Configuring single sign-on for portlets with SAM and SPNEGO | HCL Digital Experience
Configure HCL Connections portlets to use single sign-on with IBM Security Access Manager and SPNEGO.
About this task
Single sign-on (SSO) enables users to log in to an HCL Connections application and switch to other applications within the product without having to authenticate again.
There are several different ways to configure SSO. This procedure describes an approach that uses the Kerberos authentication protocol. This authentication method allows Security Access Manager and users' web browsers to prove their identities to one another in a secure manner. After users sign in to their Active Directory Windows™ client systems, they are automatically signed in to both Security Access Manager and HCL Connections.
Configuring HCL Connections and HCL Portal to share a single deployment manager saves administration time by combining administration tasks for the two applications. Establishing a single sign-on environment benefits users by creating a more seamless environment between the two applications.
Procedure
- Before federating Portal as a managed node of the HCL Connections deployment manager, make sure the realm names match between the HCL Connections deployment manager and Portal.
If you must change the realm names so they match, follow the steps in Changing the realm name.
- Complete the following steps to collect files from the primary node and copy them to the deployment manager:
- To augment a deployment manager profile, run the following command from the AppServer_root/bin directory:
manageprofiles.bat -augment -templatePath c:/IBM/WebSphere/AppServer/profileTemplates/management.portal.augment -profileName Dmgr01
- Restart the deployment manager.
- Add the same Portal administration group as an administrators group on the HCL Connections deployment manager.
- Run the following command from the wp_profile_root/bin directory to federate the primary node:
addNode.bat dmgr_hostname dmgr_port -includeapps -includebuses -username was_admin_user -password was_admin_password
For example:
addNode.bat DMhost.cn.ibm.com 8879 -includeapps -includebuses -username adminuser -password adminpwd
- On the Portal server, run
syncNode.bat
and then restart the deployment manager and all node agents.
- To configure the IBM® HTTP Server with single sign-on, delete and re-add the web server on the WebSphere® Application Server Integrated Solutions Console. This configuration remaps all applications, including Portal, and imports the Portal certificate into IBM® HTTP Server.
- Skip this step if you are deploying on Portal 8. To configure the same SPNEGO single sign-on for Portal and Connections:
- Configure Security Access Manager on the Portal server, following the directions in the Configuring Security® Access Manager article that corresponds to your Portal server:
Note: For the Connections integration with the portlets, it is important that WebSEAL session cookies are sent to the junction server. This action can be defined by adding the -k option to the commands that create a junction.
For example, on Portal 7:
server task default-webseald-TAMhost.cn.ibm.com create -t ssl -b filter -A -F C:\WASLTPA.key -Z password -h DMhost.cn.ibm.com -c all -f -k -j -J trailer /wpsv70
ConfigEngine.bat run-svrssl-config -Dwp.ac.impl.PDAdminPwd=password
ConfigEngine.bat validate-pdadmin-connection -DWasPassword=password -Dwp.ac.impl.PDAdminPwd=password
ConfigEngine.bat enable-tam-all -DWasPassword=password
- Configure the ACL for WebSEAL to allow HTTP PUT requests by adding an ACL to the Portal junction.
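Added example (not part of the HCL documentation): a small Python check that parses a pdadmin junction-create command, such as the Portal 7 one in the note about the -k option, and reports when -k is missing, when the junction type is unencrypted TCP, or when LTPA (-A) is enabled without its key file options. The function names, the set of value-taking options, and the second sample command are assumptions made for this illustration.

```python
# Added example: lint pdadmin junction-create commands before running them.
# Options that consume the next token (subset used here; an assumption of this sketch).
VALUE_OPTS = {"-t", "-b", "-F", "-Z", "-h", "-c", "-J", "-p"}

# Command taken from the Portal 7 example on this page.
PAGE_CMD = (r"server task default-webseald-TAMhost.cn.ibm.com create -t ssl -b filter "
            r"-A -F C:\WASLTPA.key -Z password -h DMhost.cn.ibm.com -c all -f -k -j "
            r"-J trailer /wpsv70")
# Constructed counter-example: no -k, plain TCP, LTPA enabled without a key file.
BAD_CMD = ("server task default-webseald-webseal.example.com create -t tcp -A "
           "-h portal.example.com -c all /wpsv70")

def parse_junction_create(command):
    """Return (options, junction_point) for 'server task <instance> create ...'."""
    tokens = command.split()  # plain split keeps Windows backslashes intact
    if tokens[:2] != ["server", "task"] or "create" not in tokens:
        raise ValueError("not a junction create command")
    args = tokens[tokens.index("create") + 1:]
    opts, junction, i = {}, None, 0
    while i < len(args):
        tok = args[i]
        if tok in VALUE_OPTS and i + 1 < len(args):
            opts[tok] = args[i + 1]   # option followed by its value
            i += 2
        elif tok.startswith("-"):
            opts[tok] = True          # boolean switch such as -k, -f, -j, -A
            i += 1
        else:
            junction = tok            # positional argument: the junction point
            i += 1
    return opts, junction

def check_junction(command):
    """Return a list of findings; an empty list means the checks passed."""
    opts, junction = parse_junction_create(command)
    findings = []
    if "-k" not in opts:
        findings.append(f"{junction}: -k missing, WebSEAL session cookies "
                        "are not sent to the junction server")
    if opts.get("-t") in ("tcp", "tcpproxy"):
        findings.append(f"{junction}: junction type {opts['-t']} is unencrypted, "
                        "forwarded session cookies cross the network in clear text")
    if "-A" in opts and not ("-F" in opts and "-Z" in opts):
        findings.append(f"{junction}: -A (LTPA) given without both -F and -Z")
    return findings

if __name__ == "__main__":
    for cmd in (PAGE_CMD, BAD_CMD):
        print(check_junction(cmd) or "OK")
```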