Managing the single sign-on configuration

Use the Single Sign-On Configuration page to configure, reconfigure, or unconfigure single sign-on for the IBM® Security Identity Manager virtual appliance. You can also enable tracing to troubleshoot single sign-on.

Procedure

  1. From the top-level menu of the Appliance Dashboard, click Configure > Manage Server Setting > Single Sign-On Configuration.
    The Single Sign-On Configuration page displays these tabs:
    • ISAM SSO
    • LTPA Keys
    • Trusted Realms
  2. On the Single Sign-On Configuration page, do one of the actions in Table 1 on the corresponding tab.
    Table 1. Tabs and their actions
    Tab Actions
    ISAM SSO
    Configure a new single sign-on:
    1. Click Configure.
    2. In the Single Sign-On Configuration Details window, specify the expected variable values.
      Policy server detail
      A list of IBM Security Access Manager policy servers that the application server can communicate with. Each entry is the host name, the TCP/IP port number, and a numerical rank, separated by colons. Separate multiple servers with commas.
      For example, the following two policy servers both use the default TCP/IP port 7135:
      primary.myco.com:7135:1,secondary.myco.com:7135:2
      The host name of the policy server with rank 1 is used to configure the Java™ Runtime Environment component for IBM Security Access Manager. The rank, not the position in the list, determines which server is primary.
      Authorization server detail
      A list of IBM Security Access Manager authorization servers that the application server can communicate with. Each entry is the host name, the TCP/IP port number, and a numerical rank, separated by colons. Separate multiple servers with commas.
      For example, the following two authorization servers both use the default TCP/IP port 7136. The rank-1 server is listed second, which is valid:
      secazn.myco.com:7136:2,primazn.myco.com:7136:1
      IBM Security Access Manager administrator
      An IBM Security Access Manager user with administrative privileges.
      IBM Security Access Manager administrator password
      The password that is associated with the specified IBM Security Access Manager administrative user.
      IBM Security Access Manager user
      The IBM Security Access Manager user that you created from this link: http://www-01.ibm.com/support/knowledgecenter/SSRMWJ_7.0.0/com.ibm.isim.doc_7.0/securing/tsk/tsk_ic_security_sing_tai_tamuser.htm
      Account Mapping
      Single sign-on, account mapping occurs between IBM Security Access Manager and IBM Security Identity Manager during login authentication. The following values are used.
      True
      No mapping is attempted. The IBM Security Access Manager user account that is passed in the iv-user HTTP request header must be identical to an IBM Security Identity Manager user account. This user account is defined in theIBM Security Identity Manager directory for the user to log in to IBM Security Identity Manager.
      False
      The IBM Security Access Manager user account that is passed in the iv-user HTTP request header searches the IBM Security Access Manager directory for a matching IBM Security Identity Manager user account. For more information, see http://www-01.ibm.com/support/knowledgecenter/SSRMWJ_7.0.0/com.ibm.isim.doc_7.0/securing/cpt/cpt_ic_security_sing_tai_acctmap.htm
      Logout page
      This option is for the IBM Security Identity Manager logout page for its console and the self-service user interface. You can use the default logout page that is provided with IBM Security Identity Manager, or provide your own logout page.
      Webseal default
      This logout option is the most secure. Use it when you want the following combined behavior when the user clicks Logoff:
      • End the IBM Security Identity Manager logon session.
      • Start the WebSEAL pkmslogout function, which also ends the IBM Security Access Manager session.
      Single Sign-On default
      Use this logout page when you want the following combined behavior when the user clicks Logoff:
      • End the current IBM Security Identity Manager logon session and provide a link to return to IBM Security Identity Manager.
      • Remain logged in to IBM Security Access Manager. The iv-user HTTP header information is still available, so the user can, for example, continue to use a portal page or return to IBM Security Identity Manager without a logon prompt. Because the IBM Security Access Manager session persists after Logoff, an unattended browser can re-enter IBM Security Identity Manager without re-authentication; this is why the Webseal default option is the more secure choice.
      Other
      Select this option to use your own logout page. In Specify, browse to the location of the .jsp file to use as the logout page.
    3. Click Save Configuration.
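As an added example (not IBM code and not part of this page), the following Python script parses and validates the policy-server and authorization-server entries in the format described above and picks the rank-1 host that the appliance uses for the Java Runtime Environment component. The host:port:rank format, the comma separator, and the rank-1 rule come from the page; the port-range, duplicate-rank, and missing-rank-1 checks are assumptions about what a sane entry looks like, and the ServerEntry, parse_server_list, primary_host, and is_valid names are mine.

```python
"""Validate ISAM policy/authorization server lists (host:port:rank,...).

Added example for this page, not IBM code.  The entry format and the
rank-1 rule are from the page; the range/uniqueness checks are assumed.
"""

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ServerEntry:
    host: str
    port: int
    rank: int


def parse_server_list(spec: str) -> List[ServerEntry]:
    """Parse 'host:port:rank,host:port:rank,...' into entries sorted by rank.

    Raises ValueError for an entry that does not have exactly three
    colon-separated fields, a port outside 1-65535, a rank below 1, a rank
    used twice, or a list with no rank-1 server (assumed checks).
    """
    entries: List[ServerEntry] = []
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty entry in server list: {spec!r}")
        fields = [f.strip() for f in item.split(":")]
        if len(fields) != 3:
            raise ValueError(f"expected host:port:rank, got {item!r}")
        host, port_s, rank_s = fields
        if not host:
            raise ValueError(f"missing host name in {item!r}")
        try:
            port, rank = int(port_s), int(rank_s)
        except ValueError:
            raise ValueError(f"port and rank must be integers in {item!r}") from None
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {item!r}")
        if rank < 1:
            raise ValueError(f"rank must be 1 or higher in {item!r}")
        entries.append(ServerEntry(host, port, rank))

    ranks = [e.rank for e in entries]
    if len(ranks) != len(set(ranks)):
        raise ValueError(f"duplicate rank in server list: {spec!r}")
    if 1 not in ranks:
        raise ValueError(f"no server has rank 1: {spec!r}")
    # Sort by rank so that list order never matters to the caller.
    return sorted(entries, key=lambda e: e.rank)


def primary_host(spec: str) -> str:
    """Host name of the rank-1 server: the one the appliance uses to
    configure the ISAM Java Runtime Environment component."""
    return parse_server_list(spec)[0].host


def is_valid(spec: str) -> bool:
    """True if the list parses cleanly, False for any validation error."""
    try:
        parse_server_list(spec)
    except ValueError:
        return False
    return True


# The page's own examples.  In the authorization list the rank-1 server is
# listed second; rank, not list order, picks the primary.
POLICY_SERVERS = "primary.myco.com:7135:1,secondary.myco.com:7135:2"
AUTHZ_SERVERS = "secazn.myco.com:7136:2,primazn.myco.com:7136:1"

if __name__ == "__main__":
    for name, spec in (("policy", POLICY_SERVERS), ("authorization", AUTHZ_SERVERS)):
        print(f"{name} primary: {primary_host(spec)}")
        for e in parse_server_list(spec):
            print(f"  rank {e.rank} -> {e.host}:{e.port}")
```

Run it before pasting a value into the appliance: a typo such as a missing rank field or two servers with the same rank is rejected here rather than discovered after Save Configuration, when recovery means restoring a snapshot.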
    Reconfigure an existing single sign-on:
    Note: Before you reconfigure, create a snapshot so that you can recover from a configuration failure. See Managing the snapshots.
    1. From the Single Sign-On Configuration table, select a record.
    2. Click Reconfigure.
    3. In the Edit Single Sign-On Configuration Details window, edit the configuration variables.
      The configuration variables are the same as those described above under Configure a new single sign-on.
    4. Click Save Configuration.
    Unconfiguring an existing single sign-on
    Note: Before you unconfigure, create a snapshot so that you can recover from a configuration failure. See Managing the snapshots.
    1. From the Single Sign-On Configuration table, select Single-Sign-On.
    2. Click Unconfigure.
    3. Click Yes to confirm the operation.
    Trace Settings
    Note: This option is enabled only when single sign-on is configured.
    1. From the Single Sign-On Configuration table, select Single-Sign-On.
    2. Click Trace Setting.
    3. In the dialog, select the check boxes to enable either or both of the tracing components:
      • ISAM Java runtime tracing
      • Application level ISAM Java runtime tracing
    4. Click Save Configuration.
    LTPA Keys
    To export the LTPA keys, do these steps:
    1. Enter a password for the LTPA keys.
    2. Enter the password again to confirm it.
    3. Click Export LTPA Keys to save the LTPA key file on your local computer.

      Use this key file to establish single sign-on between a client application server and the application server on which IBM Security Identity Manager is installed. The application that is deployed on the client application server then communicates with IBM Security Identity Manager. Anyone who holds the exported key file and its password can create LTPA tokens that IBM Security Identity Manager trusts, so protect both the file and the password accordingly.

    Trusted Realms
    To configure the trusted realms, do these steps:
    1. Specify a realm or a list of realms to configure as trusted realms. Separate the realms in the list with the pipe character (|). For example: realm1|realm2|realm3
    2. Click Configure Trusted Realms.

      By applying this configuration, you ensure that the security realm of the sample single sign-on application is deployed as a trusted realm of the IBM Security Identity Manager server.