Sun Java System Communications Express 6 2005Q1 Administration Guide
Chapter 4
Implementing Single Sign-On
Single Sign-On allows an end user to authenticate once and use multiple applications without re-authenticating. For example, you can log in to Communications Express and use the calendar and mail applications without authenticating again, provided single sign-on is enabled in the calendar and mail applications. In Communications Express you can perform the following types of Single Sign-On:
- Identity Server Single Sign-On. Single Sign-On is performed when Identity Server, also known as Access Manager, is enabled in Communications Express. Here, Messenger Express and Communications Express communicate with each other using Identity Server Single Sign-On.
- Messaging Single Sign-On. In the absence of Identity Server, Messenger Express and Communications Express communicate with each other using Messaging Single Sign-On.
This chapter contains the following sections:
- Setting up Identity Server Single Sign-On
- Setting up Messaging Single Sign-On
Setting up Identity Server Single Sign-On
This section provides information on how to set up Communications Express and Messenger Express to communicate with each other using Identity Server Single Sign-On.
If you have chosen to adopt Sun Java System LDAP Schema, v.2 as the schema model, you need to enable Identity Server in Communications Express to use Identity Server’s Single Sign-On mechanism to obtain valid user sessions.
To allow Communications Express users to access the mail module rendered by Messenger Express using Identity Server Single Sign-On, you need to modify the Messenger Express specific parameters using the configutil tool located at msg-svr_install_root/sbin/configutil. It is important to explicitly set the Messenger Express specific parameters after installation, as the installer does not set these parameters. For more information on using the configutil tool, refer to Chapter 3, Configuring General Messaging Capabilities, of the Sun Java System Messaging Server Administration Guide at /docs/cd/E19263-01/817-6266-10.
When setting up Identity Server Single Sign-On, Communications Express and Identity Server can be deployed in both SSL and non-SSL modes, in the same web container instance or in different web container instances. When Identity Server and Communications Express are deployed in different web container instances, you need to configure the Identity Server Remote SDK on the system where Communications Express is deployed. Listed below are the deployment scenarios for Identity Server and Communications Express deployed in different web container instances, in both SSL and non-SSL modes.
- Identity Server and Communications Express deployed in different web container instances in non-SSL mode.
- Identity Server and Communications Express deployed in different web container instances in SSL mode.
- Identity Server and Communications Express deployed in different web container instances, with Identity Server deployed in SSL mode and Communications Express in non-SSL mode.
- Identity Server and Communications Express deployed in different web containers that are running on the same system, in non-SSL mode.
- Identity Server and Communications Express deployed in different web containers on the same system, in SSL mode.
To Enable Single Sign-On in Communications Express With Identity Server
- Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.
- Modify the following Communications Express parameters in the uwcauth.properties file to enable Identity Server SSO.
- Set the value of the parameter uwcauth.messagingsso.enable to false when setting up Communications Express for Identity Server Single Sign-On.
Communications Express will now use the Identity Server’s Single Sign-On mechanism for obtaining valid user sessions.
To Deploy Identity Server and Communications Express in the Same Web Container Instance
- Open the IS-SDK-BASEDIR/lib/AMConfig.properties file, for example /opt/SUNWam/lib/AMConfig.properties.
- Make sure the following property is set in the AMConfig.properties file:
com.iplanet.am.jssproxy.trustAllServerCerts=true
With this property set to true, the Identity Server SDK accepts any SSL server certificate presented to it without validating it.
- Restart the web container for the changes to take effect.
Identity Server and Communications Express deployed in the same web container instance in SSL mode can now use the Identity Server’s Single Sign-On mechanism for obtaining valid user sessions.
To Deploy Identity Server and Communications Express in Different Web Container Instances
- Change to the IS-INSTALL-DIR/bin directory.
- Copy the Identity Server IS-INSTALL-DIR/bin/amsamplesilent file.
cp amsamplesilent amsamplesilent.uwc
- Edit the copy of amsamplesilent created in the previous step.
Set the parameters to correspond to the deployment details.
If you are deploying the Identity Server SDK in a web container such as Sun Java System Web Server or Sun Java System Application Server, set DEPLOY_LEVEL to 4, that is, select the option “SDK only with container config.”
- Set AM_ENC_PWD to the value of the password encryption key used during the installation of Identity Server.
The encryption key is stored in the parameter am.encryption.pwd under:
${IS_INSTALL_DIR}/lib/AMConfig.properties
- Set NEW_INSTANCE to true.
- If you are deploying the Identity Server SDK in Sun Java System Web Server, set WEB_CONTAINER to WS6.
If you are deploying the Identity Server SDK in Sun Java System Application Server, set WEB_CONTAINER to AS7 or AS8.
- For a more detailed description of the other parameters in the amsamplesilent file, and for help configuring the Identity Server Remote SDK parameters, refer to the Sun Java System Identity Server Administration Guide at:
http://docs.sun.com/source/817-5709/ConfigScripts.html
- Configure the Identity Server SDK in the web container.
Make sure the directory server used by Identity Server is running.
- Start the web container instance in which the Identity Server SDK will be deployed.
- Change directory to IS-INSTALL-DIR/bin.
- Run the following command:
./amconfig -s amsamplesilent.uwc
- Restart the web container instance for the configuration to take effect.
Identity Server and Communications Express deployed in different web container instances, in SSL or non-SSL mode, will now use the Identity Server’s Single Sign-On mechanism for obtaining valid user sessions.
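The amsamplesilent edits in the procedure above, as an added example that is not from the guide or from Identity Server: it assumes the amsamplesilent file uses plain KEY=value lines, takes AM_ENC_PWD from am.encryption.pwd in AMConfig.properties so the two cannot disagree, and rejects any WEB_CONTAINER value other than WS6, AS7 or AS8. The template and AMConfig.properties excerpts are constructed.

```shell
# Added example: builds amsamplesilent.uwc from a copy of amsamplesilent with the
# four parameters the procedure calls for. The files used here are constructed
# stand-ins for the real amsamplesilent and AMConfig.properties.

# Usage: prepare_uwc_silent <template> <AMConfig.properties> <output> <WS6|AS7|AS8>
prepare_uwc_silent() {
  tmpl=$1; amconfig=$2; out=$3; container=$4
  # AM_ENC_PWD must equal am.encryption.pwd of the Identity Server install
  # (the key is assumed to contain no '|' or '&', which would upset sed).
  enc_pwd=$(sed -n 's/^am\.encryption\.pwd=//p' "$amconfig")
  [ -n "$enc_pwd" ] || { echo "am.encryption.pwd not found in $amconfig" >&2; return 1; }
  case "$container" in
    WS6|AS7|AS8) ;;
    *) echo "unsupported WEB_CONTAINER: $container" >&2; return 1 ;;
  esac
  # DEPLOY_LEVEL=4 is "SDK only with container config"; NEW_INSTANCE=true
  # because the SDK is being set up in its own web container instance.
  sed -e "s|^DEPLOY_LEVEL=.*|DEPLOY_LEVEL=4|" \
      -e "s|^AM_ENC_PWD=.*|AM_ENC_PWD=$enc_pwd|" \
      -e "s|^NEW_INSTANCE=.*|NEW_INSTANCE=true|" \
      -e "s|^WEB_CONTAINER=.*|WEB_CONTAINER=$container|" "$tmpl" > "$out"
}

# Reads the value of KEY=value from a silent file; used to verify the result.
silent_value() { sed -n "s/^$2=//p" "$1"; }

# Constructed excerpts standing in for the real amsamplesilent and AMConfig.properties.
make_samples() {
  cat > "$1/amsamplesilent" <<'EOF'
DEPLOY_LEVEL=1
DIRECTORY_SERVER=ds.example.com
AM_ENC_PWD=
NEW_INSTANCE=false
WEB_CONTAINER=WS6
EOF
  cat > "$1/AMConfig.properties" <<'EOF'
am.encryption.pwd=constructedEncKey123
com.iplanet.am.jssproxy.trustAllServerCerts=false
EOF
}

# Stand-alone run: prepare a copy for a Web Server 6 instance and show what changed.
work=$(mktemp -d); make_samples "$work"
prepare_uwc_silent "$work/amsamplesilent" "$work/AMConfig.properties" "$work/amsamplesilent.uwc" WS6
grep -E '^(DEPLOY_LEVEL|AM_ENC_PWD|NEW_INSTANCE|WEB_CONTAINER)=' "$work/amsamplesilent.uwc"
```

The resulting amsamplesilent.uwc is what the later ./amconfig -s amsamplesilent.uwc step consumes; untouched lines such as DIRECTORY_SERVER are carried over from the template.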
Note
Refer to Appendix A, for instructions on enabling or disabling Identity Server after deploying Communications Express.
To Enable Single Sign-On in Messenger Express With Identity Server
- Run the configutil tool.
msg-svr_install_root/sbin/configutil
- Set the following Messenger Express parameters to allow Communications Express users to access Messenger Express using Identity Server Single Sign-On.
Once the Messenger Express specific parameters are set, Communications Express users can access Messenger Express using Identity Server Single Sign-On.
Setting up Messaging Single Sign-On
This section explains how to set up Communications Express with Messaging Single Sign-On. If you have chosen to adopt Sun Java System LDAP Schema, v.1 as the schema model, you need to enable Messaging SSO in Communications Express to use the Messaging Single Sign-On mechanism for authentication.
When configuring Communications Express, the configuration wizard does not set any of the mandatory SSO related parameters. You need to manually set the required parameters as explained below. Also, note that Messaging SSO does not support virtual domains and Messenger Express will not run in SSL mode when Messaging SSO is enabled.
If you have deployed Messenger Express as MEM, ensure that the values of the following parameters in Messaging Server are the same at the backend and the frontend:
- local.webmail.sso.id
- local.webmail.sso.uwclogouturl
- local.webmail.sso.uwchome
- local.webmail.sso.ims.verifyurl
- local.webmail.sso.prefix
- local.sso.uwc.verifyurl
- local.webmail.sso.cookiedomain
- local.webmail.sso.enable
- local.webmail.sso.uwcenabled
- local.webmail.sso.uwcport
- local.webmail.sso.singlesignoff
- local.webmail.sso.uwccontexturi
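A check for the frontend/backend agreement required above, as an added example that is not from the guide or from Messaging Server: on a live system each side's values would be collected with configutil, but here they are read from constructed dump files of param=value lines so the comparison runs offline. The parameter list is the one given above.

```shell
# Added example: reports every Messaging SSO parameter whose value differs between
# a MEM frontend and its backend. The dump files used here are constructed.
SSO_PARAMS="local.webmail.sso.id local.webmail.sso.uwclogouturl local.webmail.sso.uwchome
local.webmail.sso.ims.verifyurl local.webmail.sso.prefix local.sso.uwc.verifyurl
local.webmail.sso.cookiedomain local.webmail.sso.enable local.webmail.sso.uwcenabled
local.webmail.sso.uwcport local.webmail.sso.singlesignoff local.webmail.sso.uwccontexturi"

# Prints the value of one parameter from a dump file (empty if it is not set).
dump_value() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots so they match literally
  sed -n "s/^$key=//p" "$1"
}

# Prints one line per mismatched parameter; returns 1 if any parameter differs.
compare_sso_params() {
  front=$1; back=$2; rc=0
  for p in $SSO_PARAMS; do
    fv=$(dump_value "$front" "$p"); bv=$(dump_value "$back" "$p")
    if [ "$fv" != "$bv" ]; then
      echo "MISMATCH $p: frontend='$fv' backend='$bv'"; rc=1
    fi
  done
  return $rc
}

# Number of mismatched parameters between two dumps.
mismatch_count() { compare_sso_params "$1" "$2" | wc -l | tr -d ' '; }

# Constructed sample dumps: cookiedomain differs and singlesignoff is missing on the backend.
make_dumps() {
  cat > "$1/frontend.dump" <<'EOF'
local.webmail.sso.enable=1
local.webmail.sso.id=ims
local.webmail.sso.cookiedomain=.example.com
local.webmail.sso.singlesignoff=1
EOF
  cat > "$1/backend.dump" <<'EOF'
local.webmail.sso.enable=1
local.webmail.sso.id=ims
local.webmail.sso.cookiedomain=.mail.example.com
EOF
}

# Stand-alone run on the constructed dumps.
d=$(mktemp -d); make_dumps "$d"
compare_sso_params "$d/frontend.dump" "$d/backend.dump" || echo "frontend and backend disagree"
```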
To Enable Communications Express Using Messaging SSO
- Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.
- Modify the following mail-specific parameters in the uwcauth.properties file to enable Communications Express to access Messenger Express.
Once the parameters are set in the uwc-deployed-path/WEB-INF/config/uwcauth.properties file, Communications Express users will be able to access Messenger Express using the Messaging Single Sign-On mechanism for authentication.
To Enable Messenger Express Using Messaging SSO
- Run the configutil tool.
msg-svr_install_root/sbin/configutil
- Set the following mail-specific parameters using the configutil tool.
Communications Express users will now be able to access Messenger Express using the Messaging Single Sign-On mechanism for authentication.