Network Deployment (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Implement single sign-on to minimize web user authentications > Configure single sign-on capability with Tivoli Access Manager or WebSEAL


Configure Tivoli Access Manager plug-in for web servers for use with WAS

Tivoli Access Manager plug-in for web servers can be used as a security gateway for your protected WAS resources. With such an arrangement the plug-in authorizes all user requests before passing the credentials of the authorized user to WAS in the form of an iv-creds header. Trust between the plug-in and WAS is established through use of basic authentication headers containing the single sign-on (SSO) user password.


Procedure

  1. The Tivoli Access Manager plug-in for web servers configuration shows IV headers configured for post-authorization processing, and basic authentication that is configured as the authentication mechanism and for post-authorization processing, as shown in the example below.

  2. After a request is authorized, the basic authentication header is removed from the request (strip-hdr=always) and a new one is added (add-hdr=supply).

  3. Included in this new header is the password that is set when the SSO user is created in Create a trusted user account in Tivoli Access Manager.

  4. Specify this password in the supply-password parameter and it is passed in the newly created header. This basic authentication header enables trust between WAS and the plug-in.
  5. An iv-creds header is also added (generate=iv-creds), which contains the credential information of the user passed onto WAS. Session cookies are used to maintain session state.


Example 

[common-modules]
authentication = BA
session = session-cookie
post-authzn = BA
post-authzn = iv-headers

[iv-headers]
accept = all generate = iv-creds

[BA]
strip-hdr = always add-hdr = supply supply-password = sso_user_password


What to do next


Configure single sign-on using trust association or Configure single sign-on using trust association interceptor ++
Create a trusted user account in Tivoli Access Manager
Configure single sign-on capability with Tivoli Access Manager or WebSEAL

+

Search Tips   |   Advanced Search