Enabling single sign-on between z/OSMF instances

Single sign-on (SSO) enables users to log into one z/OSMF instance and to access other z/OSMF instances without getting prompted to log in again. z/OSMF uses the Lightweight Third Party Authentication (LTPA) security protocol to enable a secure single sign-on environment among z/OSMF instances.

The LTPA protocol uses an LTPA token to authenticate a user with the z/OSMF servers that are enabled for single sign-on. The LTPA token contains information about the user and is encrypted using a cryptographic key. The z/OSMF servers pass the LTPA token to other z/OSMF servers through cookies for web resources. If the receiving server uses the same key as the primary z/OSMF server -- the server that generated the key to be used for SSO, the receiving server decrypts the token to obtain the user information, verifies that the token has not expired, and confirms that the user ID exists in its user registry. After the receiving server validates the LTPA token, the server authenticates the user with that z/OSMF instance, and allows the user to access any resource to which the user is authorized.

To establish a single sign-on environment for z/OSMF, the following requirements must be satisfied:
  • The z/OSMF servers participating in the single sign-on environment must reside in the same LTPA domain as the primary z/OSMF server. The LTPA domain name is the parent portion of the fully qualified hostname of the z/OSMF servers. For example, if the fully-qualified hostname is server.yourco.com, the LTPA domain is yourco.com. Due to browser restrictions, the hostname must be qualified with at least three levels (for example server.yourco.com). The domain name must have at least two levels (for example, yourco.com).
  • The servers must share the same LTPA key. For z/OSMF, this is accomplished by invoking the Enable Single Sign-on action to synchronize the LTPA key on the primary and secondary z/OSMF servers. For instructions, see the z/OSMF online help.
  • The user ID of the user must exist and be the same in all System Authorization Facility (SAF) user registries. It is recommended that you use the same user registry settings for all z/OSMF servers so that users and groups are the same, regardless of the server.
  • The value specified for the SAF prefix during the z/OSMF configuration process must be the same for each z/OSMF server you want to enable for single sign-on. By default, the z/OSMF SAF prefix is IZUDFLT.
z/OSMF generates an LTPA keys file when you start the primary z/OSMF sever if an LTPA keys file does not exist. The file is encrypted with a randomly generated key, and a default password of WebAS is initially used to protect the file. When establishing a single sign-on environment, it is recommended that administrators change the default password on the primary z/OSMF server, restart the server to generate a new LTPA keys file, and then proceed with enabling single sign-on between one or more z/OSMF instances. For more information about changing the LTPA key password and enabling single sign-on, see the z/OSMF online help.
Parent topic: Using z/OSMF in a multi-system environment