Single sign-on is the ability for an end user to authenticate once (that is, log on with user ID and password) and have access to multiple applications. The Sun Java System Access Manager is the official gateway used for SSO for Sun Java System servers. That is, users must log into Access Manager to get access to other SSO configured servers.
For example, when properly configured, a user can sign in at the Access Manager login screen and have access to Instant Messenger in another window without having to sign in again. Similarly, if the Sun Java System Calendar Server is properly configured, a user can sign in at the Access Manager login screen, then have access to Calendar in another window without having to sign in again.
Other Communications Suite servers, such as Messaging Server, provide two methods of deploying SSO: through Access Manager, or through trusted circle technology. Using a trusted circle is the legacy method of implementing SSO, and is not used by Instant Messaging. Though this method provides some features not available with Access Manager SSO, all future development will be with Access Manager. This chapter describes using Access Manager to enable SSO for Instant Messaging in the following sections:
The Instant Messenger session is only valid for as long as the Access Manager session is valid. If the user logs out of Access Manager the Instant Messenger session is automatically closed (single sign-off) as soon as the user sends another request to the server.
SSO applications working together must be in the same DNS domain.
SSO applications must have access to the Access Manager verification URL (naming service).
Browsers must have cookies enabled.
Two iim.conf parameters support Instant Messaging SSO.

Table 5–1 Instant Messaging Single Sign-On Parameters

iim_server.usesso
Determines whether or not the Instant Messaging server should depend on the SSO provider during authentication. The Access Manager Session API provides the Instant Messaging server with the ability to validate session IDs sent by the client.
Possible values include:
0 – Do not use the SSO provider.
1 – Use the SSO provider first and default to LDAP if the SSO validation fails.
-1 – Use only the SSO provider without attempting LDAP authentication even when SSO authentication fails.
Default: 1 if you chose to leverage Access Manager for SSO when you ran the configure utility. Otherwise, the default value is 0.
Specifies the class implementing the com.sun.im.provider.SSOProvider interface. If iim_server.usesso is not equal to 0 and this option is not set, the server uses the default Access Manager-based SSO Provider that is internally defined in Instant Messaging. Typically, you will not modify this parameter.
Ensure that the Access Manager SDK is installed on the same host as the Instant Messaging server.
See Sun Java Communications Suite 5 Installation Guide for more information.
Ensure that Instant Messaging services are assigned to the organization in the Access Manager console (amconsole).
If you are using other Communications Suite server products in your deployment, such as Messaging Server, you may need to manually configure Access Manager–based services for Instant Messaging.
Run the configure utility.
See To Configure Instant Messaging After Installation for instructions.
When prompted whether you want to use Access Manager for SSO, select yes.
Set the iim.policy.module parameter to identity:
Restart the Instant Messaging server:
If there is a problem with SSO, first check the xmppd.log server log file and the client log files for errors. Increasing the logging level may help; new logging levels take effect only after a server restart.
Ensure that Instant Messaging services have been assigned to the organization and its parent organization in the Access Manager console (amconsole). See Adding Instant Messaging and Presence Services to a Sub-organization in Access Manager for Single Sign-On and Policy Management Support for information.
If you are unable to log into Instant Messaging directly, look in xmppd.log for an error similar to either of the following:
DEBUG xmppd [com.sun.im.service.util.Worker3] Service URL not found:session.com.iplanet.sso.SSOException: Service URL not found:
INFO xmppd [com.sun.im.service.util.Worker 3] [Identity] Failed to create SSO token for USERNAME
INFO xmppd [org.netbeans.lib.collab.util.Worker 1] [LDAP] pops does not have required objectclass for storing to ldap
If any of these errors exist, use the following steps to solve the problem:
Create a user through
add authentication, configuration, Instant Messaging, and presence services to
Attempt to log in with the user you created.
Check to ensure that the amldapuser's password is correctly filled in through
Check whether the domain, for example, o=siroe.com, has the Authentication Configuration Service Instance.
Check if the Authentication Configuration Service Instance has the Authentication Module set to LDAP or Membership. The value should show a state of REQUIRED/SUFFICIENT.
Instant Messaging only supports login with username and password. If you are using Auth-Chain, you need to disable it to use Instant Messaging.
In the LDAP or Authentication Module, enter the amldapuser password for CORE.
Select the newly created ldapService Authentication Configuration Service Instance under the Organization Authentication Configuration drop-down menu and the Administrator Authentication Configuration drop-down menu in the Core Authentication Module Configuration.
Log in again.
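The following script is an added example, not part of the Sun documentation: it audits the two SSO settings from the configuration procedure (iim_server.usesso and iim.policy.module) in a constructed iim.conf and counts xmppd.log lines that match the three error signatures listed in the troubleshooting section. The file paths, the "key = value" layout of iim.conf, the non-identity policy value and the log contents are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the Sun documentation): check the SSO-related
# iim.conf settings and scan xmppd.log for the documented SSO failures.
# Assumptions: iim.conf uses "key = value" lines; paths below are constructed.

IIM_CONF="${IIM_CONF:-./iim.conf.sample}"
XMPPD_LOG="${XMPPD_LOG:-./xmppd.log.sample}"

# Constructed sample configuration: SSO enabled with LDAP fallback, but the
# policy module left at a constructed non-identity value (any value other
# than "identity" should be flagged).
cat > "$IIM_CONF" <<'EOF'
iim_server.usesso = 1
iim.policy.module = iim_ldap
EOF

# Constructed sample log containing one of the documented failure messages.
cat > "$XMPPD_LOG" <<'EOF'
INFO xmppd [com.sun.im.service.util.Worker 3] [Identity] Failed to create SSO token for jdoe
EOF

# conf_value KEY FILE: prints the first value set for KEY, empty if absent.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$/\1/p" "$2" | head -n 1
}

# Returns 0 when iim_server.usesso is one of 0, 1, -1 and iim.policy.module
# is "identity" whenever SSO is enabled; each finding goes to stderr.
audit_sso_conf() {
    usesso=$(conf_value iim_server.usesso "$1")
    policy=$(conf_value iim.policy.module "$1")
    rc=0
    case "$usesso" in
        0|1|-1) ;;
        *) echo "iim_server.usesso has unexpected value '$usesso'" >&2; rc=1 ;;
    esac
    if [ "$usesso" != "0" ] && [ "$policy" != "identity" ]; then
        echo "SSO enabled but iim.policy.module is '$policy', expected identity" >&2
        rc=1
    fi
    return $rc
}

# Prints the number of log lines matching the documented SSO error signatures.
count_sso_errors() {
    grep -c -E 'Service URL not found|Failed to create SSO token|does not have required objectclass' "$1"
}
```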