Enabling single sign-on without LDAP

Enabling single sign-on (SSO) lets a user's authentication be reused across the different web applications in a WebSphere Commerce trust domain. With HTTP single sign-on, the user is not prompted repeatedly for security credentials within that trust domain.

Note: If you want to enable single sign-on for WebSphere Commerce Developer, you need to install one of the following maintenance packages:
  • Fix Pack 9 (8.0.0.9) or later
  • Mod Pack 1 Fix Pack 1 (8.0.1.1) or later

Before you begin

Synchronize the system clocks of all the systems that are included in the single sign-on configuration. LTPA tokens carry an expiry time, so clock skew between the systems causes otherwise valid tokens to be rejected.

Procedure

  1. Enable single sign-on in the WebSphere Commerce instance configuration file.
    1. Navigate to the WC_installdir/instances/instance_name/properties/ directory.
    2. Open the createInstance.properties file for editing.
    3. Set the SingleSignOn parameter to 1.
      SingleSignOn="1"
    4. Save and close the file.
  2. Optional: If you are using the WebSphere Application Server LTPA token for single sign-on, enable LTPA in WebSphere Application Server.
    1. Open the WebSphere Application Server Administrative Console.
    2. Expand the Security node.
    3. Click Global Security.
    4. In the Authentication section, expand Web and SIP security.
    5. Click Single sign-on (SSO).
    6. Select the Requires SSL option, so that the LTPA token cookie is sent only over HTTPS.
    7. Click Apply > Save directly to the master configuration.
  3. Configure the roles that are assigned to users that access the system from single sign-on (SSO).
    Every time a user connects to the system by SSO, WebSphere Commerce tries to assign the roles that are defined in the MemberRegistrationAttributes.xml file for the User entry with registrationType="SSO".

    For more information, see MemberRegistrationAttributes XML and DTD files.

    In WebSphere Commerce, security roles are assigned as part of the registration process. With single sign-on, a customer who has already authenticated to a collaborating system bypasses the registration step for your site. Being implicitly authenticated to a WebSphere Commerce site has little value if the user is then denied access to the functions that they want to use, such as shopping in a store. Therefore, the same automated role assignment that happens during user registration also happens in the session management code. In this case, configure the roles for SSO shoppers by using the 'SSO' registration type, so that when a customer authenticates to the system, WebSphere Commerce automatically grants all of the roles that they need for the site. Keep in mind that SSO role assignment happens at the site level, not at the store level as with typical user registration. Therefore, ensure that the storeAncestor attribute that you specify is actually an ancestor of the site (store 0).

    Example:
    
    <User registrationType="SSO" memberAncestor="o=Default Organization,o=Root Organization" storeAncestor="o=Root Organization">
        <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
        <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
        <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
        <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization,o=Root Organization"/>
    </User>
    

    This example grants four Registered Customer roles to any customer who enters the system through SSO, provided that the customer's member entry exists somewhere below Default Organization in the member registry (because of the memberAncestor that is specified).

  4. Enable single sign-on for Management Center.
    1. Go to the following directory in your file system:
      • Linux, AIX, Windows: WC_installdir/LOBTools.war/WEB-INF
      • WebSphere Commerce Developer: workspace_dir\LOBTools\WebContent\WEB-INF
    2. Replace or edit the spring-extension.xml file that is in this directory. To enable single sign-on, you must replace the default controller configurations in this file, which are commented out and can be out-of-date, with the most current version of these configurations. Do not use the commented out controller configurations that are in the file by default.
      • If you did not add any custom configurations to the file, replace the default provided spring-extension.xml file with the following version of the file. This version includes the required controller configurations, which are no longer commented out.

        spring-extension.xml

      • If you did add custom configurations to the default provided extensions file, either replace the file and then add your custom configurations again, or edit the spring-extension.xml file to include the required controller configurations. Replace the controller configurations for enabling single sign-on that are commented out in the file by default (and might be out-of-date) with the following configurations:
        
        <bean id="/Logon" class="com.ibm.commerce.foundation.client.lobtools.controllers.AuthenticationClientLibraryController">
          <property name="urlObject" value="Person"/>
          <property name="contextParameters">
            <props>
              <prop key="channelId">channelId</prop>
            </props>
          </property>
          <property name="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient"/>
          <property name="clientLibraryMethod" value="authenticatePassword"/>
          <property name="aliasParameters">
            <props>
              <prop key="password">logonPassword</prop>
            </props>
          </property>
          <property name="generateLTPAToken" value="true"/>
          <property name="successView" value="/jsp/commerce/shell/restricted/AuthenticationSuccess.jsp"/>
          <property name="failureView" value="/jsp/commerce/shell/restricted/AuthenticationFailed.jsp"/>
        </bean>
        <bean id="/Logout" class="com.ibm.commerce.foundation.client.lobtools.controllers.AuthenticationClientLibraryController">
          <property name="urlObject" value="Person"/>
          <property name="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient"/>
          <property name="clientLibraryMethod" value="logout"/>
          <property name="removeLTPAToken" value="true"/>
          <property name="logout" value="true"/>
          <property name="successView" value="/jsp/commerce/foundation/restricted/Values.jsp"/>
          <property name="failureView" value="/jsp/commerce/shell/restricted/AuthenticationFailed.jsp"/>
        </bean>
        <bean id="/ResolveIdentity" class="com.ibm.commerce.foundation.client.lobtools.controllers.AuthenticationClientLibraryController">
          <property name="urlObject" value="Person"/>
          <property name="contextParameters">
            <props>
              <prop key="channelId">channelId</prop>
            </props>
          </property>
          <property name="resolveIdentity" value="true"/>
          <property name="clientLibrary" value="com.ibm.commerce.member.facade.client.MemberFacadeClient"/>
          <property name="clientLibraryMethod" value="authenticateLTPA"/>
          <property name="successView" value="/jsp/commerce/shell/restricted/ResolveIdentitySuccess.jsp"/>
          <property name="failureView" value="/jsp/commerce/shell/restricted/ResolveIdentityFailed.jsp"/>
        </bean>

        After you complete your edits, save your changes and close the file.

      The controller configurations include the following actions:
      • A Logon action, which generates an LTPA token when a user logs on to Management Center.
      • A Logout action, which removes the generated LTPA token when a user logs out of Management Center.
      • A ResolveIdentity action, which is used with the authenticateLTPA service to resolve the identity of a user from an existing LTPA token.
  5. Optional: If you configured WebSphere Commerce to generate the LTPA token (that is, you selected Configure JAAS Login Module earlier), you must update the properties for the LogonCmd, UserRegistrationAddCmd, PersonProcessServicePersonRegister, and LogOffCmd actions.
    1. Navigate to the following directory:
      • Linux, AIX, Windows: WC_eardir/Stores.war/WEB-INF
      • WebSphere Commerce Developer: workspace_dir/Stores/WebContent/WEB-INF
    2. Open the struts-config-ext.xml file for editing.
    3. Locate the following action element for the logon command:
      <action parameter="com.ibm.commerce.security.commands.LogonCmd" path="/Logon" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledBaseAction">
      
      Add the following generateLTPAToken property inside the action element:
      <!-- The store will create the LTPA token on logon -->
      <set-property property="generateLTPAToken" value="10101:1"/>
      Where 10101 represents your store ID.
    4. Locate the following action element for the UserRegistrationAddCmd command:
      <action parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationAddCmd" path="/UserRegistrationAdd" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledBaseAction">
      Add the following generateLTPAToken property inside the action element:
      <!-- The store will create the LTPA token on registration -->
      <set-property property="generateLTPAToken" value="10101:1"/>
      Where 10101 represents your store ID.
    5. Locate the following action element for the PersonProcessServicePersonRegister command:
      <action parameter="member.registerPerson" path="/PersonProcessServicePersonRegister" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledComponentServiceAction">
      Add the following generateLTPAToken property inside the action element:
      <!-- The store will create the LTPA token on registration -->
      <set-property property="generateLTPAToken" value="10101:1"/>
      Where 10101 represents your store ID.
    6. Locate the following action element for the logoff command:
      <action parameter="com.ibm.commerce.security.commands.LogoffCmd" path="/Logoff" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledBaseAction">
      
      Add the following removeLTPAToken property inside the action element:
      <!-- The store will destroy/remove the LTPA token on logoff -->
      <set-property property="removeLTPAToken" value="10101:1"/>
      Where 10101 represents your store ID.
  6. Optional: If LTPA tokens are being used, you can allow them to keep a session alive beyond the standard WebSphere Commerce cookie-based session timeout.
    The LTPA token is checked only when the WebSphere Commerce session has expired; if the token is still valid, the session is refreshed. Note that this extends the effective session lifetime to that of the LTPA token.
    1. Navigate to the following directory.
      • WC_eardir/xml/config/
      • WebSphere Commerce Developer: workspace_dir\WC\xml\config\
    2. Open the wc-server.xml configuration file for editing.
    3. Change the value of keepAliveSession to true on the Directory element. Change only that attribute; keep the other attributes as they are in your instance.
      <MemberSubSystem AuthenticationMode="LDAP" ProfileDataStorage="LDAP">
        <Directory EntryFileName="ldap/ldapentry.xml" MigrateUsersFromWCSdb="ON" SingleSignOn="1" display="false" keepAliveSession="true"/>
        <SyncOrganizationExclusionList display="false"/>
        <ResetPassword resetNullPasswordEnabled="true"/>
      </MemberSubSystem>
    4. Save and close the file.
  7. Deploy your changes to the WebSphere Commerce enterprise archive (EAR).
  8. Restart the WebSphere Application Server.
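The storeAncestor caveat in step 3 is easy to get wrong by eye, because a DN that merely ends with the same text is not the same as a DN that sits under the site organization. The following script is an added example and not IBM code: it parses a constructed copy of the MemberRegistrationAttributes.xml entry from step 3 (the <Attributes> wrapper element is a placeholder, only the User entries matter) and checks, RDN by RDN, that every SSO entry's storeAncestor is an ancestor of, or equal to, the site organization, and that every Role DN lies under the root organization. The site organization DN is an assumption; substitute the DN of the organization that owns store 0 in your instance.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the organization that owns the site (store 0). Substitute yours.
SITE_DN = "o=Root Organization"
ROOT_DN = "o=Root Organization"

# Constructed sample, modelled on the page's example. The <Attributes> wrapper
# is a placeholder; only the <User> entries matter to the check. The second
# entry is deliberately wrong: its storeAncestor is below the site, not above it.
SAMPLE_XML = """<Attributes>
  <User registrationType="SSO"
        memberAncestor="o=Default Organization,o=Root Organization"
        storeAncestor="o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit" DN="o=Reseller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="o=Supplier Organization,o=Root Organization"/>
    <Role name="Registered Customer" roleContext="explicit" DN="ou=Supplier Hub Organization,o=Business Indirect Supplier Organization,o=Root Organization"/>
  </User>
  <User registrationType="SSO"
        memberAncestor="o=Default Organization,o=Root Organization"
        storeAncestor="o=Seller Organization,o=Root Organization">
    <Role name="Registered Customer" roleContext="explicit" DN="o=Seller Organization,o=Root Organization"/>
  </User>
</Attributes>"""


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first.

    Commas escaped with a backslash stay inside their value, and both parts are
    lower-cased because LDAP DN matching is case-insensitive for these types.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_ancestor(ancestor, dn):
    """True when `ancestor` is `dn` itself or one of its parents, compared RDN by RDN.

    A plain string-suffix test would accept "o=Foo Root Organization" as lying
    under "o=Root Organization"; comparing whole RDNs does not.
    """
    a, d = parse_dn(ancestor), parse_dn(dn)
    return len(a) <= len(d) and d[len(d) - len(a):] == a


def check_sso_entries(xml_text, site_dn=SITE_DN):
    """Return one finding per problem in the User entries with registrationType="SSO"."""
    findings = []
    for user in ET.fromstring(xml_text).iter("User"):
        if user.get("registrationType") != "SSO":
            continue
        store_anc = user.get("storeAncestor", "")
        if not is_ancestor(store_anc, site_dn):
            findings.append(
                f"storeAncestor {store_anc!r} is not an ancestor of the site organization "
                f"{site_dn!r}; SSO roles are assigned at site level, not store level"
            )
        for role in user.findall("Role"):
            if not is_ancestor(ROOT_DN, role.get("DN", "")):
                findings.append(
                    f"Role {role.get('name')!r} has a DN outside {ROOT_DN!r}: {role.get('DN')!r}"
                )
    return findings


if __name__ == "__main__":
    for finding in check_sso_entries(SAMPLE_XML):
        print("PROBLEM:", finding)
```

Run it against your own file by replacing SAMPLE_XML with the file's contents; an empty result means every SSO entry's storeAncestor really is above the site organization.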

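Steps 1, 5 and 6 each edit a different file, and a missing set-property or an unchanged keepAliveSession only shows up later as a user who is silently not signed on. The following script is an added example and not IBM code: it audits constructed copies of createInstance.properties, struts-config-ext.xml and wc-server.xml against the settings the procedure names (SingleSignOn, the four generateLTPAToken/removeLTPAToken properties with the store ID, and keepAliveSession) and reports what is missing. The store ID, the outer wrapper elements of the two XML samples, and the attribute values other than the ones the procedure sets are assumptions or placeholders; the struts sample deliberately omits the /Logoff property so that the audit has something to find.

```python
import re
import xml.etree.ElementTree as ET

STORE_ID = "10101"  # assumption: the store ID used in the page's snippets

# Constructed samples. Wrapper elements and attribute values other than the ones
# the procedure sets are placeholders. The /Logoff action lacks its property.
PROPS = 'SingleSignOn="1"\n'
STRUTS_XML = """<struts-config>
 <action-mappings>
  <action parameter="com.ibm.commerce.security.commands.LogonCmd" path="/Logon" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledBaseAction">
    <set-property property="generateLTPAToken" value="10101:1"/>
  </action>
  <action parameter="com.ibm.commerce.usermanagement.commands.UserRegistrationAddCmd" path="/UserRegistrationAdd" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledBaseAction">
    <set-property property="generateLTPAToken" value="10101:1"/>
  </action>
  <action parameter="member.registerPerson" path="/PersonProcessServicePersonRegister" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledComponentServiceAction">
    <set-property property="generateLTPAToken" value="10101:1"/>
  </action>
  <action parameter="com.ibm.commerce.security.commands.LogoffCmd" path="/Logoff" type="com.ibm.commerce.struts.LTPATokenGenerationEnabledBaseAction"/>
 </action-mappings>
</struts-config>"""
SERVER_XML = """<InstanceProperties>
  <MemberSubSystem AuthenticationMode="DB" ProfileDataStorage="DB">
    <Directory EntryFileName="ldap/ldapentry.xml" MigrateUsersFromWCSdb="ON" SingleSignOn="1" display="false" keepAliveSession="true"/>
  </MemberSubSystem>
</InstanceProperties>"""

# Action path -> set-property that step 5 adds to it.
EXPECTED_STRUTS = {
    "/Logon": "generateLTPAToken",
    "/UserRegistrationAdd": "generateLTPAToken",
    "/PersonProcessServicePersonRegister": "generateLTPAToken",
    "/Logoff": "removeLTPAToken",
}


def audit_properties(text):
    """Step 1: SingleSignOn must be 1 (the page writes it quoted, so accept both forms)."""
    m = re.search(r'^\s*SingleSignOn\s*=\s*"?(\d)"?\s*$', text, re.M)
    return [] if m and m.group(1) == "1" else ["createInstance.properties: SingleSignOn is not 1"]


def audit_struts(xml_text, store_id):
    """Step 5: each action must carry its LTPA set-property for this store ID."""
    findings = []
    actions = {a.get("path"): a for a in ET.fromstring(xml_text).iter("action")}
    for path, prop in EXPECTED_STRUTS.items():
        action = actions.get(path)
        if action is None:
            findings.append(f"struts-config-ext.xml: no action mapping for {path}")
            continue
        # The property is only honoured by the LTPATokenGenerationEnabled* action types.
        if "LTPATokenGenerationEnabled" not in (action.get("type") or ""):
            findings.append(f"struts-config-ext.xml: {path} is not an LTPATokenGenerationEnabled action type")
        values = [p.get("value") for p in action.findall("set-property") if p.get("property") == prop]
        if f"{store_id}:1" not in values:
            findings.append(f'struts-config-ext.xml: {path} lacks <set-property property="{prop}" value="{store_id}:1"/>')
    return findings


def audit_server_xml(xml_text):
    """Step 6: the Directory element must have SingleSignOn="1" and keepAliveSession="true"."""
    directory = ET.fromstring(xml_text).find(".//MemberSubSystem/Directory")
    if directory is None:
        return ["wc-server.xml: no MemberSubSystem/Directory element"]
    findings = []
    if directory.get("SingleSignOn") != "1":
        findings.append('wc-server.xml: Directory SingleSignOn is not "1"')
    if (directory.get("keepAliveSession") or "").lower() != "true":
        findings.append('wc-server.xml: keepAliveSession is not "true"; an expired session will not be refreshed from the LTPA token')
    return findings


def audit_all(props, struts_xml, server_xml, store_id=STORE_ID):
    return audit_properties(props) + audit_struts(struts_xml, store_id) + audit_server_xml(server_xml)


if __name__ == "__main__":
    for finding in audit_all(PROPS, STRUTS_XML, SERVER_XML):
        print("MISSING:", finding)
```

Point the three constants at the real files under WC_installdir and WC_eardir (or the Developer workspace) before deploying the EAR in step 7; the audit is read-only and does not modify anything.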
What to do next

For security purposes, when single sign-on is enabled, users should close all web browser windows after they log out of Management Center, so that any session cookies that are still valid elsewhere in the trust domain are discarded.