I looked up Okta and IBM i and Kerberos - I saw some things on the Okta site that make me think it can be done - but it might use 3rd party something or other.
I also saw a diagram from there that showed how Okta goes to the Windows Active Directory as the Key Distribution Center (that's a Kerberos thing). What Joseph mentions is similar - NAS on IBM i can also connect that way to Windows AD, and EIM maps a Windows principal (user name) to an IBM i user profile - a question for me is, will the AD have the Kerberos key needed for IBM i when someone has authenticated to Windows using Okta? Something like that. There are vendors (I kept typing verndors!) like Fortra and Kisco and IBM Lab Services (I'm guessing on those vendors, there are others, I'm sure).
I worked several years ago on SSO-enabling an IBM i web application - it's been far too long to know much more than what I said here.
Cheers
Vern
On Wed, 18 Dec, 2024 at 10:14 AM, Sizer, Joseph via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:
To: 'midrange systems technical discussion'
Cc: JSizer@xxxxxxxxxx
Implementing single sign-on for the IBM i within a Windows Active Directory environment can be accomplished without any third-party add-on software. You can use IBM i EIM (Enterprise Identity Mapping) along with NAS (Network Authentication Service).
You can find a two-part video supplied by IBM.
https://mediacenter.ibm.com/media/Configure+Single+Sign-on+using+Kerberos+on+IBM+i.+Part+1+Network+Authentication+Service/1_92i8tf5u
https://mediacenter.ibm.com/media/Configure+Single+Sign-on+using+Kerberos+on+IBM+i+Part+2+-+EIM/1_st0pc9sg
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Bill and Lisa Howie
Sent: Tuesday, December 17, 2024 3:51 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Single sign-on with Okta
Hello all,
I've been tasked by my boss to research the possibility of implementing single sign-on for our IBM i servers on our Windows network. Our single sign-on provider is Okta, if that helps. I'm trying to understand if simply having Okta as our provider is the only thing we need to get it set up on our IBM i. In doing a basic Google search it seems like there's a lot of places that want to sell you a third-party product to pull all this together but I'm not sure that's necessary. I'd love to hear everyone's thoughts. Thanks!
Bill