4.4 Single Sign-On (SSO)
Prior to the introduction of a Single Sign-On (SSO), LANSA users had to supply a user name and password when connecting to each Windows and IBM i system. Single Sign-On gives users access to multiple computer systems within an organization after signing on only once.
Whether to use the Single Sign-On option is specified by selecting the option on the dialog, or the dialog.
The concept of Single Sign-On is to allow a user who is logged onto Windows to have their Windows credentials silently authenticated when they wish to use i5/OS machines.
The two key technologies that underpin the SSO mechanism are the Kerberos Network Authentication Protocol, and the IBM i Enterprise Identity Mapping (EIM) mechanism. These technologies must be understood and in use before using Single Sign-On with LANSA.
The necessary software and set up must be completed and fully tested before LANSA's SSO can be used. It is beyond the scope of the LANSA documentation to explain how to configure these two technologies.
Set up Single Sign-On
Following are the basic steps you will follow:
1. Ask your system administrator to configure your IBM i for Single Sign On from your Windows domain (ensure that the HOST principal name is added to the keytab file), and also to configure EIM on your IBM i to map each required Windows domain user to a corresponding IBM i user profile. Note that these must be working and tested before continuing with the next step.
The LANSA listener job user, its group profile or its Supplemental group profile must have the following authorities to the directories and files listed below:
Note: The names used may be different in your system
Configuration file requires data authority of *R and the path must have data authority of *X
/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf
Credential cache file requires data authority of *RW and the path must have data authority of *X
/QIBM/UserData/OS400/NetworkAuthentication/creds/krbcred_xxxxxx
Keytab file requires data authority of *R and the path must have data authority of *X
/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab
2. On the IBM i, run the LANSA CONFIGURE command, and choose the COMMS_EXTENSIONS facility to setup COMMS_EIM_USER with the username and password of an LDAP user authorized to query EIM. This step needs to be done only once per LANSA system on the IBM i.
3. Stop and restart the Listener job before continuing.
4. Repeat these next steps for each user to be included in Single Sign-On.
a. Assuming that one of the mappings set up in EIM maps from, say, Windows domain user [email protected] to LANSA user DEVUSER, log onto Windows as [email protected].
b. Start Visual LANSA, and from the Logon dialog, perform a using the user name and password of the LANSA user DEVUSER (as per example). It is necessary to do this at least once for a LANSA user before the option may be used to perform a Single Sign-On as that user.
c. When System Initialization is complete, check(select) the option and click to log on. Any values in the User ID and Password are ignored.
If the logon fails and a message box appears with the message "User [email protected] specified is not known to LANSA", then this indicates that one of the above steps may not have been completed successfully.
Also see