4.5 Single Sign-On (SSO)

Prior to the introduction of Single Sign-On (SSO), LANSA users had to supply a user name and password when connecting to each Windows and IBM i system. Single Sign-On gives users access to multiple computer systems within an organization after signing on only once.

Whether to use the Single Sign-On option is specified by selecting the Use Windows credentials option on the Visual LANSA Logon dialog, or the System Initialization dialog.

The concept of Single Sign-On is to allow a user who is already logged onto Windows to have their Windows credentials authenticated silently, with no further prompt for a user name or password, when they wish to use IBM i machines.

The two key technologies that underpin the SSO mechanism are the Kerberos Network Authentication Protocol, and the IBM i Enterprise Identity Mapping (EIM) mechanism. These technologies must be understood and in use before using Single Sign-On with LANSA.

The necessary software and set up must be completed and fully tested before LANSA's SSO can be used. It is beyond the scope of the LANSA documentation to explain how to configure these two technologies.

Set up Single Sign-On

Following are the basic steps you will follow:

1.  Ask your system administrator to configure your IBM i for Single Sign-On from your Windows domain (ensure that the HOST principal name is added to the keytab file), and also to configure EIM on your IBM i to map each required Windows domain user to a corresponding IBM i user profile. Note that these must be working and tested before continuing with the next step.

     The LANSA listener job user, its group profile or one of its supplemental group profiles must have the following authorities to the directories and files listed below.

     Note: the names used may differ on your system.

     Configuration file: data authority *R on the file, and data authority *X on every directory in its path

     /QIBM/UserData/OS400/NetworkAuthentication/krb5.conf

     Credential cache file: data authority *RW on the file, and data authority *X on every directory in its path

     /QIBM/UserData/OS400/NetworkAuthentication/creds/krbcred_xxxxxx

     Keytab file: data authority *R on the file, and data authority *X on every directory in its path

     /QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab

2.  On the IBM i, run the LANSA CONFIGURE command, and choose the COMMS_EXTENSIONS facility to set up COMMS_EIM_USER with the username and password of an LDAP user authorized to query EIM. This step needs to be done only once per LANSA system on the IBM i.

3.  Stop and restart the Listener job before continuing.

4.  Repeat these next steps for each user to be included in Single Sign-On.

a.  Assuming that one of the mappings set up in EIM maps from, say, Windows domain user user1@MYDOMAIN.COM to LANSA user DEVUSER, log onto Windows as user1@MYDOMAIN.COM.

b.  Start Visual LANSA, and from the Logon dialog, perform a System Initialization using the user name and password of the LANSA user DEVUSER (in this example). This must be done at least once for a LANSA user before the Use Windows credentials option can be used to perform a Single Sign-On as that user.

c.  When System Initialization is complete, check (select) the Use Windows credentials option and click OK to log on. Any values in the User ID and Password fields are ignored.

     If the logon fails and a message box appears with the message "User user1@MYDOMAIN.COM specified is not known to LANSA", then this indicates that one of the above steps may not have been completed successfully.
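The most common cause of the "not known to LANSA" failure above is a prerequisite from step 1 that was never verified on the IBM i side: a missing HOST principal in the keytab, or a listener job user that cannot read the Kerberos files. The following pre-flight script is an added example, not LANSA's own code or part of its product. It is meant to be run in QShell or PASE as the listener job user (the default paths are the ones from step 1; the credential cache name krbcred_xxxxxx is a placeholder, so pass the real one as the second argument). It assumes the `klist -k` command of the IBM i Network Authentication Service is on the PATH for the keytab content check, and that the IBM i data authorities *R, *W and *X correspond to the read, write and execute bits that `test` reports for the current user.

```shell
#!/bin/sh
# Added example, not LANSA code: pre-flight check of the Kerberos file
# authorities that the LANSA listener job user needs for Single Sign-On.
# Run as the listener job user (or a profile in its group) in QShell/PASE.

# Default locations from the LANSA documentation; krbcred_xxxxxx is a
# placeholder, so pass the real credential cache name as argument 2.
KRB5_CONF=${1:-/QIBM/UserData/OS400/NetworkAuthentication/krb5.conf}
KRB5_CCACHE=${2:-/QIBM/UserData/OS400/NetworkAuthentication/creds/krbcred_xxxxxx}
KRB5_KEYTAB=${3:-/QIBM/UserData/OS400/NetworkAuthentication/keytab/krb5.keytab}

# check_path_exec FILE: every directory on the way to FILE needs *X.
# Returns 0 if the current user can traverse all of them, 1 otherwise.
check_path_exec() {
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        [ -x "$dir" ] || { echo "missing *X on directory $dir"; return 1; }
        dir=$(dirname "$dir")
    done
    return 0
}

# check_file FILE MODE: MODE is "r" (needs *R) or "rw" (needs *RW); the
# directory path is checked for *X as well. Returns 0 on success, 1 when
# the file is missing or any authority is absent.
check_file() {
    f=$1; mode=$2
    [ -f "$f" ] || { echo "not found: $f"; return 1; }
    check_path_exec "$f" || return 1
    [ -r "$f" ] || { echo "missing *R on $f"; return 1; }
    if [ "$mode" = "rw" ]; then
        [ -w "$f" ] || { echo "missing *W on $f"; return 1; }
    fi
    return 0
}

# check_keytab_host KEYTAB: the HOST principal must be in the keytab or the
# IBM i cannot decrypt the service ticket the Windows client presents.
# Assumes the IBM i 'klist -k' command. Returns 0 when a host/ entry is
# listed, 1 when it is absent, 2 when klist is not available here.
check_keytab_host() {
    command -v klist >/dev/null 2>&1 || {
        echo "klist not found; keytab content check skipped"; return 2; }
    klist -k "$1" 2>/dev/null | grep -qi 'host/' && return 0
    echo "no host/ principal found in $1"
    return 1
}

# sso_preflight CONF CCACHE KEYTAB: run every check. Returns 0 only when all
# required authorities are present and, if klist is available, the keytab
# holds a host/ principal. An unavailable klist is reported but not fatal.
sso_preflight() {
    rc=0
    check_file "$1" r  || rc=1
    check_file "$2" rw || rc=1
    check_file "$3" r  || rc=1
    kt=0
    check_keytab_host "$3" || kt=$?
    [ "$kt" -eq 1 ] && rc=1
    return $rc
}

sso_preflight "$KRB5_CONF" "$KRB5_CCACHE" "$KRB5_KEYTAB" \
    && echo "SSO pre-flight passed" \
    || echo "SSO pre-flight failed: fix the items listed above before step 2"
```

Run it as the listener job user rather than as a *SECOFR profile, since an all-object user passes every authority test and tells you nothing about the listener. Grant exactly the authorities the documentation lists and no more: the keytab holds the host principal's long-term key, so *R for the listener user is all it needs, and giving it *W or making the file readable by *PUBLIC would let any job on the system impersonate the host service.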

Also see

4.5.1 How LANSA SSO Works

3.3.3 Use Windows Credentials in 3.3 Logon Parameters

4.3.19 Use Windows credentials in 4.3 System Initialization