Monday, June 12, 2006

Single Sign-On: Windows and WebSphere

A common requirement when implementing single sign-on within an organization is to share authentication information between the user's desktop and the web application. This requirement becomes more important for intranet applications. WebSphere Application Server achieves single sign-on between Windows and web applications by providing a trust association interceptor (TAI) that uses the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) to securely negotiate and authenticate HTTP requests for secured resources in WebSphere Application Server. When the SPNEGO TAI is initialized, authentication for all the web applications on that server goes through the TAI. HTTP users log in and authenticate only once, at their desktop, and are then authenticated (internally) with WebSphere Application Server. The SPNEGO TAI is visible only to the WebSphere administrator, who is responsible for ensuring proper configuration, capacity, and maintenance of the Web environment.
Additional Requirements (Apart from WebSphere Application Server 6.1)
  • Microsoft’s Windows 2000 or Windows 2003 Servers with an Active Directory domain and the associated Kerberos Key Distribution Center (KDC).
  • Microsoft Internet Explorer Version 5.5 or later, Mozilla Firefox Version 1.0, or any other client application that supports the SPNEGO mechanism.

Additional Considerations
  • The LDAP server used by WebSphere and the Windows Active Directory must be the same for the default configuration. If they are different, a custom login module (provided with WAS) must be configured to handle authentication.
  • The end user must configure the Web browser or .NET application to issue HTTP requests that are processed by the SPNEGO TAI.
  • The Web administrator is responsible for configuring the SPNEGO TAI of WebSphere Application Server to respond to HTTP requests of the client.
  • The WebSphere Application Server administrator is responsible for configuring WebSphere Application Server and the SPNEGO TAI for optimum installation performance.
  • Kerberos version 5 is required.
  • RC4-HMAC encryption is supported only when a Windows 2003 Server is used as the Kerberos key distribution center (KDC); it is not supported with a Windows 2000 Server.
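
To verify that a configured browser really offers Kerberos through SPNEGO, the token in its `Authorization: Negotiate` header can be decoded and its preferred mechanism read out. The script below is an added example, not code from this post or from WebSphere; the function names and the sample headers it builds are constructed for illustration.

```python
import base64

# DER-encoded OID values of the GSS-API mechanisms a browser may offer.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2 (legacy)
NTLM = bytes.fromhex("2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10
MECHS = {SPNEGO: "spnego", KRB5: "kerberos", MS_KRB5: "kerberos", NTLM: "ntlm"}

def _tlv(buf):
    """Split the first DER element of buf into (tag, value, rest)."""
    tag, n, pos = buf[0], buf[1], 2
    if n & 0x80:                                  # long-form length
        n, pos = int.from_bytes(buf[2:2 + (n & 0x7F)], "big"), 2 + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], buf[pos + n:]

def classify_negotiate(header_value):
    """Name the mechanism the client prefers in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
        if token.startswith(b"NTLMSSP\x00"):      # bare NTLM, no SPNEGO wrapper
            return "raw-ntlm"
        tag, gss, _ = _tlv(token)
        _, oid, inner = _tlv(gss)
        if tag != 0x60 or oid not in MECHS:       # not an initial GSS-API token
            return "unknown"
        if MECHS[oid] != "spnego":
            return MECHS[oid]                     # e.g. unwrapped Kerberos token
        # Descend NegTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, inner, _ = _tlv(inner)
            if tag != expected:
                return "spnego-unknown"
        return "spnego-" + MECHS.get(_tlv(inner)[1], "unknown")  # first = preferred
    except (IndexError, ValueError):
        return "malformed"

def _der(tag, value):                             # short-form lengths only
    return bytes([tag, len(value)]) + value

def sample_header(mech_oids):
    """Constructed Authorization value offering mech_oids with a dummy mechToken."""
    mechs = _der(0xA0, _der(0x30, b"".join(_der(0x06, o) for o in mech_oids)))
    init = _der(0xA0, _der(0x30, mechs + _der(0xA2, _der(0x04, b"\x00" * 4))))
    return "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO) + init)).decode()
```

`classify_negotiate(sample_header([MS_KRB5, KRB5, NTLM]))` returns `spnego-kerberos`, the Kerberos version 5 case listed in the considerations above. A result of `raw-ntlm` or `spnego-ntlm` means the client did not present a Kerberos token for the request.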

4 comments:

  1. Hi Abhi: I am looking into an SSO solution for WebSphere and it looks like you might have an answer. Please reply to alti_user@yahoo.com
  2. This comment has been removed by the author.
  3. Can SSO be implemented on WAS 5 version? Is there any problem in it?
  4. An article explaining how you can do it is available on - http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/tsec_SPNEGO_tai.html