Chapter 4. Configuration and customization 155
Depending on the integration requirements, different identity data must be passed
to the WebSEAL-protected Web application, and in different formats. Most Web
applications, however, support standard HTTP-based mechanisms for identifying
the user, and WebSEAL builds on exactly these mechanisms.
4.9.1 Tivoli Global Sign-On (GSO) lockbox
Most Web applications support basic authentication or forms-based login for
verifying a user's authenticity and obtaining the user's identity. When this
support is used, the application, or the server it runs on, maintains a
database of user IDs and passwords (in the simplest case). After challenging
the user and obtaining a user ID and password, the application looks up the
matching entry; if one is found, the user is considered authenticated and his
or her identity is associated with the supplied user ID. In more sophisticated
environments, relational databases, legacy applications, or LDAP-based
repositories serve this purpose.
Access Manager supports a flexible single sign-on solution that features the
ability to provide alternative user IDs and passwords to the Web application
servers in two ways:
- By supplying the user ID and password in basic authentication headers
- By performing forms-based single sign-on
The integration is achieved by creating SSO-aware junctions between WebSEAL
and Web servers hosting the applications. GSO resources and GSO resource
groups must first be created in Access Manager for every application that
requires a different logon. When WebSEAL receives a request for a resource
located on the SSO-junctioned server, WebSEAL queries the Access Manager
user registry for the appropriate authentication information. The user registry
contains mappings for each user registered for using that application, which
provides alternative user IDs and passwords for specific resources. That
information must be in the registry before the junction is first used, and the
values (user IDs and passwords) must match those stored in the application's
home registry.
Note: Although junctions are set up per Web server, it is possible to provide
different SSO data to different applications hosted on the same server. To
achieve this, multiple GSO junctions to the same Web server are created, each
tied to a different GSO resource. Access control lists are then attached so
that only the URLs belonging to a given application can be requested through
the junction that carries that application's credentials.
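The following Python model is an added example and is not code from the Redbook or from Access Manager itself. It shows, in simplified form, what an SSO-aware junction does with a request: look up the alternate credentials for the requesting user and the junction's GSO resource, then hand them to the back end either as a basic authentication header or as a forms-based login POST. Two junctions to the same back-end host carry different GSO resources, and a per-junction path check stands in for the ACLs described in the note above. All resource names, junction names, user IDs, passwords, login URIs and form field names are constructed sample data.

```python
import base64
from urllib.parse import urlencode

# GSO resources (constructed). "basic" resources accept an Authorization
# header; "form" resources expect a POST to their login URI.
GSO_RESOURCES = {
    "hr-app": {"type": "basic"},
    "crm-app": {"type": "form", "login_uri": "/crm/j_security_check",
                "user_field": "j_username", "pwd_field": "j_password"},
}

# The lockbox: (Access Manager user, GSO resource) -> (alternate ID, password).
# In the product this lives in the user registry; here it is a dict.
LOCKBOX = {
    ("jsmith", "hr-app"):  ("smithj", "Hr-p4ss"),
    ("jsmith", "crm-app"): ("john.smith", "Crm-s3cret"),
    ("akumar", "hr-app"):  ("kumara", "Hr-0ther"),
}

# Two GSO junctions to the same back-end host, each bound to one resource.
# allowed_prefixes models the ACLs that keep /crm URLs off the /hr junction.
JUNCTIONS = {
    "/hr":  {"gso_resource": "hr-app",  "allowed_prefixes": ("/hr/",)},
    "/crm": {"gso_resource": "crm-app", "allowed_prefixes": ("/crm/",)},
}


def lookup_credentials(am_user, gso_resource):
    """Registry query: the alternate ID/password pair, or None if absent."""
    return LOCKBOX.get((am_user, gso_resource))


def basic_auth_header(user_id, password):
    """Build the Authorization header WebSEAL supplies to a basic-auth app."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return {"Authorization": "Basic " + token.decode("ascii")}


def decode_basic_header(value):
    """Inverse of basic_auth_header, as the back end would decode it."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    uid, _, pwd = base64.b64decode(token).decode("utf-8").partition(":")
    return uid, pwd


def forward_through_junction(junction, am_user, path):
    """Return the request the junction would send to the back-end server."""
    jcfg = JUNCTIONS.get(junction)
    if jcfg is None:
        return {"status": "no-such-junction"}
    # ACL check: only URLs that belong to this junction's application pass.
    if not any(path.startswith(p) for p in jcfg["allowed_prefixes"]):
        return {"status": "forbidden", "path": path}
    res_name = jcfg["gso_resource"]
    creds = lookup_credentials(am_user, res_name)
    if creds is None:
        # No lockbox entry: forward without SSO data; the back end will
        # challenge the user itself.
        return {"status": "no-gso-credential", "method": "GET",
                "path": path, "headers": {}}
    uid, pwd = creds
    res = GSO_RESOURCES[res_name]
    if res["type"] == "basic":
        return {"status": "ok", "method": "GET", "path": path,
                "headers": basic_auth_header(uid, pwd)}
    if res["type"] == "form":
        body = urlencode({res["user_field"]: uid, res["pwd_field"]: pwd})
        return {"status": "ok", "method": "POST", "path": res["login_uri"],
                "headers": {"Content-Type":
                            "application/x-www-form-urlencoded"},
                "body": body}
    raise ValueError(f"unknown resource type {res['type']!r}")


if __name__ == "__main__":
    for junction, user, path in [("/hr", "jsmith", "/hr/payslips"),
                                 ("/crm", "jsmith", "/crm/accounts"),
                                 ("/hr", "jsmith", "/crm/accounts"),
                                 ("/crm", "akumar", "/crm/accounts")]:
        print(junction, user, path, "->", forward_through_junction(junction, user, path))
```

In the product itself the equivalent objects are created with pdadmin: rsrc create for the GSO resource, rsrccred create with rsrctype web for a user's alternate credentials, and server task create with -b gso -T for the junction. Because WebSEAL must replay the stored passwords, the lockbox necessarily holds them in recoverable (encrypted, not hashed) form; read access to the user registry is therefore as sensitive as the back-end applications it unlocks.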
156 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
The obvious advantage of this solution is that no changes are required on the
application side. However, the user IDs and passwords in the application's
home user registry and in the Access Manager user registry must be kept
synchronized. (Registry synchronization can be accomplished with IBM Tivoli
Directory Integrator.)
A special situation arises if Access Manager and the secured application share
the same repository for user data, as shown in Figure 4-9 on page 157. An LDAP
directory is the most suitable platform for maintaining application-specific
information about users and groups, and, given compatible LDAP schemas, many
applications can share the same directory. LDAP provides a standardized way of
authenticating a user (an LDAP bind) against the user ID and password stored as
attributes of the user's entry. It offers no flexibility, however, in choosing
which attributes or object classes are used for that authentication: a bind or
compare is always evaluated against the user's primary identification
attributes (user ID and password).
When a GSO junction is used, Access Manager stores the GSO information for each
GSO user in specific LDAP attributes. As a result, the GSO user ID and password
supplied for a particular junction are not necessarily the same as the user's
primary ones. A junctioned application that shares the same LDAP repository
will, however, try to authenticate the user with these GSO values against the
primary ones (by performing an LDAP bind or compare), and that authentication
fails whenever the two differ. The primary user IDs and passwords must
therefore be kept identical to the GSO IDs and passwords.
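The shared-repository failure mode described above, as an added example that is not code from the Redbook or from Access Manager: the directory is a dict of entries whose userPassword is the primary credential, the junctioned application is modelled by a simple-bind function over that directory, and the GSO credentials for one resource are a separate dict (the product's real GSO attribute names are not reproduced). The audit function reports every user whose GSO pair would not bind, which is the check to run before relying on GSO against a shared directory. All DNs, user IDs and passwords are constructed sample data, stored in plaintext only for readability.

```python
import hmac

BASE_DN = "ou=people,dc=example,dc=com"

# Constructed directory: DN -> attributes. userPassword is the primary
# credential the application binds against.
DIRECTORY = {
    f"uid=jsmith,{BASE_DN}": {"uid": "jsmith", "userPassword": "Primary-1"},
    f"uid=akumar,{BASE_DN}": {"uid": "akumar", "userPassword": "Primary-2"},
    f"uid=lchen,{BASE_DN}":  {"uid": "lchen",  "userPassword": "Primary-3"},
}

# GSO credentials Access Manager would supply for the resource "hr-app":
# Access Manager user -> (GSO user ID, GSO password). Constructed data.
GSO_HR_APP = {
    "jsmith": ("jsmith", "Primary-1"),   # identical to the primary pair
    "akumar": ("akumar", "Old-pass"),    # LDAP password changed, GSO stale
    "lchen":  ("chen_l", "Primary-3"),   # GSO user ID is not the LDAP uid
}


def _eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def ldap_bind(directory, uid, password):
    """Simulated simple bind: resolve uid to its DN, check userPassword."""
    entry = directory.get(f"uid={uid},{BASE_DN}")
    if entry is None:
        return False                      # no such entry: bind fails
    return _eq(entry["userPassword"], password)


def ldap_compare(directory, dn, attr, value):
    """Simulated LDAP compare on one attribute of one entry."""
    entry = directory.get(dn)
    return entry is not None and _eq(entry.get(attr, ""), value)


def app_login_via_gso(am_user, directory=DIRECTORY, lockbox=GSO_HR_APP):
    """What the junctioned application does with the GSO pair WebSEAL
    supplies: a bind against the shared directory's primary credentials."""
    gso_uid, gso_pwd = lockbox[am_user]
    return ldap_bind(directory, gso_uid, gso_pwd)


def find_gso_mismatches(directory=DIRECTORY, lockbox=GSO_HR_APP):
    """Audit: every Access Manager user whose GSO pair would not bind,
    with the reason, so the registries can be brought back in line."""
    problems = {}
    for am_user, (gso_uid, gso_pwd) in lockbox.items():
        dn = f"uid={gso_uid},{BASE_DN}"
        if dn not in directory:
            problems[am_user] = "user ID differs from primary"
        elif not ldap_compare(directory, dn, "userPassword", gso_pwd):
            problems[am_user] = "password differs from primary"
    return problems


if __name__ == "__main__":
    for user in GSO_HR_APP:
        print(user, "login via GSO:", app_login_via_gso(user))
    print("mismatches:", find_gso_mismatches())
```

Only jsmith, whose GSO pair equals the primary pair, authenticates; the other two are exactly the drift cases that registry synchronization (for example with IBM Tivoli Directory Integrator) is meant to prevent.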