You must install the single sign-on application by using the IBM WebSphere Application
Server administrative console.
Before you begin
Familiarize yourself with the SSO application details and installation requirements before you
install it.
You must install the IBM WebSphere Application Server fixes that are specified in the IBM Verify Identity Governance Release Notes. Use the installation instructions in
the Release Notes to install the fixes. Install the SSO application on the IBM WebSphere Application
Server where the IBM Security Identity Manager is installed.
About this task
When the SSO application is installed on a separate system, the IBM® Security Verify Access is positioned as a single sign-on front. It
returns an LTPA token from the WebSphere® Application Server or the
IBM Security Verify Access, depending on whether the junction has
LTPA enabled.
Procedure
- Prepare the WebSphere Application Server environment.
- Build the SSO application to create the itim_ws.war file.
- Use File Transfer Protocol (FTP) to copy the itim_ws.war file to the location in the system where the SSO application is going to be deployed.
- Install the application by using the IBM WebSphere Application Server administrative console.
- Log on to the IBM WebSphere Application Server administrative console. For example, http://localhost:9060/ibm/console
- Click .
- In the Path to the new application area, select Local file system.
- Click Browse to set Full path to the location of the itim_ws.war file.
- Click Next.
- In the How do you want to install the application area, select Detailed - Show all installation options and parameters.
- Click Next.
- At the Application Security Warnings window, click Continue.
- Click the Map context roots for Web modules step and specify the context root value as /itim_ws.
- Click the Map security roles to users or groups step. Select the ITIM_CLIENT role.
- Click .
- Click Next repeatedly until the Summary window is displayed.
- Click Finish.
- Click Save to save your changes directly to the master configuration.
- Update the class loader properties.
- Click .
- Click itim_ws.war.
- Under Detailed Properties, click Class loading and update detection.
- Select Classes loaded with local class loader first (parent last) for the Class loader order and Single class loader for application for the WAR class loader policy.
- Click OK.
- Click Save to save your changes directly to the master configuration.
- Ensure that you properly export and import the LTPA keys for correct encryption and decryption of the identity tokens (LTPA). See the IBM WebSphere Application Server documentation for setting up SSO by using LTPA with multiple servers.
- Make the security realm in which the sample SSO application is deployed a trusted realm of the IBM Verify Identity Governance server. Perform the following steps where IBM Verify Identity Governance is installed.
- Log on to the IBM WebSphere Application Server administrative console. For example, http://localhost:9060/ibm/console
- Click .
- Click Add External Realm. Type in the security realm of the SSO application. For example, appCustomRealm
- In the ISIM_HOME/data directory, modify the enRoleAuthentication.properties file. Change enrole.authentication.idmapper to com.ibm.itim.authentication.mapping.SSOIDMapper.
- Restart the IBM Verify Identity Governance server.
What to do next
The SSO application works only with its own authentication by using the IBM Verify Identity Governance user registry. You must enable authentication with
WebSEAL.
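
The enRoleAuthentication.properties change in the procedure can be scripted so that it is repeatable and reversible. The following is an added example, not part of the IBM documentation: the function names get_idmapper and set_idmapper are hypothetical, and it assumes the file uses key=value lines with # comments.

```shell
#!/bin/sh
# Added example (not IBM code). Function names are hypothetical.
KEY='enrole.authentication.idmapper'
SSO_MAPPER='com.ibm.itim.authentication.mapping.SSOIDMapper'

# Print the active (uncommented) value of the key; empty output if it is unset.
# If the key appears more than once, the last assignment is reported.
get_idmapper() {
    sed -n 's/^[[:space:]]*enrole\.authentication\.idmapper[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr -d '\r'
}

# Point the key at the SSO ID mapper. Keeps a .bak copy for rollback,
# leaves every other line (comments included) untouched, and is idempotent.
set_idmapper() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    [ "$(get_idmapper "$file")" = "$SSO_MAPPER" ] && return 0
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v key="$KEY" -v val="$SSO_MAPPER" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1) {
                rest = substr(line, length(key) + 1)
                sub(/^[ \t]+/, "", rest)
                # Active assignment: rewrite the first one, drop later duplicates.
                if (substr(rest, 1, 1) == "=") {
                    if (!done) print key "=" val
                    done = 1
                    next
                }
            }
            print
        }
        END { if (!done) print key "=" val }   # key was absent: append it
    ' "$file.bak" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the original owner and mode are kept.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Usage (path from the step above): set_idmapper "$ISIM_HOME/data/enRoleAuthentication.properties"
```

Run get_idmapper on the same file after the restart to confirm that the SSO ID mapper is the active value; the .bak copy holds the previous setting.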