Enabling SPNEGO single sign-on for IBM Security Access Manager (formerly Tivoli® Access Manager)
Configure IBM® Connections to use single sign-on with IBM® Security Access Manager (ISAM) formerly Tivoli® Access Manager and SPNEGO.
Before you begin
- Complete the task described in the Configuring web browsers to support SPNEGO topic.
- Ensure that ISAM is installed.
- This task describes how to enable single sign-on (SSO) for Security Access Manager on the Windows™ operating system.
- IBM® Connections supports the WebSphere® cookie-based, lightweight, third-party authentication (LTPA) mechanism as an SSO solution for ISAM. IBM® Connections does not support other SSO solutions that WebSEAL supports such as WebSphere® Trust Association Interceptor (TAI), Forms SSO, Cross-domain SSO, or E-community SSO.
- IBM® Connections supports the use of encrypted connections, Transparent Path junctions with Security Access Manager. IBM® Connections does not support TCP type junctions or ISAM Standard junctions.
- Verify that you can access IBM® Connections applications from a web browser.
- Set the IBM® WebSphere® Application Server single sign-on domain to the same value as the domain of the ISAM server.
About this task
Single sign-on (SSO) enables users to log in to an IBM® Connections application and switch to other applications within the product without having to authenticate again.
There are several different ways to configure SSO. The IBM® Connections DefaultAuthenticator protocol allows your users and Security Access Manager to prove their identities to one another in a secure manner. After users sign in to their Active Directory Windows™ client systems, they are automatically signed into both Security Access Manager and IBM® Connections.
To set up SSO using Security Access Manager with SPNEGO, complete the following steps:
Procedure
-
Create a user account for WebSEAL in your Active Directory domain. When creating the user
account, ensure that you specify the following options:
- The user cannot change the password
- The password never expires
For example, if you create an account for A User, where the Active Directory domain is isamspnego.example.com, the user identity is auser@isamspnego.example.com.
-
Map a Kerberos principal to an Active Directory user. Map the service principal name to the
account that you created in Step 1 by running the ktpass command on the domain controller. Use the
ISAM server through which users access IBM® Connections as the
instance in the service principal name.
-
Enable SPNEGO for WebSEAL:
- Stop the WebSEAL server.
- Enable SPNEGO over encrypted connections by adding the following lines to the WebSEAL
configuration file:
[spnego]
spnego-auth = https
[authentication-mechanisms]
auth-challenge-type = spnego
kerberosv5 = fully_qualified_path to the authentication library
For example: kerberosv5 = TDI_root\bin\stliauthn.dll
where TDI_root is the installation directory of Security Access Manager.
-
Enable TAI authentication as follows:
- In the WebSphere Application Server administrative console, navigate to .
- Enter the following name and value pair:
- Name
- com.ibm.websphere.security.performTAIForUnprotectedURI
- Value
- true
- Click OK and then click Save to preserve your update.
- Restart WebSEAL from the Services Control Panel. On Windows™, WebSEAL must be running as a service for SPNEGO authentication to work properly. Otherwise, it runs using the credentials of the logged in user.
-
Configure form-based authentication with transparent junctions. Complete all the steps in the
Enabling single sign-on for IBM Security Access
Manager topic except the steps about updating interService URLs
, adding a Tivoli Allow access to the Embedded Experience gadget, and adding an authenticator property. You need to use the IBM® HTTP Server URLs and the DefaultAuthenticator property in this configuration.Note: This procedure enables a fallback authentication method for user systems that do not support SPNEGO. This alternative is important for users of IBM Notes®, mobile devices, and other extensions for IBM® Connections.
-
Files and wikis display the log in button in Siteminder and SPNEGO
configuration even though the user is logged in. This occurs in public files and
wikis pages as the server does not require user authentication for public pages.
To solve this issue, you need to disable anonymous for wikis by mapping 'reader'
to 'All authenticated in application's realm'. This change needs to be done for
all SPNEGO-related configurations and not just Siteminder and SPNEGO
configuration. To remove the log in string for both Files and Wikis on SPNEGO
configurations, follow these steps:
- Log in to the WebSphere® Application Server admin console.
- Go to Applications and click Applications types.
- Click Websphere enterprise applications, then click Wikis/Files in the list.
- When the page loads, click User group mapping in Security role pane.
- Tick box beside Everyone.
- Click Map special subjects in the drop-down menu, then click All authenicated in application's realm.
- Click OK, then click
Save.Note: These steps need to be completed for Files and Wikis. Once the steps are done, restart the configuration to see the changes.
Results
After users sign in to the Windows™ desktop, they are automatically signed into IBM® Connections.