What is SSO?
SSO refers to a mechanism where a single authentication provides access to multiple applications. An authentication token that is generated once is stored and seamlessly passed to configured applications.
This reduces the time spent entering passwords for the same identity, and increases security, since the credentials are presented to an SSO server rather than to each individual service.
The diagram below explains a typical SSO implementation.
There are different ways of achieving this. The challenge with IBM Host On-Demand, or any other emulator solution, is that the logon has to be automated during communication with the host, which means being able to intercept the telnet data stream.
This blog briefly lists the options available in IBM Host On-Demand for achieving single sign-on, and explains how to decide which option to choose.
Different options in IBM Host On-Demand
IBM Host On-Demand provides multiple options to achieve an SSO solution for your enterprise.
1. Macro-based Web Express logon – This requires recording a macro that populates the credential fields on the screen with the required user name and password and sends them to the host. The macro can be made to work with a credential mapper servlet (hosted on an application server) that holds the host user ID and password. The servlet and the macro together log the user in to the host automatically.
2. Connection-based Web Express logon – This logon mechanism works without macros. There are two connection-based logon mechanisms:
a. Kerberos pass ticket – If your host supports Kerberos, you can configure your Windows workstation to use a Kerberos pass ticket to log in to the host. The Windows workstation and the host need to be part of the same Active Directory forest in this case. The Enterprise Identity Mapper is used to map the Windows user ID to a host user ID. As soon as a domain user logs in to this Windows workstation, the user's Windows credentials are used and the user is automatically logged in to the host. Note: This is supported only for 5250 hosts.
b. Windows domain login – If the Windows workstation is part of an AD domain, IBM Host On-Demand can automatically log in to a configuration model page without the user entering any credentials. The Windows login credential must be mapped to a Host On-Demand user for this to work.
3. Certificate Express logon – This works with a 3270 host and requires that the connection is an SSL connection with client authentication enabled. It is another macro-based logon option, where the macro fills in the user ID and password fields. The tn3270 server picks up these values and replaces them in the 3270 data stream, completing the login.
For more information about each of these options, refer to the following link.
How do you decide which option to use?
The following considerations determine which option to use:
1. Host type – 5250 or 3270 – this determines the logon support you get and therefore the model you should choose.
2. Client operating system – this determines whether you can use a Kerberos pass ticket or a Windows domain login.
3. Do you need multiple user identities mapped to a single host identity? This can be achieved only with macro-based logon.
4. The Host On-Demand client model – configuration-based or HTML-based – determines which type of Web Express logon you need to use.
Where can you find more information?
QA Manager, HACP & HATS