This chapter describes how to configure single sign-on (SSO).
Single sign-on (SSO) allows a user to authenticate once and then use multiple trusted applications without having to authenticate again.
Sun Java System communications servers, including Calendar Server and Messaging Server, can implement SSO as follows:
Sun Java Enterprise System servers, including Calendar Server and Messaging Server, can implement SSO using Sun Java System Access Manager (release 6 2003Q4 or later)
Access Manager serves as the SSO gateway for Sun Java Enterprise System servers. That is, users log in to Access Manager and then can access other Sun Java Enterprise System servers, as long as the servers are configured properly for SSO.
Make sure that Access Manager and Directory Server are installed and configured. For information about installing and configuring these products, refer to the Sun Java Enterprise System 5 Installation Guide for UNIX.
After stopping Calendar Server services, configure SSO for Calendar Server by setting the parameters shown in 8.1 Configuring SSO Through Access Manager. For the values to take effect, you must restart Calendar Server services.
When you set the local.calendar.sso.amnamingurl parameter, you must use a fully qualified host name for where Access Manager software is installed.
To configure SSO for Messaging Server, refer to the Sun Java System Messaging Server 6.3 Administration Guide.
Users log into Access Manager using their Directory Server LDAP user name and password. (A user who logs in through another server such as Calendar Server or Messaging Server will not be able to use SSO to access the other Sun Java Enterprise System servers.)
After logging in, users can access Calendar Server through Communications Express using the appropriate URL. Users can also access other Communications Suite servers such as Messaging Server, if the servers are configured properly for SSO.
| Parameter | Description |
|---|---|
| local.calendar.sso.amnamingurl | Specifies the URL of the Access Manager SSO naming service. Default is http://AccessManager:port/amserver/namingservice, where AccessManager is the fully qualified name of the Access Manager host and port is the Access Manager port number. |
| local.calendar.sso.amcookiename | Specifies the name of the Access Manager SSO cookie. Default is "iPlanetDirectoryPro". |
| local.calendar.sso.amloglevel | Specifies the log level for Access Manager SSO. Range is from 1 (quiet) to 5 (verbose). Default is "3". |
| local.calendar.sso.logname | Specifies the name of the Access Manager SSO API log file. Default is am_sso.log. |
| local.calendar.sso.singlesignoff | Enables ("yes") or disables ("no") single sign-off from Calendar Server to Access Manager. If enabled, a user who logs out of Calendar Server is also logged out of Access Manager, and any other sessions the user had initiated through Access Manager (such as a Messaging Server Webmail session) are terminated. Because Access Manager is the authentication gateway, single sign-off is always enabled from Access Manager to Calendar Server. Default is "yes". |
A best practice for changing the ics.conf file is to add the parameter and its new value to the end of the file. The system reads the entire file and uses the last value found for the parameter.
This section lists some considerations for using single sign-on (SSO) with Access Manager:
A calendar session is valid only as long as the Access Manager session is valid. If a user logs out of Access Manager, the calendar session is automatically closed (single sign-off).
SSO applications must be in the same domain.
SSO applications must have access to the Access Manager verification URL (naming service).
Browsers must support cookies.
If you are using the Sun Java System Portal Server gateway, set the following Calendar Server parameters:
service.http.ipsecurity="no"
render.xslonclient.enable="no"
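The following is an added example, not Calendar Server code: it reads an ics.conf-style fragment the way the chapter says the server does (the whole file is read and the last value found for a parameter wins) and sanity checks the Access Manager SSO settings above before Calendar Server services are restarted, including the fully-qualified-host rule for local.calendar.sso.amnamingurl and the two Portal Server gateway parameters. The comment prefixes accepted and the sample file contents are assumptions.

```python
"""Added example (not Calendar Server code): parse an ics.conf-style file with
last-value-wins semantics and check the Access Manager SSO parameters."""
import re
from urllib.parse import urlparse

# ics.conf lines look like: name = "value". Accepting "!" and "#" comments is an assumption.
_LINE = re.compile(r'^\s*([\w.]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_ics_conf(text):
    """Return {param: value}; a later line for the same key overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("!", "#")):
            continue
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_sso(params, portal_gateway=False):
    """Return a list of problems with the SSO settings (empty list means OK)."""
    problems = []
    url = params.get("local.calendar.sso.amnamingurl", "")
    host = urlparse(url).hostname or ""
    if not url.startswith(("http://", "https://")) or "." not in host:
        problems.append("amnamingurl must use a fully qualified Access Manager host")
    if params.get("local.calendar.sso.singlesignoff", "yes") not in ("yes", "no"):
        problems.append("singlesignoff must be yes or no")
    level = params.get("local.calendar.sso.amloglevel", "3")
    if not (level.isdigit() and 1 <= int(level) <= 5):
        problems.append("amloglevel must be 1 (quiet) to 5 (verbose)")
    if portal_gateway:  # required when the Portal Server gateway is in front
        for key in ("service.http.ipsecurity", "render.xslonclient.enable"):
            if params.get(key) != "no":
                problems.append(f'{key} must be "no" behind the Portal Server gateway')
    return problems

# Constructed sample: the short-host value is overridden by the line appended at the end.
SAMPLE = '''! constructed ics.conf fragment
local.calendar.sso.amnamingurl = "http://am1:80/amserver/namingservice"
service.http.ipsecurity = "yes"
! appended at the end of the file, as the chapter recommends
local.calendar.sso.amnamingurl = "http://am1.example.com:80/amserver/namingservice"
local.calendar.sso.amcookiename = "iPlanetDirectoryPro"
local.calendar.sso.amloglevel = "3"
local.calendar.sso.singlesignoff = "yes"
'''

if __name__ == "__main__":
    print(check_sso(parse_ics_conf(SAMPLE), portal_gateway=True))
```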
When configuring SSO through Communications Servers trusted circle technology (that is, not through Access Manager), consider these points:
Each trusted application must be configured for SSO.
SSO does not work correctly if the default.html page is in your browser’s cache. Before using SSO, be sure to reload the default.html page in your browser. For example, in Netscape Navigator, hold down the Shift key and then click Reload.
SSO works only for bare URLs. For example, SSO works for: http://servername.
The following table describes the Calendar Server configuration parameters for SSO through Communications Servers trusted circle technology.
Table 8–1 Calendar Server SSO Parameters Through Communications Servers Trusted Circle Technology
The following table describes the Messaging Server configuration parameters for SSO through Communications Servers trusted circle technology.
Table 8–2 Messaging Server SSO Parameters Through Communications Servers Trusted Circle Technology
For more information about configuring Messaging Server for SSO, see the Sun Java System Messaging Server 6.3 Administration Guide.