Bill... Have you reached out to Okta for assistance? Seems like an obvious route.

Roger Harman
COMMON Certified Application Developer - ILE RPG on IBM i on Power



-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of VERNON HAMBERG Owner via MIDRANGE-L
Sent: Wednesday, December 18, 2024 1:12 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Cc: VERNON HAMBERG Owner <vhamberg@xxxxxxxxxxxxxxx>; midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Re: Single sign-on with Okta

If one goes to one of the links Joseph posted, there's a short one describing tooling that Lab Services has, which can help set things up, especially when you have a large user base - setting things up manually in Navigator for more than a few (that video suggests 50 is small, I think that's getting large, actually!)


But this does not speak directly to the original question about Okta - I have to wonder if connecting to AD as KDC works if it's also being used with Okta - that just feels weird, but it's been ages (at least 12 years) since I worked with this.

Season's best to all!
Vern


On Wed, 18 Dec, 2024 at 1:42 PM, Jim Oberholtzer <midrangel@xxxxxxxxxxxxxxxxx> wrote:


To: midrange-l@xxxxxxxxxxxxxxxxxx
Cc: midrange-l@xxxxxxxxxxxxxxxxxx
I think it’s in the new nav. That said, there is a twist with the OP implementation. Straight MS is not a big deal, presuming the AD side is set properly.


Jim Oberholtzer
Agile Technology Architects

On Dec 18, 2024, at 1:05 PM, Rob Berendt <robertowenberendt@xxxxxxxxx> wrote:

We once had EIM going but dropped it (long story). There was something in
the Navigator we were using to do all this. But, heck, that might have been
the old fat client Navigator.

On Wed, Dec 18, 2024 at 12:09 PM VERNON HAMBERG Owner via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:

I looked up Okta and IBM i and Kerberos - I saw some things on the Okta
site that make me think it can be done - but it might use 3rd party
something or other.


I also saw a diagram from there that showed how Okta goes to the Windows
Active Directory as the Key Distribution Center (that's a Kerberos thing).
What Joseph mentions is similar - NAS on IBM i can also connect that way to
Windows AD, and EIM maps a Windows principal (user name) to an IBM i user
profile - a question for me is, will the AD have the Kerberos key needed
for IBM i when someone has authenticated to Windows using Okta? Something
like that. There are vendors (I kept typing verndors!) like Fortra and
Kisco and IBM Lab Services (I'm guessing on those vendors, there are
others, I'm sure)


I worked several years ago on SSO-enabling an IBM i web application - it's
been far too long to know much more than what I said here.

Cheers
Vern


On Wed, 18 Dec, 2024 at 10:14 AM, Sizer, Joseph via MIDRANGE-L <midrange-l@xxxxxxxxxxxxxxxxxx> wrote:


To: 'midrange systems technical discussion'
Cc: JSizer@xxxxxxxxxx
Implementing single sign-on for the IBM i within a Windows Active
Directory environment can be accomplished without any third-party add-on
software. You can use IBM i EIM (Enterprise Identity Mapping) along with
NAS (Network Authentication Service).

You can find a two-part video supplied by IBM.


https://mediacenter.ibm.com/media/Configure+Single+Sign-on+using+Kerberos+on+IBM+i.+Part+1+Network+Authentication+Service/1_92i8tf5u


https://mediacenter.ibm.com/media/Configure+Single+Sign-on+using+Kerberos+on+IBM+i+Part+2+-+EIM/1_st0pc9sg


-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Bill and Lisa Howie
Sent: Tuesday, December 17, 2024 3:51 PM
To: midrange-l@xxxxxxxxxxxxxxxxxx
Subject: Single sign-on with Okta

Hello all,

I've been tasked by my boss to research the possibility of implementing
single sign-on for our IBM i servers on our Windows network. Our single
sign-on provider is Okta, if that helps. I'm trying to understand if
simply having Okta as our provider is the only thing we need to get it set
up on our IBM i. In doing a basic Google search it seems like there's a
lot of places that want to sell you a third-party product to pull all this
together but I'm not sure that's necessary. I'd love to hear everyone's
thoughts. Thanks!

Bill

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/midrange-l.

Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
