TAI), Forms SSO, Cross-domain SSO, or E-community SSO.
- IBM Connections supports Transparent Path junctions over encrypted (SSL) connections with Tivoli Access Manager. IBM Connections does not support TCP-type junctions or Tivoli Access Manager standard junctions.
- Verify that you can access IBM Connections
applications from a web browser.
- Set the IBM WebSphere Application Server single sign-on
domain to the same value as the domain of the Tivoli Access Manager server.
About this task
Single sign-on (SSO) enables users to log in to an IBM Connections application and
switch to other applications within the product without having to
authenticate again.
There are several ways to configure SSO. With the IBM Connections DefaultAuthenticator
setting, your users and Tivoli Access Manager prove their identities to one another in a secure manner:
after users sign in to their Active Directory Windows client systems, they are automatically
signed in to both Tivoli Access Manager and IBM Connections.
To
set up SSO using Tivoli Access
Manager with SPNEGO, complete the following steps:
Procedure
- Create a user account for WebSEAL in your Active Directory
domain. When creating the user account, ensure that you specify the
following options:
- The user cannot change the password
- The password never expires
For example, if you create an account for A User, where the
Active Directory domain is tamspnego.example.com, the user identity
is auser@tamspnego.example.com.
- Map a Kerberos principal to an Active Directory user. Map
the service principal name to the account that you created in Step
1 by running the ktpass command on the domain controller. Use the Tivoli Access Manager server
through which users access IBM Connections
as the instance in the service principal name.
- Run the following ktpass command:
ktpass -princ SPN -mapuser account_name -mapop set -pass account_password
where
- SPN is the Kerberos service principal name.
The host name specified in the SPN must match
the host name that users type into the browser to reach the WebSEAL server, and the realm is the
Active Directory domain name in upper case. For example, if users contact
the WebSEAL server at diamond.subnet2.example.com and the WebSEAL
server is part of the EXAMPLE.COM Active Directory domain, the Kerberos
principal name is HTTP/diamond.subnet2.example.com@EXAMPLE.COM.
- account_name is the account name that you specified
in Step 1.
- account_password is the password associated
with the account that you specified in Step 1. Note that ktpass sets this
password on the account, so it is also the password that you enter for the
service Log On in Step 3.
- Modify the Windows service
for the WebSEAL instance so that it starts using the new user account
that you just created. On the WebSEAL server, complete the following
steps:
- Open the Windows Services control panel.
- Right-click on Access Manager WebSEAL-default and
select Properties.
- Click Log On and then click This
account.
- Enter the details of the user account and password that you created
in Step 1.
- Click OK to save your changes.
- Grant administrator privileges for the local system
to the account that you created in step 1.
- Enable SPNEGO for WebSEAL:
- Stop the WebSEAL server.
- Enable SPNEGO over encrypted connections only by adding the following lines to the WebSEAL
configuration file:
[spnego]
spnego-auth = https

[authentication-mechanisms]
auth-challenge-type = spnego
kerberosv5 = fully_qualified_path_to_the_authentication_library
For example: kerberosv5 = TDI_root\bin\stliauthn.dll
where TDI_root is the installation directory of Tivoli Access Manager.
Setting spnego-auth to https (rather than http or both) ensures that SPNEGO
tokens are only ever exchanged over the encrypted junction.
- Enable TAI authentication as follows:
- In the WebSphere Application Server administrative console, open the custom properties page for global security.
- Enter the following name and value pair:
- Name
- com.ibm.websphere.security.performTAIForUnprotectedURI
- Value
- true
- Click OK and then click Save to
preserve your update.
- Restart WebSEAL from the Services Control Panel. On Windows, WebSEAL must be running
as a service for SPNEGO authentication to work properly. Otherwise,
it runs using the credentials of the logged in user.
- Configure form-based authentication with transparent junctions.
Complete all the steps in the Enabling single sign-on for Tivoli Access Manager topic
except the steps that update the interService URLs,
allow Tivoli Access Manager access to the Embedded Experience gadget, and add a Tivoli Access Manager authenticator
property. In this configuration, keep the IBM HTTP
Server URLs and the DefaultAuthenticator property.
Note: This
procedure enables a fallback authentication method for user systems
that do not support SPNEGO. This alternative is important for users
of Lotus Notes®, mobile
devices, and other extensions for IBM Connections.
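The following PowerShell script is an added example; it is not part of the IBM Connections documentation or the product. It automates Steps 1 through 4 of the procedure above on the Windows hosts where each step is typed, and adds two checks the procedure depends on but does not show: that the service principal name is not already mapped to a different account, and that a domain-joined client can actually obtain a Kerberos service ticket for WebSEAL. All values are assumptions taken from the examples on this page: the Active Directory domain tamspnego.example.com (assumed NetBIOS name TAMSPNEGO), the WebSEAL host diamond.subnet2.example.com, the account name auser, and the service display name "Access Manager WebSEAL-default".

```powershell
# Added example, not IBM documentation or product code. Assumed values below.
#Requires -RunAsAdministrator

$Domain             = 'tamspnego.example.com'       # assumption (AD DNS domain)
$NetBiosDomain      = 'TAMSPNEGO'                   # assumption (AD NetBIOS name)
$WebSealHost        = 'diamond.subnet2.example.com' # assumption: host name users type into the browser
$AccountName        = 'auser'                       # assumption (Step 1 account)
$ServiceDisplayName = 'Access Manager WebSEAL-default'
$ErrorActionPreference = 'Stop'

# Kerberos realm names are, by convention, the upper-cased DNS domain name.
$Realm = $Domain.ToUpperInvariant()
$Spn   = "HTTP/$WebSealHost"   # service class HTTP plus the browser-facing host name

# One password for everything: ktpass -pass resets the account password, and
# the WebSEAL service logon (Step 3) must use the same value.
$Cred     = Get-Credential -UserName "$NetBiosDomain\$AccountName" -Message 'WebSEAL service account password'
$Password = $Cred.GetNetworkCredential().Password

# Steps 1 and 2: run on a domain controller (needs the ActiveDirectory module).
function Register-WebSealSpn {
    Import-Module ActiveDirectory

    if (-not (Get-ADUser -Filter "SamAccountName -eq '$AccountName'")) {
        New-ADUser -Name $AccountName -SamAccountName $AccountName `
            -UserPrincipalName "$AccountName@$Domain" `
            -AccountPassword $Cred.Password -Enabled $true `
            -CannotChangePassword $true -PasswordNeverExpires $true
    }

    # A duplicate SPN makes the KDC encrypt service tickets with a key that
    # WebSEAL does not hold, so SPNEGO silently falls back to the form login.
    $query = (& setspn.exe -Q $Spn) -join "`n"
    if ($query -match 'Existing SPN found' -and $query -notmatch "(?m)^CN=$AccountName,") {
        throw "$Spn is already registered on a different account:`n$query"
    }

    # Same mapping as the ktpass command in Step 2; -mapop set replaces any
    # previous mapping on this account and sets the account password.
    & ktpass.exe -princ "$Spn@$Realm" -mapuser "$AccountName@$Domain" -mapop set -pass $Password
    if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

    $spns = (Get-ADUser $AccountName -Properties ServicePrincipalNames).ServicePrincipalNames
    if ($spns -notcontains $Spn) { throw "ktpass succeeded but $Spn is not on $AccountName" }
}

# Steps 3 and 4: run on the WebSEAL server.
function Set-WebSealServiceLogon {
    $svc = Get-Service -DisplayName $ServiceDisplayName

    # sc.exe changes the logon identity but, unlike the Services console, does
    # not grant the "Log on as a service" right; local Administrators membership
    # does not grant it either. Assign it in Local Security Policy if the
    # service then fails to start.
    & sc.exe config $svc.Name obj= "$NetBiosDomain\$AccountName" password= $Password
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }

    $member = "$NetBiosDomain\$AccountName"
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $member
    }

    # WebSEAL must run as a service (not under a logged-in user) for SPNEGO.
    Restart-Service -Name $svc.Name
    if ((Get-Service -Name $svc.Name).Status -ne 'Running') { throw 'WebSEAL did not restart' }
}

# Check: from any domain-joined client, ask the KDC for a ticket to WebSEAL.
# If this fails, the SPN mapping is wrong; WebSEAL and Connections are not
# involved yet.
function Test-WebSealTicket {
    $out = (& klist.exe get $Spn) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "No service ticket for $Spn`n$out" }
    "Service ticket for $Spn obtained"
}
```

Dot-source the script and call Register-WebSealSpn on the domain controller, Set-WebSealServiceLogon on the WebSEAL server, and Test-WebSealTicket from a client signed in to the domain; a ticket for HTTP/diamond.subnet2.example.com appearing in klist confirms the Kerberos side before you troubleshoot the WebSEAL configuration file or the WebSphere property.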
Results
After users sign in to the Windows desktop,
they are automatically signed into IBM Connections.
Note: If you are using on-ramp
plug-ins or mobile services, your data traffic is not authenticated
by Kerberos tickets or SPNEGO tokens. It is instead authenticated
through Java EE form-based authentication.
What to do next
For more information about Kerberos and SPNEGO, go to the SPNEGO protocol and Kerberos authentication page
in the Tivoli Access Manager
information center.