This document summarizes SSO authentication support in IBM Content Analytics with Enterprise Search.
There are two distinct implementations of SSO support: application SSO and secure search SSO.
With application SSO, users log in once and are authenticated across several systems. For example, users can log in to the content analytics miner or enterprise search application and then open links to documents in the results without being prompted to log in to the native data sources. This type of SSO authentication relies on Lightweight Third-Party Authentication (LTPA) tokens.
The embedded web application server supports LTPA token-based application SSO. If you use WebSphere Application Server, the LTPA key file can be shared between IBM Content Analytics with Enterprise Search and WebSphere Application Server. The authenticated credential is conveyed as a cookie. This cookie is issued to the user's browser the first time the user logs in to a web server that participates in the SSO realm.
LTPA tokens are widely used in IBM products, such as Domino, IBM Connections, and WebSphere Portal. IBM Content Analytics with Enterprise Search behaves like a member of the SSO realm. To support SSO, the LTPA key file must be identical among all servers in the realm.
To summarize the steps, you must:
- Secure your applications and data sources through the same LDAP server.
- Configure an LTPA key file to be shared by multiple servers.
If you use the embedded web application server, you can configure LDAP server and LTPA settings when you configure application login settings on the Security dashboard. You can generate the LTPA key file and then export it so that it can be imported by other systems. You can also import the LTPA key file from another system to ensure that the same token is used by IBM Content Analytics with Enterprise Search. For details, see Configuring SSO support in the embedded web application server.
- Restriction: There is a known issue in Version 3.0: currently, the key that you export from IBM Content Analytics with Enterprise Search cannot be used for importing to other systems. Until this issue is resolved, export the key from another system and import it into IBM Content Analytics with Enterprise Search.
Even though WebSphere Application Server can refer to multiple LDAP servers through federated repository support, also known as Virtual Member Manager, IBM Content Analytics with Enterprise Search can use only one LDAP server. When you configure embedded application server security, you must configure one LDAP server as a user repository.
If you use WebSphere Application Server instead of the embedded web application server, you can configure LTPA settings when you configure global security in the WebSphere Application Server administrative console. For details, see Configuring SSO support in WebSphere Application Server.
- Restriction: In WebSphere Application Server, the LDAP server name is case-sensitive. The SSO configuration data must be the same in WebSphere Application Server and the instance of WebSphere Application Server that is installed on the IBM Content Analytics with Enterprise Search server. When you configure SSO support, verify that the LDAP server name also matches in case. For example, the fully qualified host name example.server.com does not match EXAMPLE.server.com or Example.server.com.
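The two conditions above (an LTPA key file that is byte-identical on every server in the realm, and an LDAP server name that matches exactly, case included) are easy to get wrong and hard to see from a login failure. The following is an added example, not IBM's code: a small pre-flight check that fingerprints each server's key file and compares the configured LDAP host names without case folding. The server names and file contents are constructed sample data.

```python
"""Added example (not part of the product): pre-flight checks for an LTPA SSO realm.

Checks the two requirements stated for application SSO:
  1. the LTPA key file must be identical on every server in the realm;
  2. the LDAP server name is case-sensitive in WebSphere Application Server,
     so each server's configured host name must match byte for byte.
All server names and file contents below are constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple


def ltpa_fingerprints(key_files: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 hex digest of each server's LTPA key file, keyed by server name."""
    return {server: hashlib.sha256(data).hexdigest() for server, data in key_files.items()}


def servers_with_divergent_keys(key_files: Dict[str, bytes]) -> List[str]:
    """Servers whose key file differs from the digest shared by most servers.

    Returns an empty list when every server carries the same key file."""
    digests = ltpa_fingerprints(key_files)
    if not digests:
        return []
    values = list(digests.values())
    # The digest held by the most servers is treated as the realm's reference key.
    reference = max(set(values), key=values.count)
    return sorted(server for server, digest in digests.items() if digest != reference)


def ldap_name_mismatches(ldap_hosts: Dict[str, str], reference_server: str) -> List[Tuple[str, str]]:
    """(server, configured host) pairs that are not an exact match for the reference server.

    A plain string comparison is deliberate: example.server.com, EXAMPLE.server.com
    and Example.server.com are three different names to WebSphere Application
    Server, so no lower-casing or normalisation is applied."""
    expected = ldap_hosts[reference_server]
    return sorted(
        (server, host)
        for server, host in ldap_hosts.items()
        if server != reference_server and host != expected
    )


def realm_ready(key_files: Dict[str, bytes], ldap_hosts: Dict[str, str], reference_server: str) -> bool:
    """True only when both checks pass for every server in the realm."""
    return not servers_with_divergent_keys(key_files) and not ldap_name_mismatches(ldap_hosts, reference_server)


# Constructed sample data: three hypothetical servers meant to share one SSO realm.
SAMPLE_KEY_FILES = {
    "portal01": b"LTPA-KEY-EXPORT-SAMPLE-1\n",
    "search01": b"LTPA-KEY-EXPORT-SAMPLE-1\n",
    "connections01": b"LTPA-KEY-EXPORT-SAMPLE-2\n",  # stale key from an older export
}
SAMPLE_LDAP_HOSTS = {
    "portal01": "example.server.com",
    "search01": "EXAMPLE.server.com",  # differs only in case, which still breaks SSO
    "connections01": "example.server.com",
}

if __name__ == "__main__":
    for server, digest in ltpa_fingerprints(SAMPLE_KEY_FILES).items():
        print(f"{server:15} ltpa.keys sha256={digest[:16]}...")
    print("divergent key files :", servers_with_divergent_keys(SAMPLE_KEY_FILES))
    print("LDAP name mismatches:", ldap_name_mismatches(SAMPLE_LDAP_HOSTS, "portal01"))
    print("realm ready         :", realm_ready(SAMPLE_KEY_FILES, SAMPLE_LDAP_HOSTS, "portal01"))
```

In practice the key-file bytes would be read from each server's exported LTPA key file and the host names from each server's security configuration; the check reports which server to re-import the key on, or whose LDAP host name to correct, before any user hits an unexplained login prompt.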
Secure Search SSO
With secure search SSO, users can perform secure searches without having to map credentials in the My Profile dialog of the content analytics miner or enterprise search application. Secure search, which is also known as document-level security, means that users see only the documents that they are authorized to see. The My Profile dialog maps the user's login identity to the user's credentials on various data source servers, which typically use data source-specific credential formats.
Application SSO is a prerequisite for implementing secure search SSO. If you remove the requirement to map credentials in the My Profile dialog, users will still be prompted to log in when clicking results unless you also implement application SSO.
- Restriction: When the data sources to be searched are protected by third-party SSO products, such as CA SiteMinder or Tivoli Access Manager, secure search SSO is supported for limited types of data sources (such as IBM Connections) and limited protocols (that is, cookie-based authentication).
There are two configuration settings for configuring support for secure search SSO:
- When you configure the identity management component on the Security dashboard, select the check box for each crawler type that you want to enable for SSO support.
- When you configure security settings for an individual crawler, enable SSO support.
When both of these settings are configured to support SSO authentication, secure search SSO is in effect. The application stops requiring users to map their login credentials to data source credentials in the My Profile dialog.
An article in the ECM Application Center provides a detailed description of how to set up a single sign-on (SSO) environment to use the enterprise search portlet in WebSphere Portal to search Lotus Domino data sources. Although this article has not been updated for IBM Content Analytics with Enterprise Search Version 3.0, many of the concepts and procedures still apply.
SSO support for secure search of IBM FileNet P8 documents
IBM Content Analytics with Enterprise Search Version 3.0 Fix Pack 1 enables you to create a FileNet P8 crawler to support secure search through SSO authentication. See the attached PDF for setup procedures.
SSO support for secure search of Microsoft SharePoint documents
IBM Content Analytics with Enterprise Search Version 3.0 Fix Pack 1 also provides Kerberos-based SSO support for secure search of SharePoint sources. See the attached PDF for setup procedures.
17 June 2018