To configure a single sign-on environment, you must use a compatible
authentication method together with Enterprise Identity Mapping (EIM),
which you use to create and manage your user profiles and identity mappings.
For IBM® i single sign-on solutions, the authentication method is network
authentication service (Kerberos).
Because a single sign-on environment can
be complex to configure, you might find it useful to create a test
environment before you implement single sign-on across your enterprise.
The Create a test single sign-on environment scenario demonstrates
how to configure such a test environment so that you can learn more
about the planning needs of implementing single sign-on and gain
a better understanding of how a single sign-on environment can
work for you.
After you work with a test environment,
you can use what you learn to plan how to implement single sign-on
on a larger scale in your enterprise. You might also find it useful to
work through the Enable single sign-on for IBM i scenario to learn
about the more advanced configuration options that you can employ
when you implement a single sign-on environment.
After
you have reviewed these and the other single sign-on scenarios, you
can use the single sign-on planning worksheets to create an informed
single sign-on implementation plan that fits the needs of your enterprise.
With these planning worksheets in hand, you are ready to continue
with the configuration process.
Configuring single sign-on involves a number of detailed configuration
steps. This information describes the high-level configuration tasks
for single sign-on and provides links to the more detailed configuration
information for both EIM and network authentication service where appropriate.
Perform these tasks to configure a single sign-on environment:
- Create your Windows domain
- Configure the KDC on the Active Directory (AD) Server.
Note: You can choose to create and run your KDC on IBM i PASE rather than
create a Windows domain and run the KDC on a Windows server.
- Add IBM i service
principals to the Kerberos server.
- Create a home directory for each Kerberos user who will
participate in your single sign-on environment.
- Verify TCP/IP domain information.
- Create an EIM domain by running both the network authentication
service wizard and the EIM configuration wizard on a server.
When you have completed these wizards, you have actually accomplished
the following tasks:
- Configured IBM i interfaces
to accept Kerberos tickets.
- Configured the Directory server on IBM i to be the EIM domain
controller.
- Created an EIM domain.
- Configured a user identity for IBM i and IBM i applications to use
when conducting EIM operations.
- Added a registry definition to EIM for the local IBM i registry and the local
Kerberos registry (if Kerberos is configured).
- For servers running IBM i 5.4 or later, see the scenario Propagate
network authentication service and EIM across multiple systems for
a detailed demonstration of how to use the Synchronize Functions wizard
in System i Navigator to propagate a single sign-on configuration
across multiple servers in a mixed IBM i release environment.
Administrators can save time by configuring single sign-on once
and propagating that configuration to all of their systems instead
of configuring each system individually.
- Finish your configuration for the network authentication
service.
Based on your single sign-on implementation plan,
create a home directory for users on your servers.
- Based on your implementation plan, customize your EIM environment
by setting up associations for the user identities in your enterprise.
- Configure other servers to participate in the EIM domain.
- Create EIM identifiers and identifier associations as
needed.
- Add additional registry definitions as needed.
- Create policy associations as needed.
- Test your single sign-on configuration.
To verify that you have configured network authentication service
and EIM correctly, sign on to a workstation in the Windows domain with
a user ID that has an EIM association, and then start a 5250 emulator
session from IBM i Access Client Solutions (the session must be configured
to use Kerberos authentication rather than prompting for a user ID and
password). If no IBM i sign-on prompt is displayed, EIM successfully
mapped the Kerberos principal, by way of an EIM identifier in the domain,
to a user profile on the system. If the sign-on prompt does appear, the
principal was not mapped: either no identifier or policy association
exists for it in the target registry, or the lookup was ambiguous.
Note: If you find that your test of
your single sign-on configuration fails, there might be a problem
with your configuration. You can troubleshoot single sign-on and learn
how to recognize and fix common problems with your single sign-on
configuration.
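The following is an added example, not code from the IBM i documentation or from EIM itself. It is a small in-memory model of the EIM lookup that the 5250 test above exercises: a Kerberos principal from the ticket is looked up in the EIM domain, first through identifier associations (source association in the Kerberos registry, target association in the IBM i registry), then, if the target registry permits policy lookups, through a default registry policy or default domain policy. A lookup that yields more than one target user is ambiguous and fails. The registry names (`MYCO.COM`, `SYSTEMA.MYCO.COM`, `SYSTEMB.MYCO.COM`), identifiers, principals and user profiles are constructed for the example, and the class and function names are this example's own, not an EIM API.

```python
"""Constructed model of an EIM lookup: Kerberos principal -> IBM i user profile.

Added example, not IBM code. Names below are made up. The lookup order
follows the documented EIM behaviour: identifier associations first, then
policy associations (default registry policy before default domain policy,
and only where policy lookups are enabled for the domain and the target
registry). More than one matching target user is an ambiguous lookup, which
fails; to the user that failure looks like an unexpected IBM i sign-on prompt.
"""
from dataclasses import dataclass, field


class AmbiguousLookup(Exception):
    """The lookup matched more than one target user; EIM does not pick one."""


@dataclass
class EimDomain:
    """In-memory stand-in for an EIM domain (constructed, not IBM's API)."""
    policy_enabled: bool = True                          # domain-level switch
    registries: dict = field(default_factory=dict)       # name -> policy lookups enabled
    source: dict = field(default_factory=dict)           # (registry, user) -> {identifiers}
    target: dict = field(default_factory=dict)           # (identifier, registry) -> {users}
    registry_policy: dict = field(default_factory=dict)  # (src reg, tgt reg) -> user
    domain_policy: dict = field(default_factory=dict)    # tgt reg -> user

    def add_registry(self, name, policy_lookups=True):
        self.registries[name] = policy_lookups

    def add_identifier_association(self, identifier, src_reg, src_user, tgt_reg, tgt_user):
        # One identifier carries a source association (who the person is in the
        # Kerberos registry) and target associations (their profile per IBM i registry).
        self.source.setdefault((src_reg, src_user), set()).add(identifier)
        self.target.setdefault((identifier, tgt_reg), set()).add(tgt_user)

    def lookup(self, src_reg, src_user, tgt_reg):
        if src_reg not in self.registries or tgt_reg not in self.registries:
            raise KeyError(f"registry not defined: {src_reg} or {tgt_reg}")
        # Step 1: identifier associations. Collect every target user reachable
        # from every identifier that claims this source user.
        users = set()
        for ident in self.source.get((src_reg, src_user), ()):
            users |= self.target.get((ident, tgt_reg), set())
        if len(users) > 1:
            raise AmbiguousLookup(f"{src_user}@{src_reg} -> {tgt_reg} matched {sorted(users)}")
        if users:
            return users.pop()
        # Step 2: policy associations, only if enabled for domain and target registry.
        if not (self.policy_enabled and self.registries[tgt_reg]):
            return None
        if (src_reg, tgt_reg) in self.registry_policy:  # more specific, wins
            return self.registry_policy[(src_reg, tgt_reg)]
        return self.domain_policy.get(tgt_reg)


def kerberos_signon(domain, principal, ibmi_registry):
    """Outcome of the 5250 test: ('OK', profile) or ('PROMPT', reason)."""
    name, sep, realm = principal.rpartition("@")  # Kerberos registry is named after the realm
    if not sep:
        return ("PROMPT", "principal has no realm")
    try:
        profile = domain.lookup(realm, name, ibmi_registry)
    except AmbiguousLookup as exc:
        return ("PROMPT", f"ambiguous: {exc}")
    if profile is None:
        return ("PROMPT", "no identifier or policy association in target registry")
    return ("OK", profile)


def build_sample_domain():
    """Constructed sample: one Kerberos registry, two IBM i registries."""
    d = EimDomain()
    d.add_registry("MYCO.COM")                                # Kerberos registry
    d.add_registry("SYSTEMA.MYCO.COM")                        # IBM i, policy lookups on
    d.add_registry("SYSTEMB.MYCO.COM", policy_lookups=False)  # IBM i, policy lookups off
    d.add_identifier_association("John Day", "MYCO.COM", "jday", "SYSTEMA.MYCO.COM", "JOHND")
    d.add_identifier_association("John Day", "MYCO.COM", "jday", "SYSTEMB.MYCO.COM", "JDAY")
    d.add_identifier_association("Sharon Jones", "MYCO.COM", "sjones", "SYSTEMA.MYCO.COM", "SHARONJ")
    # Default registry policy: any MYCO.COM principal without its own
    # association lands on SSOGUEST on system A.
    d.registry_policy[("MYCO.COM", "SYSTEMA.MYCO.COM")] = "SSOGUEST"
    return d


if __name__ == "__main__":
    d = build_sample_domain()
    for principal, reg in [("jday@MYCO.COM", "SYSTEMA.MYCO.COM"),
                           ("tmp@MYCO.COM", "SYSTEMA.MYCO.COM"),
                           ("tmp@MYCO.COM", "SYSTEMB.MYCO.COM")]:
        print(principal, "->", reg, kerberos_signon(d, principal, reg))
    # A second identifier claiming the same principal makes the lookup ambiguous.
    d.add_identifier_association("Sharon Jones (contractor)", "MYCO.COM", "sjones",
                                 "SYSTEMA.MYCO.COM", "SJONES2")
    print("sjones@MYCO.COM -> SYSTEMA.MYCO.COM", kerberos_signon(d, "sjones@MYCO.COM", "SYSTEMA.MYCO.COM"))
```

The last case is the one worth remembering when a test sign-on unexpectedly prompts: the principal can be perfectly well known to EIM and still fail, because two identifiers (or an identifier and a stale duplicate) both claim it for the same target registry. Checking for duplicate source associations before enabling policy associations keeps the fallback from masking that kind of error.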