IBM Support

Implementing Single Sign On Scenario in B2Bi Sterling Integrator

Technical Blog Post


Implementing Single Sign On Scenario in B2Bi Sterling Integrator


What is Single Sign?


Single Sign On means, that a user only has to authenticate once in order to gain access to all Applications on a single network / group or domain.


One thing worth noting is that these users may have restricted permissions to access other applications, but they will not have to authenticate more than once in order to use them on any network controlled by some kind of AMS (Access Management System). These permissions are controlled by the Network administrator.


When using and enabling Single Sign On for B2Bi Sterling Integrator, there are a number of implementation scenarios available, for a complete list of implementation scenarios available for Single Sign On , please visit the following webpage:


In order to implement any of the above mentioned Single Sign On scenario's you must first implement Sterling Secure Proxy, Sterling External Authentication with Sterling Integrator.


What is SSP - Sterling Secure Proxy

Sterling Secure Proxy is used as a proxy server with Sterling File Gateway and other applications that support a single sign-on connection. SSP allows any incoming user to authenticate and access Sterling File gateway using specific protocols that support Single sign-on (SSO) requests.

To enable Single Sign-on, you must first configure a Sterling Secure Proxy Login page and Sterling External Authentication Server to generate SSO tokens.

By default, Sterling External Authentication Server uses OpenSAML to create and manage SSO tokens. However, it is possible to customize your environment to use a third-party application to generate tokens.





The following are the steps that occur during a single sign-on session between any trading partner, Sterling Secure Proxy, and Sterling File Gateway when Sterling External Authentication Server is used to generate and manage tokens:


1. The trading partner requests a connection to B2Bi Sterling Integrator

2. Sterling Secure Proxy receives the request, and the SSL handshake between Sterling Secure Proxy and the trading partner begins.

(If SSL authentication is configured, the proxy submits its certificate to the trading partner. If client authentication is configured, the trading partner then submits its certificate to Sterling Secure Proxy for authentication. You can optionally configure Sterling Secure Proxy to enforce client authentication and send the certificate to Sterling External Authentication Server for validation.)

3. Sterling Secure Proxy presents a Login page to the trading partner, who provides his user ID and password. If the HTTP policy is configured to use basic authentication, Sterling Secure Proxy sends an unauthorized response and the browser displays the browser user ID/password prompt.

4. Sterling Secure Proxy sends either the user ID and password to Sterling External Authentication Server, and then validates this against information stored in LDAP. If the credentials are valid, Sterling External Authentication Server creates an OpenSAML v2 token and Sterling Secure Proxy returns the a cookie associated with the token to the trading partner.

5. The trading partner sends an HTTP request to Sterling Secure Proxy and includes the cookie.

6. Sterling Secure Proxy checks for the cookie and validates the token using Sterling External Authentication Server.

7. Sterling Secure Proxy then connects to Sterling File Gateway and performs an SSL handshake. It then sends the HTTP request with the cookie from the trading partner to Sterling File Gateway.

8. Sterling File Gateway then validates the token against Sterling External Authentication Server and begins normal operation.


Before you complete the single sign-on configuration, be aware of the following considerations:


1. Only the HTTP, Sterling Connect:Direct, FTP, and SFTP protocols support single sign-on connection in B2Bi Sterling Integrator.

2. When Sterling Secure Proxy is configured to use SSO and the Sterling External Authentication Server user authentication profile is configured to return a mapped user ID, the mapped user ID, not the original user ID, and the SSO token are sent to the back-end system for user authentication.

3. Each single sign-on user you create in B2Bi Sterling Integrator must be modified in the Sterling B2B Integrator User Accounts as an External user with the correct Authentication Host. Sterling Secure Proxy uses the specified Authentication Host to authenticate the user.

4. The myFileGateway, FileGateway, and Sterling B2B Integrator dashboard users use application authentication in the HTTP policy.

Please visit IBM Knowledge Center for a list of implementation Scenario's supported by B2Bi Sterling Integrator:



[{"Business Unit":{"code":"BU012","label":"WCE"}, "Product":{"code":"SSMHNK","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"","Edition":""}]