Use the following information to enable single sign-on
to WebSphere® Application Server using either
WebSEAL or the plug-in for web servers.
About this task
Either Tivoli® Access Manager WebSEAL or Tivoli Access
Manager plug-in for web servers can be used as reverse proxy servers
to provide access management and single sign-on (SSO) capability to WebSphere Application Server resources.
With such an architecture, either WebSEAL or the plug-in authenticates
users and forwards the collected credentials to WebSphere Application
Server in the form of an IV Header. Two types of single sign-on are
available: the TAI interface and the TAI++ interface, so named because
both use WebSphere Application Server trust association
interceptors (TAI). With the TAI, the end-user name is extracted from
the HTTP header and forwarded to embedded Tivoli Access
Manager where the end-user name is used to construct the client credential
information and authorize the user. With the TAI++, all of the user
credential information is available in the HTTP header and not just
the user name. The TAI++ is the more efficient of the two solutions
because a Lightweight Directory Access Protocol (LDAP) call is not
required. TAI functionality is retained for backwards compatibility.
Complete the following tasks to enable single sign-on to WebSphere Application
Server using either WebSEAL or the plug-in for web servers. These
tasks assume that embedded Tivoli Access Manager is configured
for use.
Procedure
- Create a trusted user account
for Tivoli Access Manager in the shared Lightweight Directory Access Protocol (LDAP) user
registry.
- Configure either WebSEAL or the Tivoli Access
Manager plug-in for web servers to work with WebSphere Application Server.
- Configure single sign-on using either the TAI or TAI++ interface.