Creating identifier associations for John Day

You must create the appropriate associations between the EIM identifier, John Day, and the user identities that the person represented by the identifier uses. These identifier associations, when properly configured, enable the user to participate in a single sign-on environment.

In this scenario, you need to create one source association and two target associations for the John Day identifier:
  • A source association for the jday Kerberos principal, which is the user identity that John Day, the person, uses to log in to Windows and the network. The source association allows the Kerberos principal to be mapped to another user identity as defined in a corresponding target association.
  • A target association for the JOHND IBM® i user profile, which is the user identity that John Day, the person, uses to log in to IBM i model and to other IBM i applications on System A. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.
  • A target association for the DAYJO IBM i user profile, which is the user identity that John Day, the person, uses to log in to IBM Navigator for i and other IBM i applications on System B. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.

Use the information from your planning work sheets to create the associations.

To create the source association for John Day's Kerberos principal, follow these steps:

  1. In IBM Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain and select Open.
    Note: You might be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  4. Right-click Identifiers and select Open.
  5. Right-click John Day and select Properties.
  6. On the Associations page, click Add.
  7. In the Add Association dialog box, specify or Browse to select the following information, and click OK.
    • Registry: MYCO.COM
    • User: jday
    • Association type: Source
  8. Click OK to close the Add Associations dialog box.

To create a target association for John Day's IBM i user profile on System A, follow these steps:
  1. On the Associations page, click Add.
  2. In the Add Association dialog box, specify or Browse to select the following information, and click OK:
    • Registry: SYSTEMA.MYCO.COM
    • User: JOHND
    • Association type: Target
  3. Click OK to close the Add Associations dialog box.

To create a target association for John Day's IBM i user profile on System B, follow these steps:
  1. On the Associations page, click Add.
  2. In the Add Association dialog box, specify or Browse to select the following information, and click OK:
    • Registry: SYSTEMB.MYCO.COM
    • User: DAYJO
    • Association type: Target
  3. Click OK to close the Add Associations dialog box.
  4. Click OK to close the Properties dialog box.

Now that you have created the identifier associations that map John Day's user identities to his EIM identifier, you can create similar associations for Sharon Jones.
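
The following added example, which is not IBM code and does not call the EIM API, models the three associations created above to show how a mapping lookup resolves from the source association to each target association. The `lookup` and `audit` functions are hypothetical names, and the audit rules are assumptions of this simplified model: it flags any configuration in which the model's lookup would return no result or more than one.

```python
# Simplified model of EIM association semantics (added example, not IBM's implementation).
from collections import defaultdict

# (identifier, registry, user, association type) exactly as configured in this scenario.
ASSOCIATIONS = [
    ("John Day", "MYCO.COM", "jday", "source"),
    ("John Day", "SYSTEMA.MYCO.COM", "JOHND", "target"),
    ("John Day", "SYSTEMB.MYCO.COM", "DAYJO", "target"),
]


def lookup(assocs, src_registry, src_user, tgt_registry):
    """Map a source identity to the target identities in tgt_registry."""
    ids = {i for i, r, u, t in assocs
           if t == "source" and (r, u) == (src_registry, src_user)}
    return sorted(u for i, r, u, t in assocs
                  if t == "target" and i in ids and r == tgt_registry)


def audit(assocs):
    """Return findings that make this model's lookup fail or become ambiguous."""
    findings = []
    owners = defaultdict(set)    # source identity -> identifiers that claim it
    targets = defaultdict(set)   # (identifier, registry) -> target users
    has_source = set()           # identifiers with at least one source association
    for ident, registry, user, kind in assocs:
        if kind == "source":
            owners[(registry, user)].add(ident)
            has_source.add(ident)
        elif kind == "target":
            targets[(ident, registry)].add(user)
    for (registry, user), idents in sorted(owners.items()):
        if len(idents) > 1:
            findings.append(f"source {user}@{registry} belongs to {sorted(idents)}")
    for (ident, registry), users in sorted(targets.items()):
        if len(users) > 1:
            findings.append(f"{ident}: ambiguous targets in {registry}: {sorted(users)}")
        if ident not in has_source:
            findings.append(f"{ident}: target in {registry} has no source association")
    return findings


if __name__ == "__main__":
    print(lookup(ASSOCIATIONS, "MYCO.COM", "jday", "SYSTEMA.MYCO.COM"))
    print(lookup(ASSOCIATIONS, "MYCO.COM", "jday", "SYSTEMB.MYCO.COM"))
    print(lookup(ASSOCIATIONS, "SYSTEMA.MYCO.COM", "JOHND", "SYSTEMB.MYCO.COM"))
    print(audit(ASSOCIATIONS))
```

The third lookup returns nothing because JOHND has only a target association, so it cannot be the starting point of a mapping.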