Using the SSO debug tool
The Authentication Service client SDK provides a single sign-on (SSO) debug command-line tool to help investigate problems with basic authentication and SSO between applications in your environment.
The ssodebug tool can validate initial user name and password authentication or SSO to either an HTTP server or to a Jazz™ for Service Management application server on which the Authentication Service is installed.
Customers commonly encounter the following SSO issues:
- LTPA Key synchronization issues, for example, servers are not configured with the same LTPA keys. Incorrectly configured servers can cause failures in validating the tokens on the target SSO server.
- Clock synchronization issues, for example, a server's time and date are not synchronized, which can cause failures with premature token expiration.
- User registry synchronization, for example, servers are not configured to use the same user registry. Incorrectly configured servers can cause failures in recognizing the user on the target SSO server.
- HTTP cookie domain issues, for example, the cookie domain that is issued by the initial server to ensure that a browser forwards the cookie to the target SSO server is not valid.
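The cookie domain issue in the list above can be checked offline. This added example is not part of the product documentation or of the ssodebug tool; it applies the RFC 6265 domain-match rule to a constructed Set-Cookie header to show whether a browser would forward the cookie to a target SSO server. The host names and token value are made up, and LtpaToken2 is assumed as the cookie name.

```python
# Added example: would a browser forward the SSO cookie to the target server?
import ipaddress
from http.cookies import SimpleCookie


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host, domain):
    """RFC 6265 section 5.1.3: identical, or a dot-separated suffix of a non-IP host."""
    if host == domain:
        return True
    return host.endswith("." + domain) and not is_ip(host)


def cookie_reaches(set_cookie, issuing_host, target_host):
    """Return (forwarded, reason) for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if not jar:
        return False, "no cookie could be parsed"
    morsel = next(iter(jar.values()))
    domain = morsel["domain"].lstrip(".").lower()
    issuing, target = issuing_host.lower(), target_host.lower()
    if not domain:
        # No Domain attribute: host-only cookie, returned to the issuer only.
        return target == issuing, "host-only cookie (no Domain attribute)"
    if not domain_match(issuing, domain):
        return False, "browser rejects cookie: issuer is outside Domain=" + domain
    if "." not in domain and domain != issuing:
        # Simplification: a real browser consults the public suffix list.
        return False, "browser rejects cookie: Domain is a bare suffix"
    if not domain_match(target, domain):
        return False, "target is outside Domain=" + domain
    return True, "cookie is forwarded to the target"


if __name__ == "__main__":
    # Constructed sample header; not captured from a real server.
    header = "LtpaToken2=abc123; Domain=.example.com; Path=/; Secure; HttpOnly"
    for target in ("web.example.com", "web.example.org"):
        print(target, cookie_reaches(header, "jazz.example.com", target))
```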
Before you can use the SSO debug tool, consider the following points:
- An HTTP server can be accessed by the SSO debug tool if it supports WebSphere® LTPA SSO.
- A server must be configured with the SSO debug tool before you can run the relevant operations to validate basic authentication or SSO authentication to the server.
- The SSO debug tool can authenticate directly with an HTTP server by using a URL.
- The SSO debug tool can also access the Jazz for Service Management application server with the Authentication Service to validate a user's authentication.
- You can use an SSO token generated by any server to authenticate to another server if SSO is correctly set up between the two servers.
Use different SSO debug tool operations to perform the following tasks:
- Check which version of the Authentication Service client SDK is installed on the machine
  - The ssodebug versionInfo operation returns the version information for the Authentication Service client SDK.
- Validate that you can reach the Jazz for Service Management application server with the Authentication Service and authenticate to it
  - The ssodebug configureAuthnSvcConnection operation configures a connection to the Authentication Service.
  - The ssodebug initialLoginToAuthnSvc operation connects to the configured Authentication Service to validate a user name and password.
- Validate that an SSO token received from the Jazz for Service Management application server with the Authentication Service can be validated on other servers
  - The ssodebug configureAuthnSvcConnection operation configures a connection to the Authentication Service.
  - The ssodebug ssoToAuthnSvc operation connects to the configured Authentication Service to validate an existing LTPA token.
- Validate that you can reach an HTTP server with WebSphere LTPA SSO and authenticate to it
  - The ssodebug configureServerUrlConnection operation configures a connection to a web server URL.
  - The ssodebug initialLoginToUrl operation connects to the configured web server URL to validate a user name and password.
- Validate that an SSO token received from one HTTP server can be validated on other servers
  - The ssodebug configureServerUrlConnection operation configures a connection to a web server URL.
  - The ssodebug ssoToUrl operation connects to the configured web server URL to validate an existing LTPA token.
After you run the SSO debug tool operation, the tool displays the results of the token authentication calls and any problems detected in the command window.