4.5.1 How LANSA SSO Works

When a Windows user signs onto Windows as part of a domain, their domain user account in the Windows Active Directory includes a property called the Kerberos User Principal Name (UPN). The UPN of a user consists of the user name, followed by an '@' character, and then the full domain in uppercase letters. For example, the UPN for Windows user 1 (user1) might be user1@MYDOMAIN.COM.

When user1@MYDOMAIN.COM launches Visual LANSA with the Use Windows credentials option selected in the Logon dialog, Visual LANSA Logon checks whether the repository contains a LANSA User that is associated with user1@MYDOMAIN.COM. If it finds such a LANSA User, for example "DEVUSER", then Visual LANSA Logon starts the Visual LANSA session using the LANSA User Id of DEVUSER. If there is no association, the logon step cannot proceed.

The association between a Windows domain user and a LANSA User is specified on an IBM i by an IBM i administrator using the IBM Enterprise Identity Mapping (EIM) facility. To automate access to the IBM i EIM facility, a distinguished name and password are needed. These are specified using the LANSA Communications Extensions Configuration Items (COMMS_EXTENSIONS) facility, described in the LANSA for i User Guide.

If you are using a Slave System with an IBM i Master Repository, you may need to perform a 4.3 System Initialization and select the 4.3.13 Enrolled PC Users option, to update the association details in the Visual LANSA System Definition. This option will retrieve the most current list of associations between Windows domain users and authorized LANSA User Ids.

The association between a Windows domain user and a LANSA User is specified on a Windows server using the LANSA User definition in the LANSA Editor.

Also see

Edit User Definitions in the Visual LANSA User Guide.

EIM Authorized User (COMMS_EIM_USER) in the LANSA for i User Guide.