To configure a single sign-on environment, you must use a compatible
authentication method together with Enterprise Identity Mapping (EIM), which
creates and manages your user profiles and identity mappings. For IBM® i single
sign-on solutions, the authentication method is network authentication service
(Kerberos).
Because a single sign-on environment can be complex to configure,
you might find it useful to create a test environment before you implement
single sign-on across your enterprise. The create a test single sign-on environment
scenario demonstrates how to configure such a test environment so that you
can learn more about the planning needs of implementing single sign-on as
well as gain a better understanding of how a single sign-on environment can
work for you.
After you work with a test environment,
you can use what you learn to plan how to implement single sign-on on a larger
scale in your enterprise. You might find it useful to work through the enable
single sign-on for i5/OS scenario to learn about the more advanced configuration
options that you can employ when you implement a single sign-on environment.
After you have reviewed these and the other single sign-on
scenarios, you can use the single sign-on planning worksheets to create an
informed single sign-on implementation plan that fits the needs of your enterprise.
With these planning worksheets in hand, you are ready to continue with the
configuration process.
Configuring single sign-on involves a number of detailed configuration steps.
This information describes the high-level configuration tasks for single
sign-on and provides links to the more detailed configuration information for
both EIM and network authentication service where appropriate.
Perform these tasks to configure a single sign-on environment:
- Create your Windows 2000 domain.
- Configure the KDC on the Active Directory (AD) server.
Note: You can choose to create and run your KDC on IBM i PASE
rather than create a Windows domain and run the KDC on a
Windows server.
- Add IBM i service
principals to the Kerberos server.
- Create a home directory for each Kerberos user who will participate
in your single sign-on environment.
- Verify TCP/IP domain information.
- Create an EIM domain by running both the network authentication
service wizard and the EIM configuration wizard on a server. When
you have completed these wizards, you have actually accomplished the following
tasks:
  - Configured IBM i interfaces to accept Kerberos tickets.
  - Configured the Directory server on System i® to be the EIM domain controller.
  - Created an EIM domain.
  - Configured a user identity for IBM i and IBM i applications to use when
    conducting EIM operations.
  - Added a registry definition to EIM for the local IBM i registry
    and the local Kerberos registry (if Kerberos is configured).
- For servers running IBM i V5R3 or later, see Scenario: Propagate network
authentication service and EIM across multiple systems for a detailed
demonstration of how to use the Synchronize Functions wizard in System
i Navigator to propagate a single sign-on configuration across multiple
servers in a mixed IBM i release environment. Administrators can save time by
configuring single sign-on once and propagating that configuration to all of
their systems instead of configuring each system individually.
- Finish your configuration for the network authentication service. Based on your single sign-on implementation plan, create a home directory
for users on your servers.
- Based on your implementation plan, customize your EIM environment
by setting up associations for the user identities in your enterprise.
- Configure other servers to participate in the EIM domain.
- Create EIM identifiers and identifier associations as needed.
- Add additional registry definitions as needed.
- Create policy associations as needed.
- Test your single sign-on configuration. To verify that you have configured
network authentication service and EIM correctly, sign on to the system with
a user ID and then open System i Navigator. If no IBM i sign-on prompt is
displayed, EIM successfully mapped the Kerberos principal to an identifier
on the domain.
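The steps above (registry definitions, EIM identifiers, identifier associations, policy associations, then the sign-on test) all feed one operation: an EIM lookup that turns a Kerberos principal into a user profile on a target IBM i registry. The following Python model, added here as an illustration and not part of IBM's documentation or code, shows how those pieces combine and why a missing association produces a sign-on prompt. It is a simplification: it ignores administrative associations, certificate filter policies, and the per-domain and per-registry switches that enable policy lookups. The registry names (MYCO.COM, SYSTEMA, SYSTEMB), the identifier "John Day", and the user identities are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class EimDomain:
    """A toy EIM domain holding registries, identifiers and associations."""
    registries: set = field(default_factory=set)
    identifiers: set = field(default_factory=set)
    # Source associations: (registry, user identity) -> EIM identifier
    source_assoc: dict = field(default_factory=dict)
    # Target associations: (EIM identifier, registry) -> user identity
    target_assoc: dict = field(default_factory=dict)
    # Default registry policy: (source registry, target registry) -> user identity
    registry_policy: dict = field(default_factory=dict)
    # Default domain policy: target registry -> user identity
    domain_policy: dict = field(default_factory=dict)

    def add_registry(self, name):
        self.registries.add(name)

    def add_identifier(self, name):
        self.identifiers.add(name)

    def _check(self, registry, identifier=None):
        # Associations may only reference registry definitions and identifiers
        # that already exist in the domain, mirroring the ordering of the steps.
        if registry not in self.registries:
            raise KeyError(f"unknown registry definition: {registry}")
        if identifier is not None and identifier not in self.identifiers:
            raise KeyError(f"unknown EIM identifier: {identifier}")

    def add_source_association(self, identifier, registry, user):
        self._check(registry, identifier)
        self.source_assoc[(registry, user)] = identifier

    def add_target_association(self, identifier, registry, user):
        self._check(registry, identifier)
        self.target_assoc[(identifier, registry)] = user

    def add_default_registry_policy(self, source_registry, target_registry, user):
        self._check(source_registry)
        self._check(target_registry)
        self.registry_policy[(source_registry, target_registry)] = user

    def add_default_domain_policy(self, target_registry, user):
        self._check(target_registry)
        self.domain_policy[target_registry] = user

    def lookup(self, source_registry, source_user, target_registry):
        """Map a source user identity to a user identity in the target registry.

        Returns (user, how), where `how` names the rule that produced the
        mapping, or (None, reason) when nothing matched. Precedence follows
        EIM: identifier associations first, then the default registry policy,
        then the default domain policy.
        """
        self._check(source_registry)
        self._check(target_registry)
        identifier = self.source_assoc.get((source_registry, source_user))
        if identifier is not None:
            user = self.target_assoc.get((identifier, target_registry))
            if user is not None:
                return user, f"identifier association via '{identifier}'"
        user = self.registry_policy.get((source_registry, target_registry))
        if user is not None:
            return user, "default registry policy"
        user = self.domain_policy.get(target_registry)
        if user is not None:
            return user, "default domain policy"
        return None, "no mapping: the user would see a sign-on prompt"


def build_sample_domain():
    """Constructed sample data: one Kerberos registry and two IBM i registries."""
    d = EimDomain()
    d.add_registry("MYCO.COM")   # Kerberos realm registry (constructed name)
    d.add_registry("SYSTEMA")    # local IBM i registry on server A (constructed)
    d.add_registry("SYSTEMB")    # local IBM i registry on server B (constructed)
    d.add_identifier("John Day")
    d.add_source_association("John Day", "MYCO.COM", "jday")
    d.add_target_association("John Day", "SYSTEMA", "JOHND")
    # Everyone else from the realm shares one profile on SYSTEMB only.
    d.add_default_registry_policy("MYCO.COM", "SYSTEMB", "GUESTUSR")
    return d


def sign_on_test(domain, principal, realm_registry, target_registry):
    """Emulate the verification step: True means no sign-on prompt appears."""
    user, how = domain.lookup(realm_registry, principal, target_registry)
    return user is not None, user, how


if __name__ == "__main__":
    dom = build_sample_domain()
    for principal, target in [("jday", "SYSTEMA"), ("jday", "SYSTEMB"),
                              ("asmith", "SYSTEMB"), ("asmith", "SYSTEMA")]:
        ok, user, how = sign_on_test(dom, principal, "MYCO.COM", target)
        print(f"{principal}@MYCO.COM -> {target}: "
              f"{'OK' if ok else 'PROMPT'} {user} ({how})")
```

Running it shows the two outcomes the verification step distinguishes: jday reaches SYSTEMA through the identifier association, jday and asmith reach SYSTEMB only through the default registry policy, and asmith on SYSTEMA has no mapping at all, which is the case where the IBM i sign-on prompt is displayed and the configuration needs troubleshooting.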
Note: If your test of the single sign-on configuration fails, there might be a
problem with your configuration. You can troubleshoot single sign-on and learn
how to recognize and fix common problems with your single sign-on configuration.