
I'm trying to integrate IBM Connections and IBM WebSphere Portal (WP) following this documentation. I can't get SSO working between them. Here is the section about SSO in the documentation. After implementing all the steps, I get the message "You are not authorized" in the WP Connections portlets.

Knowing the SSO with LTPA mechanism I have a couple of questions:

  1. In this particular case, should the WP server and the IBM Connections server be in the same domain in order for LTPA to work?
  2. Should the WP WebSphere server's security be configured to use the same federated repository as the Connections server? (The Connections server uses MAD LDAP.)
  3. And can anybody explain what ID to use to authenticate in WP? (I mean, should it be an LDAP user and not a local system user?)
rilaby

1 Answer


1 - They can actually be the same top-level domain; you just need to change your General Settings > Web SSO settings. For instance, I could set the SSO domain to .ibm.com instead of a more specific domain, where my servers are in test.org.conx.ibm.com and portalserver.portal.ibm.com.

2 - It's much easier if they use the same repository, but it is not required, as long as the LTPA token is used to log in to the secondary server, such as Connections.

3 - Well, whatever group you have in your corporate LDAP that is set to manage Portal, and the IDs which you have to access the portal. Generally these should be either mail;cn;uid

Paul Bastide
  • 2 - Just a clarification that the LTPA token contains only three pieces of information: realm name, expiration date and distinguished name. In that case it is used to log in to the secondary server, just bypassing authentication. There is no password information in the LTPA token. – rilaby Aug 08 '13 at 06:50
  • 3 - Can you please explain how to set the manage and access group of the portal? As I understand SSO, you may authenticate to the portal with any user from LDAP and all the portlets will show the information from IBM Connections (getting authentication information through SSO). Am I right? – rilaby Aug 08 '13 at 06:55
  • There is no password information in the token. What is passed over is also an encrypted packet of information; when decrypted, that's what you get at that side. The successful decryption and identity is what logs them in. – Paul Bastide Aug 08 '13 at 12:13
  • You need to use portal access and controls. The LDAP groups are then assigned to the portlet and the portal page in order to provide the users access. – Paul Bastide Aug 08 '13 at 12:14
  • Did this answer your questions? – Paul Bastide Aug 09 '13 at 15:29
  • Almost. Can you please give me a link to the documentation on how to assign the LDAP group to the portlet? – rilaby Aug 12 '13 at 14:09
  • http://publib.boulder.ibm.com/infocenter/wpdoc/v6r0/index.jsp?topic=/com.ibm.wp.ent.doc/wpf/sec_ac_adm.html – Paul Bastide Aug 12 '13 at 14:18
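
The SSO domain point in the answer above comes down to cookie domain matching: the browser only sends the LTPA cookie to hosts covered by the configured Web SSO domain. The following check is an added example, not part of the original thread or of IBM's tooling; the function names are hypothetical, the host names are the ones quoted in the answer, and the two-label minimum is a simplification of the browser's public-suffix rule.

```python
import ipaddress

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host: str, sso_domain: str) -> bool:
    """True if a cookie scoped to sso_domain would be sent to host (RFC 6265, 5.1.3)."""
    host = host.lower().rstrip(".")
    domain = sso_domain.lower().strip(".")
    if not domain:
        return False
    if _is_ip(host):
        # Suffix matching never applies to IP addresses, only exact match.
        return host == domain
    # Match on a label boundary so "notibm.com" is not covered by ".ibm.com".
    return host == domain or host.endswith("." + domain)

def narrowest_common_domain(hosts: list[str]) -> str:
    """Most specific domain shared by every host, or '' if none is usable."""
    split = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    common = []
    for labels in zip(*split):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    # Simplification (assumption): require two labels, since browsers reject
    # cookies scoped to a bare public suffix such as "com".
    return ".".join(reversed(common)) if len(common) >= 2 else ""

def check_sso_domain(sso_domain: str, hosts: list[str]) -> dict[str, bool]:
    """Per-host result: does the SSO cookie scope cover this server?"""
    return {h: domain_match(h, sso_domain) for h in hosts}

# Host names quoted in the answer.
HOSTS = ["test.org.conx.ibm.com", "portalserver.portal.ibm.com"]

if __name__ == "__main__":
    for candidate in (".ibm.com", ".conx.ibm.com", ".portal.ibm.com"):
        print(candidate, check_sso_domain(candidate, HOSTS))
    print("narrowest shared domain:", narrowest_common_domain(HOSTS))
```

A host that reports `False` for the configured domain never receives the token from the browser, so the second server sees an unauthenticated request regardless of how the repositories are set up.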