Thanks to everyone for the responses. This is a good starting point.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of John Earl
Sent: Tuesday, May 13, 2008 8:28 PM
To: Midrange Systems Technical Discussion
Subject: RE: Single Sign On
Glenn,

> We are looking at making AD the primary security source.

For most organizations, this is the right choice. When users log onto
their PC first thing in the morning they are usually authenticated to AD
and given a Kerberos ticket that is (typically) good for the day.
Deploying SSO in this environment means just teaching your System i to
honor that ticket issued by AD.

> My first question is when doing single sign on is this an all
> or nothing proposition?

No. Most of the shops we have helped with SSO have chosen to roll out
just a handful of users at a time at first, and then increase the
rollout speed as they get more familiar with it. The beauty of EIM and
SSO on i is that you can enroll just one user at a time if you wish.
There is no "say a prayer and flip the switch" moment because you enable
5 users, make sure it works the way you want it to, and then go do 10
more, and then 30 more, etc., etc.

> Is a third-party product necessary or preferable?

We have a tool that simplifies the loading of the EIM database - without
it there is a lot of typing to enter all of the userids as they appear
on all of your systems. The tool also acts as a backup for EIM so that
you can easily reload it if you have a system failure, but for the most
part the software you need is already in the OS. For some shops it is
better to hire someone to implement SSO, because the Kerberos and EIM
configurations are tough, and it is a one-time task, so you typically
don't have to retain the knowledge, but I know of a couple of shops that
took the time to do it themselves.

HTH,
jte
--
John Earl, VP and Chief Technology Officer
PowerTech: 253-872-7788
Direct: 253-479-1408
Mobile: 206-669-3336
John.Earl@xxxxxxxxxxxxx
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Thompson, Glenn
Sent: Tuesday, May 13, 2008 2:50 PM
To: Midrange Systems Technical Discussion
Subject: Single Sign On
I have been requested to do some research on single sign on.
We are looking at making AD the primary security source.
My first question is when doing single sign on is this an all
or nothing proposition?
Is a third-party product necessary or preferable?
Glenn Thompson
Health Management Associates, Inc.
Corporate MIS - Senior Programmer/Analyst
(239) 552-3500
e-mail: glenn.thompson@xxxxxxx