× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. September 2014

Re: Does IBM i handle Single Sign On?

It's called Kerberos - because M.I.T. doesn't let anyone call their own version "Kerberos", it is called NAS, or Network Authentication Service on the i.

Kerberos is used by Windows network authentication. When you sign in as part of such a network, you send credentials up to the AD server - it sends back a Kerberos ticket that opens all your doors for you. No passwords are spread around your enterprise, BTW.

iSeries Access has the option of using Kerberos for authentication. So does the Apache server. And 5250 emulation. And ODBC - IIRC, FTP was added to the mix recently - and Netserver can do it.

Kerberos is a trusted 3rd-party authentication protocol. I've likened it to "Joe sent me" in the Prohibition speakeasy days - both you and the drinking establishment know Joe, and the bar knows that if Joe says you're OK, you are.

In Windows networking, "Joe" is an Active Directory server.

On IBM i, there is an additional component - EIM, or Enterprise Identity Mapping - with other systems, the same profile is used everywhere. With EIM, you say that your Windows user name JamesHHL is the same person that has the IBM i profile JHHLAMB - and since the Windows user has been authenticated by trusted 3rd party, IBM i authenticates JHHLAMB and authorizes using that profile's settings.

There are APIs that will let you probe the EIM structure based on getting information like the Windows principle (user) and finding which system or app user that points to. I wrote SSO functionality in the RJS Software WebDocs product not too many years ago.

There is an SSO 101 kind of article at developerworks, written by the ISV support team at IBM - the guys I worked with for about a month-and-a-half until we all understood it. It's a great article, and if you are an ISV partner and have call-in ISV support, you can contact them and get tons of help.

You might also talk to Pat Botz, former IBMer who was involved in writing the EIM stuff - he is a security consultant who helps people get set up with SSO, gives sessions at COMMON on all this.

The whole thing did not make sense for quite a while - then all of a sudden the fog lifted and it seems it is easy. Trust me!

The idea of SSO is you log in once, then that authentication is trusted across the entire enterprise - to apps and systems that understand it, of course.

To get a feel for Kerberos - it really IS a very robust protocol - look up "kerberos dialogue" in google - a Greek play in 4 acts - something like that. Kind of fun!

HTH
Vern

On 9/11/2014 6:26 PM, James H. H. Lampert wrote:
I'll say right up front that even after looking it up in Wikipedia, I still only have a vague idea what Single Sign On is.

A customer asked about Single Sign On in relation to our CRM product. Could somebody please do something to relieve my complete and utter ignorance about the subject?

--
JHHL


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.