Configuring single sign-on (SSO) for federated IBM BPM environments by using LTPA keys
In single sign-on (SSO) environments, Lightweight Third Party Authentication (LTPA) keys are shared between Process Portal, Process Federation Server, and each IBM® BPM server in the federated environment. After a user logs in to one server, that server issues an LTPA token (carried in the LtpaToken2 browser cookie) that is signed with the shared keys, so every other server in the federation can validate it. Users can therefore access all the other servers for which they are authorized without being prompted again for their credentials.
Before you begin
- Domains: The Process Federation Server and the IBM BPM servers, including the server that hosts Process Portal, must be in the same domain, so that the browser sends the LTPA cookie to all of them.
- User registries for Process Federation Server and IBM BPM servers:
- The user registries must be shared. Different federated IBM BPM environments can use different user registries, but you must configure these user registries on both Process Federation Server and the IBM BPM server that hosts Process Portal. Restriction: You cannot mix LDAP servers with other authentication services, such as a basic user registry or a custom user registry.
- The user registries must use the same realm. The realm name must be the same as the one that you set for Process Federation Server. To do so, in the WebSphere® Application Server administration console, go to , then, in the User account repository section, set your LDAP directory to use a federated repository and name the realm ldap_realm. For more information, see the Federated repositories page of the WebSphere Application Server knowledge center.
- LTPA key file:
- The keys are active.
- All the IBM BPM servers, including the server that hosts Process Portal, share an LTPA key file.
- System times: LTPA tokens carry an expiry time that each receiving server checks against its own clock. To avoid tokens being rejected early (or accepted past their intended lifetime), ensure that the system times on Process Federation Server and each IBM BPM server in the production environment are synchronized, for example with NTP.
About this task
Procedure
What to do next
1. From a web browser, go to a URL on any federated IBM BPM system or the IBM BPM server that hosts Process Portal, for example, the Process Portal URL: https://bpm_host.mycompany.com:9443/ProcessPortal. Import the signer certificate if prompted to do so by the browser. Tip: Before you are directed to Process Portal, you should be prompted for your user ID and password the first time you access the URL.
2. From the same web browser, go to a URL on any other IBM BPM system in your federated environment, for example, the Process Portal URL https://bpm_host.mycompany.com:9443/ProcessPortal with bpm_host.mycompany.com replaced by the host name of that other system (it must be a different server from the one you used in step 1). Import the signer certificate if prompted to do so by the browser. Tip: You should be automatically directed to Process Portal without having to log in again.
3. From the same web browser, go to a Process Federation Server URL, for example, the systems REST service: https://pfs_host.mycompany.com:9443/rest/bpm/federated/v1/systems. Import the signer certificate if prompted to do so by the browser. Tip: The REST service request should complete without having to log in again.
If you are not prompted to log in at steps 2 and 3, SSO is working correctly.
If you are prompted to log in at either step 2 or step 3, SSO is not working correctly. Verify the SSO configuration and restart your IBM BPM server or Process Federation Server if you updated the configuration. Before you verify SSO again, clear your browser cookies to remove the LTPA cookie that is used for SSO.
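The same verification can be scripted with curl so that it can be repeated after every configuration change. The script below is an added example and is not part of the IBM documentation. It assumes placeholder host names (bpm2_host.mycompany.com for the second federated server is invented), that Process Portal accepts the standard Java EE form login through j_security_check, that the servers issue the LtpaToken2 cookie, and that the signer certificate you would import into the browser has been exported to a PEM file for curl's --cacert option. The heuristics for "login was demanded" (401/403, or a redirect to a login page) are assumptions, not documented behaviour.

```shell
#!/bin/sh
# Added example: verify LTPA SSO across a federated IBM BPM environment with curl.
# Not IBM's code. Host names, the j_security_check login and the
# "login demanded" heuristics are assumptions; adjust for your environment.

BPM_HOST="${BPM_HOST:-bpm_host.mycompany.com}"          # server you log in to first
OTHER_BPM_HOST="${OTHER_BPM_HOST:-bpm2_host.mycompany.com}"  # assumed name of another federated server
PFS_HOST="${PFS_HOST:-pfs_host.mycompany.com}"
CACERT="${CACERT:-signer.pem}"   # exported signer cert; never use curl -k here
JAR="${JAR:-./bpm-sso-cookies.txt}"

# Return 0 if the Netscape-format cookie jar holds an LtpaToken2 cookie.
# Fields: domain flag path secure expires name value (HttpOnly cookies get a
# "#HttpOnly_" prefix on the domain field, so do not skip lines starting with #).
has_ltpa_cookie() {
  awk '$6 == "LtpaToken2" { f = 1 } END { exit !f }' "$1"
}

# Return 0 if the LtpaToken2 cookie is marked Secure and HttpOnly; an SSO
# token that travels over plain HTTP or is readable by script is a real exposure.
ltpa_cookie_is_hardened() {
  awk '$6 == "LtpaToken2" && $4 == "TRUE" && $1 ~ /^#HttpOnly_/ { f = 1 } END { exit !f }' "$1"
}

# Decide whether a response means the cookie was accepted as a login.
# $1 = HTTP status, $2 = redirect target (empty if none).
# Assumed heuristic: 401/403 or a redirect to a login page means credentials
# were demanded; any other 2xx/3xx means SSO worked.
sso_accepted() {
  case "$1" in 401|403) return 1 ;; esac
  case "$2" in *login*|*Login*|*j_security_check*) return 1 ;; esac
  case "$1" in 2??|3??) return 0 ;; esac
  return 1
}

# Request a URL with only the cookie jar (no -u, or you would be testing basic
# auth instead of SSO) and print "<status> <redirect target>".
probe() {
  curl -sS --cacert "$CACERT" -b "$JAR" -c "$JAR" -o /dev/null \
    -w '%{http_code} %{redirect_url}\n' "$1"
}

main() {
  : "${BPM_USER:?set BPM_USER}" "${BPM_PASS:?set BPM_PASS}"
  : > "$JAR"   # start clean, like clearing browser cookies before a retest
  # Step 1: touch the protected resource, then log in once via form login (assumed).
  curl -sS --cacert "$CACERT" -b "$JAR" -c "$JAR" -o /dev/null \
    "https://$BPM_HOST:9443/ProcessPortal"
  curl -sS --cacert "$CACERT" -b "$JAR" -c "$JAR" -o /dev/null \
    --data-urlencode "j_username=$BPM_USER" --data-urlencode "j_password=$BPM_PASS" \
    "https://$BPM_HOST:9443/ProcessPortal/j_security_check"
  has_ltpa_cookie "$JAR" || { echo "no LtpaToken2 cookie issued by $BPM_HOST"; return 1; }
  ltpa_cookie_is_hardened "$JAR" || echo "warning: LtpaToken2 lacks Secure and/or HttpOnly"
  # Steps 2 and 3: replay the cookie to another BPM server and to PFS.
  for url in "https://$OTHER_BPM_HOST:9443/ProcessPortal" \
             "https://$PFS_HOST:9443/rest/bpm/federated/v1/systems"; do
    out=$(probe "$url"); status=${out%% *}; loc=${out#* }
    if sso_accepted "$status" "$loc"; then
      echo "SSO OK ($status): $url"
    else
      echo "SSO FAILED ($status, redirect='$loc'): $url"; return 1
    fi
  done
}

# Run the live checks only when invoked as: ./sso-check.sh run
[ "${1:-}" = "run" ] && main
```

Run it as `BPM_USER=... BPM_PASS=... ./sso-check.sh run`. A failure at the second or third URL with a redirect to a login page is the scripted equivalent of "prompted to log in at step 2 or 3": fix the configuration, restart the affected server, delete the cookie jar and run again. The Secure/HttpOnly check is extra to the page's procedure but worth keeping, since the LTPA cookie is the credential that all federated servers accept.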