Mike,

<vendor>

We license an ILE-based web portal that offers SAML-based authentication as
an option. What that means is that users can bypass the portal's login
prompt by presenting a "ticket" from a SAML-based authentication server
that they have already authenticated against. Once authenticated, users
gain access to the portal's menu-navigation system that provides access to
CGI programs and other types of resources that are hosted on IBM i, or
other types of web sites. Feel free to contact me privately, if you'd like
to set up a meeting to discuss this.

</vendor>

I may also be able to contribute to a general discussion about SAML-based
authentication on Web400, if you prefer that.




On Tue, Oct 17, 2017 at 11:14 AM, Mike Cunningham <mike.cunningham@xxxxxxx>
wrote:

We run two different web sites from our IBM i. One for students and one
for employees. We do not use Apache authentication to access these sites
because we found that persistent sessions would kill the system. (This was
years ago and may be different today, but we have not attempted to change
things.)


In regard to persistent sessions, that sounds like you may be referring to
the use of Apache mod_session in conjunction with mod_auth_form as
discussed at the Apache web site, which does warn of performance and
resource implications:

https://httpd.apache.org/docs/2.4/mod/mod_session.html

But it appears to me that the authentication that is built into the IBM i
HTTP server is somewhat different. I haven't heard of any performance
implication in that regard.


Both of these sites use LDAP to check the username/password against our
Active Directory users and allow access if the authentication to AD does
not fail.


Are you saying that you're using a Windows-based reverse-proxy that
authenticates against AD, then forwards requests to IBM i for completion?


Many other 3rd party web sites that we use have single sign-on set up with
either Shib or ADFS that will pass a ticket to those systems to bypass
authentication.


We were asked by our biggest customer if we would add SAML-based
authentication to our web portal, which gave us some experience.


We have been asked if the two web sites hosted on IBM i could also do
this. That does not sound like anything we would want to try and code
in-house. Does anyone know of any tool that would do this for us?


What sort of "tool" do you have in mind? In addition to something like our
web portal, I could envision something like a reverse-proxy that included
one or more SAML-based authentication options.

This mailing list archive is Copyright 1997-2021 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.