Creating identifier associations for Sharon Jones

You must create the appropriate associations between the EIM identifier, Sharon Jones, and the user identities that the person represented by the identifier uses. These associations, when properly configured, enable the user to participate in a single sign-on environment.

In this scenario, you need to create one source association and two target associations for the Sharon Jones identifier:
  • A source association for the sjones Kerberos principal, which is the user identity that Sharon Jones, the person, uses to log in to Windows and the network. The source association allows the Kerberos principal to be mapped to another user identity as defined in a corresponding target association.
  • A target association for the SHARONJ IBM® i user profile, which is the user identity that Sharon Jones, the person, uses to log in to IBM Navigator for i and other IBM i applications on System A. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.
  • A target association for the JONESSH IBM i user profile, which is the user identity that Sharon Jones, the person, uses to log in to IBM Navigator for i and other IBM i applications on System B. The target association specifies that a mapping lookup operation can map to this user identity from another one as defined in a source association for the same identifier.

Use the information from your planning work sheets to create the associations:

To create the source association for Sharon Jones' Kerberos principal, follow these steps:
  1. In IBM Navigator for i on System A, expand IBM i Management > Security > All Tasks > Enterprise Identity Mapping.
  2. Click Domain Management.
  3. Right-click MyCoEimDomain and select Open.
    Note: You might be prompted to connect to the domain controller. In that case, the Connect to EIM Domain Controller dialog box is displayed. You must connect to the domain before you can perform actions in it. To connect to the domain controller, provide the following information and click OK:
    • User type: Distinguished name
    • Distinguished name: cn=administrator
    • Password: mycopwd
      Note: Any and all passwords specified in this scenario are for example purposes only. To prevent a compromise to your system or network security, you should never use these passwords as part of your own configuration.
  4. Right-click Identifiers and select Open.
  5. Right-click Sharon Jones and select Properties.
  6. On the Associations page, click Add.
  7. On the Add Association dialog box, specify or Browse to select the following information, and click OK.
    • Registry: MYCO.COM
    • User: sjones
    • Association type: Source
  8. Click OK to close the Add Associations dialog box.

To create a target association to Sharon Jones' IBM i user profile on System A, follow these steps:

  1. On the Associations page, click Add.
  2. On the Add Association dialog box, specify or Browse to select the following information, and click OK:
    • Registry: SYSTEMA.MYCO.COM
    • User: SHARONJ
    • Association type: Target
  3. Click OK to close the Add Associations dialog box.

    To create a target association to Sharon Jones' IBM i user profile on System B, follow these steps:

  4. On the Associations page, click Add.
  5. On the Add Association dialog box, specify or Browse to select the following information, and click OK:
    • Registry: SYSTEMB.MYCO.COM
    • User: JONESSH
    • Association type: Target
  6. Click OK to close the Add Associations dialog box.
  7. Click OK to close the Properties dialog box.

Now that you have created the identifier associations that map Sharon Jones' user identities to her EIM identifier, you can create the default registry policy associations that map all of your Kerberos registry users to a specific user profile in each of the IBM i model user registries.