Single sign-on (SSO) and WebSphere Commerce Portal

When integrating WebSphere Commerce with a WebSphere Portal, you can choose among several types of authentication.

Single sign-on provides a secure method of authenticating a user once within an environment and then using that authentication, for the duration of the session, as the basis for access to other applications, systems, and networks.

The WebSphere Portal server authenticates the user, and the credentials are passed to WebSphere Commerce. These credentials map the WebSphere Portal user to the corresponding WebSphere Commerce user in the member subsystem. This credential mapping is what produces the single sign-on experience.

The WebSphere Portal server performs some static content authorization, such as page and portlet access permissions. All WebSphere Commerce-specific authorization, such as fine-grained (content-level) access control, is still performed by the WebSphere Commerce Server, not by the WebSphere Portal server.

Runtime and development environment configurations

Note: Basic Authentication is only supported when Application Security is disabled. Basic Authentication has been deprecated in WebSphere Commerce integration with WebSphere Portal. It is strongly recommended to migrate to the suggested LTPA configuration.

See Configuring WebSphere Portal with WebSphere Commerce for more information.

Runtime configurations

Authentication option | WebSphere Portal | VMM | WebSphere Commerce
LTPA (default) | Administrative security and application security enabled | Federated user repository with LDAP | Administrative security enabled
Basic Authentication | Administrative security and application security enabled | Federated user repository with LDAP | Administrative security enabled

Development environment configurations

Authentication option | WebSphere Portal | VMM | WebSphere Commerce
Simulated SSO (default) | Administrative security and application security enabled | Not required | Security disabled
Basic Authentication | Administrative security and application security enabled | Federated user repository with LDAP | Administrative security enabled
LTPA | Administrative security and application security enabled | Federated user repository with LDAP | Administrative security enabled
Note: WebSphere Portal always has security enabled by default. This does not determine which level of security WebSphere Commerce has enabled: WebSphere Commerce can run with administrative security only, with both administrative and application security, or (in the development environment with Simulated SSO) with security disabled.
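The support matrix above, together with the rules in the "Single sign-on authentication types" section, can be turned into a preflight check that a deployment engineer runs before touching either server. The following is an added example written for this page, not IBM code: the option names and rules are the ones stated here; the per-server dictionaries, the function names and the "advisory:" prefix convention are assumptions made for the example.

```python
# Added example: a preflight check for a proposed WebSphere Portal /
# WebSphere Commerce single sign-on configuration. The options and the rules
# are those stated on this page; the dict-per-server data model, the function
# names and the "advisory:" convention are assumptions made for this example.

RUNTIME, DEVELOPMENT = "runtime", "development"
LTPA, BASIC_AUTH, SIMULATED_SSO = "LTPA", "Basic Authentication", "Simulated SSO"

# WebSphere Portal always runs with administrative and application security enabled.
PORTAL_SECURED = {"admin_security": True, "app_security": True}


def check_sso_config(environment, option, portal, commerce, vmm_ldap):
    """Return findings for the proposed configuration (empty list: fully supported).

    portal, commerce: dicts with boolean keys "admin_security" and "app_security"
    vmm_ldap: True if VMM has a federated user repository backed by LDAP
    Findings prefixed "advisory:" are recommendations; all others are unsupported.
    """
    findings = []

    if not (portal["admin_security"] and portal["app_security"]):
        findings.append("WebSphere Portal must have administrative and application security enabled")

    if environment == RUNTIME and option != LTPA:
        findings.append("the production runtime must use LTPA for single sign-on")

    if option == SIMULATED_SSO:
        # Development only: a fixed WebSphere Commerce user ID, no VMM/LDAP,
        # and no security on the WebSphere Commerce server.
        if environment != DEVELOPMENT:
            findings.append("Simulated SSO is a development-only option")
    elif option in (LTPA, BASIC_AUTH):
        if not vmm_ldap:
            findings.append(f"{option} requires a VMM federated user repository with LDAP")
        if not commerce["admin_security"]:
            findings.append(f"{option} requires administrative security on WebSphere Commerce")
        if option == BASIC_AUTH:
            findings.append("advisory: Basic Authentication is deprecated; migrate to LTPA")
            if commerce["app_security"]:
                findings.append("Basic Authentication is only supported when application "
                                "security is disabled on WebSphere Commerce")
        elif commerce["app_security"]:
            findings.append("advisory: LTPA does not need application security on WebSphere "
                            "Commerce, and enabling it costs performance")
    else:
        findings.append(f"unknown authentication option: {option!r}")
    return findings


def is_supported(findings):
    """True when every finding is merely advisory (the configuration is supported)."""
    return all(f.startswith("advisory:") for f in findings)


if __name__ == "__main__":
    proposed = check_sso_config(RUNTIME, BASIC_AUTH, PORTAL_SECURED,
                                {"admin_security": True, "app_security": True}, True)
    for finding in proposed:
        print(finding)
    print("supported" if is_supported(proposed) else "NOT supported")
```

Run it against each environment you intend to build; a non-advisory finding means the combination is outside what this page documents as supported.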

Single sign-on authentication types

WebSphere Commerce and WebSphere Portal integration requires that you choose an authentication type. For a development environment, sharing a user repository between WebSphere Commerce and WebSphere Portal is typically not a concern while code is being developed. To avoid configuring a common user repository during development, you can use the simulated single sign-on option.

The WebSphere Commerce Server production environment must use the LTPA authentication/single sign-on method.

Lightweight third party authentication (LTPA)

Using LTPA is the recommended approach for the production environment. It requires WebSphere Application Server (WAS) administrative security to be enabled on both the WebSphere Commerce server and the WebSphere Portal server. Enabling application security on the WebSphere Commerce server carries a performance cost, and LTPA does not need it, so the WebSphere Commerce server should run with administrative security only. LTPA is the most secure way to deploy the portlet in the production environment: because the user is identified by an LTPA token, single sign-on between the two servers is handled by WAS itself. For WAS on one server to accept a token that the other server issued, both servers must be configured with the same LTPA keys and the same single sign-on domain name.
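Once LTPA single sign-on is in place, the thing worth verifying from the outside is the cookie that carries the token, since a token that is not scoped to both hosts, or that is sent without Secure and HttpOnly, undermines the "most secure option" claim. The following check is an added example written for this page, not IBM code. It assumes the WAS default cookie name LtpaToken2 and that the single sign-on domain is the cookie Domain shared by the WebSphere Portal and WebSphere Commerce hosts; the Set-Cookie values below are constructed, not captured from a real server.

```python
# Added example (not from the page or from IBM): a preflight check on the
# Set-Cookie headers that WebSphere Application Server returns after an LTPA
# login. Assumptions: the SSO cookie is named LtpaToken2 (the WAS default),
# and the sample headers at the bottom are constructed for this example.

SSO_COOKIE = "LtpaToken2"


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    The token value is split on the first '=' only, so base64 padding survives.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def check_ltpa_cookie(set_cookie_headers, sso_domain):
    """Return findings for the LTPA SSO cookie in a login response (empty list: OK).

    set_cookie_headers: all Set-Cookie header values from the login response
    sso_domain: the cookie domain shared by the WebSphere Portal and WebSphere
                Commerce hosts, for example ".example.com"
    """
    findings = []
    for header in set_cookie_headers:
        name, value, attrs = parse_set_cookie(header)
        if name != SSO_COOKIE:
            continue
        if not value:
            findings.append(f"{SSO_COOKIE} has an empty token value")
        # Without Secure the token is replayable by anyone who sees a plain HTTP request.
        if attrs.get("secure") is not True:
            findings.append(f"{SSO_COOKIE} is not marked Secure")
        # Without HttpOnly any script on the page can read the SSO token.
        if attrs.get("httponly") is not True:
            findings.append(f"{SSO_COOKIE} is not marked HttpOnly")
        # The Domain must cover both hosts or the browser never presents the
        # token to the second server and single sign-on silently fails.
        domain = attrs.get("domain")
        if not isinstance(domain, str) or domain.lower().lstrip(".") != sso_domain.lower().lstrip("."):
            findings.append(f"{SSO_COOKIE} Domain is {domain!r}, expected {sso_domain!r}")
        return findings
    return [f"no {SSO_COOKIE} cookie in response; LTPA single sign-on was not established"]


# Constructed samples: one login response that sets the cookie correctly, one that does not.
GOOD_HEADERS = [
    "JSESSIONID=0000abc:1; Path=/; HttpOnly",
    "LtpaToken2=7bJk3Q+/xyz==; Path=/; Domain=.example.com; Secure; HttpOnly",
]
BAD_HEADERS = ["LtpaToken2=7bJk3Q+/xyz==; Path=/"]

if __name__ == "__main__":
    for label, headers in (("good", GOOD_HEADERS), ("bad", BAD_HEADERS)):
        print(label, check_ltpa_cookie(headers, ".example.com") or "OK")
```

Feed it the Set-Cookie values from a real login response to the WebSphere Portal server and to the WebSphere Commerce server in turn; both must issue the cookie with the same Domain, otherwise the browser holds two unrelated sessions and the user is prompted twice.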

Simulated Single Sign-On (Simulated SSO)

Simulated Single Sign-On (Simulated SSO) exists for ease of setup in the development environment in Rational Application Developer (RAD), where a portlet developer can be up and running without enabling security and without using LDAP. Because security is not a major concern in a development environment, the goal is simply to get the developer running as quickly as possible. This option uses a predetermined WebSphere Commerce user ID: the system automatically presents that credential to a WebSphere Commerce web service for authentication, and the WebSphere Portal user is not aware of the operation. This gives the single sign-on experience inside the development environment without the complexity of enabling security and configuring VMM and LDAP. Because every request is authenticated with the same predetermined identity, Simulated SSO is not an option for production; the runtime environment must use LTPA.

Basic Authentication (BA)


Basic Authentication is the alternative single sign-on configuration for running without application security on the WebSphere Commerce server, and it therefore avoids the associated performance cost. It is retained only for backward compatibility and is deprecated; the recommended SSO configuration for the runtime environment is LTPA. Note that a login module must be installed on the WebSphere Portal server to capture the user's credentials when the user signs on to the WebSphere Portal server.