Single sign-on provides a secure method of authenticating a user one time within an environment and then using that single authentication to grant access to other applications, systems, and networks.
The goal of single sign-on is to provide a secure method of authenticating a user one time within an environment and using that single authentication (for the duration of the session) as a basis for access to other applications, systems, and networks. In the context of IBM® Lotus® Quickr™ for WebSphere Portal, there are two single sign-on realms; the realm from the client to portal and other web applications and the realm from the portal to the backend applications.
Single sign-on for the client realm is established either via the Lightweight Third Party Authentication (LTPA) token functionality of WebSphere® Application Server or via an Authentication Proxy. Backend single sign-on can be established with the LTPA token functionality if accepted by the backend application either via the Credential Vault Portlet Service or the Java Connector architecture. Please refer to the WebSphere Application Server documentation for more information about LTPA and the Java Connector Architecture.
Credential vault provides a mechanism that assists a portlet in retrieving one of several representations of a user's authenticated identity, which the portlet can then pass to a backend application. This is much like Lotus Quickr and the portlet acting as an authentication proxy to the backend application. Using single sign-on, a user can authenticate once when logging in to Lotus Quickr, and the user's identity is passed on to applications without requiring additional identity verification from the user.
The Credential vault features two levels of single sign-on:
- Active Credentials: Encapsulates the functionality of single sign-on for the portlet writer in an object provided by the Service.
- Passive Credentials: More flexible, but requires portlet writers to manage their own connections and authentication to backend applications using the credentials (that is, user ID and password) they retrieved from the Credential Vault. See Credential Vault for more information.
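The following portlet helper is an added example, not code from the Lotus Quickr or WebSphere Portal documentation, that contrasts the two levels described above: a passive credential, where the portlet receives the user ID and password and is responsible for the connection and for clearing the secret, and an active credential, where the credential object opens the authenticated connection itself so the secret never reaches portlet code. The WebSphere Portal API names used here (the `CredentialVaultService` JNDI name, the `UserPasswordPassive` and `HttpBasicAuth` credential type strings, `UserPasswordPassiveCredential`, `HttpBasicAuthCredential`) are taken from the Portal Javadoc as the author remembers it and should be verified against the installed version; the vault slot ID, the backend URL and the `connect` routine are hypothetical.

```java
import java.net.HttpURLConnection;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.portlet.PortletRequest;
import com.ibm.portal.portlet.service.PortletServiceHome;
import com.ibm.portal.portlet.service.credentialvault.CredentialVaultService;
import com.ibm.portal.portlet.service.credentialvault.credentials.HttpBasicAuthCredential;
import com.ibm.portal.portlet.service.credentialvault.credentials.UserPasswordPassiveCredential;

/**
 * Added example (not product code): retrieving backend credentials from the
 * Credential Vault in passive and active mode. API names are assumptions to
 * be checked against the WebSphere Portal Javadoc for the installed release.
 */
public class VaultBackendClient {

    // Assumed JNDI name of the portlet service (WebSphere Portal convention).
    private static final String CVS_JNDI =
        "portletservice/com.ibm.portal.portlet.service.credentialvault.CredentialVaultService";

    private final CredentialVaultService vault;

    public VaultBackendClient() throws NamingException {
        Context ctx = new InitialContext();
        PortletServiceHome home = (PortletServiceHome) ctx.lookup(CVS_JNDI);
        vault = home.getPortletService(CredentialVaultService.class);
    }

    /**
     * Passive credential: the vault hands the portlet the raw user ID and
     * password. The portlet owns the connection and must clear the password
     * from memory as soon as it is no longer needed; it must never log it.
     */
    public String callBackendPassive(String slotId, PortletRequest request) throws Exception {
        UserPasswordPassiveCredential cred = (UserPasswordPassiveCredential)
            vault.getCredential(slotId, "UserPasswordPassive", new HashMap(), request);
        char[] password = cred.getPassword();   // char[] so it can be zeroed, unlike String
        try {
            return connect(cred.getUserId(), password);
        } finally {
            Arrays.fill(password, '\0');         // secret is gone once the call returns
        }
    }

    /**
     * Active credential: the credential object performs the authentication
     * for the portlet (here HTTP Basic), so portlet code never sees the secret.
     * Assumed method: HttpBasicAuthCredential.getAuthenticatedConnection(String).
     */
    public int callBackendActive(String slotId, PortletRequest request, String backendUrl)
            throws Exception {
        HttpBasicAuthCredential cred = (HttpBasicAuthCredential)
            vault.getCredential(slotId, "HttpBasicAuth", new HashMap(), request);
        HttpURLConnection conn = cred.getAuthenticatedConnection(backendUrl);
        try {
            conn.setRequestMethod("GET");
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    /** Hypothetical backend call; a real portlet would open its own client connection here. */
    private String connect(String userId, char[] password) {
        // Placeholder: only the identity is returned, the password is used for the
        // connection and not retained or printed.
        return "connected as " + userId;
    }
}
```

The design point is the one the text makes: with a passive credential the portlet writer carries the whole burden of handling the secret (transport protection, not retaining it, not logging it), whereas with an active credential that burden stays inside the service object, which is why the active form is preferred whenever the backend protocol is supported.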
Lotus Quickr and JAAS
The single sign-on functions of Lotus Quickr use a subset of Java Authentication and Authorization Services (JAAS). Only the authentication portion is used; Lotus Quickr does not support true JAAS authorization. Lotus Quickr builds a JAAS Subject for each logged-on user. The Subject consists of Principals and Credentials. A Principal is a piece of data, such as the user ID or the user's DN, that gives the identity of the Subject. A Credential is a piece of data, such as a password or a CORBA Credential, that can be used to authenticate a Subject. The Subject carries the Principals and Credentials, which the portlet can use directly or through the credential service. See Portlet authentication for details on working with single sign-on.
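To make the Subject/Principal/Credential model concrete, here is an added example written against the standard `javax.security.auth` API only; it is not Lotus Quickr code and does not show how the product populates its Subject. The `DnPrincipal`, `NamedPrincipal` and `PasswordCredential` classes and the sample user values are constructed for the illustration.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Added example (not product code): a JAAS Subject holding two identity
 * representations as Principals and a password as a private Credential.
 */
public class SubjectModelExample {

    /** Hypothetical Principal carrying the user's distinguished name. */
    public static final class DnPrincipal implements Principal {
        private final String dn;
        public DnPrincipal(String dn) { this.dn = dn; }
        @Override public String getName() { return dn; }
        @Override public String toString() { return "dn=" + dn; }
    }

    /** Hypothetical Principal carrying the short user ID. */
    public static final class NamedPrincipal implements Principal {
        private final String userId;
        public NamedPrincipal(String userId) { this.userId = userId; }
        @Override public String getName() { return userId; }
        @Override public String toString() { return "uid=" + userId; }
    }

    /** Hypothetical private credential; kept as char[] so it can be wiped. */
    public static final class PasswordCredential {
        private final char[] password;
        public PasswordCredential(char[] password) { this.password = password.clone(); }
        public char[] getPassword() { return password.clone(); }
        public void destroy() { Arrays.fill(password, '\0'); }
    }

    /** What an authenticating component does after a successful login. */
    public static Subject buildSubject(String userId, String dn, char[] password) {
        Subject subject = new Subject();
        // Principals: several representations of the same identity may coexist.
        subject.getPrincipals().add(new NamedPrincipal(userId));
        subject.getPrincipals().add(new DnPrincipal(dn));
        // Private credentials: usable for backend authentication, never public.
        subject.getPrivateCredentials().add(new PasswordCredential(password));
        // Freeze the sets so later code cannot add or remove identities/credentials.
        subject.setReadOnly();
        return subject;
    }

    /** What a portlet does: pick the identity representation it needs. */
    public static String dnOf(Subject subject) {
        Set<DnPrincipal> dns = subject.getPrincipals(DnPrincipal.class);
        return dns.isEmpty() ? null : dns.iterator().next().getName();
    }

    /** Use the credential once, then wipe it; the Subject is never serialized with it. */
    public static boolean authenticateToBackend(Subject subject, char[] expected) {
        Set<PasswordCredential> creds = subject.getPrivateCredentials(PasswordCredential.class);
        if (creds.isEmpty()) return false;
        char[] pw = creds.iterator().next().getPassword();
        try {
            return Arrays.equals(pw, expected);   // stands in for the real backend login
        } finally {
            Arrays.fill(pw, '\0');
        }
    }

    public static void main(String[] args) {
        // Constructed sample values.
        char[] secret = "s3cret".toCharArray();
        Subject s = buildSubject("wpsadmin", "uid=wpsadmin,o=example", secret);
        Arrays.fill(secret, '\0');   // caller's copy is no longer needed
        System.out.println("principals: " + s.getPrincipals());
        System.out.println("dn: " + dnOf(s));
        System.out.println("backend login ok: " + authenticateToBackend(s, "s3cret".toCharArray()));
        System.out.println("read-only: " + s.isReadOnly());
    }
}
```

Two details matter for a portal that hands a Subject to many portlets: `setReadOnly()` stops a portlet from adding a Principal or Credential that another portlet would then trust, and `getPrincipals(Class)` lets a portlet ask for exactly the representation it needs (DN versus user ID) instead of iterating over everything and guessing.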