Configuring SSO support in the embedded web application server

When you enable application login security settings for the embedded web application server, you can specify information that enables users to search secure sources that support single sign-on (SSO) authentication.

About this task

To extend SSO authentication to users who query SSO-enabled collections, you can configure the system to use Lightweight Third-Party Authentication (LTPA) tokens. You can generate a new LTPA key file, export the key file so that it can be shared by other applications in your enterprise, or import an existing key file to the search server. The same key file, which is used to decrypt the LTPA token, must exist on all servers that share the SSO session.

If your collections include sources that require WebSphere® Application Server, such as sources that are hosted on WebSphere Portal servers, you can import and export the LTPA key file in the format that WebSphere Application Server requires. For example, to enable SSO for secure search, you can import the key file from WebSphere Application Server into Watson Content Analytics, or export the key file from Watson Content Analytics to WebSphere Application Server.

Procedure

To configure the system to support SSO authentication:

  1. Click Security to open the Security view.
  2. In the application login security area, click Actions > Configure application login settings.
  3. Configure the LTPA tokens and key file to support SSO security. Gather SSO configuration data from the system that you use for SSO authentication. All parameters that you specify in the Watson Content Analytics administration console must match the configuration parameters in your primary SSO system.
    1. Specify a time limit for SSO sessions (the number of minutes before the LTPA token expires).
    2. Specify a domain where the LTPA cookie can be accessed by all servers that share the SSO session, such as ltpa.example.com.
    3. If you share the LTPA key file with a WebSphere Application Server server that uses a federated repository, copy the additional user name suffix value from the federated repository base entry in WebSphere Application Server.
    4. If you share the LTPA key file with an application that does not support attribute propagation, such as older versions of WebSphere Application Server, select the check box to enable interoperability.
    5. If the key file exists on the search server, specify the path and file name. The default location for the key file is ES_NODE_ROOT/master_config/.
    6. If a key file does not exist, you can generate one or import it from another location. If you import the key file and specify only the file name, the default location is ES_NODE_ROOT/master_config/.
    7. To ensure that the same key file is shared by all applications that share the SSO session, you can export the key file and then import it into your other applications. When you export the key file, the file is created as ES_NODE_ROOT/master_config/export.hostname.key.
    8. If you share the LTPA key file with a WebSphere Application Server server that uses a federated repository, copy the additional realm name value from the federated repository configuration in WebSphere Application Server.
  4. Restart the Watson Content Analytics system:

    esadmin system stopall
    esadmin system startall

  5. Ensure that LTPA SSO is correctly configured:
    1. Log in to a data source server that supports SSO and then move to the Watson Content Analytics application by using the same browser window.
    2. If you can reach the application interface without being prompted to log in, setup is successfully completed. Do not mistake the My Profile page for a login prompt; it is not one.
    3. Try to log in by using the opposite order. First log in to the enterprise search application or content analytics miner, then move to the data source server in the same browser window.
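Because every server in the SSO session decrypts LTPA tokens with the same key file, a practitioner will want to confirm that the exported copies really are identical and that the file is not readable by other accounts. The following POSIX shell checks are an added example, not part of Watson Content Analytics or its esadmin tooling; they assume GNU coreutils (sha256sum, stat -c), and the file names and key contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not product code): sanity checks for the shared LTPA key file.
# Assumes GNU coreutils; paths and key contents below are constructed.

# Return 0 if every file given has the same SHA-256 digest, 1 on any mismatch
# or unreadable file. Run it over the key file collected from each SSO server.
ltpa_keys_match() {
    ref=""
    for f in "$@"; do
        d=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
        [ -n "$d" ] || { echo "unreadable: $f" >&2; return 1; }
        if [ -z "$ref" ]; then
            ref="$d"
        elif [ "$d" != "$ref" ]; then
            echo "key mismatch: $f" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if the key file is readable only by its owner (mode 600 or 400).
# The key decrypts every LTPA token, so group or world read access is a finding.
ltpa_key_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "weak permissions $mode: $1" >&2; return 1 ;;
    esac
}

# Constructed demo: two matching exported copies and one stale copy.
DEMO_DIR=$(mktemp -d)
printf 'constructed-ltpa-key-v2\n' > "$DEMO_DIR/export.search1.key"
printf 'constructed-ltpa-key-v2\n' > "$DEMO_DIR/export.portal1.key"
printf 'constructed-ltpa-key-v1\n' > "$DEMO_DIR/export.stale.key"
chmod 600 "$DEMO_DIR/export.search1.key" "$DEMO_DIR/export.portal1.key"
chmod 644 "$DEMO_DIR/export.stale.key"

ltpa_keys_match "$DEMO_DIR/export.search1.key" "$DEMO_DIR/export.portal1.key" \
    && echo "search1/portal1: keys match"
ltpa_keys_match "$DEMO_DIR/export.search1.key" "$DEMO_DIR/export.stale.key" \
    || echo "search1/stale: keys differ"
ltpa_key_private "$DEMO_DIR/export.search1.key" && echo "search1: permissions ok"
ltpa_key_private "$DEMO_DIR/export.stale.key" || echo "stale: permissions weak"
```

In a real deployment, copy each server's key file (ES_NODE_ROOT/master_config/export.hostname.key on the search server) to one host and pass all copies to ltpa_keys_match before restarting the system.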

What to do next

Two configuration settings control whether crawlers support SSO authentication:
  • When you configure the identity management component on the Security page, select the check box for each crawler type in the collection that you want to enable to support SSO.
  • When you configure security settings for an individual crawler, enable SSO.
When both of these settings are configured to support SSO authentication, secure SSO search is in effect. The application stops requiring users to enter credentials in the My Profile dialog.