Before you begin
With single signon (SSO) support, Web users can authenticate once when accessing Web resources across multiple WebSphere Application Servers. Form login mechanisms for Web applications require that SSO is enabled.
SSO is supported only when Lightweight Third Party Authentication (LTPA) is the authentication mechanism.
When SSO is enabled, a cookie is created containing the LTPA token and inserted into the HTTP response. When the user accesses other Web resources in any other WebSphere Application Server process in the same domain name service (DNS) domain, the cookie is sent in the request. The LTPA token is then extracted from the cookie and validated. If the request is between different cells of WebSphere Application Servers, you must share the LTPA keys and the user registry between the cells for SSO to work. The realm names on each system in the SSO domain are case sensitive and must match identically.
For local OS on the Windows platform, the realm name is the domain name if a domain is in use. If a domain is not used, the realm name is the machine name. On the Linux or UNIX platforms, the realm name is the same as the host name.
For Lightweight Directory Access Protocol (LDAP) user registries, the realm name is the host:port of the LDAP server. The LTPA authentication mechanism requires that you enable SSO if any of the Web applications have form login as the authentication method.
Because single signon is a subset of LTPA, it is recommended that you read Lightweight Third Party Authentication for more information.
Token type | Purpose | How to specify |
---|---|---|
LtpaToken only | This token type is used for the same SSO behavior existing in WebSphere Application Server Version 5.1 and previous releases. Also, this token type is interoperable with those previous releases. | Disable the Web inbound security attribute propagation option located in the SSO configuration panel in the administrative console. To access this panel, complete the following steps: |
LtpaToken2 only | This token type is used for Web inbound security attribute propagation and uses the AES, CBC, PKCS5 padding encryption strength (128 bit key size). However, this token type is not interoperable with releases prior to WebSphere Application Server Version 5.1.1. The token type allows for multiple attributes specified in the token (mostly containing information to contact the original login server). | Enable the Web inbound security attribute propagation option in the SSO configuration panel within the administrative console. Disable the Interoperability mode option in the SSO configuration panel within the administrative console. To access this panel, complete the following steps: |
LtpaToken and LtpaToken2 | These tokens together support both of the previous two options. The token types are interoperable with releases prior to WebSphere Application Server Version 5.1.1 because LtpaToken is present. The security attribute propagation function is enabled because the LtpaToken2 is present. | Enable the Web inbound security attribute propagation option in the SSO configuration panel within the administrative console. Enable the Interoperability mode option in the SSO configuration panel within the administrative console. To access this panel, complete the following steps: |
Why and when to perform this task
The following steps are required to configure SSO for the first time.
Steps for this task
When you specify multiple domains, you can use the following delimiters: a semicolon (;), a space ( ), a comma (,), or a pipe (|). WebSphere Application Server searches the specified domains in order from left to right. Each domain is compared with the host name of the HTTP request until the first match is located. For example, if you specify ibm.com; austin.ibm.com and a match is found in the ibm.com domain first, WebSphere Application Server does not continue to search for a match in the austin.ibm.com domain. However, if a match is not found in either the ibm.com or austin.ibm.com domains, then WebSphere Application Server does not set a domain for the LtpaToken cookie.
You can configure the Domain name field using any of the following values:
Domain name value type | Example |
---|---|
Blank | |
Single domain name | austin.ibm.com |
UseDomainFromURL | UseDomainFromURL |
Multiple domain names | austin.ibm.com;raleigh.ibm.com |
Multiple domain names and UseDomainFromURL | |
For more information, see Single signon settings.
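The left-to-right domain search described above, worked through as an added Python example; this is not code from WebSphere Application Server or from this documentation. Two details the page does not spell out are assumptions here: an entry is taken to match when the request host equals it or ends in "." followed by it (the usual cookie-domain rule), and the UseDomainFromURL keyword is taken to mean the request host with its leftmost label removed. The sample field values and URLs are constructed for the demonstration.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Delimiters the documentation allows in the Domain name field: ';', ' ', ',' and '|'.
_DELIMITERS = re.compile(r"[;,| ]+")

# Keyword from the Domain name table; compared case-insensitively here (assumption).
_USE_DOMAIN_FROM_URL = "usedomainfromurl"


def parse_domain_list(domain_field: str) -> List[str]:
    """Split the Domain name field into its entries, keeping left-to-right order."""
    return [entry.lower() for entry in _DELIMITERS.split(domain_field) if entry]


def host_in_domain(host: str, domain: str) -> bool:
    """Assumed match rule: the request host equals the entry or ends in '.' + entry.

    The suffix test includes the dot so that 'notibm.com' does not match 'ibm.com'.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def domain_from_url_host(host: str) -> Optional[str]:
    """Assumed meaning of UseDomainFromURL: drop the leftmost label of the request host.

    A host with fewer than three labels (e.g. 'localhost' or 'ibm.com') yields nothing,
    so the search continues with the next entry.
    """
    labels = host.rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[1:])


def select_cookie_domain(domain_field: str, request_url: str) -> Optional[str]:
    """Return the Domain attribute for the LtpaToken cookie, or None when no entry matches.

    None corresponds to the documented behaviour of not setting a domain at all: the
    browser then scopes the cookie to the issuing host only.
    """
    host = urlsplit(request_url).hostname
    if not host:
        return None
    for entry in parse_domain_list(domain_field):
        if entry == _USE_DOMAIN_FROM_URL:
            derived = domain_from_url_host(host)
            if derived is not None:
                return derived
            continue
        if host_in_domain(host, entry):
            return entry  # first match wins; later entries are not examined
    return None


if __name__ == "__main__":
    # Constructed cases, including the page's own "ibm.com; austin.ibm.com" example.
    cases = [
        ("ibm.com; austin.ibm.com", "https://server.austin.ibm.com/app"),
        ("austin.ibm.com; ibm.com", "https://server.austin.ibm.com/app"),
        ("ibm.com; austin.ibm.com", "https://host.example.org/"),
        ("UseDomainFromURL", "https://server1.raleigh.ibm.com:9443/"),
        ("", "https://server.austin.ibm.com/"),
    ]
    for field, url in cases:
        print(f"{field!r:32} {url:45} -> {select_cookie_domain(field, url)}")
```

The ordering consequence is worth checking in your own configuration: with "ibm.com; austin.ibm.com" a request to server.austin.ibm.com receives Domain=ibm.com, so the LTPA cookie is presented to every host under ibm.com, and the narrower austin.ibm.com entry is never reached. Listing the most specific domain first keeps the cookie scoped as tightly as the deployment needs.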
What to do next
For the changes to take effect, save, stop, and restart all the product servers (deployment managers, nodes and Application Servers).
Related concepts
Web component security
Lightweight Third Party Authentication
Security attribute propagation
Related tasks
Configuring Lightweight Third Party Authentication
Related reference
Security: Resources for learning