Sun Java System Instant Messaging 7.2 Administration Guide

Chapter 5 Enabling Single Sign-On (SSO) for Instant Messaging

Single sign-on is the ability for an end user to authenticate once (that is, log on with user ID and password) and have access to multiple applications. The Sun JavaTM System Access Manager is the official gateway used for SSO for Sun Java System servers. That is, users must log into Access Manager to get access to other SSO configured servers.

For example, when properly configured, a user can sign in at the Access Manager login screen and have access to Instant Messenger in another window without having to sign in again. Similarly, if the Sun Java System Calendar Server is properly configured, a user can sign in at the Access Manager login screen, then have access to Calendar in another window without having to sign in again.

Other Communications Suite servers, such as Messaging Server, provide two methods of deploying SSO. The first way is through the Access Manager, the second way is through trusted circle technology. Using a trusted circle is the legacy method of implementing SSO, and is not used by Instant Messaging. Though this method provides some features not available with Access Manager SSO, all future development will be with the Access Manager. This chapter describes using Access Manager to enable SSO for Instant Messaging in the following sections:

SSO Limitations and Notices

Configuring Instant Messaging to Support Access Manager-Based SSO and Policies

Two iim.conf parameters support Instant Messaging SSO.

Table 5–1 Instant Messaging Single Sign-On Parameters




Determines whether or not the Instant Messaging server should depend on the SSO provider during authentication. The Access Manager Session API provides the Instant Messaging server with the ability to validate session IDs sent by the client.

Possible values include: 

0 – Do not use the SSO provider.

1 – Use the SSO provider first and default to LDAP if the SSO validation fails.

-1 – Use only the SSO provider without attempting LDAP authentication even when SSO authentication fails.

Default: 1 if you chose to leverage Access Manager for SSO when you ran the configure utility. Otherwise, the default value is 0.


Specifies the class implementing the interface. If iim_server.usesso is not equal to 0 and this option is not set, the server uses the default Access Manager-based SSO Provider that is internally defined in Instant Messaging. Typically, you will not modify this parameter.

Default: None 

ProcedureTo Enable SSO for Instant Messaging

  1. Ensure that the Access Manager SDK is installed on the same host as the Instant Messaging server.

    See Sun Java Communications Suite 5 Installation Guide for more information.

  2. Ensure that Instant Messaging services are assigned to the organization in the Access Manager console (amconsole).

    If you are using other Communications Suite server products in your deployment, such as Messaging Server, you may need to manually configure Access Manager–based services for Instant Messaging.

    See Adding Instant Messaging and Presence Services to a Sub-organization in Access Manager for Single Sign-On and Policy Management Support for instructions.

  3. Run the configure utility.

    See To Configure Instant Messaging After Installation for instructions.

  4. When prompted whether you want to use Access Manager for SSO, select yes.

  5. Set the iim.policy.module parameter to identity:

    1. Open iim.conf and find the iim.policy.module parameter.

    2. Set the parameter:

      iim.policy.module = "identity"
  6. Restart the Instant Messaging server:

    imadmin start

Troubleshooting SSO for Instant Messaging

If there is a problem with SSO, the first thing to do is check the xmppd.log server log file and the client log files for errors. Increasing the logging level may be helpful. New logging levels will only take effect after server restart.

Ensure that Instant Messaging services have been assigned to the organization and its parent organization in the Access Manager console (amconsole). See Adding Instant Messaging and Presence Services to a Sub-organization in Access Manager for Single Sign-On and Policy Management Support for information.

Ensure that the im_server.usesso parameter is not set to 0 in iim.conf. See Table 5–1 for information on this parameter. If it is set to 0, complete the steps in To Enable SSO for Instant Messaging.

If you are unable to log into Instant Messaging directly, look in xmppd.log for an error similar to either of the following:

DEBUG xmppd [] Service        \\
URL not Service URL not found:

INFO xmppd [ 3] [Identity]     \\
Failed to create SSO token for USERNAME

INFO xmppd [org.netbeans.lib.collab.util.Worker 1] [LDAP]     \\
pops does not have required objectclass for storing to ldap

If any of these errors exist, use the following steps to solve the problem:

  1. Create a user through amconsole and add authentication, configuration, Instant Messaging, and presence services to the user.

  2. Attempt to log in with the user you created.

  3. Check to ensure that the amldapuser's password is correctly filled in through amconsole.

  4. Check whether the domain, for example,, has the Authentication Configuration Service Instance.

  5. Check if the Authentication Configuration Service Instance has the Authentication Module set to LDAP or Membership. The value should show a state of REQUIRED/SUFFICIENT.

    Instant Messaging only supports login with username and password. If you are using Auth-Chain, you need to disable it to use Instant Messaging.

  6. In the LDAP or Authentication Module, enter the amldapuser password for CORE.

  7. Select the newly created ldapService Authentication Configuration Service Instance under the Organization Authentication Configuration drop-down menu and the Administrator Authentication Configuration drop-down menu in the Core Authentication Module Configuration.

  8. Log in again.