6 replies Latest Post - 2012-04-19T14:41:42Z by SystemAdmin
SystemAdmin

Pinned topic Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

2012-04-12T12:16:47Z
Hi all,
we are integrating ITIM with the desktop SSO solution of Evidan. This solution provides us with web services which can be invoked for recording the new password when it is changed from ITIM. We have validated that it is working as expected.

Once the integration is in place, it is needed to define a relation between ITIM services and the SSO application used for logging on to the systems. For instance, when the password of an AIX account is changed by ITIM, it is needed to ask the SSO Manager to update the password for that user on the 'Putty' application. In the same way, when the password for Oracle instances is changed by ITIM, the password of the SQLPlus application needs to be updated.

As far as we know of the IBM desktop SSO solution, this needed relation between ITIM Services and SSO Application is got by defining key pairs on an attribute of a special ITIM Service, for instance, <AIXService1|Putty>, <OracleInstance1|SQLPlus>... From our point of view it is not a good idea to set a fixed relation with the name of the service.

Looking back at the former IBM desktop SSO solution based on Passlogic, it was needed to extend the ITIM schema, more precisely the erRemoteServiceItem class, for defining a new attribute. It sounds better. In addition to taking care of the migration to new ITIM versions, has anyone experience with extending the ITIM schema?
Updated on 2012-04-19T14:41:42Z at 2012-04-19T14:41:42Z by SystemAdmin
  • HomerJSimpson

    Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

    2012-04-12T16:44:25Z  in response to SystemAdmin
    Hi frisdale...

    You appear to be referring to the (VERY) old version of the ITIM/ESSO(Passlogix) integration.

    You should look at the install/config guide that comes with the latest TAMESSOAdapter (ITIM/ESSO 8.x integration). It is quite a bit different than what you're referring to below...and integrates much more seamlessly (no longer requires the pipe-delimited mapping you point out below).
    • SystemAdmin

      Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

      2012-04-18T11:05:31Z  in response to HomerJSimpson
      Thanks HomerJSimpson.

      I am not sure if I am mistaken, but the pipe-delimited mapping method is the current way used by the latest version as you can see on the attached screenshot. A new ITIM service type is added for recording the SSO parameters, ITIM service and SSO Application mapping inclusive. :-(
      • HomerJSimpson

        Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

        2012-04-18T17:00:33Z  in response to SystemAdmin
        frisdale...that is the old way of mapping ITIM Services to ESSO Auths.

        Here is an excerpt from the TAMESSOAdapter guide, that explains how to tell ITIM which Auth ID each Service should pass creds to:

        Define Tivoli Access Manager E-SSO Authentication Service ID
        As a prerequisite, all application services in Tivoli Identity Manager are required to
        have a Tivoli Access Manager E-SSO Authentication Service ID defined on its
        service form. Otherwise, sign-on automation will not work.
        Because there is no Tivoli Access Manager E-SSO Authentication Service ID field
        on the service form by default, the following steps need to be completed to create
        this field on the service form:
        1. Select Configure System and then Design Forms.
        2. Double-click Service and then double-click the specific service.
        3. From the Attribute List, double-click the erservicessomapping attribute, which
        then appears under the service Tab on the design form.
        4. From the Properties menu, change the Label for this attribute to be TAM
        E-SSO Authentication Service ID.
        5. Click OK and then save the design form.
        6. Go to the service form, and fill in the authentication service ID under the TAM
        E-SSO Authentication Service ID field.
        • SystemAdmin

          Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

          2012-04-19T10:57:36Z  in response to HomerJSimpson
          Hi HomerJSimpson,
          you are right, we have just checked. So, this approach is in line with my initial intentions "...needed to extend the ITIM schema, more concise the erRemoteServiceItem class, for defining a new attribute". I suppose the ESSO profile installation extends the service class to include the erservicessomapping attribute, although we are not able to identify where it is documented.
          • SystemAdmin

            Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

            2012-04-19T11:45:39Z  in response to SystemAdmin
            I am pretty sure that will not be a supported configuration...

            I am also pretty sure that there are no adapters that extend objectclasses - there are no mechanisms for that. In case this should be part of the profile jar...

            erservicessomapping should be in your erRemoteServiceItem class already - it is on my systems.

            HTH

            Regards
            Franz Wolfhagen
            • SystemAdmin

              Re: Integrating ITIM and desktop SSO solutions. Extend the ITIM schema?

              2012-04-19T14:41:42Z  in response to SystemAdmin
              Thanks Frank for your point of view. On our ITIM, release 5.0 FP13, erservicessomapping is not an attribute of the Service objectclass, so it must have been defined on ITIM 5.1.
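The thread ends on exactly the question a practitioner has to settle before relying on the adapter: does the directory's erRemoteServiceItem objectclass actually allow erservicessomapping on this ITIM level? The following is an added example, not code from the thread or from IBM; it parses RFC 4512-style objectClass definitions (the format the subschema entry returns) and resolves SUP inheritance, so the check cannot be fooled by the attribute living on a parent class. The two schema snippets, their OIDs and the extra attributes are constructed for illustration; pull the real objectClasses values from your own directory's subschema entry.

```python
"""Check whether an LDAP objectClass (here erRemoteServiceItem) permits an
attribute (here erservicessomapping), following SUP inheritance.
The schema text below is CONSTRUCTED for illustration; OIDs are placeholders."""
import re

# Constructed: the class without the mapping attribute (the 5.0 situation in the thread)
SCHEMA_WITHOUT = """
( 1.2.3.4.5.6 NAME 'erRemoteServiceItem' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ owner ) )
( 1.2.3.4.5.7 NAME 'top' ABSTRACT MUST objectClass )
"""
# Constructed: the same class with erservicessomapping listed under MAY
SCHEMA_WITH = """
( 1.2.3.4.5.6 NAME 'erRemoteServiceItem' SUP top STRUCTURAL MUST ( cn ) MAY ( description $ erservicessomapping $ owner ) )
( 1.2.3.4.5.7 NAME 'top' ABSTRACT MUST objectClass )
"""


def _list_after(keyword, definition):
    """Return the names following KEYWORD, either a '( a $ b )' list or a single token."""
    m = re.search(rf"\b{keyword}\s+(\(([^)]*)\)|\S+)", definition)
    if not m:
        return []
    raw = m.group(2) if m.group(2) is not None else m.group(1)
    return [t.strip().lower() for t in raw.split("$") if t.strip()]


def parse_objectclasses(text):
    """Map each lowercased class name to its SUP list and MUST/MAY attribute sets."""
    classes = {}
    for line in text.strip().splitlines():
        line = line.strip()
        name_m = re.search(r"\bNAME\s+(\([^)]*\)|'[^']*')", line)
        if not line.startswith("(") or not name_m:
            continue  # not an objectClass definition we can use
        entry = {"sup": _list_after("SUP", line),
                 "must": set(_list_after("MUST", line)),
                 "may": set(_list_after("MAY", line))}
        for name in re.findall(r"'([^']*)'", name_m.group(1)):
            classes[name.lower()] = entry
    return classes


def allowed_attributes(classes, classname, _seen=None):
    """All MUST and MAY attributes of a class and its SUP chain (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    key = classname.lower()
    if key in seen or key not in classes:
        return set()
    seen.add(key)
    attrs = classes[key]["must"] | classes[key]["may"]
    for parent in classes[key]["sup"]:
        attrs |= allowed_attributes(classes, parent, seen)
    return attrs


def class_allows(schema_text, classname, attribute):
    """True if the class (directly or via SUP) permits the attribute; names are case-insensitive."""
    return attribute.lower() in allowed_attributes(parse_objectclasses(schema_text), classname)
```

Run it against the objectClasses values of your directory's subschema entry; if the attribute is absent, the adapter's Design Forms step cannot place it and any service form using it will be rejected by the directory.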