Deploying WebSphere Application Server by using single sign-on authentication

Learn how to deploy applications to use single sign-on (SSO) on IBM® WebSphere® Application Server.

Note: If Jazz Security Architecture SSO authentication is enabled, this content does not apply.

Deploying SSO on WebSphere Application Server

For a better user experience, set up SSO on WebSphere Application Server. With SSO, a user who authenticates to one IBM Engineering Lifecycle Management (ELM) application is accepted by the other ELM applications that are installed on different servers within the same domain, because the browser presents the same LTPA token to each of them. By default, WebSphere Application Server uses SSO when all applications are on a single server. If you are installing the Jazz® Team Server or applications on separate servers, follow this procedure:

  1. Make sure that each instance of WebSphere Application Server uses the same user registry (ideally LDAP). The user registry settings must be identical on all servers, because a server accepts an LTPA token only if it can resolve the user that the token names in its own registry.
  2. From the WebSphere Application Server Integrated Solutions Console, complete these steps.
    1. Open the Global Security section from the Security menu in the left sidebar.
    2. In the Authentication section, expand Web and SIP Security.
    3. Click Single sign-on.
    4. Enter the domain name. This name is the domain that contains the participating servers, and all the servers must be in it. (For example, for the four servers system1.sample.domain, system2.sample.domain, system3.sample.domain, and system4.sample.domain, the domain name is sample.domain.)
    5. Select Requires SSL so that the LTPA cookie is sent only over HTTPS connections.
    6. Click OK; then, click Save.
  3. For the WebSphere Application Server on the Jazz Team Server, on the Global Security page, click LTPA.
    1. Create a password and confirm it. The password protects the exported key file; you must enter the same password when you import the keys on the other servers.
    2. Enter a name for the LTPA keys.
    3. Click Export Keys to export the keys to the file system.
    4. Click OK; then, click Save.
  4. Move these keys to the other servers that use SSO.
    1. Find the exported key file from this server in the /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/ directory.
    2. Copy the key file to each of the other servers that you want in the SSO group. The file must be placed in the equivalent directory on each of the other servers. Transfer it over a secure channel and restrict its file permissions: any server that holds these keys is trusted by every member of the SSO group.
  5. Set up each of the other servers to use SSO by completing steps 2 and 3 again, except that on the LTPA page you import the keys from the copied file instead of exporting them.
    Note: To import the keys, enter the password that you created when you exported them, enter the full path of the key file in the Fully qualified key file name field, and click Import.
  6. Restart each WebSphere Application Server after you make all of the changes.
  7. To verify that the changes are correct, open one of the servers in a browser by using its fully qualified host name, and authenticate. Then open the second server and check that you are authenticated automatically without a login prompt.
    Note: Do not use localhost, a short host name, or the IP address in place of the fully qualified host name. Single sign-on works only if the browser sends the LTPA cookie to WebSphere Application Server, and the browser sends a cookie that is scoped to the SSO domain only when the URL host is a fully qualified name inside that domain. localhost, short names, and IP addresses never match the cookie domain, so the cookie is not sent and you are prompted to log in again.
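The following script is an added example that is not part of the IBM documentation or of WebSphere itself. It automates two checks from the procedure above: deriving and validating the SSO domain from the participating host names (step 2.4 and the note on step 7), and inspecting the Set-Cookie header that a server returns after login to confirm that the LTPA cookie is scoped to that domain and carries the Secure flag that Requires SSL is meant to enforce. It assumes the cookie is named LtpaToken2 (the name WebSphere uses for LTPA version 2 tokens); the HttpOnly check is an extra hardening expectation, not a requirement stated on this page. The Set-Cookie headers are constructed samples with placeholder token values, not captures from a real server.

```python
"""Checks for the LTPA single sign-on set-up described in the steps above.

Added example; not code from the IBM WebSphere or ELM documentation.
Assumptions: the SSO cookie is named LtpaToken2 (WebSphere's default name
for an LTPA version 2 token), and the Set-Cookie headers below are
constructed samples, not captured from a real server.
"""
import ipaddress
from http.cookies import SimpleCookie
from typing import List

LTPA_COOKIE = "LtpaToken2"  # assumed default LTPA cookie name


def _is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_problem(host: str) -> str:
    """Return why a host name cannot take part in SSO, or '' if it can.

    localhost, IP addresses and short names are rejected because the browser
    only sends a domain-scoped LTPA cookie to a fully qualified host that
    lies inside the cookie's domain (see the note on step 7).
    """
    name = host.strip().lower().rstrip(".")
    if name == "localhost":
        return "localhost is never inside the SSO domain"
    if _is_ip_address(name):
        return "IP addresses are not matched against a cookie domain"
    if "." not in name:
        return "short host name has no domain part"
    return ""


def sso_domain(hosts: List[str]) -> str:
    """Derive the SSO domain (step 2.4) shared by all participating hosts."""
    parents = set()
    for host in hosts:
        problem = host_problem(host)
        if problem:
            raise ValueError(f"{host!r}: {problem}")
        parents.add(host.strip().lower().rstrip(".").split(".", 1)[1])
    if len(parents) != 1:
        raise ValueError(f"servers span several domains: {sorted(parents)}")
    return parents.pop()


def check_ltpa_cookie(set_cookie: str, domain: str) -> List[str]:
    """Return the problems found in one Set-Cookie header (empty list if OK)."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if LTPA_COOKIE not in jar:
        return [f"response sets no {LTPA_COOKIE} cookie"]
    morsel = jar[LTPA_COOKIE]
    problems = []
    # Domain attribute must equal the SSO domain configured in step 2.4.
    cookie_domain = morsel["domain"].lower().lstrip(".")
    if cookie_domain != domain.lower():
        shown = cookie_domain or "(none)"
        problems.append(f"cookie domain {shown!r} does not match SSO domain {domain!r}")
    # Secure flag is what 'Requires SSL' (step 2.5) should produce.
    if not morsel["secure"]:
        problems.append("cookie lacks the Secure flag; Requires SSL is not in effect")
    # HttpOnly is an additional hardening check, not stated on the page.
    if not morsel["httponly"]:
        problems.append("cookie lacks the HttpOnly flag (token is readable by script)")
    return problems


# Constructed sample headers; token values are placeholder base64, not real LTPA tokens.
GOOD_HEADER = (
    "LtpaToken2=AAECAzEyMzQ1Njc4OTAr/placeholder=; "
    "Path=/; Domain=.sample.domain; Secure; HttpOnly"
)
BAD_HEADER = "LtpaToken2=AAECAzEyMzQ1Njc4OTAr/placeholder=; Path=/"

if __name__ == "__main__":
    servers = [f"system{n}.sample.domain" for n in (1, 2, 3, 4)]
    domain = sso_domain(servers)
    print("SSO domain:", domain)
    for label, header in (("good", GOOD_HEADER), ("bad", BAD_HEADER)):
        print(label, check_ltpa_cookie(header, domain) or "OK")
```

To use it against a real deployment, paste the Set-Cookie header from the login response (browser developer tools or the HTTP client of your choice) into check_ltpa_cookie together with the domain you entered in step 2.4; a non-empty list points at the console setting to revisit.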