IBM BS029ML - WebSphere Portal Server Self Help Manual page 53


- SSO is a function of the underlying WebSphere Application Server instance. As such,
  there is no concept of a Reverse Authenticating Proxy Server, which could otherwise be
  placed in a DMZ for added security.
- Pseudo-SSO is achievable with the use of the Credential Vault. However, a user is
  required to manually enter his or her user ID and password prior to accessing the
  back-end system, as the user registries are typically not synchronized.
- SSO functionality does not extend to any fancy password expiry or user session handling.
  That is, concurrent logins using the same user account are not barred.
Enterprise SSO with an External Security Manager
The decision, therefore, to deploy an External Security Manager for a given implementation is
usually based on a number of factors. However, one main requirement that often dictates the
inclusion of such a product is the demand for an enterprise-wide SSO capability. As
mentioned previously, Tivoli Access Manager is just one such product that represents the IBM
strategic enterprise-wide security offering. TAM consists of two main components: the Policy
Server and the WebSEAL Reverse Authenticating Proxy server. That is, when a user logs into
a WebSphere Portal Server solution protected by TAM, it is actually the Tivoli WebSEAL
server that performs the authentication task.
As such, the key points for deciding to deploy TAM over the out-of-the-box SSO provided by
WebSphere Portal Server are listed below:
- TAM provides enterprise-wide SSO capabilities.
- Basic Authentication SSO support.
- Forms-based SSO (FSSO) support.
- Lightweight Third-Party Authentication (LTPA) SSO support.
- HTTP Header based SSO support.
- Global SSO support.
- SPNEGO (Desktop SSO) support.
In addition, the following aspects are provided:
- Centralized administration at an organizational level.
- Expired password handling.
- Password reset and password strength policy management.
- Delegated security administration for portal.
- Session duration or inactivity timeout.
- Account lockout (possibly for a specified period of time) after a specific number of
  unsuccessful authentication attempts.
Attention: It should be noted that the deployment of an External Security Manager, such
as Tivoli Access Manager, does not necessarily address every aspect of SSO. For
example, SSO is generally considered to be homogeneous between all participants in a
solution. Should the participants in a solution utilize different user repositories, there may
well be the need to deploy an Identity Management Solution or a Federated Identity
Management Solution.
Chapter 2. Architecture and planning