Connecting a user registry
To provide single sign-on capabilities for one
or more IBM® Business
Automation Workflow systems,
the User Management Service must
have access to user and group information for authenticating and asserting
users to connected systems.
You must configure the User Management Service to use the
same user repository as your IBM Business
Automation Workflow system; in practice, this means that it
must connect to the same LDAP server. Because the
server template cannot make any assumptions about your user repository,
it creates, by default, a basicRegistry with a single administrative user account
of your choice. Use this basicRegistry for system accounts
only, for example, an administrator account. It is not suitable for
regular user accounts for the following reasons:
- The users are local to the User Management Service and are therefore unknown in a connected IBM Business Automation Workflow system.
- basicRegistry supports only two attributes for users: username and password. However, there are situations in which a connected system might need to retrieve the user’s full name.
- basicRegistry does not support nesting of groups.
Create an XML file with a name of your choice in wlp/usr/servers/serverName/configDropins/overrides and
add the user registry configuration to it. Keeping the registry configuration in its own file
makes it easy to copy and share later when you create server
clones for load balancing and high availability. Because this file typically contains the bind
credentials for your directory, restrict read access to it and store the bind password in encoded form
(for example, by using the Liberty securityUtility encode command) rather than in clear text.
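The following override file is an added illustration of such a user registry configuration; it is not a file that ships with the product or with the server template. It assumes an Active Directory server reachable over LDAPS, a read-only service account for the bind, and that the template's default keystore has the id defaultKeyStore. All host names, distinguished names, filters, and the file name ldapRegistry.xml are placeholders that you replace with the values your Business Automation Workflow system already uses.

```xml
<!--
  Added example: wlp/usr/servers/serverName/configDropins/overrides/ldapRegistry.xml
  Host, base DN, bind DN, filters, and passwords are placeholders (assumptions);
  replace them with the values used by your Business Automation Workflow system.
-->
<server description="User Management Service user registry override">

    <!-- The LDAP registry feature must be enabled; listing it again is harmless
         if the template already enables it. -->
    <featureManager>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>

    <!-- Trust store that holds the CA certificate of the directory server, so that
         the registry connects over LDAPS (port 636) instead of clear-text LDAP.
         Both passwords were produced with: securityUtility encode - -encoding=aes -->
    <keyStore id="ldapTrustStore"
              location="${server.config.dir}/resources/security/ldapTrust.p12"
              password="{aes}ENCODED_TRUSTSTORE_PASSWORD"/>
    <ssl id="ldapSSLConfig"
         keyStoreRef="defaultKeyStore"
         trustStoreRef="ldapTrustStore"/>

    <!-- Point the service at the same directory that Business Automation Workflow uses.
         The bind DN should be a read-only service account with no other privileges.
         recursiveSearch="true" enables nested group resolution, which the default
         basicRegistry cannot provide. -->
    <ldapRegistry id="corporateLdap"
                  realm="BAWRealm"
                  host="ldap.example.com"
                  port="636"
                  sslEnabled="true"
                  sslRef="ldapSSLConfig"
                  ldapType="Microsoft Active Directory"
                  baseDN="dc=example,dc=com"
                  bindDN="cn=svc-ums-reader,ou=Service Accounts,dc=example,dc=com"
                  bindPassword="{aes}ENCODED_BIND_PASSWORD"
                  ignoreCase="true"
                  recursiveSearch="true">
        <!-- userIdMap selects the attribute that becomes the asserted user ID; it must be
             the same attribute that the connected Workflow system uses to identify users,
             otherwise the identity that the service asserts will not resolve there. -->
        <activedFilters userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
                        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
                        userIdMap="user:sAMAccountName"
                        groupIdMap="*:cn"
                        groupMemberIdMap="memberof:member"/>
    </ldapRegistry>
</server>
```

The two hyphens in the securityUtility comment are separated only because "--" is not permitted inside an XML comment; the actual option is the usual double-dash form. After restarting the server, confirm that a directory user (not the template's administrative account) can log in to the User Management Service, and that the user ID it asserts matches the ID under which that user is known in the connected Business Automation Workflow system.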
Optional: You can customize or further delegate
authentication by configuring Liberty to
use SAML, SPNEGO, or other authentication schemes. For more information,
see Authenticating users in Liberty.
Next, perform Creating User Management Service server clones.