IBM® Content Navigator supports single sign-on (SSO) for IBM FileNet® P8, IBM Content Manager, and IBM Content Manager OnDemand repositories. However, the supported SSO methods are different for each type of repository. Additionally, other IBM Content Navigator components support or require SSO.
The SSO method that is supported for each IBM Content Navigator component varies depending on the type of repository that the component connects to and the web application server on which the component is deployed.
The SSO method that is supported for IBM FileNet P8 repositories requires the use of an additional SSO technology, such as Tivoli® Access Manager for e-business, SPNEGO/Kerberos, or CA SiteMinder. The exception to this rule is IBM CMIS for FileNet Content Manager, which supports only the use of LTPA and LDAP (on WebSphere Application Server) or trust between domains (on Oracle WebLogic Suite) for SSO.
If you use IBM Content Navigator to connect to only IBM FileNet P8 repositories, you can configure the IBM Content Navigator web client to use SSO and then deploy IBM Content Navigator to an SSO environment.
SSO provider | IBM Content Navigator web client | IBM Content Navigator for Microsoft Office desktop client | IBM Content Navigator Sync desktop client | IBM CMIS for FileNet Content Manager web application | IBM FileNet Collaboration Services web application |
---|---|---|---|---|---|
Tivoli Access Manager for e-business | ✓ | ✓ | |||
Security Assertion Markup Language (SAML) | ✓ | ||||
IBM Security Access Manager (ISAM 7.0) | ✓ | ||||
SPNEGO/Kerberos | ✓ | ✓ Remember: This component is not deployed to your web application server. | ✓ Remember: This component is not deployed to your web application server. However, the sync services are deployed with the IBM Content Navigator web client. | ✓ | |
CA SiteMinder | ✓ | ✓ | |||
LTPA and LDAP | ✓ Important: You must configure LTPA and LDAP when you configure and deploy IBM CMIS for FileNet Content Manager. Therefore, no additional tasks are required to configure IBM CMIS for FileNet Content Manager for SSO. |
SSO provider | IBM Content Navigator web client | IBM Content Navigator for Microsoft Office desktop client | IBM Content Navigator Sync desktop client | IBM CMIS for FileNet Content Manager web application | IBM FileNet Collaboration Services web application |
---|---|---|---|---|---|
Tivoli Access Manager for e-business | This component is not supported on Oracle WebLogic Server | ||||
Security Assertion Markup Language (SAML) | This component is not supported on Oracle WebLogic Server | ||||
IBM Security Access Manager (ISAM 7.0) | This component is not supported on Oracle WebLogic Server | ||||
SPNEGO/Kerberos | ✓ | ✓ Remember: This component is not deployed to your web application server. | ✓ Remember: This component is not deployed to your web application server. However, the sync services are deployed with the IBM Content Navigator web client. | This component is not supported on Oracle WebLogic Server | |
CA SiteMinder | ✓ | This component is not supported on Oracle WebLogic Server | |||
Trust between domains | ✓ Important: If you plan to deploy Content Platform Engine or Content Engine and IBM CMIS for FileNet Content Manager in different domains, you must enable trust between the domains. IBM CMIS for FileNet Content Manager supports Cross Domain Security or Global Trust. |
See the following topic in the IBM Content Navigator documentation for enabling trust between Oracle WebLogic Server domains: Enabling trust between the Content Platform Engine domain and the IBM Content Navigator domain.
Identity Providers (IdPs) | IBM Content Navigator web client | IBM Content Navigator for Microsoft Office desktop client | IBM Content Navigator Sync desktop client | IBM CMIS for FileNet Content Manager web application | IBM FileNet Collaboration Services web application | Further information |
---|---|---|---|---|---|---|
IBM Tivoli Federated Identity Manager | ✓ | |||||
Active Directory Federation Services | Important: This Identity Provider is not supported for IBM Content Navigator version 2.0.3 | |||||
PingFederate | Important: This Identity Provider is not supported for IBM Content Navigator version 2.0.3 |
The SSO method that is supported for IBM Content Manager repositories requires you to configure trusted logon on your IBM Content Manager library server and LDAP on WebSphere Application Server.
SSO Method | IBM Content Navigator web client | IBM Content Navigator for Microsoft Office desktop client | IBM CMIS for Content Manager web client |
---|---|---|---|
Trusted logon and LDAP | ✓ | ✓ |
If trusted logon and LDAP are configured, you can configure the IBM Content Navigator client to use SSO to log on to IBM Content Manager repositories. For more information, see Configuring single sign-on for IBM Content Navigator (IBM Content Manager).
The SSO method that is supported for IBM Content Manager OnDemand repositories requires you to create a security user exit to authenticate users.
SSO Method | IBM Content Navigator web client | IBM CMIS for Content Manager OnDemand web client |
---|---|---|
Security user exit | ✓ |