HCL Commerce Version 9.1.5.0 or later

Configuring single sign-on

Enabling single sign-on (SSO) preserves user authentication when the user switches between HCL Commerce and HCL Digital Experience.

About this task

Before you can use single sign-on for the HCL Commerce and HCL Digital Experience integration, you must complete the following tasks:

Procedure

To enable single sign-on between the HCL Commerce Authoring server and HCL Digital Experience Authoring Server, complete the following steps:
  1. Manually create a group under the HCL Commerce root organization to contain the HCL Digital Experience groups. For example: cn=groups,o=root organization.
  2. Log in to the HCL Digital Experience Configuration Wizard to set up LDAP (Federated Repositories) using the following link: https://<hostname>/hcl/wizard.
  3. Follow the instructions provided in the HCL Digital Experience documentation: https://help.hcltechsw.com/digital-experience/8.5/config/cw_overview.html
    1. Select Set Up a Cluster > Enable Federated Security.
    2. For the Base DN, specify the Root Organization from HCL Commerce.
      For example:
      • Base DN: o=root organization
      • Default parent for group: cn=groups,o=root organization
      • Default parent for PersonAccount: o=root organization
  4. Change the federated repositories realm name of the HCL Digital Experience Auth server to match the realm name of HCL Commerce Auth. An LTPA token carries the realm name of the server that issued it, so the two servers must share the same realm name for a token issued by one to be accepted by the other.
    1. Go to the HCL Digital Experience Auth WebSphere Application Server Administration console.
    2. Go to Global security and click Federated repositories > Configure.
    3. Change the Realm name to the HCL Commerce federated repositories realm name. For example: myrealm.
  5. Enable single sign-on for HCL Digital Experience Auth server by following the instructions provided in the WebSphere Application Server documentation: https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/usec_sso.html
    1. Log in to the HCL Digital Experience Auth WebSphere Application Server Administration console: https://<hostname>/ibm/console.
    2. Go to Security > Global Security > Web and SIP security > Single sign-on (SSO).
    3. Select Require SSL, so that the LTPA cookie is only ever sent over HTTPS.
    4. Enter the domain name. It must be a DNS domain that both the HCL Commerce and HCL Digital Experience hosts belong to (for example, .example.com), because the browser only sends the LTPA cookie to hosts in that domain.
    5. Click Apply and Save.
  6. Export the LTPA keys from the HCL Commerce Auth ts-app container.
    1. From inside the ts-app container, run the following command to export the LTPA keys:
      export-ltpa-keys <ltpaKeyFile> <password>
      For example: 
      export-ltpa-keys /SETUP/ltpa.keys passw0rd
      Record the password: it is needed again when the keys are imported into HCL Digital Experience.
    2. Copy and save the ltpa.keys file locally, and protect it: together with the password it lets anyone forge LTPA tokens for both servers.
      For example:
      kubectl cp ivt10/ivtesdxauthts-app-7dc7cd88db-fsbbh:/SETUP/ltpa.keys ltpa.keys.ivt10 -n ivt10
  7. Import the LTPA keys into the HCL Digital Experience Auth container by following the instructions in the WebSphere Application Server documentation: https://www.ibm.com/support/knowledgecenter/SSEQTP_9.0.5/com.ibm.websphere.base.doc/ae/tsec_altpaimp.html
    1. Copy the saved ltpa.keys file to the HCL Digital Experience Auth container.
      For example:
      kubectl cp ltpa.keys.ivt10 dx-auth/dx-deployment-0:/opt/HCL -n dx-auth
    2. Log in to the HCL Digital Experience Auth WebSphere Application Server Administration console: https://<hostname>/ibm/console
    3. Go to Security > Global Security > LTPA.
    4. Enter the same password you used to export the LTPA keys.
    5. Enter the fully qualified key file name as it exists inside the container. For example: /opt/HCL/ltpa.keys.ivt10.
    6. Click Import keys, then click Save.
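The following script is an added example and is not HCL's or IBM's own tooling. It wraps steps 6 and 7 above: it exports the keys from the ts-app pod, copies the file out, and, before copying it into the DX Auth pod, checks that the file is a complete WebSphere ltpa.keys properties file, that the realm recorded in it is the realm configured on DX Auth in step 4, and that the local copy is readable by its owner only. It assumes the standard WebSphere property names (com.ibm.websphere.ltpa.Realm, 3DESKey, PrivateKey, PublicKey); the pod names, namespaces and the realm name myrealm are the page's illustrative values, and the sample keys file at the end is constructed with placeholder key material so the checks can be run offline.

```shell
#!/bin/sh
# Added example; not HCL's or IBM's own code. Checks an exported LTPA keys file
# before it is imported into the DX Auth server. Assumes the standard WebSphere
# ltpa.keys properties format (com.ibm.websphere.ltpa.*). Pod names, namespaces
# and the realm name "myrealm" are illustrative.

# Print the value of one property (key=value line) from a keys file.
ltpa_prop() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Succeed only if the file carries the four properties an import needs.
ltpa_keys_complete() {
  for k in com.ibm.websphere.ltpa.Realm com.ibm.websphere.ltpa.3DESKey \
           com.ibm.websphere.ltpa.PrivateKey com.ibm.websphere.ltpa.PublicKey; do
    [ -n "$(ltpa_prop "$1" "$k")" ] || return 1
  done
}

# Succeed only if the realm recorded in the keys file is the one DX Auth was set to.
ltpa_realm_matches() {
  [ "$(ltpa_prop "$1" com.ibm.websphere.ltpa.Realm)" = "$2" ]
}

# Succeed only if nobody but the owner can read the file: the key material inside is
# protected only by the export password, and anyone holding both can mint LTPA tokens.
ltpa_keys_private() {
  [ -z "$(find "$1" \( -perm -g+r -o -perm -o+r \) -print)" ]
}

# Export from the Commerce ts-app pod, check the file, and copy it into the DX Auth pod.
# Not run by default. The password appears on the kubectl exec command line, so run this
# from a host whose process listings and shell history are trusted.
transfer_ltpa_keys() {
  ts_pod=$1; ts_ns=$2; dx_pod=$3; dx_ns=$4; realm=$5; password=$6
  local_copy="ltpa.keys.$ts_ns"
  kubectl exec -n "$ts_ns" "$ts_pod" -- export-ltpa-keys /SETUP/ltpa.keys "$password"
  kubectl cp "$ts_ns/$ts_pod:/SETUP/ltpa.keys" "$local_copy"
  chmod 600 "$local_copy"
  ltpa_keys_complete "$local_copy" || { echo "keys file incomplete" >&2; return 1; }
  ltpa_realm_matches "$local_copy" "$realm" || { echo "realm mismatch" >&2; return 1; }
  kubectl cp "$local_copy" "$dx_ns/$dx_pod:/opt/HCL/$local_copy"
  echo "import /opt/HCL/$local_copy in the DX Auth console using the export password"
}

# Constructed sample keys file (placeholder key material) so the checks run offline.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
com.ibm.websphere.CreationDate=Mon Jan 01 00\:00\:00 UTC 2024
com.ibm.websphere.CreationHost=ts-app
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER3DESKEY==
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDERPRIVATEKEY==
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDERPUBLICKEY==
com.ibm.websphere.ltpa.Realm=myrealm
EOF
chmod 600 "$SAMPLE"

ltpa_keys_complete "$SAMPLE" && echo "sample: all required properties present"
ltpa_realm_matches "$SAMPLE" myrealm && echo "sample: realm is myrealm"
ltpa_keys_private "$SAMPLE" && echo "sample: file is readable by owner only"
```

To run the real transfer, call transfer_ltpa_keys with the ts-app pod and namespace, the DX Auth pod and namespace, the realm name from step 4 and the export password, for example transfer_ltpa_keys ivtesdxauthts-app-7dc7cd88db-fsbbh ivt10 dx-deployment-0 dx-auth myrealm passw0rd. A realm mismatch reported here means step 4 was not applied on the DX Auth server, and importing the keys anyway would leave SSO failing silently.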

Results

Single sign-on is enabled between the HCL Commerce Authoring server and the HCL Digital Experience Auth environment: a user authenticated to one is not prompted to log in again on the other.

What to do next

Repeat the steps to configure single sign-on for the HCL Digital Experience Live environment.