Configuring SSO for TRIRIGA on traditional WebSphere with IIS and AD
There are several steps for configuring single sign-on (SSO) with traditional WebSphere® Application Server, Microsoft Internet Information Services (IIS), and Microsoft Active Directory (AD).
I. Installing WebSphere Application Server web server plug-in on IIS
Install the WebSphere Application Server web server plug-ins. The plug-ins are available in the Supplements package for WebSphere Application Server on Passport Advantage. As with the WebSphere Application Server installation, you use the IBM Installation Manager to install the web server plug-ins.
For details on obtaining the Supplements package from Passport Advantage, see: Part numbers of WebSphere software used by IBM TRIRIGA (http://www-01.ibm.com/support/docview.wss?uid=swg21692375).
II. Configuring traditional WebSphere property trustedSensitiveHeaderOrigin
Traditional WAS 9.0.0.11 added a new configuration property named trustedSensitiveHeaderOrigin.
See reference: Potential WebSphere Application Server problems when deployed behind a WebSphere-aware proxy server
On traditional WebSphere, the property is configured as an HTTP channel custom property. This property has a default value of "none", which means that a subset of WebSphere-specific HTTP headers will not be trusted from any host. The property also accepts a value of "*" (all), or a comma-separated list of IP addresses. For a secure deployment in which proxy servers are used, the trustedSensitiveHeaderOrigin property should be configured with a comma-separated list of IP addresses corresponding to those of any WebSphere-aware proxy servers in front of the WebSphere server.
Alternatively, to enable the original unsecured behavior, set trustedSensitiveHeaderOrigin="*", which will direct the WebSphere server to trust all headers sent from any host or proxy. This value must only be used for testing, or if the WebSphere server is isolated from external connections.
For traditional WAS, set trustedSensitiveHeaderOrigin as a custom property of HTTP channel.
See reference: HTTP transport channel custom properties
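The following pre-deployment check is an added example, not IBM code. It audits a proposed trustedSensitiveHeaderOrigin value against the list of proxy (IIS) addresses you expect, and models the trust decision as this section describes it. The function names are hypothetical and the addresses are constructed samples from a documentation range.

```python
import ipaddress

def audit_trusted_origin(value, proxy_ips):
    """Classify a trustedSensitiveHeaderOrigin value and list findings.

    proxy_ips: addresses of the WebSphere-aware proxies (here, the IIS hosts)
    expected to sit in front of the application server.
    """
    raw = value.strip()
    if raw == "none":
        # Default: sensitive headers are not trusted from any host.
        msgs = ["proxies are deployed but no origin is trusted"] if proxy_ips else []
        return "none", msgs
    if raw == "*":
        return "all", ["'*' trusts every host; testing or isolated servers only"]
    findings, listed = [], set()
    for item in (part.strip() for part in raw.split(",")):
        try:
            listed.add(ipaddress.ip_address(item))
        except ValueError:
            findings.append("not an IP address: %r" % item)
    expected = {ipaddress.ip_address(p) for p in proxy_ips}
    for ip in sorted(expected - listed, key=str):
        findings.append("proxy missing from list: %s" % ip)
    for ip in sorted(listed - expected, key=str):
        findings.append("listed address is not a known proxy: %s" % ip)
    return "list", findings

def headers_trusted(value, peer_ip):
    """Model of the semantics described above: is this peer a trusted origin?"""
    raw = value.strip()
    if raw == "*":
        return True
    if raw == "none":
        return False
    peer = ipaddress.ip_address(peer_ip)
    for item in raw.split(","):
        try:
            if ipaddress.ip_address(item.strip()) == peer:
                return True
        except ValueError:
            continue  # malformed entries never match
    return False

if __name__ == "__main__":
    proxies = ["192.0.2.10", "192.0.2.11"]  # constructed sample addresses
    for candidate in ("none", "*", "192.0.2.10,iis01", "192.0.2.10, 192.0.2.11"):
        print(candidate, "->", audit_trusted_origin(candidate, proxies))
```

An empty findings list with mode "list" is the result to aim for in a proxied production deployment.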
III. Configuring IIS to pass web requests to WebSphere Application Server
About this task
If a web server plug-in is already installed on the web server, reconfigure the web server to use the plug-in by using the following procedure.
Procedure
IV. Configuring SSO with Microsoft IIS
About this task
After configuring IIS to pass web requests to WebSphere, the next step is to set up SSO.