Topic
  • 6 replies
  • Latest Post - 2012-04-19T14:41:42Z by SystemAdmin
SystemAdmin
9855 Posts

Pinned topic Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

2012-04-12T12:16:47Z
Hi all,
we are integrating ITIM with the desktop SSO solution of Evidan. This solution provides us with web services which can be invoked to record the new password when it is changed from ITIM. We have validated that it is working as expected.

Once the integration is in place, we need to define a relation between ITIM services and the SSO application used for logging on to the systems. For instance, when the password of an AIX account is changed by ITIM, the SSO Manager needs to be asked to update the password for that user in the 'Putty' application. In the same way, when the password of an Oracle instance is changed by ITIM, the password of the SQLPlus application needs to be updated.

As far as we know, on the IBM desktop SSO solution this relation between ITIM Services and SSO Applications is obtained by defining key pairs on an attribute of a special ITIM Service, for instance <AIXService1|Putty>, <OracleInstace1|SQLPLus>... From our point of view it is not a good idea to set a fixed relation with the name of the service.

Looking back at the former IBM desktop SSO solution based on Passlogix, it was necessary to extend the ITIM schema, more precisely the erRemoteServiceItem class, to define a new attribute. That sounds better. Apart from taking care of the migration to new ITIM versions, does anyone have experience with extending the ITIM schema?
Updated on 2012-04-19T14:41:42Z by SystemAdmin
  • HomerJSimpson
    157 Posts

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-12T16:44:25Z
    Hi frisdale...

    You appear to be referring to the (VERY) old version of the ITIM/ESSO(Passlogix) integration.

    You should look at the install/config guide that comes with the latest TAMESSOAdapter (ITIM/ESSO 8.x integration). It is quite a bit different than what you're referring to below...and integrates much more seamlessly (no longer requires the pipe-delimited mapping you point out below).
  • SystemAdmin
    9855 Posts

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-18T11:05:31Z
    Thanks HomerJSimpson.

    I am not sure if I am mistaken, but the pipe-delimited mapping method is the current way used by the latest version, as you can see on the attached screenshot. A new ITIM service type is added for recording the SSO parameters, the ITIM service and SSO application mapping included. :-(
  • HomerJSimpson
    157 Posts

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-18T17:00:33Z
    frisdale...that is the old way of mapping ITIM Services to ESSO Auths.

    Here is an excerpt from the TAMESSOAdapter guide that explains how to tell ITIM which Auth ID each Service should pass creds to:

    Define Tivoli Access Manager E-SSO Authentication Service ID
    As a prerequisite, all application services in Tivoli Identity Manager are required to have a Tivoli Access Manager E-SSO Authentication Service ID defined on its service form. Otherwise, sign-on automation will not work.
    Because there is no Tivoli Access Manager E-SSO Authentication Service ID field on the service form by default, the following steps need to be completed to create this field on the service form:
    1. Select Configure System and then Design Forms.
    2. Double-click Service and then double-click the specific service.
    3. From the Attribute List, double-click the erservicessomapping attribute, which then appears under the service Tab on the design form.
    4. From the Properties menu, change the Label for this attribute to be TAM E-SSO Authentication Service ID.
    5. Click OK and then save the design form.
    6. Go to the service form, and fill in the authentication service ID under the TAM E-SSO Authentication Service ID field.
  • SystemAdmin
    9855 Posts

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-19T10:57:36Z
    Hi HomerJSimpson,
    you are right, we have just checked. So this approach is in line with my initial intention: "...needed to extend the ITIM schema, more concise the erRemoteServiceItem class, for defining a new attribute". I suppose the ESSO profile installation extends the service class to include the erservicessomapping attribute, although we are not able to identify where it is documented.
  • SystemAdmin
    9855 Posts

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-19T11:45:39Z
    I am pretty sure that will not be a supported configuration...

    I am also pretty sure that there are no adapters that extend objectclasses - there are no mechanisms for that. In case this should be part of the profile jar...

    erservicessomapping should be in your erRemoteServiceItem class already - it is on my systems.

    HTH

    Regards
    Franz Wolfhagen
  • SystemAdmin
    9855 Posts

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-19T14:41:42Z
    Thanks Franz for your point of view. On our ITIM, release 5.0 FP13, erservicessomapping is not an attribute of the Service objectclass, so it must have been defined in ITIM 5.1.
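Franz's point that erservicessomapping should already be on erRemoteServiceItem, and frisdale's finding that on a 5.0 FP13 directory it is not, both come down to one check against the directory's own schema: is the attribute listed under MUST or MAY of erRemoteServiceItem, or of one of its superclasses reached through SUP? The script below is an added example, not part of this thread and not IBM code; it parses objectClasses definitions in RFC 4512 syntax (the form an ldapsearch of cn=schema returns), unfolds LDIF continuation lines, follows the SUP chain and reports whether an attribute is allowed. The two schema fragments, the superclass name exampleServiceBase, the attribute exampleAttr and the OIDs are constructed placeholders that model the two outcomes reported in the thread; they are not ITIM's real schema.

```python
"""Check whether an attribute is allowed on an LDAP objectclass, following the
SUP (superclass) chain, from objectClasses definitions in RFC 4512 syntax.
Added example; the schema fragments at the bottom are constructed placeholders."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ObjectClass:
    name: str
    sup: List[str] = field(default_factory=list)
    must: List[str] = field(default_factory=list)
    may: List[str] = field(default_factory=list)


def _unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines: a line beginning with a single space
    continues the previous one (ldapsearch folds long schema values)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _keyword_list(body: str, keyword: str) -> List[str]:
    """Tokens that follow KEYWORD, in either the single-token form (SUP top)
    or the parenthesised '$'-separated list form (MAY ( a $ b ))."""
    m = re.search(rf"\b{keyword}\s+(?:\(\s*(?P<lst>[^)]*)\)|(?P<one>[^\s()]+))", body)
    if not m:
        return []
    if m.group("lst") is not None:
        return [t.strip().strip("'") for t in m.group("lst").split("$") if t.strip()]
    return [m.group("one").strip("'")]


def parse_objectclasses(schema_text: str) -> Dict[str, ObjectClass]:
    """Parse every 'objectClasses:' value into an ObjectClass, keyed by the
    lower-cased name (LDAP names are case-insensitive)."""
    classes: Dict[str, ObjectClass] = {}
    for line in _unfold_ldif(schema_text):
        line = line.strip()
        if not line.lower().startswith("objectclasses:"):
            continue
        body = line.split(":", 1)[1]
        name_m = re.search(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')", body)
        if not name_m:
            continue  # malformed definition; skip rather than guess
        name = name_m.group(1) or name_m.group(2)
        classes[name.lower()] = ObjectClass(
            name=name,
            sup=_keyword_list(body, "SUP"),
            must=_keyword_list(body, "MUST"),
            may=_keyword_list(body, "MAY"),
        )
    return classes


def allowed_attributes(classes: Dict[str, ObjectClass], oc_name: str) -> Set[str]:
    """All MUST and MAY attributes of oc_name, including those inherited
    through the SUP chain; returned lower-cased. Unknown superclasses
    (e.g. 'top' when it is not in the input) are skipped."""
    result: Set[str] = set()
    seen: Set[str] = set()
    stack = [oc_name.lower()]
    while stack:
        cur = stack.pop()
        if cur in seen or cur not in classes:
            continue
        seen.add(cur)
        oc = classes[cur]
        result.update(a.lower() for a in oc.must + oc.may)
        stack.extend(s.lower() for s in oc.sup)
    return result


def has_attribute(schema_text: str, oc_name: str, attribute: str) -> bool:
    """True if `attribute` is allowed on `oc_name` directly or by inheritance."""
    return attribute.lower() in allowed_attributes(parse_objectclasses(schema_text), oc_name)


# Constructed fragment modelling the case Franz describes: the attribute is
# already allowed, here inherited from a placeholder superclass.
SCHEMA_WITH_MAPPING = """\
objectClasses: ( 0.0.0.0.1 NAME 'exampleServiceBase' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ erservicessomapping ) )
objectClasses: ( 0.0.0.0.2 NAME 'erRemoteServiceItem' SUP exampleServiceBase STRUCTURAL MAY ( exampleAttr ) )
"""

# Constructed fragment modelling the case frisdale reports: the attribute is
# absent from the whole chain. The first value is folded as ldapsearch prints it.
SCHEMA_WITHOUT_MAPPING = """\
objectClasses: ( 0.0.0.0.1 NAME 'exampleServiceBase' SUP top STRUCTURAL
  MUST ( cn ) MAY ( description ) )
objectClasses: ( 0.0.0.0.2 NAME 'erRemoteServiceItem' SUP exampleServiceBase STRUCTURAL MAY ( exampleAttr ) )
"""

if __name__ == "__main__":
    for label, schema in (("present", SCHEMA_WITH_MAPPING), ("absent", SCHEMA_WITHOUT_MAPPING)):
        found = has_attribute(schema, "erRemoteServiceItem", "erservicessomapping")
        print(f"{label}: erservicessomapping allowed on erRemoteServiceItem -> {found}")
```

To run it against a real ITIM directory, replace the placeholder fragments with the objectClasses values exported from the directory server (with an LDAP client, something like a base-scope search of cn=schema requesting the objectClasses attribute; the exact flags depend on the client). Whether the attribute turns up on erRemoteServiceItem itself or on a superclass matters for the question the thread asks: if a superclass already allows it, adding it again by extending erRemoteServiceItem is redundant, and, as Franz notes, a hand-modified product schema is unlikely to be a supported configuration.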