Does Showcase support Single Sign-On Configuration (SSO)?
Single sign-on is supported with Showcase version 9.0 and higher.
Note: Single Sign-On Configuration (SSO) can also be found in the Showcase 9 Administrator's Guide, in the Server Maintenance section.
Single Sign-On Configuration (SSO):
Single sign-on (SSO) is a method of access control that enables a user to log in once and gain access to the resources of multiple software systems without being prompted to log in again. In order to use Showcase single sign-on, the following prerequisites must be met:
- The Showcase client machines must belong to the company Intranet domain, and a member of that domain must be logged in to the client machine.
- IBM Enterprise Identity Mapping (EIM) must be configured and active on the IBM i where the IBM Showcase Warehouse Manager Server is installed.
- The Warehouse Manager Server must be configured for the Intranet domain and the default EIM instance on the IBM i.
- The Showcase Warehouse Manager Server data source for the Warehouse Manager Server must be SSO Enabled.
Enterprise Identity Mapping (EIM) Configuration:
Enterprise Identity Mapping (EIM) for the IBM i platform is the i5/OS implementation of an IBM infrastructure that allows administrators and application developers to solve the problem of managing multiple user registries across their enterprise. Most network enterprises face the problem of multiple user registries, which require each person or entity within the enterprise to have a user identity in each registry. The need for multiple user registries quickly grows into a large administrative problem that affects users, administrators, and application developers.
EIM enables inexpensive solutions for easier management of multiple user registries and user identities in your enterprise. EIM allows you to create a system of identity mappings, called associations, between the various user identities in various user registries for a person in your enterprise. EIM also provides a common set of APIs that can be used across platforms to develop applications that can use the identity mappings that you create to look up the relationships between user identities. In addition, you can use EIM in conjunction with network authentication service, the i5/OS implementation of Kerberos, to provide a single sign-on environment.
You can configure and manage EIM through iSeries Navigator, the IBM i graphical user interface. The IBM i platform uses EIM to enable i5/OS interfaces to authenticate users by means of network authentication service. Applications, as well as i5/OS, can accept Kerberos tickets and use EIM to find the user profile that represents the same person as the Kerberos ticket represents. For more information about configuring Enterprise Identity Mapping for the IBM i platform, see the documentation at the IBM website.
ShowCase Warehouse Manager Server Configuration:
The ShowCase Warehouse Manager Server needs the information on the Kerberos domain and the EIM credentials. The Kerberos Realm, KDC Server (Domain Controller), and the EIM administrative user and password are required when enabling ShowCase SSO. The CFGSCSSO command in the ShowCase library must be used to configure these settings.
Enabling SSO with the CFGSCSSO command:
- Add the Warehouse Manager Server library to your library list (with ADDLIBLE).
- Type in the CFGSCSSO command and press F4 (instead of Enter).
- Press F9 to show all required parameters.
- Configure the settings, using the following information as a guide:
Enable ShowCase SSO: This prompt allows you to enable or disable single sign-on for the Warehouse Manager Server. The possible values are *YES (single sign-on is enabled) and *NO (single sign-on is disabled).
Kerberos Realm: Enter the name of your Kerberos Realm. This is typically the name of your domain, in capital letters. Contact your network administrator to obtain the correct value for this parameter.
Kerberos KDC Server: Enter the name of your Kerberos Key Distribution Center (KDC). The KDC is typically installed on your Domain Controller. Contact your network administrator to obtain the correct value for this parameter.
EIM System: Enter the TCP/IP name of the IBM i where your Enterprise Identity Mapping (EIM) instance is configured and running. Contact your IBM i administrator to obtain the correct value for this parameter.
EIM Domain Name: Enter the name for your Enterprise Identity Mapping instance running on the IBM i machine. Contact your IBM i administrator to obtain the correct value for this parameter.
EIM LDAP Port: Enter the port for your Enterprise Identity Mapping LDAP Server (IBM Directory Server) running on the IBM i machine. Contact your IBM i administrator to obtain the correct value for this parameter.
EIM Administrative User: Enter the administrative user name for your local Enterprise Identity Mapping instance running on the IBM i machine. Contact your IBM i administrator to obtain the correct value for this parameter.
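A pre-flight check for the values gathered for the CFGSCSSO prompts above, as an added example (not part of the Showcase documentation or product). The dictionary keys are the prompt labels from this page, not CFGSCSSO parameter keywords; the realm, host names and user are constructed samples, and `tcp_reachable` is a hypothetical helper for an optional live check.

```python
import re
import socket

# Keys are the prompt labels from this page; values are constructed samples.
SAMPLE = {
    "Enable ShowCase SSO": "*YES",
    "Kerberos Realm": "corp.example.com",   # wrong on purpose: not in capitals
    "Kerberos KDC Server": "dc01.corp.example.com",
    "EIM System": "ibmi01.corp.example.com",
    "EIM Domain Name": "EIM",
    "EIM LDAP Port": "389",
    "EIM Administrative User": "eimadmin",
}
PROMPTS = tuple(SAMPLE)
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile("^" + LABEL + r"(?:\." + LABEL + ")*$")

def check_settings(s):
    """Return (prompt, message) findings; an empty list means nothing to fix."""
    findings = []
    for prompt in PROMPTS:
        if not str(s.get(prompt, "")).strip():
            findings.append((prompt, "value is missing"))
    enable = s.get("Enable ShowCase SSO", "")
    if enable and enable not in ("*YES", "*NO"):
        findings.append(("Enable ShowCase SSO", "must be *YES or *NO"))
    realm = s.get("Kerberos Realm", "")
    if realm and realm != realm.upper():
        # Kerberos realm names are case-sensitive.
        findings.append(("Kerberos Realm", "expected capitals: " + realm.upper()))
    for prompt in ("Kerberos KDC Server", "EIM System"):
        host = s.get(prompt, "")
        if host and not HOST_RE.match(host):
            findings.append((prompt, "not a valid host name"))
    port = str(s.get("EIM LDAP Port", ""))
    if port and not (port.isdecimal() and 1 <= int(port) <= 65535):
        findings.append(("EIM LDAP Port", "must be a number from 1 to 65535"))
    elif port == "389":
        findings.append(("EIM LDAP Port", "389 is the standard unencrypted "
                         "LDAP port; confirm whether TLS is in use"))
    return findings

def tcp_reachable(host, port, timeout=3.0):
    """Optional live check: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for prompt, message in check_settings(SAMPLE):
        print(prompt + ": " + message)
```

Once the offline checks pass, `tcp_reachable(kdc, 88)` (88 is the standard Kerberos port) and `tcp_reachable(eim_system, ldap_port)` confirm that the KDC and the EIM LDAP server answer from the machine you test on.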