Support for Single Sign-on (SSO)

IBM® Content Navigator supports single sign-on (SSO). The SSO method that is supported depends on the web application server on which IBM Content Navigator is deployed.

When using SSO with FileNet® P8, you configure IBM Content Navigator with any SSO methodology that is supported by the application server on which IBM Content Navigator is deployed.

When IBM Content Navigator is configured for SSO and the user is connecting to an IBM Content Manager repository, the user is prompted for logon credentials unless the IBM Content Manager repository is configured for trusted logon. For more information, see: Configuring single sign-on for IBM Content Navigator (IBM Content Manager).

When using SSO with IBM Content Manager OnDemand, you must configure the IBM Content Manager OnDemand user accounts to match the accounts used by the IBM Content Navigator LDAP. For more information about how to configure IBM Content Manager OnDemand with SSO, see: Single sign-on (SSO) for IBM Content Navigator (ICN) and IBM Content Manager OnDemand (CMOD).

IBM CMIS is not affected by the use of the SSO technology.

Applications that connect to multiple repositories

If you are going to connect to multiple repository types, you must ensure that all the criteria that are mentioned in the previous section are met.

For supported versions of the various software components for your specific release, refer to the Software Product Compatibility Reports.

The following tables identify which combinations of SSO provider, IBM Content Navigator component, and repository type are supported. The Related Documentation column provides links to guidelines that document how to configure IBM Content Navigator with specific types of SSO providers.

WebSphere Application Server deployments
Table 1. Supported SSO technologies for IBM Content Navigator components on WebSphere Application Server. The following table describes the supported SSO technologies for IBM Content Navigator components.
SSO Provider: SPNEGO/Kerberos
  Repositories supported by component:
    IBM Content Navigator web client: IBM FileNet P8, Content Manager 8, IBM Content Manager OnDemand
    IBM Content Navigator for Microsoft Office desktop client: IBM FileNet P8, Content Manager 8
    IBM Navigator Sync desktop client: IBM FileNet P8
    IBM Content Navigator task manager services*: IBM FileNet P8, Content Manager 8
    IBM Edit Service client: IBM FileNet P8
  Related Documentation: Configuring single sign-on for IBM Content Navigator using SPNEGO/Kerberos on WebSphere Application Servers

SSO Provider: Layer7 SiteMinder (Formerly CA Single Sign-On)
  Repositories supported by component:
    IBM Content Navigator web client: IBM FileNet P8, Content Manager 8
    IBM Content Navigator for Microsoft Office desktop client: IBM FileNet P8, Content Manager 8
    IBM Navigator Sync desktop client: IBM FileNet P8
    IBM Content Navigator task manager services*: IBM FileNet P8, Content Manager 8
    IBM Edit Service client: IBM FileNet P8
  Related Documentation: Configuring single sign-on for IBM Content Navigator by using Layer7 SiteMinder (Formerly CA Single Sign-On) on WebSphere Application Servers

SSO Provider: Security Assertion Markup Language (SAML)**
  Repositories supported by component:
    IBM Content Navigator web client: IBM FileNet P8, Content Manager 8, IBM Content Manager OnDemand
    IBM Content Navigator for Microsoft Office desktop client: IBM FileNet P8, Content Manager 8
    IBM Navigator Sync desktop client: IBM FileNet P8
    IBM Content Navigator task manager services*: IBM FileNet P8, Content Manager 8
    IBM Edit Service client: IBM FileNet P8
  Related Documentation: Configuring IBM Content Navigator by using Security Assertion Markup Language (SAML) single sign-on on WebSphere Application Server

SSO Provider: IBM Security Access Manager
  Repositories supported by component:
    IBM Content Navigator web client: IBM FileNet P8, Content Manager 8
    IBM Content Navigator for Microsoft Office desktop client: IBM FileNet P8
    IBM Navigator Sync desktop client: IBM FileNet P8
    IBM Content Navigator task manager services*: IBM FileNet P8, Content Manager 8
    IBM Edit Service client: IBM FileNet P8
  Related Documentation: Configuring single sign-on for IBM Content Navigator using IBM Security Access Manager (ISAM) on a WebSphere Application Server

*Note

The Task Manager does not support SSO. It supports Basic Authentication only. In addition, Task Manager is not compatible with User Management Service (UMS). UMS provides an SSO experience by providing a common login page for IBM applications that are enabled to delegate authentication to the service. When an unauthenticated user requests a protected URL from an application, the browser is redirected to UMS for authentication. Upon authentication in UMS, a session with UMS is established that uses cookies. Task Manager is unable to process the cookies and hence, does not support UMS.

When IBM Content Navigator is configured for SSO, the SSO configuration must exclude the Task Manager from the SSO authentication configuration. For example, if you are using the Kerberos protocol, you must configure it to allow fallback to Basic Authentication. For IBM Security Access Manager, the IBM Security Access Manager junction must be configured to not include the task manager application.

**Note

The repositories are supported as authentication repositories only if they are configured with SSO (for Content Manager OnDemand) and as trusted logins (for Content Manager 8).

For information about configuring SAML SSO in a container environment, see Configuring federated single sign-on for IBM Content Navigator on docker container by using SAML 2.0.

Oracle WebLogic Server deployments
Table 2. Oracle WebLogic Server deployments. The following table describes the supported SSO technologies for IBM Content Navigator components.
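SSO Provider: SPNEGO/Kerberos
  Repositories supported by component:
    IBM Content Navigator web client: IBM FileNet P8, IBM Content Manager OnDemand
    IBM Content Navigator for Microsoft Office desktop client: (none listed)
    IBM Navigator Sync desktop client: (none listed)
    IBM Content Navigator task manager services*: IBM FileNet P8
    IBM Edit Service client: (none listed)
  Related Documentation: Configuring single sign-on for IBM Content Navigator by using SPNEGO/Kerberos on Oracle WebLogic Server

SSO Provider: CA Single Sign-on
  Repositories supported by component:
    IBM Content Navigator web client: IBM FileNet P8
    IBM Content Navigator for Microsoft Office desktop client: (none listed)
    IBM Navigator Sync desktop client: (none listed)
    IBM Content Navigator task manager services*: IBM FileNet P8
    IBM Edit Service client: (none listed)
  Related Documentation: Configuring single sign-on for IBM Content Navigator by using CA SiteMinder on WebSphere Application Server
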
*Note

The Task Manager does not support SSO. It only supports Basic Authentication.

When IBM Content Navigator is configured for SSO, the SSO configuration must exclude the Task Manager from the SSO authentication configuration. For example, if you are using the Kerberos protocol, you must configure it to allow fallback to Basic Authentication. For IBM Security Access Manager, the IBM Security Access Manager junction must be configured to not include the task manager application.