IWA can be implemented with various protocols, such as SPNEGO, Kerberos and NTLMSSP. WebSphere supports the SPNEGO protocol.
SPNEGO SSO requires a Kerberos Key Distribution Center (KDC) for users to authenticate with. For IWA, the Windows KDC is used; it is implemented as a domain service that uses Active Directory. WebSphere's SPNEGO SSO is not limited to the Windows KDC: it also supports KDCs on Linux, AIX and z/OS.
What is the typical SPNEGO SSO scenario like?
If the user's machine is logged on to a Windows domain or otherwise authenticated with a KDC, the user's credential can be sent from the browser to WebSphere. This way the user can log in to the application securely without typing a user ID and password.
In the following picture, the user first logs on to the Windows domain and obtains authentication information from the KDC. The browser on the user's machine sends that authentication information in a SPNEGO token with the HTTP request. WebSphere uses the SPNEGO token to authenticate the user, who can then access the application on WebSphere without typing a user ID and password.
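As an added example (not part of the original post), the following Python check lets an administrator confirm, from a captured `Authorization` header, that the browser really sent a Kerberos SPNEGO token rather than falling back to NTLM. The two sample header values are constructed, not captured, and the DER walker covers only the NegTokenInit mechTypes list.

```python
import base64

# Mechanism OIDs seen in a SPNEGO NegTokenInit mechTypes list
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

# Constructed samples (not real captures): a NegTokenInit offering Kerberos then NTLMSSP, mechToken omitted; a browser that fell back to raw NTLM
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602706062b0601050502a01d301ba019301706092a864886f712010202060a2b06010401823702020a")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def _read_tlv(buf, pos):
    # One DER tag-length-value; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: low 7 bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    # DER OBJECT IDENTIFIER contents to dotted form (first byte packs two arcs)
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def classify_negotiate_header(header_value):
    # ('spnego', [mechs offered]) for a NegTokenInit, ('ntlm', []) for raw NTLMSSP, else ('unknown', [])
    if not header_value.lower().startswith("negotiate "):
        return "unknown", []
    try:
        tok = base64.b64decode(header_value[10:])
        if tok.startswith(b"NTLMSSP\x00"):      # no Kerberos ticket involved at all
            return "ntlm", []
        tag, body, _ = _read_tlv(tok, 0)        # GSS-API InitialContextToken [APPLICATION 0]
        tag2, oid, pos = _read_tlv(body, 0)     # thisMech OID, must be SPNEGO 1.3.6.1.5.5.2
        if tag != 0x60 or tag2 != 0x06 or _decode_oid(oid) != "1.3.6.1.5.5.2":
            return "unknown", []
        node = body[pos:]  # descend [0] NegTokenInit > SEQUENCE > [0] mechTypes > SEQUENCE OF
        for expected in (0xA0, 0x30, 0xA0, 0x30):
            tag, node, _ = _read_tlv(node, 0)
            if tag != expected:
                return "unknown", []
        mechs, p = [], 0
        while p < len(node):
            tag, oid, p = _read_tlv(node, p)
            mechs.append(MECH_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
        return "spnego", mechs
    except (ValueError, IndexError):            # truncated or otherwise malformed token
        return "unknown", []
```

A result of `ntlm`, or a `spnego` list that offers only NTLMSSP, means the client had no Kerberos ticket for the WebSphere service principal, which usually points at a keytab or SPN mismatch rather than at the browser.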
How do I configure SPNEGO SSO for my application?
To enable SPNEGO SSO for an application on WebSphere, the following configuration is needed. Note that in addition to the WebSphere configuration, the KDC server and the browser on each client machine also require configuration.
- KDC server
  - The KDC server authenticates the users who log in to the application using SPNEGO SSO.
  - A keytab file needs to be created; it is then configured with WebSphere.
- Browser
  - The browser on the user's machine is configured to send the authentication information obtained from the KDC.
- WebSphere
  - The keytab file from the KDC server is configured with WebSphere.
  - The Kerberos configuration file (krb5.ini or krb5.conf) on the WebSphere server contains the KDC information, the encryption types, etc.
  - The application is configured for SPNEGO SSO via the Admin console or Liberty's server.xml.
Where do I find further information?
For more configuration information for Liberty, refer to "Configuring SPNEGO authentication in Liberty". For traditional WebSphere, see "Creating a single sign-on for HTTP requests using SPNEGO Web authentication" (WAS855 page, WAS905 page).
Application developers may be interested in the SPNEGO-related APIs (Liberty, WAS905, WAS855).
SPNEGO SSO configuration can be a little complicated. The following step-by-step instruction from WAS Support is one of the best resources: "How to Setup Single Sign-On (SSO) for HTTP requests using SPNEGO authentication in WebSphere Application Server".
Hope this blog provided a quick overview to get you started!