To enable single sign-on:
- Ensure that the following prerequisites have been met:
  - There must be an existing LDAP server installed and configured. To configure an LDAP server, see the WebSphere Commerce Additional Software Guide.
  - WebSphere Commerce must be installed and configured to use LDAP.
  - WebSphere Application Server security is enabled with an LDAP user registry.
- Enable single sign-on within the WebSphere Application Server. For more information, search for "single sign-on" in the WebSphere Application Server Information Center. Select Single Sign-On: WebSphere Application Server and complete the following sections:
  - Configuring SSO for WebSphere Application Server.
  - Modify WebSphere Application Server security settings.
    Note: The step that details how to fill in the LDAP fields can be safely ignored.
  - Export the LTPA keys to a file.
- On your WebSphere Commerce machine, start the WebSphere Commerce Configuration Manager.
- To configure the Member Subsystem node:
  - Under WebSphere Commerce, expand host_name -> Instance List -> instance_name -> Instance Properties -> Member Subsystem.
  - In the Authentication Mode drop-down menu, select LDAP.
  - Enable the Single sign-on check box.
  - In the Host field, enter the fully qualified host name of your LDAP server.
  - Enter the administrator's distinguished name in the Administrator Distinguished Name field. This should be the same name that was used on your LDAP server.
  - In the Administrator Password field, enter the administrator's password. This should be the same password that was used on your LDAP server. Confirm the password in the Confirm Password field.
  - Complete each of the remaining fields.
  - Click Apply, then click OK.
- Configure the roles that will be assigned to users coming into the system from single sign-on (SSO). Every time a user connects to the system by SSO, WebSphere Commerce will try to assign the roles from the MemberRegistrationAttributes.xml file with registration type = "SSO". For more information, see the topic "MemberRegistrationAttributes XML and DTD files" in the WebSphere Commerce Developer information center.
- Restart the WebSphere Application Server.
Configure roles for SSO users
In WebSphere Commerce, security roles are assigned as part of the registration process. With single sign-on, the customer can bypass the registration step for your site if they have successfully authenticated to a collaborating system. The ability to be implicitly authenticated to a WebSphere Commerce site has very little value if the user will simply end up being denied access to the facilities that they want to use, for example, shopping at a store.
Therefore, the same automated role assignment that happens during user registration also happens in the session management code. In this case you would configure the roles for SSO shoppers using the 'SSO' registration type. This way, when a customer authenticates to the system, WebSphere Commerce will automatically provide all of the roles that they should have for the site. Keep in mind that the SSO role assignment happens on a site level and not on a store level (as with the typical user registration). Therefore, you should ensure that the storeAncestor attribute specified is actually an ancestor of the site (store 0).
Example:

```xml
<User registrationType="SSO" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization">
  <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
  <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
  <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
  <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization, o=Root Organization"/>
</User>
```
This example will give four roles to any shopper who comes into the system from SSO, provided the shopper's entry exists on the LDAP server somewhere below Default Organization (because of the memberAncestor specified).
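To make the scoping rules concrete, here is an added example (not WebSphere Commerce's own code) that reads a MemberRegistrationAttributes-style `<User registrationType="SSO">` block and reports which roles a given shopper DN would receive. It treats the memberAncestor check as an RDN-wise suffix comparison rather than a plain string suffix, so a DN under `o=NotDefault Organization` is correctly excluded, and it flags a storeAncestor that is not an ancestor of the site organization, which is assumed here to be `o=Root Organization`. The DN-matching rules and the `site_dn` parameter are assumptions for illustration, not the product's implementation.

```python
# Added example: an illustrative evaluator for SSO <User> blocks in
# MemberRegistrationAttributes.xml. Not WebSphere Commerce code; the DN
# matching rules below are an assumption made for this illustration.
import xml.etree.ElementTree as ET

# Constructed sample: the same four-role SSO block shown on this page,
# wrapped in a root element so it parses as a document.
SAMPLE_XML = """<MemberRegistrationAttributes>
  <User registrationType="SSO"
        memberAncestor="o=Default Organization,o=Root Organization"
        storeAncestor="o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization, o=Root Organization"/>
  </User>
</MemberRegistrationAttributes>
"""


def normalize_dn(dn):
    """Split a DN into (type, value) RDN tuples.

    Whitespace around each RDN is trimmed and both type and value are
    lower-cased, so "o=X, o=Y" and "o=x,o=y" compare equal (LDAP treats
    most DirectoryString attributes as caseIgnore). Escaped commas inside
    values are not handled; this is a simplification for the example.
    """
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_below(dn, ancestor):
    """True when `dn` is strictly below `ancestor` in the directory tree,
    i.e. the RDN list of `ancestor` is a proper suffix of that of `dn`.
    A naive string-suffix test would wrongly accept
    "uid=x,o=NotDefault Organization,o=Root Organization" for
    ancestor "o=Default Organization,o=Root Organization"."""
    d, a = normalize_dn(dn), normalize_dn(ancestor)
    return len(d) > len(a) and d[-len(a):] == a


def store_ancestor_is_valid(store_ancestor, site_dn="o=Root Organization"):
    """SSO role assignment happens at the site level (store 0), so the
    storeAncestor must be the site organization itself or one of its
    ancestors. `site_dn` defaults to an assumed site organization."""
    return normalize_dn(store_ancestor) == normalize_dn(site_dn) or is_below(
        site_dn, store_ancestor
    )


def sso_roles_for(user_dn, xml_text, site_dn="o=Root Organization"):
    """Return [(role name, role DN), ...] that the SSO blocks in `xml_text`
    would grant to a shopper whose LDAP entry is `user_dn`.

    Blocks whose storeAncestor is not an ancestor of the site raise
    ValueError so the misconfiguration is caught instead of silently
    granting nothing (or something unintended) at runtime.
    """
    root = ET.fromstring(xml_text.strip())
    granted = []
    for user in root.findall("User"):
        if user.get("registrationType") != "SSO":
            continue
        store_ancestor = user.get("storeAncestor", "")
        if not store_ancestor_is_valid(store_ancestor, site_dn):
            raise ValueError(
                "storeAncestor %r is not an ancestor of site %r" % (store_ancestor, site_dn)
            )
        # Only shoppers located below memberAncestor get the roles.
        if not is_below(user_dn, user.get("memberAncestor", "")):
            continue
        for role in user.findall("Role"):
            granted.append((role.get("name"), role.get("DN")))
    return granted


if __name__ == "__main__":
    for dn in (
        "uid=alice,o=Default Organization,o=Root Organization",
        "uid=bob,o=Seller Organization,o=Root Organization",
        "uid=eve,o=NotDefault Organization,o=Root Organization",
    ):
        print(dn, "->", len(sso_roles_for(dn, SAMPLE_XML)), "role(s)")
```

Running the block prints 4 roles for the shopper under Default Organization and 0 for the other two DNs; the third case is the one a plain string-suffix comparison would get wrong.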