Secure >
Single sign-on
HTTP single sign-on preserves user authentication on different Web Applications. By using HTTP single sign-on the user is not prompted multiple times for security credentials within a given trust domain.
The trust domain includes:
- Cooperating but disparate WebSphere Application Server servers.
- Cooperating applications such as LDAP servers, for example, IBM Directory Server.
In a single sign-on (SSO) scenario, an HTTP cookie is used to propagate a user's authentication information to disparate Web servers relieving the user from entering authentication information for every new client-server session (assuming basic authentication).
WebSphere Commerce generates the Lightweight Third Party Authentication (LTPA) cookie, where it can be used by other WebSphere Application Server applications. This enables WebSphere Commerce to be the authentication engine. A JAAS login module named WCLogin is created and used during authentication to enable WebSphere Commerce to generate the LTPA cookie.
WebSphere Commerce requires LDAP to be used as the user repository when generating the LTPA cookie to be used by other WebSphere Application Server applications.
The login module is called during the logon process, where LogonCmd is mapped to the LTPATokenGenerationEnabledBaseAction Struts action. It proceeds to authenticate against the WCLogin JAAS login module to create the LTPA cookies if the user authenticates successfully.
Attention: There are several key limitations of single sign-on when it is used with WebSphere Commerce. These limitations are:
- The LTPA cookies might flow across different Web server ports.
- Applications that can read and issue the WebSphere Application Server LTPA token are supported.
- Web browsers that accept cookies are supported, so that LTPA cookies can be written.
- Enable single sign-on
Enabling single sign-on (SSO) preserves user authentication on different Web Applications in WebSphere Commerce. By using HTTP single sign-on, the user is not prompted multiple times for security credentials within a given trust domain.