Enable single sign-on

You can enable sign sign-on (SSO) by following the steps on this page.

To enable single sign-on:

1. Ensure that the following prerequisites have been met:

   • There must be an existing LDAP server installed and configured. To configure an LDAP server see Configure directory services with WebSphere Commerce.

   • WebSphere Commerce must be installed and configured to use LDAP.

   • Enabling only global security with an LDAP user registry.

2. Enable single sign-on within the WAS. For details, refer to the Implementing single sign-on to minimize Web user authentications topic in the WAS Information Center.

3. On your WebSphere Commerce machine, start the WebSphere Commerce Configuration Manager.

4. To configure the Member SubSystem node:

   1. Under WebSphere Commerce expand node > Commerce > Instance List > instance > Instance Properties > Member SubSystem.

   2. In the Authentication Mode drop-down menu, select Member Manager.

   3. In the Entry File Name field, enter the path to the XML file. The default value is ldap/ldapentry.xml.

   4. Enable the Single sign-on check box.

   5. Click Apply, then click OK.

   6. Ensure the instance server is started prior to exiting the Configuration Manager. The Configuration Manager requires a connection to publish changes to the deployed WebSphere Commerce application.

   7. Exit the Configuration Manager.

   8. Restart the WebSphere Commerce server.

5. Configure the roles that will be assigned to users coming in to the system from single sign-on (SSO). Every time a user connects to the system by SSO WebSphere Commerce will try to assign the roles from the MemberRegistrationAttributes.xml file with registration type = "SSO".

   For more information, see MemberRegistrationAttributes XML and DTD files.

6. Restart the WAS.

Configure roles for SSO users

In WebSphere Commerce, security roles are assigned as part of the registration process. With single sign-on, the customer can bypass the registration step for your site if they have successfully authenticated to a collaborating system. The ability to be implicitly authenticated to a WebSphere Commerce site has very little value if the user will simply end up being denied access to the facilities that they want to use, for example, shopping at a store.

Therefore, the same functionality of automated role assignment that happens with user registration also happens in the session management code. In this case your would configure the roles for SSO shoppers using the 'SSO' registration type. This way, when a customer authenticates onto the system, WebSphere Commerce will automatically provide all of the roles that they should have for the site. Keep in mind that the SSO role assignment happens on a site level and not on a store level (as with the typical user registration). Therefore, you should ensure that the storeAncestor attribute specified is actually an ancestor of the site (store 0). Example:

<User registrationType="SSO" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization"><BR>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/><BR>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/><BR>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/><BR>
    <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization,
           o=Root Organization"/><BR>
  </User>

This example will give four roles to any customer who comes in to the system from SSO if the customer exists on the LDAP server somewhere below the 'default organization' (because of the memberAncestor specified).

 

Related Concepts

Single sign-on

 

Related tasks

Enabling WAS security
Enabling security with an LDAP user registry