Sun OpenSSO Enterprise 8.0 Integration Guide

Configuring Identity Manager for Single Sign-On

When you configure Identity Manager for single sign-on, a user who logs in to OpenSSO Enterprise is also logged in to Identity Manager, without having to re-authenticate.

To configure Identity Manager for single sign-on with OpenSSO Enterprise, complete the following steps:

  1. Configure Identity Manager Login Module Groups.

  2. Configure the Identity Manager user login interface.

  3. Configure the Identity Manager administrator login interface.

  4. Test single sign-on from OpenSSO Enterprise to Identity Manager.

The following figure illustrates the process flow of single sign-on from OpenSSO Enterprise to Identity Manager.

Figure 1–3 Single Sign-On Protocol Flow

Figure 1–4 Single Sign-On Process Flow (continued)

Procedure To Configure Identity Manager Login Module Groups

At this point, Identity Manager is not yet protected by the policy agent.

  1. Log in to the Identity Manager administrator interface using the following credentials:

    User Name:

    configurator

    Password:

    configurator

  2. Navigate to the Security > Login tab.

  3. Click “Manage Login Module Groups.”

  4. In the Login Module Groups page, click New.

  5. In the Create Login Module Group page, provide the following information:

    Login Module Group Name:

    Sun OpenSSO Realm

    Assign Login Module:

    Sun OpenSSO Realm Login Module

    In the second dropdown list:

    SunOpenSSORealm

    The Modify Login Module screen is displayed.

  6. In the Modify Login Module screen, choose the following values:

    Login success requirement:

    Sufficient

    Login correlation rule:

    Leave this field blank. Do not make a selection; leave the entry at "Select...".

  7. Click Save.

    The Create Login Module Group page is displayed. A new row is added to the table and describes the selections you made. You should now see one login module listed in the table.

  8. In the Assign Login Module dropdown list, choose “Identity System UserID/Password Login Module.”

    You are redirected to the Modify Login Module page.

  9. In the Modify Login Module page, enter the following values:

    Login display name:

    PassThrough

    Login success requirement:

    sufficient

  10. Click Save.

    You are taken back to the Create Login Module Group. A new row is added to the table and describes the selections you made. You should now see two login modules listed in the table.

  11. Click Save.

    You are redirected to the Login Module Groups screen. Here you will see the custom group you added, Sun OpenSSO Realm.

  12. Click “Return To Login Applications.”
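The group built in this procedure contains two modules, both marked Sufficient: the OpenSSO realm module first, then the ID/Password module named PassThrough. The following Python model is an added illustration and not Identity Manager code; it assumes the usual chain semantics (a Sufficient module that succeeds ends the login immediately, one that fails is skipped and the next module is tried), and the token table, password table and token values are constructed sample data. `iPlanetDirectoryPro` is OpenSSO's default SSO token cookie name.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Added illustration (not Identity Manager code): a simplified model of how a
# login module group evaluates modules marked "Sufficient". Assumption: a
# Sufficient module that succeeds ends the chain immediately; one that fails
# is skipped and the next module in the group is tried.

# iPlanetDirectoryPro is OpenSSO's default SSO token cookie name.
SSO_COOKIE = "iPlanetDirectoryPro"

# Constructed sample data: tokens the OpenSSO realm module would accept,
# and a local password table for the ID/Password (PassThrough) module.
VALID_SSO_TOKENS = {"constructed-token-0001": "idmuser"}
LOCAL_PASSWORDS = {"configurator": "configurator"}


@dataclass
class LoginModule:
    name: str
    requirement: str  # "Sufficient" or "Required" (assumed vocabulary)
    authenticate: Callable[[Dict[str, str]], Optional[str]]


@dataclass
class LoginModuleGroup:
    name: str
    modules: List[LoginModule] = field(default_factory=list)

    def login(self, request: Dict[str, str]) -> Tuple[Optional[str], List[Tuple[str, bool]]]:
        """Return (authenticated user or None, trace of (module name, succeeded))."""
        trace: List[Tuple[str, bool]] = []
        for module in self.modules:
            user = module.authenticate(request)
            trace.append((module.name, user is not None))
            if user is not None and module.requirement == "Sufficient":
                return user, trace      # first Sufficient success wins
            if user is None and module.requirement == "Required":
                return None, trace      # a Required failure ends the login
        return None, trace              # no Sufficient module succeeded


def opensso_realm_module(request: Dict[str, str]) -> Optional[str]:
    """Accept the request only if it carries a valid OpenSSO SSO token."""
    return VALID_SSO_TOKENS.get(request.get(SSO_COOKIE, ""))


def id_password_module(request: Dict[str, str]) -> Optional[str]:
    """The PassThrough module: a plain user ID / password check."""
    user = request.get("user")
    if user and LOCAL_PASSWORDS.get(user) == request.get("password"):
        return user
    return None


# The group as assembled in the procedure above: OpenSSO realm first, then PassThrough.
SUN_OPENSSO_REALM = LoginModuleGroup("Sun OpenSSO Realm", [
    LoginModule("Sun OpenSSO Realm Login Module", "Sufficient", opensso_realm_module),
    LoginModule("PassThrough", "Sufficient", id_password_module),
])


def evaluate(request: Dict[str, str]):
    """Run a login request through the Sun OpenSSO Realm group."""
    return SUN_OPENSSO_REALM.login(request)


if __name__ == "__main__":
    # A browser that already holds an OpenSSO session never reaches PassThrough.
    print(evaluate({SSO_COOKIE: "constructed-token-0001"}))
    # Without a token, the group falls through to the ID/password module.
    print(evaluate({"user": "configurator", "password": "configurator"}))
    # Neither a token nor a valid password: the login fails.
    print(evaluate({"user": "configurator", "password": "wrong"}))
```

The trace returned alongside the user shows which module actually authenticated the session, which is what you want logged when troubleshooting a user who is unexpectedly prompted for a password even though they hold an OpenSSO session.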

Procedure To Configure the Identity Manager User Login Interface

You are logged into the Identity Manager administrator interface, and are on the Security > Login tab.

  1. Click on the User Interface hyperlink.

  2. Remove the “Default Identity System ID/Password Login Module Group.”

    Mark the checkbox beside the entry and click Delete.

  3. In the “Assign Login Module Groups” dropdown list, choose the Sun OpenSSO Realm login module.

    The Modify Login Module page is displayed. You should see just one login module group listed in the table, Sun OpenSSO Realm.

  4. Click Save.

    The Login Applications page is displayed. For the User Interface application, the Sun OpenSSO Realm login module group has been assigned to it.

  5. Log out of the Identity Manager administrator interface.

Procedure To Configure the Identity Manager Administrator Login Interface

At this point, Identity Manager is not yet protected by the policy agent.

  1. Log in to the Identity Manager administrator interface using these credentials:

    User Name:

    configurator

    Password:

    configurator

  2. Navigate to the Security > Login tab.

  3. Click the Administrator Interface hyperlink.

  4. Remove the “Default Identity System ID/Password Login Module Group.”

    Mark the checkbox beside the entry and click Delete.

  5. In the Assign Login Module Groups dropdown list, choose the Sun OpenSSO Realm login module.

    The Modify Login Module page is displayed. You should now see just one login module group listed in the table, Sun OpenSSO Realm.

  6. Click Save.

  7. Log out of the Identity Manager administrator interface.

Testing Single Sign-On from OpenSSO Enterprise to Identity Manager

To test single sign-on from OpenSSO Enterprise to Identity Manager, follow these steps:

  1. Re-Enable Identity Manager protection by the OpenSSO Enterprise Policy Agent.

  2. Test Admin-User Single Sign-On Between OpenSSO Enterprise and Identity Manager.

Procedure To Re-Enable Identity Manager Protection by the OpenSSO Enterprise Policy Agent

  1. Log in to the OpenSSO Enterprise console using the following credentials:

    User Name:

    amadmin

    Password:

    password

  2. Navigate to Access Control > Top-Level Realm >Agents > J2EE > idmagent > Application.

  3. For the property Not Enforced URI (com.sun.identity.agents.config.notenforced.uri), remove the entries you previously added:

    /idm/*
    /idm/*?*

  4. Make sure these lines are present:

    /idm/styles/*
    /idm/includes/*
    /idm/images/*

  5. Click Save.

  6. Log out of the OpenSSO Enterprise console.
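Why the two entries must come out before testing: a not-enforced pattern of `/idm/*` exempts every Identity Manager page from the agent, so the browser is never redirected to OpenSSO Enterprise and single sign-on cannot be observed. The following Python script is an added example, not agent code; it parses constructed sample lines in the agent's `name[index]=value` property style, assumes a simplified wildcard rule in which `*` matches any run of characters (the agent's exact matching rules are not described on this page), and flags patterns that would exempt the application itself rather than only its static content.

```python
import re
from typing import List

# Added example (not policy-agent code). Assumption: '*' matches any run of
# characters, including '/', and every other character is literal.

AGENT_PROPERTY = "com.sun.identity.agents.config.notenforced.uri"

# Constructed sample of the agent's not-enforced list, before the two
# temporary entries have been removed.
SAMPLE_AGENT_CONFIG = """\
# constructed sample, not a real agent configuration file
com.sun.identity.agents.config.notenforced.uri[0]=/idm/*
com.sun.identity.agents.config.notenforced.uri[1]=/idm/*?*
com.sun.identity.agents.config.notenforced.uri[2]=/idm/styles/*
com.sun.identity.agents.config.notenforced.uri[3]=/idm/includes/*
com.sun.identity.agents.config.notenforced.uri[4]=/idm/images/*
"""


def parse_not_enforced(text: str) -> List[str]:
    """Collect the values of every notenforced.uri[n] property line."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.split("[")[0].strip() == AGENT_PROPERTY:
            patterns.append(value.strip())
    return patterns


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Turn a not-enforced pattern into an anchored regex ('*' -> '.*')."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def is_enforced(uri: str, patterns: List[str]) -> bool:
    """True when no not-enforced pattern matches, i.e. the agent will demand an SSO session."""
    return not any(pattern_to_regex(p).match(uri) for p in patterns)


def overly_broad(patterns: List[str], app_root: str = "/idm") -> List[str]:
    """Patterns that exempt the application's own pages, not just static content."""
    probes = [app_root + "/user", app_root + "/user?op=constructed"]
    return [p for p in patterns if any(pattern_to_regex(p).match(u) for u in probes)]


def fixed_patterns(patterns: List[str]) -> List[str]:
    """The list as it should look after the procedure above: broad entries removed."""
    broad = set(overly_broad(patterns))
    return [p for p in patterns if p not in broad]


if __name__ == "__main__":
    before = parse_not_enforced(SAMPLE_AGENT_CONFIG)
    print("overly broad:", overly_broad(before))
    after = fixed_patterns(before)
    for uri in ("/idm/user", "/idm/user?op=x", "/idm/styles/main.css"):
        print(f"{uri}: enforced before={is_enforced(uri, before)} after={is_enforced(uri, after)}")
```

Running the audit against an exported agent configuration before each test cycle catches the case where the temporary `/idm/*` exemption was left in place, which would make the SSO test in the next procedure pass for the wrong reason (no authentication demanded at all).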

Procedure To Test End-User Single Sign-On Between OpenSSO Enterprise and Identity Manager

  1. Go to the OpenSSO Enterprise login page.

    In this example, go to http://ApplicationServerHost:Port/idm/user.

  2. Log in using the following credentials:

    User Name:

    idmuser

    Password:

    password

    The Identity Manager user page is displayed. You should be single signed on to Identity Manager, and should not be prompted to log in by Identity Manager.

  3. Log out of the Identity Manager user page.

Procedure To Test Admin-User Single Sign-On Between OpenSSO Enterprise and Identity Manager

  1. Go to the following Identity Manager URL:

    http://host1.example.com:2080/idm

    The OpenSSO Enterprise login page is displayed.

  2. Log in using the following credentials:

    User Name:

    idmadin

    Password:

    password

    The Identity Manager administrator interface is displayed. You should be single signed on to Identity Manager, and should not be prompted to log in by Identity Manager.

  3. Log out of Identity Manager.