IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
Cross-domain single sign-on

The Tivoli Access Manager Cross-Domain Single Sign-on (CDSSO) provides a default mechanism for transferring user credentials between unique servers and domains. CDSSO allows Web users to perform a single sign-on and move seamlessly between two separate secure domains when requesting a resource. The CDSSO authentication mechanism does not rely on a Master Authentication Server or MAS (see "e-community single sign-on" on page 256).

CDSSO supports the goals of scalable network architecture by allowing the integration of multiple secure domains. For example, a large corporate extranet can be set up with two or more unique domains—each with its own users and object space. CDSSO allows movement of users between the domains with a single sign-on.

When a user makes a request to a resource located in another domain, the CDSSO mechanism transfers an encrypted user identity token from the first domain to the second domain. The identity information in this token indicates to the receiving domain that the user is successfully authenticated in the first domain. The identity does not contain password information. The receiving server uses this token to build credentials in its own cache for that user. The user is not forced to perform an additional login.

Customizing single sign-on authentication

Cross-domain single sign-on solutions employ authentication tokens that convey an encoded version of the user identity to the destination server. The construction of these tokens by the initial server is called "token creation." The decoding and use of the token by the destination server is called "token consumption."

You can create custom token create and consume libraries to meet the specific requirements of your network and Tivoli Access Manager implementation. Complete information and API reference material for cross-domain external authentication can be found in the IBM Tivoli Access Manager for e-business Web Security Developer Reference.

In many CDSSO scenarios, the default one-to-one mapping between users in different domains might not suit all deployment requirements. The cross-domain mapping framework (CDMF) is a programming interface that allows you to build a custom shared library that can handle extended user attributes and provide mapping services for the user identity. The CDMF programming interface allows flexibility in customizing the mapping of user identities and the handling of user attributes. Complete information and API reference material for CDMF can be found in the IBM Tivoli Access Manager for e-business Web Security Developer Reference.
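The following Python model illustrates the token creation, token consumption and CDMF mapping roles described above. It is an added example, not Tivoli Access Manager code and not the WebSEAL token format; the shared key, the lifetime, the HMAC-based stream cipher and the mapping table are all constructed stand-ins for what a real deployment configures in the WebSEAL key file and a custom CDMF library.

```python
import base64, hmac, hashlib, json, secrets, time

# Constructed demo key shared by domain A and domain B (a real CDSSO
# deployment distributes a key file to both WebSEAL servers; placeholder here).
SHARED_KEY = b"demo-cdsso-key-for-domain-A-and-B"
TOKEN_LIFETIME = 300  # seconds a token stays acceptable at the consuming domain

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as an illustrative stream cipher (stdlib only)."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def create_token(user: str, origin_domain: str, now=None) -> str:
    """Token creation at the initial domain: encrypt identity, origin domain,
    timestamp and a nonce. No password material is placed in the token."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "origin": origin_domain,
                          "ts": now, "nonce": secrets.token_hex(8)}).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(payload, _keystream(SHARED_KEY, iv, len(payload))))
    tag = hmac.new(SHARED_KEY, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.urlsafe_b64encode(iv + ct + tag).decode()

def consume_token(token, mapper, cred_cache, seen_nonces, now=None):
    """Token consumption at the receiving domain: verify integrity, decrypt, check
    freshness and replay, map the identity (the CDMF role), then cache a credential."""
    now = time.time() if now is None else now
    raw = base64.urlsafe_b64decode(token)
    iv, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(SHARED_KEY, iv + ct, hashlib.sha256).digest()):
        return None  # tampered token or wrong key: reject before decrypting
    body = json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(SHARED_KEY, iv, len(ct)))))
    if now - body["ts"] > TOKEN_LIFETIME or body["nonce"] in seen_nonces:
        return None  # stale or replayed token
    seen_nonces.add(body["nonce"])
    local_user = mapper(body["user"], body["origin"])
    if local_user is None:
        return None  # identity has no valid account in this domain
    cred_cache[local_user] = {"authenticated_by": body["origin"], "issued": body["ts"]}
    return local_user

def demo_cdmf_mapper(remote_user, origin):
    """Constructed stand-in for a custom CDMF mapping library: not one-to-one for bob."""
    table = {("alice", "domainA"): "alice", ("bob", "domainA"): "b.smith"}
    return table.get((remote_user, origin))
```

Consumption deliberately fails closed on every check (MAC, lifetime, replay, mapping), so a token that is not fresh, intact and mappable never yields a cached credential.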
Authentication process flow for CDSSO with CDMF

The following process flow description is illustrated in Figure 8.

1. Any user who wants to participate in multiple domains must have a valid user account in the initial domain and an identity that can be mapped into a valid account in each of the participating remote domains. A user cannot invoke the CDSSO functionality without initially authenticating to an initial secure domain (A) that contains the user's account.

2. The user makes a request to access a resource in domain B via a custom link on a Web page.

Chapter 9. Client single sign-on solutions 245