we are integrating ITIM with the desktop SSO solution of Evidan. This solution provides us with web services which can be invoked for recording the new password when it is changed from ITIM. We have validated that it is working as expected.
Once the integration has been got, it is needed to define a relation between ITIM services and SSO application used for loggin on the systems. For instance, when the password of an AIX account is changed by ITIM, it is needed to ask the SSO Manager to update the password for that user on the 'Putty' application. At the same way, when a change password for Oracle instances are changed by ITIM, the password of SQLPlus application is needed to be updated.
As far as we know on the IBM desktop SSO solution , this needed relation between ITIM Services and SSO Application is got by defining key pars on an attribute of an special ITIM Service, for instance, <AIXService1|Putty>, <OracleInstace1|SQLPLus>... From our point of view it is not a good idea to set a fixed relation with the name of the service.
Looking back the former IBM desktop SSO solution based on Passlogic, it was needed to extend the ITIM schema, more concise the erRemoteServiceItem class, for defining a new attribute. It sounds better. In additional to take care the migration to new ITIM versions, has anyone experience on that extending the ITIM schema?.
NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
This topic has been locked.
6 replies Latest Post - 2012-04-19T14:41:42Z by SystemAdmin
Pinned topic Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2012-04-19T14:41:42Z at 2012-04-19T14:41:42Z by SystemAdmin
HomerJSimpson 270003289F157 PostsACCEPTED ANSWER
Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?2012-04-12T16:44:25Z in response to SystemAdminHi frisdale...
You appear to be referring to the (VERY) old version of the ITIM/ESSO(Passlogix) integration.
You should look at the install/config guide that comes with the latest TAMESSOAdapter (ITIM/ESSO 8.x integration). It is quite a bit different than what you're referring to below...and integrates much more seamlessly (no longer requires the pipe-delimited mapping you point out below).
Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?2012-04-18T11:05:31Z in response to HomerJSimpsonThanks HomerJSimpson.
I am not sure if I am in mistake, but the pipe-delimited mapping method is the current way used by the lastest version as you can see on the attached screenshoot. A new ITIM service type is added for recording the SSO parameters, ITIM service and SSO Application mapping inclusive. :-(
HomerJSimpson 270003289F157 PostsACCEPTED ANSWER
Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?2012-04-18T17:00:33Z in response to SystemAdminfrisdale...that is the old way of mapping ITIM Services to ESSO Auths.
here is an excerpt from the TAMESSOAdapter guide, that explains how to tell ITIM which Auth ID each Service should pass creds to:
Define Tivoli Access Manager E-SSO Authentication Service ID
As a prerequisite, all application services in Tivoli Identity Manager are required to
have a Tivoli Access Manager E-SSO Authentication Service ID defined on its
service form. Otherwise, sign-on automation will not work.
Because there is no Tivoli Access Manager E-SSO Authentication Service ID field
on the service form by default, the following steps need to be completed to create
this field on the service form:
1. Select Configure System and then Design Forms.
2. Double-click Service and then double-click the specific service .
3. From the Attribute List, double-click the erservicessomapping attribute, which
then appears under the service Tab on the design form.
4. From the Properties menu, change the Label for this attribute to be TAM
E-SSO Authentication Service ID.
5. Click OK and then save the design form.
6. Go to the service form, and fill in the authentication service ID under the TAM
E-SSO Authentication Service ID field.
Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?2012-04-19T10:57:36Z in response to HomerJSimpsonHi HomerJSimpson,
you are right, we have just checked. So, this approach is going in line with my initial intentions "...needed to extend the ITIM schema, more concise the erRemoteServiceItem class, for defining a new attribute". I suppose the ESSO profile installation extends the service class for including erservicessomapping attribute, although we are not able to identify where it is documentated.
Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?2012-04-19T11:45:39Z in response to SystemAdminI am pretty sure that will not be a supported configuration...
I am also pretty sure that there is no any adapters that extends objectclasses - there are no mechanisms for that. In case this should be part of the profile jar...
erservicessomapping should be in your erRemoteServiceItem class already - it is on my systems.
Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?2012-04-19T14:41:42Z in response to SystemAdminThanks Frank for your point of view. On our ITIM, relase 5.0 FP13, erservicessomapping is not an attribute of Service objectclass, so it must have been defined on ITIM 5.1.