158 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
The important options for setting up GSO junctions are:
-b gso        Specifies that GSO should provide authentication information
              for all requests crossing this junction.
-T resource   Specifies the GSO resource or resource group. The resource name
              used as the argument to this option must exactly match the
              resource name as listed in the GSO database. Required for gso
              junctions.
To create a resource, you can use WPM or the pdadmin CLI:
pdadmin> rsrc create resource_name [-desc description]
Finally, you need mappings of resources to specific authentication
information. The authentication information is a user name and password
combination known as a resource credential. A resource credential identifies
a user's authentication information. WebSEAL uses a user's authentication
information when accessing a back-end Web resource or resource group through
a GSO-enabled junction on behalf of
For example, to create the Web resource credential named engwebs01 for the
resource user ID 4807ws01 and password pwd4lucas given to Access Manager
user dlucas, execute the following command:
pdadmin sec_master> rsrccred create engwebs01 rsrcuser 4807ws01 rsrcpwd pwd4lucas rsrctype web user dlucas
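The following check is an added example, not taken from the study guide or from IBM. It parses a saved pdadmin script and verifies that each junction's -T value exactly matches a created resource that also has a resource credential. The junction names, the HRweb01 resource and the function names are hypothetical; the script text is constructed from the two command forms shown above.

```python
import shlex

# Constructed sample: the two command forms from the text plus one extra resource.
SAMPLE_SCRIPT = """\
rsrc create engwebs01 -desc EngWeb
rsrccred create engwebs01 rsrcuser 4807ws01 rsrcpwd pwd4lucas rsrctype web user dlucas
rsrc create HRweb01
"""

# Hypothetical junction points and the -T resource value each was created with.
JUNCTIONS = {"/eng": "engwebs01", "/hr": "hrweb01", "/hrx": "HRweb01"}

def parse_script(text):
    """Return (resource names, credential records) from rsrc/rsrccred create lines."""
    resources, creds = set(), []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["rsrc", "create"] and len(tok) >= 3:
            resources.add(tok[2])
        elif tok[:2] == ["rsrccred", "create"] and len(tok) >= 3:
            # Remaining tokens are keyword/value pairs: rsrcuser, rsrcpwd, rsrctype, user.
            creds.append({"resource": tok[2], **dict(zip(tok[3::2], tok[4::2]))})
    return resources, creds

def audit(junctions, text):
    """List junctions whose -T value will not resolve, and cleartext passwords."""
    resources, creds = parse_script(text)
    findings = []
    for jct, name in junctions.items():
        if name not in resources:
            # "Exactly match" is treated here as string equality, so case matters.
            near = [r for r in resources if r.lower() == name.lower()]
            hint = f" (differs only in case from {near[0]!r})" if near else ""
            findings.append(f"{jct}: -T {name!r} has no exact match{hint}")
        elif not any(c["resource"] == name for c in creds):
            findings.append(f"{jct}: resource {name!r} has no resource credential")
    for c in creds:
        if "rsrcpwd" in c:
            # The password sits in the script file in cleartext.
            findings.append(f"cleartext rsrcpwd for user {c.get('user')!r} "
                            f"on resource {c['resource']!r}")
    return findings

if __name__ == "__main__":
    for finding in audit(JUNCTIONS, SAMPLE_SCRIPT):
        print(finding)
```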
4.9.2 Forms-based single sign-on
Forms-based single sign-on authentication supports existing applications that
use HTML forms for authentication that cannot be modified to directly trust the
authentication performed by WebSEAL. Forms-based single sign-on is built on
the following process:
1. WebSEAL interrupts the authentication process initiated by the back-end
2. WebSEAL supplies the data required by the login form and submits the login
on behalf of the user.
3. WebSEAL saves and restores all cookies and headers.
4. The user is unaware of the second login taking place between WebSEAL and
the back-end application.
5. The back-end application is unaware that the login form is not coming directly
from the user.