180 WebSphere Portal Express and Express Plus V5 for the IBM Eserver iSeries Server
This redbook explains how to enable and use the mechanisms provided for this approach. For
more information about the LTPA mechanism, consult IBM WebSphere V5.0 Security
WebSphere Handbook Series, SG24-6573.
For a more complete security solution, IBM provides Tivoli Access Manager.
SSO prerequisites
Before you configure SSO, you must configure and meet the following prerequisites and
conditions:
- Verify that all servers are configured as part of the same DNS domain. For example, if the
DNS domain is specified as mycompany.com, then SSO is effective with any Domino server
or WebSphere Application Server on a host that is part of the mycompany.com domain, for
example, a.mycompany.com and b.mycompany.com.
- Verify that all servers share the same user registry.
- Define all users in a single LDAP directory.
- Enable HTTP cookies in browsers, because the authentication information that the server
generates is transported to the browser in a cookie. The cookie is then used to propagate
the user's authentication information to other servers, so the user does not have to enter
the authentication information again for every request to a different server.
- Verify that all servers participating in a protection domain have their time, date, and time
zone synchronized. LTPA is time sensitive: if the clocks differ, LTPA tokens appear to be
prematurely expired and cause authentication or validation failures.
5.2 Portal authentication via WebSphere Application Server security
This section applies the concepts that are discussed in 5.1, “Web application authentication
concepts” on page 176, to explain WebSphere Portal authentication.
5.2.1 WebSphere Portal Form-based authentication
By default, WebSphere Portal uses the Custom Form-based authentication mechanism of
WebSphere Application Server to prompt users for a user ID and password. Form-based
authentication means that a user is prompted through an HTML form for the user ID and
password when he or she tries to access the protected page. The portal requests WebSphere
Application Server to validate the authentication information against a user registry.
To use WebSphere Application Server security, WebSphere Portal is configured as a secure
Web application. The following figures illustrate the main security-related configuration values
of the WebSphere Portal Server Web application.
Figure 5-1 shows the WebSphere Portal Server Enterprise Application Deployment descriptor
(application.xml) with details about Web modules and security roles. We use WebSphere
Development Studio Client for iSeries to work with the application.xml file.
Chapter 5. WebSphere Portal and single signon 181
Figure 5-1 WebSphere Portal Server enterprise application Web module
Figure 5-2 shows the context root for the Web module (context root becomes part of the URI
to invoke the Web application). This means that all resources under this URI, such as
/wps/myportal, become protected.
Figure 5-2 WebSphere Portal Server Web application module context root
Figure 5-3 shows the defined security roles for this Web application and the corresponding
WebSphere bindings.
Figure 5-3 Security roles and WebSphere binding