IBM BS029ML Self Help Guide - Page 53
SSO is a function of the underlying WebSphere Application Server instance. As such, there is no concept of a Reverse Authenticating Proxy Server, which could otherwise be placed in a DMZ for added security.

Pseudo-SSO is achievable with the use of the Credential Vault. However, a user is required to manually enter his or her user ID and password prior to accessing the back-end system, as the user registries are typically not synchronized.

SSO functionality does not extend to any fancy password expiry or user session handling. That is, concurrent logins using the same user account are not barred.

Enterprise SSO with an External Security Manager

The decision, therefore, to deploy an External Security Manager for a given implementation is usually based on a number of factors. However, one main requirement that often dictates the inclusion of such a product is the demand for an enterprise-wide SSO capability. As mentioned previously, Tivoli Access Manager is just one such product that represents the IBM strategic enterprise-wide security offering.

TAM consists of two main components: the Policy Server and the WebSEAL Reverse Authenticating Proxy server. That is, when a user logs into a WebSphere Portal Server solution protected by TAM, it is actually the Tivoli WebSEAL server that performs the authentication task. As such, the key points for deciding to deploy TAM above the out-of-the-box SSO provided by WebSphere Portal Server are listed below:

- TAM provides enterprise-wide SSO capabilities.
- Basic Authentication SSO support.
- Forms-based SSO (FSSO) support.
- Lightweight Third-Party Authentication (LTPA) SSO support.
- HTTP Header based SSO support.
- Global SSO support.
- SPNEGO (Desktop SSO) support.

And in addition, the following aspects are provided:

- Centralized administration at an organizational level.
- Expired password handling.
- Password reset and password strength policy management.
- Delegated security administration for portal.
- Session duration or inactivity timeout.
- Account lockout (possibly for a specified period of time) after a specific number of successful authentication attempts.

Attention: It should be noted that the deployment of an External Security Manager, such as Tivoli Access Manager, does not necessarily address every aspect of SSO. For example, SSO is generally considered to be homogenous between all participants in a solution. Should the participants in a solution utilize different user repositories, there may well be the need to deploy an Identity Management Solution or a Federated Identity Management Solution.

Chapter 2. Architecture and planning 39