Chapter 8
Configuring Single Sign-on
This chapter describes how to configure single sign-on (SSO).
Single sign-on (SSO) allows a user to authenticate once and then use multiple trusted applications without having to authenticate again. Sun Java System communications servers, including Calendar Server and Messaging Server, can implement SSO as follows:
Configuring SSO Through Identity Server
Sun Java Enterprise System servers, including Calendar Server and Messaging Server, can implement SSO using Sun Java System Identity Server (release 6.1 (release 6 2003Q4) or later)
Identity Server serves as the SSO gateway for Sun Java Enterprise System servers. That is, users log in to Identity Server and then can access other Sun Java Enterprise System servers, as long as the servers are configured properly for SSO.
To use SSO with Calendar Server, follow these steps:
- Make sure that Identity Server and Directory Server are installed and configured. For information about installing and configuring these products, refer to the Sun Java Enterprise System 2004Q2 Installation Guide.
- Configure SSO for Calendar Server by setting the parameters shown in Table 8-1 and then restarting Calendar Server for the values to take effect. If necessary, remove the comment character (!) when you set each parameter.
Note When you set the local.calendar.sso.amnamingurl parameter, you must use a fully qualified name for Identity Server.
- To configure SSO for Messaging Server, refer to the Sun Java System Messaging Server 6 2004Q2 Administration Guide.
- Users log into Identity Server using their Directory Server LDAP user name and password. (A user who logs in through another server such as Calendar Server or Messaging Server will not be able to use SSO to access the other Sun Java Enterprise System servers.)
- After logging in, users can access Calendar Server through Calendar Express using the appropriate URL. Users can also access other Sun Java Enterprise System servers such as Messaging Server, if the servers are configured properly for SSO.
Table 8-1 Calendar Server Configuration Parameters for Using SSO With Identity Server
Parameter
|
Description
|
local.calendar.sso.amnamingurl
|
Specifies the URL of the Identity Server SSO naming service.
Default is “http://IdentityServer:port/amserver/namingservice“
where IdentityServer is the fully qualified name of Identity Server, and port is the Identity Server port number.
|
local.calendar.sso.amcookiename
|
Specifies the name of the Identity Server SSO cookie.
Default is “iPlanetDirectoryPro”.
|
local.calendar.sso.amloglevel
|
Specifies the log level for Identity Server SSO. Range is from 1 (quiet) to 5 (verbose). Default is “3“.
|
local.calendar.sso.logname
|
Specifies the name of the Identity Server SSO API log file.
Default is “am_sso.log”.
|
local.calendar.sso.singlesignoff
|
Enables (“yes“) or disables (“no“) single sign-off from Calendar Server to Identity Server.
If enabled, a user who logs out of Calendar Server is also logged out of Identity Server, and any other sessions the user had initiated through Identity Server (such as a Messaging Server webmail session) are terminated.
Because Identity Server is the authentication gateway, single sign-off is always enabled from Identity Server to Calendar Server.
Default is “yes“.
|
Considerations for Using SSO With Identity Server
- A calendar session is valid only as long as the Identity Server session is valid. If a user logs out of Identity Server, the calendar session is automatically closed (single sign-off).
- SSO applications must be in the same domain.
- SSO applications must have access to the Identity Server verification URL (naming service).
- Browsers must support cookies.
- If you are using the Sun Java System Portal Server gateway, set the following Calendar Server parameters:
- service.http.ipsecurity="no"
- render.xslonclient.enable="no"
Configuring SSO Through Communications Servers Trusted Circle Technology
When configuring SSO through Communications Servers trusted circle technology (that is, not through Identity Server), consider these points:
- Each trusted application must be configured for SSO.
- SSO does not work correctly if the default.html page is in your browser’s cache. Before using SSO, be sure to reload the default.html page in your browser. For example, in Netscape Navigator, hold down the Shift key and then click Reload.
- SSO works only for bare URLs. For example, SSO works for http://servername but not for URLs such as http://servername/command.shtml?view.
Table 8-2 describes the Calendar Server configuration parameters for SSO through Communications Servers trusted circle technology.
Table 8-2 Calendar Server SSO Parameters Through Communications Servers Trusted Circle Technology
Parameter
|
Description
|
sso.enable = "1"
|
This parameter must be set to"1" (the default) to enable SSO. "0" disables SSO.
|
sso.appid = "ics50"
|
This parameter specifies the unique application ID for the specific Calendar Server installation. Each trusted application must also have a unique application ID. The default is "ics50".
|
sso.appprefix = "ssogrp1"
|
This parameter specifies the prefix value to be used for formatting SSO cookies. The same value must be used by all trusted applications, because only SSO cookies with this prefix will be recognized by Calendar Server. The default is "ssogrp1".
|
sso.cookiedomain = ".sesta.com"
|
This parameter causes the browser to send a cookie only to servers in the specified domain. The value must begin with a period (.)
|
sso.singlesignoff = "true"
|
A value of "true" (the default) clears all SSO cookies on the client with prefix values matching the value configured in sso.appprefix when the client logs out.
|
sso.userdomain = "sesta.com"
|
This parameter sets the domain used as part of the user's SSO authentication.
|
sso.appid.url = "verifyurl"
For example:
sso.ics50.url = "http://sesta.com:8883/VerifySSO?"
sso.msg50.url = "http://sesta.com:8882/VerifySSO?"
|
This parameter sets the verify URL values for peer SSO hosts for the Calendar Server configuration. One parameter is required for each trusted peer SSO host. The parameter includes the:
- Application ID (appid) identifies each peer SSO host whose SSO cookies are to be honored
- Verify URL ("verifyurl") includes the host URL, host port number, and VerifySSO? (including the ending ?).
In this example, the Calendar Server application ID is ics50, the host URL is sesta.com, and the port is 8883.
The Messenger Express application ID is msg50, the host URL is sesta.com, and the port is 8882.
|
Table 8-3 describes the Messaging Server configuration parameters for SSO through Communications Servers trusted circle technology.
Table 8-3 Messaging Server SSO Parameters Through Communications Servers Trusted Circle Technology
Parameter
|
Description
|
local.webmail.sso.enable = 1
|
This parameter must be set to a non-zero value to enable SSO.
|
local.webmail.sso.prefix = ssogrp1
|
This parameter specifies a prefix used when formatting SSO cookies set by the HTTP server.
|
local.webmail.sso.id = msg50
|
This parameter specifies the unique application ID (msg50) for the Messaging Server.
Each trusted application must also have a unique application ID.
|
local.webmail.sso.cookiedomain = sesta.com
|
This parameter specifies the cookie domain value of all SSO cookies set by the HTTP server.
|
local.webmail.sso.singlesignoff = 1
|
A non-zero value clears all SSO cookies on the client with prefix values matching the value configured in local.webmail.sso.prefix when the client logs out.
|
local.sso.appid.url = "verifyurl"
For example:
local.sso.ics50.verifyurl = http://sesta.com:8883/VerifySSO?
local.sso.msg50.verifyurl = http://sesta.com:8882/VerifySSO?
|
This parameter sets the verify URL values for peer SSO hosts for the Messaging Server configuration. One parameter is required for each trusted peer SSO host. The parameter includes these items:
- Application ID (appid) identifies each peer SSO host whose SSO cookies are to be honored
- Verify URL ("verifyurl") includes the host URL, host port number, and VerifySSO? (including the ending ?).
In this example, the Messaging Server application ID is msg50, the host URL is sesta.com, and the port is 8882.
The Calendar Server application ID is ics50, the host URL is sesta.com, and the port is 8883.
|
For more information about configuring Messaging Server for SSO, see the Sun Java System Messaging Server 6 2004Q2 Administration Guide.