38 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Single sign-on (SSO)
The concept of single sign-on (SSO) is fairly straightforward: When a user
accesses a Web application, the user is challenged for a password only once,
and from that point forward in the user experience with all Web content, no
additional passwords are requested. Tivoli Access Manager provides SSO
capabilities through WebSEAL with a software library that authenticates the
user-provided name and password against information stored within a user
registry. Access Manager for e-business SSO can be provided through several
authentication methods: Basic Authentication (BA), as provided via an HTML
standard authentication mechanism, X.509 certificates, biometrics, and so on.
Once the user has authenticated to WebSEAL, the Access Manager framework can
be configured to pass certificate information to back-end Web resources
transparently to the user.
Virtual hosting
Multiple instances of WebSEAL can be created on a single machine using the
WebSEAL configuration utility. Also, a single WebSEAL instance can listen to
multiple interfaces and multiple ports. Different IP and SSL configuration
information can be associated with each interface.
2.2.4 Plug-In for Web servers
The Plug-In for Web servers architecture provides a solution where the customer
has decided to deploy a Web plug-in architecture rather than taking a reverse
proxy approach.
Figure 2-5 shows an architectural overview of the Plug-In for Web servers
implementation.
Chapter 2. Planning 39
Figure 2-5 Access Manager Plug-In for Web servers architecture
In most Web server environments, there are multiple server threads in operation
on the machine. These might be different threads of the same Web server
instance or threads of different Web server instances. Having a distinct
authorization engine for each thread would be inefficient, and it would also mean
that session information would have to be shared between them somehow.
The architecture used contains two parts:
- Interceptor
This is the real plug-in part of the solution. Each Web server thread has a
plug-in running in it that gets to see and handle each request/response that
the thread deals with. The interceptor does not make the authorization
decisions itself; it sends details of each request, via an inter-process
communication (IPC) interface, to the Plug-In Authorization Server.
- Plug-In Authorization Server
This is where authorization decisions are made and the action to be taken is
decided. There is a single Plug-In Authorization Server on each machine, and
it can handle requests from all plug-in types. The Plug-In Authorization Server
is a local cache mode aznAPI application that handles authentication and
authorization for the plug-ins. The Authorization Server receives intercepted
requests from the plug-ins and responds with a set of commands that tell the
plug-in how to handle the request.
[Figure 2-5 components: PDMGRD with the master ACL DB and LDAP; on the Web server machine, PDRTE hosting the Plug-in Auth Server and an ACL DB replica, connected over IPC to the Plug-In in each of four Web Server Instances]
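The following is an added illustration of the two-part design described above (a per-thread interceptor that forwards request details to one per-machine Plug-In Authorization Server and acts on the commands it returns); it is not code from Access Manager, and the message fields, command names, ACL entries and the "/login" path are constructed for the example rather than the product's real IPC protocol or aznAPI.

```python
# Added example: models the interceptor / Plug-In Authorization Server split.
# All message shapes, ACL entries and paths are constructed (hypothetical).
from dataclasses import dataclass, field


@dataclass
class PluginAuthorizationServer:
    """One per machine; serves every plug-in and holds the shared state."""
    acl: dict                      # protected-object path -> {group: set(perms)}
    groups: dict                   # user -> set(group names)
    sessions: dict = field(default_factory=dict)   # session id -> user

    def login(self, session_id, user):
        # Session state lives here, so every plug-in on the machine sees it
        # without the plug-ins having to share anything between themselves.
        self.sessions[session_id] = user

    def authorize(self, request):
        """Return a command for the plug-in; the plug-in never decides itself."""
        user = self.sessions.get(request.get("session_id"))
        if user is None:
            return {"action": "challenge", "form": "/login"}  # constructed path
        needed = "r" if request["method"] == "GET" else "x"  # constructed mapping
        entry = self.acl.get(request["path"], {})
        for group in self.groups.get(user, set()):
            if needed in entry.get(group, set()):
                return {"action": "allow", "user": user}
        return {"action": "deny", "status": 403}


def interceptor(server, method, path, session_id=None):
    """Runs in each Web server thread: describe the request, send it over the
    (simulated) IPC link and hand back the command the server returns."""
    details = {"method": method, "path": path, "session_id": session_id}
    return server.authorize(details)


def demo():
    # Constructed sample data: one protected object, two users, one server
    # shared by plug-ins in two different Web server instances.
    srv = PluginAuthorizationServer(
        acl={"/app/report": {"staff": {"r"}}},
        groups={"alice": {"staff"}, "bob": set()},
    )
    anonymous = interceptor(srv, "GET", "/app/report")            # instance 1
    srv.login("s1", "alice")                                       # login via instance 1
    allowed = interceptor(srv, "GET", "/app/report", "s1")         # seen by instance 2
    denied = interceptor(srv, "POST", "/app/report", "s1")         # no "x" permission
    return anonymous["action"], allowed["action"], denied["action"]


if __name__ == "__main__":
    print(demo())
```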