By default, when unauthenticated users attempt to access the myportal page, they get redirected to the Portal login screen to provide a user name and password. When using an external security manager (ESM), such as WebSEAL or CA eTrust SiteMinder, for authentication, you no longer need to use the IBM® WebSphere® Portal login screen. Instead, the login links should take the users directly to the protected myportal home page. Certain changes must be made in order to accomplish this behavior:
- By default, the landing page on the anonymous portal URL of /wps/portal is a page containing the Login portlet. This page should be changed to remove the Login portlet and add content suitable for anonymous users to review. Alternatively, the ordering of the pages available to anonymous users can be modified so the Login page is not the first page displayed.
- Theme modifications should be made to direct users to the protected /myportal URL when they click “Login”. This allows the ESM to properly intercept and handle the request.
Another choice related to ESM behaviors is what should happen when the user clicks “Logout”. In certain scenarios, it may be desirable behavior for a logout from the portal UI to also trigger a logout from the ESM.
Changing Login links
In the default Portal theme, users can log in from the Login link located on the topmost banner of the page. Perform the following steps to change the login links in all deployed themes so that they send the user directly to the protected portal home page:
1. Make backup copies of the following file in each theme:
2. Open the banner.jspf file located in each theme's directory and subdirectory and find the login button section.
Note: By default, WebSphere Portal ships the banner.jspf with the links to the Login screen commented out, and the links to the Login Portlet page remaining active.
3. Remove the surrounding <portal-navigation:urlGeneration> tags and replace the active login button anchor tag with the following anchor:
<a href='<portal-navigation:url home="protected" screen="Home"/>' <%=bidiDirAttr%>><portal-fmt:text key="link.login" bundle="nls.engine" /></a>
The following example shows what the banner.jspf will look like after modifying the anchor tag:
<%-- Login button --%>
<%-- comment this to enable screen login --%>
<a href='<portal-navigation:url home="protected" screen="Home"/>'
<%=bidiDirAttr%>><portal-fmt:text key="link.login" bundle="nls.engine" /></a>
4. Touch the Default.jsp file after editing any JSP files and before any restart. This updates the timestamp on the file to the current time and signals a recompile of Default.jsp, which incorporates the changes made in the other JSP files. Type: touch Default.jsp. An alternative is to edit (open and save) Default.jsp, which has the same effect as the touch command.
5. After updating banner.jspf and touching Default.jsp, restart WebSphere Portal unless reloading is enabled.
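A way to check step 3 across every theme, as an added example that is not part of the original documentation: it scans each banner.jspf under a themes directory, ignores JSP comments, and reports login anchors that are still active but do not use home="protected". The themes directory argument, the function names and the sample markup are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

JSP_COMMENT = re.compile(r"<%--.*?--%>", re.S)   # commented-out markup is inactive
ANCHOR = re.compile(r"<a\b.*?</a>", re.S)        # one anchor, nested JSP tags included
LOGIN_KEY = re.compile(r"""key\s*=\s*["']link\.login["']""")
PROTECTED = re.compile(r"""home\s*=\s*["']protected["']""")


def unprotected_login_anchors(jsp_text):
    """Return active login anchors that do not link to the protected home."""
    active = JSP_COMMENT.sub("", jsp_text)
    return [a for a in ANCHOR.findall(active)
            if LOGIN_KEY.search(a) and not PROTECTED.search(a)]


def audit_themes(themes_root):
    """Map each banner.jspf under themes_root to its unprotected login anchors."""
    findings = {}
    for path in sorted(Path(themes_root).rglob("banner.jspf")):
        bad = unprotected_login_anchors(path.read_text(encoding="utf-8", errors="replace"))
        if bad:
            findings[str(path)] = bad
    return findings


# Constructed samples (not copied from a shipped theme); the href values are placeholders.
SAMPLE_UNCHANGED = """<%-- Login button --%>
<%-- <a href='LOGIN_SCREEN_URL'><portal-fmt:text key="link.login" bundle="nls.engine" /></a> --%>
<portal-navigation:urlGeneration>
<a href='LOGIN_PORTLET_PAGE_URL'><portal-fmt:text key="link.login" bundle="nls.engine" /></a>
</portal-navigation:urlGeneration>
"""
SAMPLE_FIXED = """<%-- Login button --%>
<a href='<portal-navigation:url home="protected" screen="Home"/>'
<%=bidiDirAttr%>><portal-fmt:text key="link.login" bundle="nls.engine" /></a>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # argument: the directory that holds the deployed themes
        for name, anchors in audit_themes(sys.argv[1]).items():
            print(f"{name}: {len(anchors)} login link(s) not using the protected URL")
    else:                   # no argument: run against the constructed samples
        print(len(unprotected_login_anchors(SAMPLE_UNCHANGED)), "finding in unchanged sample")
        print(len(unprotected_login_anchors(SAMPLE_FIXED)), "findings in fixed sample")
```

An empty result means every active login link goes through the protected URL, so the ESM sees the request.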
Configuring logoff redirection
This is an optional step. When a user clicks the logout link, or when the portal session expires, you may want the portal logout command to redirect to an external security manager's logout URL. This forces users to re-authenticate to the external security manager before being granted access to the portal.
How to invalidate the single sign-on session is vendor specific; more information is available in the vendor's documentation:
- Tivoli Access Manager WebSEAL provides http://webseal/pkmslogout as a special URL to terminate the WebSEAL single sign-on session.
- In eTrust SiteMinder, the Web Agent configuration object contains a property named LogoffUri where you can supply a URL to terminate the eTrust SiteMinder login session.
1. Specify the following values in the WP ConfigService:
redirect.logout.ssl=false or true, depending on your environment
is the protocol of the ESM machine: http or https,
is the fully qualified host name of the ESM machine, and
is the ESM page that users will be directed to when they log out.
2. Review the Portal IC section “Setting Service Configuration Properties” to activate the changes.