Single sign-on enables multiple applications to share user sign-on information, rather than requiring each application to have separate user sign-on. Applications using single sign-on authenticate the user one time, and the authentication information is propagated to all other involved applications.
Single sign-on applies to Web applications configured for the same realm and virtual server.
Single sign-on uses an HTTP cookie to transmit a token that associates each request with the saved user identity, so it can be used only when the browser client supports cookies.
Single sign-on operates according to the following rules:
When a user accesses a protected resource in a Web application, the server requires the user to authenticate himself or herself, using the method defined for that Web application.
Once authenticated, the Application Server uses the roles associated with the user for authorization decisions across all Web applications on the virtual server, without challenging the user to authenticate to each application individually.
When the user logs out of one Web application (explicitly, or because of session expiration), the user’s sessions in all Web applications become invalid. Thereafter, the user is required to log in to access a protected resource in any application.
In the Admin Console tree component, expand the Configurations node.
Select the instance to configure:
Expand the HTTP Service node.
Expand the Virtual Servers node, and select the virtual server to be configured for single sign-on support.
Click Add Property.
A blank property entry is added to the bottom of the list.
Enter sso-enable in the Name field.
Enter true in the Value field to enable SSO, or false to disable it.
SSO is enabled by default, so the property only needs to be set explicitly to switch single sign-on off for this virtual server.
Add or change any other single sign-on properties by clicking Add Property and configuring any applicable SSO properties.
Valid SSO properties for virtual servers are discussed in the following table.
Property Name | Description | Values
---|---|---
sso-max-inactive-seconds | Number of seconds after which a user's single sign-on record becomes eligible for purging, if no client activity is received. Access to any of the applications on the virtual server keeps the single sign-on record active. | Default is 300 seconds (5 minutes). A higher value provides longer persistence for users, but consumes more memory on the server.
sso-reap-interval-seconds | Interval (in seconds) between purges of expired single sign-on records. | Default is 60.
Click Save.
Restart the Application Server if Restart Required displays in the console.
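The procedure above writes three free-text properties, and a typo in a name or a non-boolean value is accepted by the console but silently leaves the default in effect. The following script is an added example, not code from the original page or from the Application Server: it reads the virtual-server properties from a domain.xml-style fragment, merges them with the defaults stated in the table, and reports the effective settings with warnings for mistyped names, non-boolean sso-enable values and non-numeric intervals. Two things are assumptions rather than facts from the page: that the console persists the properties as `<property name="..." value="..."/>` children of `<virtual-server id="...">`, and that an idle record which has become eligible for purging can survive until the next reaper pass, so the reported worst-case idle lifetime is sso-max-inactive-seconds plus sso-reap-interval-seconds. The sample XML is constructed for the example.

```python
"""Added example (not from the page or the Application Server): audit the SSO
properties of each virtual server and report the effective settings.
Assumed layout: <virtual-server id="..."><property name="..." value="..."/>."""
import xml.etree.ElementTree as ET

# Defaults stated on the page: SSO enabled, 300 s inactivity limit, 60 s reap interval.
DEFAULTS = {
    "sso-enable": "true",
    "sso-max-inactive-seconds": "300",
    "sso-reap-interval-seconds": "60",
}

# Constructed sample, not captured from a real domain. "server" is tuned explicitly,
# "intranet" carries three mistakes the console accepts as text, "__asadmin" is off.
SAMPLE_DOMAIN_XML = """\
<domain>
  <configs>
    <config name="server-config">
      <http-service>
        <virtual-server id="server" hosts="localhost">
          <property name="sso-enable" value="true"/>
          <property name="sso-max-inactive-seconds" value="900"/>
          <property name="sso-reap-interval-seconds" value="30"/>
        </virtual-server>
        <virtual-server id="intranet" hosts="intranet.example">
          <property name="sso-enable" value="yes"/>
          <property name="sso-max-inactive-seconds" value="abc"/>
          <property name="sso-max-inactive-secs" value="600"/>
        </virtual-server>
        <virtual-server id="__asadmin" hosts="localhost">
          <property name="sso-enable" value="false"/>
        </virtual-server>
      </http-service>
    </config>
  </configs>
</domain>
"""


def effective_sso_settings(props):
    """Merge a virtual server's explicit properties with the documented defaults.

    Returns the effective values plus warnings for settings that do not mean what
    the administrator intended (mistyped names, non-boolean flags, bad intervals).
    """
    warnings = []
    # A mistyped sso-* name is not one of the valid properties, so the default
    # stays in effect; flag it instead of letting it pass unnoticed.
    for name in props:
        if name.startswith("sso-") and name not in DEFAULTS:
            warnings.append(f"unknown property {name!r} ignored; default remains in effect")

    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in props.items() if k in DEFAULTS})

    raw_enable = merged["sso-enable"].strip().lower()
    if raw_enable not in ("true", "false"):
        warnings.append(f"sso-enable={merged['sso-enable']!r} is neither true nor false; "
                        "reported as disabled")
    enabled = raw_enable == "true"

    def positive_int(name):
        try:
            value = int(merged[name])
        except ValueError:
            warnings.append(f"{name}={merged[name]!r} is not an integer; using default {DEFAULTS[name]}")
            return int(DEFAULTS[name])
        if value <= 0:
            warnings.append(f"{name}={value} is not positive; using default {DEFAULTS[name]}")
            return int(DEFAULTS[name])
        return value

    max_inactive = positive_int("sso-max-inactive-seconds")
    reap_interval = positive_int("sso-reap-interval-seconds")

    return {
        "enabled": enabled,
        "max_inactive_seconds": max_inactive,
        "reap_interval_seconds": reap_interval,
        # Assumption: an eligible idle record can linger until the next reaper pass.
        "worst_case_idle_seconds": max_inactive + reap_interval,
        "warnings": warnings,
    }


def audit_domain(xml_text):
    """Return {virtual-server id: effective SSO settings} for every virtual server."""
    root = ET.fromstring(xml_text)
    report = {}
    for vs in root.iter("virtual-server"):
        props = {p.get("name", ""): p.get("value", "") for p in vs.findall("property")}
        report[vs.get("id")] = effective_sso_settings(props)
    return report


if __name__ == "__main__":
    for vs_id, s in audit_domain(SAMPLE_DOMAIN_XML).items():
        state = "enabled" if s["enabled"] else "disabled"
        print(f"{vs_id}: SSO {state}, idle limit {s['max_inactive_seconds']}s, reaped every "
              f"{s['reap_interval_seconds']}s (idle record may survive {s['worst_case_idle_seconds']}s)")
        for w in s["warnings"]:
            print(f"  warning: {w}")
```

Run it against the real domain.xml after clicking Save to confirm the property names and values landed on the intended virtual server; on the "intranet" sample it reports that the enable flag is not a boolean, that the inactivity value fell back to 300 seconds, and that the mistyped property is ignored.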