Enabling single sign-on without LDAP
Enabling single sign-on (SSO) preserves user authentication across the different web applications in WebSphere Commerce. With HTTP single sign-on, a user is not prompted for security credentials more than once within a trust domain.
- Fix Pack 9 (8.0.0.9) or later
- Mod Pack 1 Fix Pack 1 (8.0.1.1) or later
Before you begin
Procedure
- Enable single sign-on in the WebSphere Commerce instance configuration file.
- Optional: If you are using the WebSphere Application Server LTPA token for single sign-on, enable LTPA in WebSphere Application Server.
- Open the WebSphere Application Server Administrative Console.
- Expand the Security node.
- Click Global Security.
- In the Authentication section, expand Web and SIP security.
- Click Single sign-on (SSO).
- Check the Requires SSL option.
- Click .
- Configure the roles that are assigned to users who access the system through single sign-on (SSO).
Every time a user connects to the system by SSO, WebSphere Commerce tries to assign the roles from the MemberRegistrationAttributes.xml file with registration type = "SSO". For more information, see MemberRegistrationAttributes XML and DTD files.
In WebSphere Commerce, security roles are assigned as part of the registration process. With single sign-on, a customer can bypass the registration step for your site if they have successfully authenticated to a collaborating system. Being implicitly authenticated to a WebSphere Commerce site has little value if the user is then denied access to the facilities they want to use, such as shopping in a store. Therefore, the same automated role assignment that happens during user registration also happens in the session management code. In this case, configure the roles for SSO shoppers by using the 'SSO' registration type. This way, when a customer authenticates to the system, WebSphere Commerce automatically grants all of the roles they need for the site. Keep in mind that SSO role assignment happens at the site level, not at the store level (as with typical user registration). Therefore, ensure that the storeAncestor attribute you specify is actually an ancestor of the site (store 0).
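The following checker, added here as an illustration rather than code from IBM or from WebSphere Commerce, flags SSO role entries whose storeAncestor is not the site (store 0), which is the misconfiguration the paragraph above warns about. It assumes a simplified layout of MemberRegistrationAttributes.xml (Attribute, Store, ConfiguredAttribute elements); only the storeAncestor attribute and the "SSO" registration type are taken from this page, so adjust the element names to the DTD shipped with your version.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the simplified layout this checker assumes:
# Attribute > Store[@storeAncestor] > ConfiguredAttribute[@registrationType].
# The shipped file may differ in detail; the element names here are assumptions.
SAMPLE_XML = """<MemberRegistrationAttributes>
  <Attribute name="ROLE">
    <Store storeAncestor="0">
      <ConfiguredAttribute registrationType="SSO">
        <Default><Value>Registered Customer</Value></Default>
      </ConfiguredAttribute>
    </Store>
    <Store storeAncestor="10001">
      <ConfiguredAttribute registrationType="UserRegistration">
        <Default><Value>Registered Customer</Value></Default>
      </ConfiguredAttribute>
      <ConfiguredAttribute registrationType="SSO">
        <Default><Value>Registered Customer</Value></Default>
      </ConfiguredAttribute>
    </Store>
  </Attribute>
</MemberRegistrationAttributes>"""

SITE_STORE_ID = "0"  # SSO role assignment is evaluated at the site level (store 0)


def check_sso_role_scope(xml_text):
    """Return (attribute name, storeAncestor, problem) for every SSO-typed entry
    that is not scoped to the site. An empty list means every SSO entry can apply."""
    findings = []
    root = ET.fromstring(xml_text)
    for attribute in root.iter("Attribute"):
        attr_name = attribute.get("name", "?")
        for store in attribute.iter("Store"):
            ancestor = store.get("storeAncestor")
            for cfg in store.iter("ConfiguredAttribute"):
                if cfg.get("registrationType") != "SSO":
                    continue  # store-level scoping is fine for other registration types
                if ancestor is None:
                    findings.append((attr_name, None, "missing storeAncestor"))
                elif ancestor != SITE_STORE_ID:
                    findings.append((attr_name, ancestor,
                                     "SSO entry scoped to a store, not the site"))
    return findings


if __name__ == "__main__":
    for name, ancestor, problem in check_sso_role_scope(SAMPLE_XML):
        print(f"{name}: storeAncestor={ancestor}: {problem}")
```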
- Enable single sign-on for Management Center.
- Optional: If you configured WebSphere Commerce to generate the LTPA token (you previously selected Configure JAAS Login Module), you must update the properties for the LogonCmd, UserRegistrationAddCmd, PersonProcessServicePersonRegister, and LogOffCmd.
- Optional: If LTPA tokens are being used, they can be allowed to keep a session alive beyond the standard WebSphere Commerce cookie-based session timeout. The LTPA token is checked only when the session has expired; if the token is still valid, the session is refreshed.
- Deploy your changes to the WebSphere Commerce enterprise archive (EAR).
- Restart the WebSphere Application Server.