You can use single sign-on with Web or desktop applications in a WebSphere® Application Server environment.
The following sequence is the authentication flow path to implement single sign-on in your application:
- A user enters their user ID and password through a browser application. The request is sent to the WebSphere Application Server.
- WebSphere Application Server authenticates the user by verifying the user information with an LDAP server.
- If the user information is valid, WebSphere Application Server generates a cookie named LTPACookie. This cookie contains a Lightweight Third Party Authentication (LTPA) token.
- The application logs on to IBM® Content Manager by calling connectWithCredential in DKDatastoreICM and using the LTPA cookie. For example:
    DKDatastoreICM dsICM = new DKDatastoreICM();
    // sLTPAToken is a string holding the LTPA token taken from the LTPACookie;
    // it is null when the request carried no single sign-on cookie
    if (sLTPAToken != null) {
        DKAuthenticationData credential = new DKAuthenticationData();
        credential.setCredential(sLTPAToken);
        // Trusted logon: the API passes the token to WebSphere Application Server for validation
        dsICM.connectWithCredential("ICMNLSDB", credential, "");
    } else {
        // Normal connection with user ID and password
        dsICM.connect("ICMNLSDB", UserId, PWD, "");
    }
- The IBM Content Manager API calls the WebSphere Application Server to validate the LTPA token.
- WebSphere Application Server validates the LTPA token. If valid, a credential is created; otherwise, an exception is thrown.
- If a credential is created, it is wrapped into DKAuthenticationData and the WebSphere Application Server user ID is extracted for use when logging on to Content Manager EE.
The following figure illustrates the authentication flow path:
[Figure 1. Single sign-on authentication flow in a WebSphere Application Server environment]
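The flow above, as an added example that is not code from the page or from the IBM SDK: a servlet-side helper that reads the LTPA token from the LTPACookie named in the text, performs the trusted logon through DKDatastoreICM, and treats a missing or rejected token as a failed logon rather than retrying with a stored password. It assumes the Java Servlet API and the SDK package names com.ibm.mm.sdk.common and com.ibm.mm.sdk.server.

```java
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import com.ibm.mm.sdk.common.DKAuthenticationData;
import com.ibm.mm.sdk.server.DKDatastoreICM;

public final class LtpaLogon {
    private static final String LTPA_COOKIE = "LTPACookie"; // cookie name as given in the text
    private static final String DATASTORE = "ICMNLSDB";     // library server name from the text

    /** Returns the LTPA token carried by the request's SSO cookie, or null if absent. */
    static String ltpaTokenFrom(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (LTPA_COOKIE.equals(c.getName()) && c.getValue() != null && !c.getValue().isEmpty()) {
                return c.getValue();
            }
        }
        return null;
    }

    /**
     * Connects with the LTPA token only. When there is no token, or WebSphere
     * Application Server rejects it during validation, the caller receives null
     * and should send the user back through the login page.
     */
    static DKDatastoreICM connectWithSso(HttpServletRequest request) {
        String token = ltpaTokenFrom(request);
        if (token == null) {
            return null; // no SSO cookie: the user was not authenticated by WebSphere
        }
        try {
            DKAuthenticationData credential = new DKAuthenticationData();
            credential.setCredential(token);
            DKDatastoreICM dsICM = new DKDatastoreICM();
            // The API hands the token back to WebSphere Application Server for
            // validation; an invalid or expired token surfaces here as an exception.
            dsICM.connectWithCredential(DATASTORE, credential, "");
            return dsICM;
        } catch (Exception e) {
            // Record the failure for the audit trail without echoing the token itself.
            System.err.println("LTPA trusted logon rejected: " + e.getMessage());
            return null;
        }
    }
}
```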
You can also use the CMBConnection bean to connect by using single sign-on. The following example shows how to use the CMBConnection bean:
    public static void connect(CMBConnection connection, String dstype,
                               String server, String ltpaToken) throws Exception {
        // If the server name is followed by a parenthesized string,
        // use that string for the connect string.
        if (server.indexOf("(") > 0) {
            String connectString = server.substring(server.indexOf("(") + 1);
            server = server.substring(0, server.indexOf("("));
            if (connectString.endsWith(")")) {
                connectString = connectString.substring(0, connectString.length() - 1);
            }
            connection.setConnectString(connectString);
        }
        // Set properties on the connection bean
        connection.setDsType(dstype);
        // Use the connect method to connect. This will create the correct type
        // of DKDatastore object (see Java API) and call its connect method.
        System.out.println("Connecting to server");
        connection.connectWithCredential(server, ltpaToken, "");
        System.out.println("OK, Connected");
        // Enable display names support. This will cause CMBSchemaManagement,
        // CMBEntity, CMBAttribute, CMBItem to use display names when working
        // with Content Manager (default is to use non-display names).
        connection.setDisplayNamesEnabled(true);
    }
To use single sign-on in the manner described in the previous section, configure your system to allow a trusted logon by completing the following steps:
- Set the Allow trusted logon flag in the library server configuration. Using the system administration client, go to . Ensure that Allow trusted logon is selected.
- Ensure that the database connection ID has the UserDB2TrustedConnect privilege set. To verify, using the system administration client, go to . Ensure that Password is required for all users is not selected.
- If you have not already done so, import your users into Content Manager EE from LDAP. This step is required because WebSphere Application Server authenticates the user with an LDAP server.
- Ensure that the privilege set for all Content Manager EE users contains the AllowTrustedLogon privilege. To verify, open the properties panel of the user in the system administration client and check that the user's privilege set contains the AllowTrustedLogon privilege. For more information about privileges, see the System Administration Guide.