Configuring single sign-on

To configure a single sign-on environment, you must use a compatible authentication method and Enterprise Identity Mapping (EIM) to create and manage your user profiles and identity mappings.

In the case of IBM® i single sign-on solutions, the authentication method is network authentication service (Kerberos).

Because a single sign-on environment can be complex to configure, you might find it useful to create a test environment before you implement single sign-on across your enterprise. The scenario for creating a test single sign-on environment demonstrates how to configure such a test environment so that you can learn more about the planning needs of implementing single sign-on, as well as gain a better understanding of how a single sign-on environment can work for you.

After you work with a test environment, you can use what you learn to plan how to implement single sign-on on a larger scale in your enterprise. You might find it useful to work through the enable single sign-on for i5/OS scenario to learn about the more advanced configuration options that you can employ when you implement a single sign-on environment.

After you have reviewed these and the other single sign-on scenarios, you can use the single sign-on planning worksheets to create an informed single sign-on implementation plan that fits the needs of your enterprise. With these planning worksheets in hand, you are ready to continue with the configuration process.

Configuring single sign-on involves a number of detailed configuration steps. This information describes the high-level configuration tasks for single sign-on and provides links to the more detailed configuration information for both EIM and network authentication service where appropriate.

Perform these tasks to configure a single sign-on environment:
  1. Create your Windows 2000 domain
    1. Configure the KDC on the Active Directory (AD) Server.
      Note: You can choose to create and run your KDC on IBM i PASE rather than create a Windows domain and run the KDC on a Windows server.
    2. Add IBM i service principals to the Kerberos server.
    3. Create a home directory for each Kerberos user who will participate in your single sign-on environment.
    4. Verify TCP/IP domain information.
  2. Create an EIM domain by running both the network authentication service wizard and the EIM configuration wizard on a server. When you have completed these wizards, you have actually accomplished the following tasks:
    1. Configured IBM i interfaces to accept Kerberos tickets.
    2. Configured the Directory server on System i® to be the EIM domain controller.
    3. Created an EIM domain.
    4. Configured a user identity for IBM i and IBM i applications to use when conducting EIM operations.
    5. Added a registry definition to EIM for the local IBM i registry and the local Kerberos registry (if Kerberos is configured).
  3. For servers running IBM i V5R3, or later, see the Scenario: Propagate network authentication service and EIM across multiple systems for a detailed demonstration on how to use the Synchronize Functions wizard in System i Navigator to propagate a single sign-on configuration across multiple servers in a mixed IBM i release environment. Administrators can save time by configuring single sign-on once and propagating that configuration to all of their systems instead of configuring each system individually.
  4. Finish your configuration for the network authentication service. Based on your single sign-on implementation plan, create a home directory for users on your servers.
  5. Based on your implementation plan, customize your EIM environment by setting up associations for the user identities in your enterprise.
    1. Configure other servers to participate in the EIM domain.
    2. Create EIM identifiers and identifier associations as needed.
    3. Add additional registry definitions as needed.
    4. Create policy associations as needed.
  6. Test your single sign-on configuration.

    To verify that you have configured the network authentication service and EIM correctly, sign on to the system with a user ID, and then open System i Navigator. If no IBM i sign-on prompt displays, EIM successfully mapped the Kerberos principal to an identifier on the domain.

    Note: If you find that your test of your single sign-on configuration fails, there might be a problem with your configuration. You can troubleshoot single sign-on and learn how to recognize and fix common problems with your single sign-on configuration.
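As an added example (not part of this documentation or of the IBM i product), the following Python model shows how an EIM mapping lookup resolves a Kerberos principal to an IBM i user profile using the identifier associations and policy associations set up in step 5, which is what the test in step 6 exercises. The registry, identifier and user names are constructed sample values, and the precedence and case-handling rules are a simplification stated in the code comments.

```python
# Simplified model of an EIM mapping lookup (added example, not IBM code).
# Assumed precedence: an identifier association (source association -> EIM
# identifier -> target association) is used first; only if that yields nothing,
# and both the domain and the target registry permit policy lookups, are a
# default registry policy and then a default domain policy consulted.
from dataclasses import dataclass, field


@dataclass
class EimDomain:
    # registry name -> (case_sensitive, policy_lookups_enabled)
    registries: dict
    policy_enabled: bool = True                            # domain-level switch
    source_assocs: dict = field(default_factory=dict)      # (registry, user) -> identifier
    target_assocs: dict = field(default_factory=dict)      # (identifier, registry) -> user
    registry_policies: dict = field(default_factory=dict)  # (src_reg, tgt_reg) -> user
    domain_policies: dict = field(default_factory=dict)    # tgt_reg -> user

    def _norm(self, registry, user):
        # Kerberos principals are case-sensitive; IBM i profiles are not (modelled here).
        case_sensitive, _ = self.registries[registry]
        return user if case_sensitive else user.upper()

    def add_source_assoc(self, registry, user, identifier):
        self.source_assocs[(registry, self._norm(registry, user))] = identifier

    def add_target_assoc(self, identifier, registry, user):
        self.target_assocs[(identifier, registry)] = self._norm(registry, user)

    def lookup(self, src_reg, src_user, tgt_reg):
        """Return (target_user, how_mapped) or (None, reason)."""
        ident = self.source_assocs.get((src_reg, self._norm(src_reg, src_user)))
        if ident is not None and (ident, tgt_reg) in self.target_assocs:
            return self.target_assocs[(ident, tgt_reg)], "identifier association"
        _, policy_ok = self.registries[tgt_reg]
        if not (self.policy_enabled and policy_ok):
            return None, "no identifier mapping; policy lookups disabled for target"
        if (src_reg, tgt_reg) in self.registry_policies:
            return self.registry_policies[(src_reg, tgt_reg)], "default registry policy"
        if tgt_reg in self.domain_policies:
            return self.domain_policies[tgt_reg], "default domain policy"
        return None, "no mapping"


def build_sample_domain():
    # Constructed: a Kerberos realm registry and an IBM i registry that allows policy lookups.
    d = EimDomain({"MYCO.COM": (True, False), "SYSTEMA.MYCO.COM": (False, True)})
    d.add_source_assoc("MYCO.COM", "jday", "John Day")            # Kerberos principal jday
    d.add_target_assoc("John Day", "SYSTEMA.MYCO.COM", "johnd")   # IBM i user profile JOHND
    d.registry_policies[("MYCO.COM", "SYSTEMA.MYCO.COM")] = "SSOUSER"  # catch-all for the realm
    return d
```

Running `build_sample_domain().lookup("MYCO.COM", "jday", "SYSTEMA.MYCO.COM")` resolves through the identifier association, while a principal without one, or the same name with different case, falls through to the default registry policy.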