Enabling single sign-on without LDAP
Enabling single sign-on (SSO) preserves user authentication on different web applications in WebSphere Commerce. By using HTTP single sign-on, the user is not prompted multiple times for security credentials within a trust domain.
![WebSphere Commerce Version 8.0.0.9 or later](../../base/images/8009plus.gif)
![WebSphere Commerce Version 8.0.1.1 or later](../../base/images/8011plus.gif)
- Fix Pack 9 (8.0.0.9) or later
- Mod Pack 1 Fix Pack 1 (8.0.1.1) or later
Before you begin
Procedure
- Enable single sign-on in the WebSphere Commerce instance configuration file.
- Optional: If you are using the WebSphere Application Server LTPA token for single sign-on, enable LTPA in WebSphere Application Server.
- Open the WebSphere Application Server Administrative Console.
- Expand the Security node.
- Click Global Security.
- In the Authentication section, expand Web and SIP security.
- Click Single sign-on (SSO).
- Check the Requires SSL option, so that single sign-on (and the LTPA token cookie it relies on) is only used over HTTPS connections.
- Click .
- Configure the roles that are assigned to users that access the system from single sign-on (SSO).
Every time a user connects to the system by SSO, WebSphere Commerce tries to assign the roles from the MemberRegistrationAttributes.xml file that are defined under registration type = "SSO". For more information, see MemberRegistrationAttributes XML and DTD files.
In WebSphere Commerce, security roles are assigned as part of the registration process. With single sign-on, a customer can bypass the registration step for your site if they have already authenticated to a collaborating system. Being implicitly authenticated to a WebSphere Commerce site has little value if the user is then denied access to the facilities they want to use, such as shopping in a store. Therefore, the same automated role assignment that happens during user registration also happens in the session management code. In this case, configure the roles for SSO shoppers by using the 'SSO' registration type. This way, when a customer authenticates to the system, WebSphere Commerce automatically grants all of the roles that they need for the site. Keep in mind that SSO role assignment happens at the site level and not at the store level (as with typical user registration). Therefore, ensure that the storeAncestor attribute you specify is actually an ancestor of the site (store 0).
Example:

```xml
<User registrationType="SSO" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization">
  <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
  <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
  <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
  <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization, o=Root Organization"/>
</User>
```

This example grants four Registered Customer role assignments (one in each of the four listed organizations) to any customer who enters the system through SSO. Because of the memberAncestor attribute, the roles are granted only to customers whose member entry sits somewhere below 'Default Organization' in the organization hierarchy.
- Enable single sign-on for Management Center.
- Optional: If you configured WebSphere Commerce to generate the LTPA token (you previously selected Configure JAAS Login Module), you must update the properties for the LogonCmd, UserRegistrationAddCmd, PersonProcessServicePersonRegister, and LogOffCmd commands.
- Optional: If LTPA tokens are being used, you can allow them to keep a session alive beyond the standard WebSphere Commerce cookie-based session timeout. The LTPA token is checked only when the WebSphere Commerce session has expired; if the token is still valid, the session is refreshed.
- Deploy your changes to the WebSphere Commerce enterprise archive (EAR).
- Restart the WebSphere Application Server.
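The role-configuration step above states two rules that are easy to get wrong by hand: an SSO entry must exist in MemberRegistrationAttributes.xml, and its storeAncestor must be an ancestor of the site (store 0), because SSO role assignment is site-level. The following is an added example (not IBM code, and not part of this topic) of a small pre-deployment check that parses the XML and reports violations of those rules. It assumes that the site is owned by the Root Organization (so SITE_DN is "o=Root Organization"), it uses a constructed sample fragment modelled on the example above plus a deliberately broken one, and it does not validate the file against the DTD.

```python
"""Added example (not IBM code): sanity-check the registrationType="SSO" entries
in a MemberRegistrationAttributes.xml fragment before deploying the EAR."""
import xml.etree.ElementTree as ET

# Assumption: the site (store 0) is owned by the Root Organization.
SITE_DN = "o=Root Organization"

# Constructed sample fragment, modelled on the example in this topic.
SAMPLE_XML = """<MemberRegistrationAttributes>
  <User registrationType="SSO"
        memberAncestor="o=Default Organization,o=Root Organization"
        storeAncestor="o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization, o=Root Organization"/>
  </User>
</MemberRegistrationAttributes>
"""

# Constructed bad sample: storeAncestor is a child of the site rather than an
# ancestor of it, so the site-level SSO assignment would never match, and the
# explicit role is missing its DN.
BAD_XML = """<MemberRegistrationAttributes>
  <User registrationType="SSO"
        memberAncestor="o=Default Organization,o=Root Organization"
        storeAncestor="o=Seller Organization,o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit"/>
  </User>
</MemberRegistrationAttributes>
"""


def dn_rdns(dn):
    """Split a DN into its RDNs, root first, ignoring case and surrounding whitespace."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()][::-1]


def is_ancestor(ancestor_dn, dn):
    """True when ancestor_dn is dn itself or one of its parents in the DN hierarchy."""
    a, d = dn_rdns(ancestor_dn), dn_rdns(dn)
    return 0 < len(a) <= len(d) and d[:len(a)] == a


def check_sso_users(xml_text, site_dn=SITE_DN):
    """Return a list of human-readable problems; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    problems = []
    sso_users = [u for u in root.iter("User") if u.get("registrationType") == "SSO"]
    if not sso_users:
        problems.append('no <User registrationType="SSO"> entry: SSO users would get no roles')
    for user in sso_users:
        store_anc = user.get("storeAncestor", "")
        if not is_ancestor(store_anc, site_dn):
            problems.append(f"storeAncestor {store_anc!r} is not an ancestor of the site {site_dn!r}")
        member_anc = user.get("memberAncestor", "")
        if not is_ancestor(site_dn, member_anc):
            problems.append(f"memberAncestor {member_anc!r} lies outside the site's organization tree")
        roles = user.findall("Role")
        if not roles:
            problems.append("SSO User entry assigns no roles")
        for role in roles:
            if role.get("roleContext") == "explicit" and not role.get("DN"):
                problems.append(f"explicit role {role.get('name')!r} has no DN")
    return problems


def sso_role_summary(xml_text):
    """List the (role name, organization DN) pairs an SSO user would receive."""
    root = ET.fromstring(xml_text)
    return [(r.get("name"), r.get("DN"))
            for u in root.iter("User") if u.get("registrationType") == "SSO"
            for r in u.findall("Role")]


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_XML), ("bad", BAD_XML)):
        print(label, check_sso_users(doc) or "OK")
```

Run it against the real file (read it into check_sso_users) before the deploy and restart steps; a non-empty result means SSO shoppers would authenticate but receive none of the intended roles.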