Identity management and SSO authentication

If documents in a collection were crawled by a crawler that provides support for single sign-on (SSO) authentication, you can specify that you want to use SSO security to control access to documents when you configure identity management options.

Users are not prompted for credentials when they query sources that support SSO authentication. The identity management component is used if all of the following conditions are true:
  • SSO is properly enabled in the web application server and the target domains so that the LTPA tokens and domain names can be shared.
  • Security is enabled in at least one of the collections that the application can search.
  • The options to use the identity management component and SSO security are configured in the administration console.
  • The option to use SSO authentication and options to enforce document-level security (such as indexing access controls or validating current credentials during query processing) were selected when the following crawler types were configured:
    • Quickr for Domino (available for crawlers that use the DIIOP protocol only)
    • Seed list (available for IBM® Connections sources only)

If you use the Search portlet in WebSphere® Portal, secure search of sources is supported only through the Search portlet itself. As with SSO authentication that is enabled through the stand-alone search application, portlet users do not need to create a profile on the My Profile page of an application to specify credentials.

SSO enablement

Single sign-on authentication enables a user to be authenticated one time and gain access to many resources without being prompted to present credentials again. SSO authentication eases the burden of managing the many user names and passwords that users must specify to access documents in secure collections.

The embedded web application server, WebSphere Application Server, and Lotus® Domino® support a form of SSO that is known as Lightweight Third-Party Authentication (LTPA). When a user attempts to access an application, the user is asked to authenticate with a user name and password. This user name and password are verified against an LDAP repository that the products share. After the user is authenticated, a session cookie is created to contain the LTPA token. The user can then access other resources on any server that has the same authentication configuration without being prompted to specify credentials again. This token persists as long as the browser session is valid.

If you use the embedded web application server, the LTPA key file must be on the search server. When you configure application login settings in the administration console, you can generate an LTPA key file. If you create the key file on another system, such as the data source server, you can import the key file to Watson Explorer Content Analytics. You can also export the key file from Watson Explorer Content Analytics and then import the key file into your other systems.
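The two paragraphs above describe the mechanism that makes the shared key file matter: a token minted by one server is accepted by any other server that holds the same LTPA key and domain configuration, and rejected elsewhere. The following Python model is an added illustration, not IBM's code and not the real LTPA token format (it signs a JSON payload with HMAC-SHA256; genuine LTPA tokens use a different encoding). The server names, the in-memory registry that stands in for the shared LDAP repository, and the key values are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

TOKEN_TTL_SECONDS = 2 * 60 * 60  # assumption: token lifetime used by this model


class SsoServer:
    """One application server in an SSO domain (simplified LTPA-style model)."""

    def __init__(self, name, shared_key, domain, user_registry):
        self.name = name
        self.key = shared_key          # the exported/imported key file, as bytes
        self.domain = domain           # the domain configured for LTPA
        self.registry = user_registry  # constructed stand-in for the LDAP repository

    def login(self, user, password, now):
        """Authenticate once against the shared registry and mint a session token.

        Returns the token (bytes) or None when the credentials are rejected.
        """
        stored = self.registry.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        payload = {"user": user, "domain": self.domain, "exp": now + TOKEN_TTL_SECONDS}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return body + b"." + base64.urlsafe_b64encode(sig)

    def accept(self, token, now):
        """Validate a presented token without prompting for credentials.

        Returns the user name the token asserts, or None if the token was
        not signed with this server's key, is for another domain, or expired.
        """
        try:
            body, sig_b64 = token.split(b".")
            presented_sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, binascii.Error):
            return None
        expected_sig = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(presented_sig, expected_sig):
            return None  # signed with a different key, or tampered with
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, binascii.Error):
            return None
        if payload.get("domain") != self.domain or payload.get("exp", 0) <= now:
            return None
        return payload.get("user")


def demo():
    """Walk through the cases the text describes; returns a dict of outcomes."""
    shared_key = b"constructed-shared-ltpa-key-for-this-example"  # exported from A, imported into B
    other_key = b"constructed-key-from-an-unrelated-domain"
    registry = {"alice": "correct horse battery"}  # constructed user entry
    now = 1_700_000_000

    search_server = SsoServer("search-server", shared_key, "your.server.com", registry)
    domino_server = SsoServer("domino-server", shared_key, "your.server.com", registry)
    foreign_server = SsoServer("foreign-server", other_key, "your.server.com", registry)

    token = search_server.login("alice", "correct horse battery", now)
    # Flip the first character of the signed body so the signature no longer matches.
    tampered = (b"B" if token[:1] != b"B" else b"C") + token[1:]

    return {
        "bad_password": search_server.login("alice", "wrong", now),
        "same_key": domino_server.accept(token, now),            # SSO works across servers
        "different_key": foreign_server.accept(token, now),      # key file never imported
        "tampered": domino_server.accept(tampered, now),
        "expired": domino_server.accept(token, now + TOKEN_TTL_SECONDS + 1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>14}: {result!r}")
```

The point to take from the run is that nothing about the user's session is stored on the second server; acceptance depends entirely on the key and domain it was configured with, which is why the key file must be exported and imported consistently across every product in the domain.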

If you use WebSphere Application Server, use the following guidelines to enable SSO support for your collections:
  • Ensure that WebSphere Application Server global security and a valid LDAP registry are enabled on the search servers. The LDAP registry can be any valid LDAP product supported by WebSphere Application Server.
  • Ensure that the WebSphere authentication mechanism is configured to use an active authentication mechanism of LTPA. When you configure LTPA, specify a valid but flexible domain name, such as your.server.com.
  • Ensure that the LTPA key was exported from WebSphere Application Server and imported into other products in the same domain on which you want to enable support for LTPA.
After you use a browser to verify that this security configuration is working properly, you can use the administration console to configure crawlers that support SSO authentication.