Single Sign-on (SSO)
Added by IBM on May 5, 2011 | Version 1 (Original)
Users of the IBM® Forms iWidget must be authenticated on both the IBM Mashup Center server and on the IBM Forms Turbo server. To allow seamless connection and authentication to the Turbo server, the iWidget relies on SSO.
Single sign-on is implemented using Lightweight Third Party Authentication (LTPA). In this system, user credentials are kept inside an encrypted LTPA token. The token is stored in a browser cookie that is created when you log on to Mashup Center. When the iWidget contacts the Turbo server, the Turbo server requests the cookie, decrypts the token, and then attempts to authenticate the user. If authentication succeeds, the iWidget can communicate with the Turbo server.
For SSO to work, the Mashup Center server and the IBM Forms Turbo server must meet the following conditions:
- They must have SSO enabled.
- They must be in the same domain. The domain name must be part of the URL that shows in the browser. For example, if the domain name is example.com, then the URL must contain example.com. You cannot use localhost or an IP address as the URL.
- They must have the same user name information. If you have an LDAP directory set up, then you should use it for authenticating users. If you do not already have an LDAP directory, then it might be easier to keep an identical set of user names on both servers. For example, if you have user1 on the Mashup Center server, create user1 on the IBM Forms Turbo server.
- They must use the same set of encryption keys. The keys that are used for encrypting and decrypting the cookie information must be shared between the two servers. To share the cookie information, you must export the keys from one server and then import them into the other server.
- They should be set to the same date and time. When you log in to Mashup Center, the server stores the expiration time in the cookie. The expiration time is based on the current time on the server plus the authentication timeout value. The cookie carries this expiration time to the IBM Forms Turbo server, which then compares it to its own current time. If the times are not synchronized or the servers are in different time zones, you might have unexpected authentication timeouts.
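The domain and clock conditions in the list above can be checked before users start reporting failed or short-lived logins. The following preflight check is an added example, not IBM code: the URLs, ports, paths, the 120-minute timeout and the one-minute skew tolerance are constructed assumptions, and both server clocks are compared as UTC instants.

```python
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address
from urllib.parse import urlsplit

def host_problems(url, sso_domain):
    """Reasons the URL violates the same-domain condition for the SSO cookie."""
    host = (urlsplit(url).hostname or "").lower()
    domain = sso_domain.lower().lstrip(".")
    try:
        ip_address(host)
        return [f"{url}: IP address used; the URL must contain {domain}"]
    except ValueError:
        pass  # not an IP literal, keep checking
    if host == "localhost" or "." not in host:
        return [f"{url}: '{host}' is not a host name in {domain}"]
    # Match on a label boundary so badexample.com does not pass as example.com.
    if host != domain and not host.endswith("." + domain):
        return [f"{url}: '{host}' is outside the SSO domain {domain}"]
    return []

def remaining_session(issuer_clock, verifier_clock, timeout_minutes):
    """Lifetime the verifying server sees: (issuer now + timeout) - verifier now."""
    expires = issuer_clock + timedelta(minutes=timeout_minutes)
    return expires - verifier_clock

def preflight(mashup_url, turbo_url, sso_domain, mashup_clock, turbo_clock,
              timeout_minutes, max_skew=timedelta(minutes=1)):
    """Collect every violated condition instead of stopping at the first."""
    problems = host_problems(mashup_url, sso_domain)
    problems += host_problems(turbo_url, sso_domain)
    skew = abs(turbo_clock - mashup_clock)
    if skew > max_skew:
        left = remaining_session(mashup_clock, turbo_clock, timeout_minutes)
        effect = "rejected at once" if left <= timedelta(0) else f"expires after {left}"
        problems.append(f"clock skew {skew}: a fresh login is {effect} on Turbo")
    return problems

# Constructed sample values (hosts, ports, paths and timeout are assumptions).
if __name__ == "__main__":
    now = datetime(2011, 5, 5, 12, 0, tzinfo=timezone.utc)
    for line in preflight("https://mashup.example.com:9443/mum",
                          "http://192.0.2.10:9080/turbo", "example.com",
                          mashup_clock=now, turbo_clock=now + timedelta(hours=3),
                          timeout_minutes=120):
        print(line)
```

With the sample values, the Turbo URL is flagged for using an IP address, and the three-hour clock difference exceeds the two-hour timeout, so a token issued a moment ago already looks expired to the Turbo server.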