Sun Java System Calendar Server Administration Guide 

Chapter 8
Configuring Single Sign-on

This chapter describes how to configure single sign-on (SSO).

Single sign-on (SSO) allows a user to authenticate once and then use multiple trusted applications without having to authenticate again. Sun Java System communications servers, including Calendar Server and Messaging Server, can implement SSO in either of the two ways described in the sections that follow:

Configuring SSO Through Identity Server

Sun Java Enterprise System servers, including Calendar Server and Messaging Server, can implement SSO using Sun Java System Identity Server 6.1 (release 6 2003Q4) or later.

Identity Server serves as the SSO gateway for Sun Java Enterprise System servers. That is, users log in to Identity Server and then can access other Sun Java Enterprise System servers, as long as the servers are configured properly for SSO.

To use SSO with Calendar Server, follow these steps:

  1. Make sure that Identity Server and Directory Server are installed and configured. For information about installing and configuring these products, refer to the Sun Java Enterprise System 2004Q2 Installation Guide.
  2. Configure SSO for Calendar Server by setting the parameters shown in Table 8-1 and then restarting Calendar Server for the values to take effect. If necessary, remove the comment character (!) when you set each parameter.

     Note: When you set the local.calendar.sso.amnamingurl parameter, you must use a fully qualified name for Identity Server.

  3. To configure SSO for Messaging Server, refer to the Sun Java System Messaging Server 6 2004Q2 Administration Guide.
  4. Users log in to Identity Server using their Directory Server LDAP user name and password. (A user who logs in through another server such as Calendar Server or Messaging Server will not be able to use SSO to access the other Sun Java Enterprise System servers.)
  5. After logging in, users can access Calendar Server through Calendar Express using the appropriate URL. Users can also access other Sun Java Enterprise System servers such as Messaging Server, if the servers are configured properly for SSO.

Table 8-1  Calendar Server Configuration Parameters for Using SSO With Identity Server

Parameter: local.calendar.sso.amnamingurl
Description: Specifies the URL of the Identity Server SSO naming service. Default is "http://IdentityServer:port/amserver/namingservice", where IdentityServer is the fully qualified name of Identity Server, and port is the Identity Server port number.

Parameter: local.calendar.sso.amcookiename
Description: Specifies the name of the Identity Server SSO cookie. Default is "iPlanetDirectoryPro".

Parameter: local.calendar.sso.amloglevel
Description: Specifies the log level for Identity Server SSO. Range is from 1 (quiet) to 5 (verbose). Default is "3".

Parameter: local.calendar.sso.logname
Description: Specifies the name of the Identity Server SSO API log file. Default is "am_sso.log".

Parameter: local.calendar.sso.singlesignoff
Description: Enables ("yes") or disables ("no") single sign-off from Calendar Server to Identity Server. If enabled, a user who logs out of Calendar Server is also logged out of Identity Server, and any other sessions the user had initiated through Identity Server (such as a Messaging Server webmail session) are terminated. Because Identity Server is the authentication gateway, single sign-off is always enabled from Identity Server to Calendar Server. Default is "yes".

Considerations for Using SSO With Identity Server

Configuring SSO Through Communications Servers Trusted Circle Technology

When configuring SSO through Communications Servers trusted circle technology (that is, not through Identity Server), consider these points:

Table 8-2 describes the Calendar Server configuration parameters for SSO through Communications Servers trusted circle technology.

Table 8-2  Calendar Server SSO Parameters Through Communications Servers Trusted Circle Technology

Parameter: sso.enable = "1"
Description: This parameter must be set to "1" (the default) to enable SSO. "0" disables SSO.

Parameter: sso.appid = "ics50"
Description: This parameter specifies the unique application ID for the specific Calendar Server installation. Each trusted application must also have a unique application ID. The default is "ics50".

Parameter: sso.appprefix = "ssogrp1"
Description: This parameter specifies the prefix value to be used for formatting SSO cookies. The same value must be used by all trusted applications, because only SSO cookies with this prefix will be recognized by Calendar Server. The default is "ssogrp1".

Parameter: sso.cookiedomain = ".sesta.com"
Description: This parameter causes the browser to send a cookie only to servers in the specified domain. The value must begin with a period (.).

Parameter: sso.singlesignoff = "true"
Description: A value of "true" (the default) clears all SSO cookies on the client with prefix values matching the value configured in sso.appprefix when the client logs out.

Parameter: sso.userdomain = "sesta.com"
Description: This parameter sets the domain used as part of the user's SSO authentication.

Parameter: sso.appid.url = "verifyurl"
Description: This parameter sets the verify URL values for peer SSO hosts for the Calendar Server configuration. One parameter is required for each trusted peer SSO host. The parameter includes the:
  • Application ID (appid), which identifies each peer SSO host whose SSO cookies are to be honored
  • Verify URL ("verifyurl"), which includes the host URL, host port number, and VerifySSO? (including the ending ?).

For example:

sso.ics50.url = "http://sesta.com:8883/VerifySSO?"

sso.msg50.url = "http://sesta.com:8882/VerifySSO?"

In this example, the Calendar Server application ID is ics50, the host URL is sesta.com, and the port is 8883.

The Messenger Express application ID is msg50, the host URL is sesta.com, and the port is 8882.

Table 8-3 describes the Messaging Server configuration parameters for SSO through Communications Servers trusted circle technology.

Table 8-3  Messaging Server SSO Parameters Through Communications Servers Trusted Circle Technology

Parameter: local.webmail.sso.enable = 1
Description: This parameter must be set to a non-zero value to enable SSO.

Parameter: local.webmail.sso.prefix = ssogrp1
Description: This parameter specifies a prefix used when formatting SSO cookies set by the HTTP server.

Parameter: local.webmail.sso.id = msg50
Description: This parameter specifies the unique application ID (msg50) for the Messaging Server. Each trusted application must also have a unique application ID.

Parameter: local.webmail.sso.cookiedomain = sesta.com
Description: This parameter specifies the cookie domain value of all SSO cookies set by the HTTP server.

Parameter: local.webmail.sso.singlesignoff = 1
Description: A non-zero value clears all SSO cookies on the client with prefix values matching the value configured in local.webmail.sso.prefix when the client logs out.

Parameter: local.sso.appid.url = "verifyurl"
Description: This parameter sets the verify URL values for peer SSO hosts for the Messaging Server configuration. One parameter is required for each trusted peer SSO host. The parameter includes these items:
  • Application ID (appid), which identifies each peer SSO host whose SSO cookies are to be honored
  • Verify URL ("verifyurl"), which includes the host URL, host port number, and VerifySSO? (including the ending ?).

For example:

local.sso.ics50.verifyurl = http://sesta.com:8883/VerifySSO?

local.sso.msg50.verifyurl = http://sesta.com:8882/VerifySSO?

In this example, the Messaging Server application ID is msg50, the host URL is sesta.com, and the port is 8882.

The Calendar Server application ID is ics50, the host URL is sesta.com, and the port is 8883.
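The tables above state several rules that only hold when the two servers' settings agree with each other: the same cookie prefix on every trusted application, a cookie domain that begins with a period on the Calendar Server side, distinct application IDs, a verify URL on each server for its peer, and a fully qualified Identity Server name in local.calendar.sso.amnamingurl. As an added example that is not part of this guide or of either product, the following Python script parses constructed sample fragments in the two "key = value" styles shown in Tables 8-1, 8-2 and 8-3 and reports any of those rules that are violated. The host names, ports and URL values in the fragments are assumptions for illustration, and the "!" comment convention is the one the step list above refers to.

```python
# Added example (not from the Sun guide): consistency checks for the SSO
# parameters of Tables 8-1, 8-2 and 8-3. Both fragments below are constructed
# samples; host names and ports are placeholders, not real systems.
from urllib.parse import urlparse

# Constructed ics.conf fragment for Calendar Server. A leading "!" comments a
# line out, which is why the guide says to remove it when setting a value.
ICS_CONF = """
! SSO through Identity Server (Table 8-1)
local.calendar.sso.amnamingurl = "http://is.sesta.com:58080/amserver/namingservice"
local.calendar.sso.amcookiename = "iPlanetDirectoryPro"
local.calendar.sso.amloglevel = "3"
local.calendar.sso.singlesignoff = "yes"
! SSO through trusted circle technology (Table 8-2)
sso.enable = "1"
sso.appid = "ics50"
sso.appprefix = "ssogrp1"
sso.cookiedomain = ".sesta.com"
sso.ics50.url = "http://sesta.com:8883/VerifySSO?"
sso.msg50.url = "http://sesta.com:8882/VerifySSO?"
"""

# Constructed Messaging Server settings in the unquoted form of Table 8-3.
MSG_CONF = """
local.webmail.sso.enable = 1
local.webmail.sso.prefix = ssogrp1
local.webmail.sso.id = msg50
local.webmail.sso.cookiedomain = sesta.com
local.webmail.sso.singlesignoff = 1
local.sso.ics50.verifyurl = http://sesta.com:8883/VerifySSO?
local.sso.msg50.verifyurl = http://sesta.com:8882/VerifySSO?
"""


def parse_conf(text):
    """Parse "key = value" lines into a dict. Lines starting with "!" are
    comments; surrounding double quotes are stripped so both styles compare alike."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf


def verify_url_ok(url):
    """A peer verify URL must be absolute, name host and port, and end in VerifySSO?"""
    u = urlparse(url)
    return (u.scheme in ("http", "https") and bool(u.hostname)
            and u.port is not None and url.endswith("VerifySSO?"))


def check_identity_server_sso(ics):
    """Checks for the Table 8-1 parameters; returns a list of problem strings."""
    problems = []
    naming = ics.get("local.calendar.sso.amnamingurl")
    if naming is None:
        problems.append("amnamingurl is not set (still commented out with '!'?)")
    elif "." not in (urlparse(naming).hostname or ""):
        problems.append("amnamingurl must name Identity Server by fully qualified name")
    level = ics.get("local.calendar.sso.amloglevel", "3")
    if not (level.isdigit() and 1 <= int(level) <= 5):
        problems.append("amloglevel %r is outside the range 1..5" % level)
    if ics.get("local.calendar.sso.singlesignoff", "yes") not in ("yes", "no"):
        problems.append("singlesignoff must be 'yes' or 'no'")
    return problems


def check_trusted_circle(ics, msg):
    """Cross-checks Calendar Server (Table 8-2) against Messaging Server (Table 8-3)."""
    problems = []
    if ics.get("sso.enable") != "1":
        problems.append('Calendar Server: sso.enable must be "1"')
    if msg.get("local.webmail.sso.enable", "0") == "0":
        problems.append("Messaging Server: local.webmail.sso.enable must be non-zero")
    # Every trusted application must use the same cookie prefix.
    if ics.get("sso.appprefix") != msg.get("local.webmail.sso.prefix"):
        problems.append("cookie prefix differs between the two servers")
    # Calendar Server requires a leading period; compare the domains without it.
    ics_dom = ics.get("sso.cookiedomain", "")
    if not ics_dom.startswith("."):
        problems.append("sso.cookiedomain must begin with a period")
    if ics_dom.lstrip(".") != msg.get("local.webmail.sso.cookiedomain", "").lstrip("."):
        problems.append("cookie domain differs between the two servers")
    # Application IDs must be distinct, and each side needs the other's verify URL.
    ics_id, msg_id = ics.get("sso.appid"), msg.get("local.webmail.sso.id")
    if not ics_id or not msg_id or ics_id == msg_id:
        problems.append("application IDs must be set and distinct")
    else:
        for url, owner in ((ics.get("sso.%s.url" % msg_id), "Calendar Server"),
                           (msg.get("local.sso.%s.verifyurl" % ics_id), "Messaging Server")):
            if url is None or not verify_url_ok(url):
                problems.append("%s lacks a valid verify URL for its peer" % owner)
    return problems


def check_all(ics_text=ICS_CONF, msg_text=MSG_CONF):
    """Run both groups of checks; an empty list means the settings are consistent."""
    ics, msg = parse_conf(ics_text), parse_conf(msg_text)
    return check_identity_server_sso(ics) + check_trusted_circle(ics, msg)
```

Running check_all() on the two sample fragments returns an empty list; reintroducing the "!" in front of the amnamingurl line, or changing the prefix on one side only, makes the corresponding problem string appear. The checker deliberately compares the cookie domains with the leading period removed, because Table 8-2 requires the period on the Calendar Server side while the Table 8-3 example omits it.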


For more information about configuring Messaging Server for SSO, see the Sun Java System Messaging Server 6 2004Q2 Administration Guide.

Copyright 2004 Sun Microsystems, Inc. All rights reserved.