IBM i Global

  • 1.  Question about SSO set up

    Posted Thu August 22, 2024 09:26 AM

    We are planning to set up SSO for this customer and I have a doubt regarding one of the steps detailed here. Specifically, the 'Create Identifiers and Associations in EIM'.

    I don't quite understand if that step is needed for every single user profile that requires SSO (and if it has to be done one by one? If there are, say, 300 users, does that step need to be repeated 300 times?)... OR... is that step only needed if a person has different user profiles across different IBM i systems?



    ------------------------------
    Alejandro Insfran Beloqui
    ------------------------------


  • 2.  RE: Question about SSO set up

    Posted Fri August 23, 2024 02:23 AM

    Hello Alejandro ..

    Yes, one by one ... I don't know of another way except the IBM Lab Services tool ..

    https://semiug.org/2021/docs/Single%20Sign%20On%20Overview%20for%20IBM%20i.pdf



    ------------------------------
    Fernando Plaza
    IBM i System Administrator
    CD INVEST
    MADRID
    ------------------------------



  • 3.  RE: Question about SSO set up

    Posted Fri August 23, 2024 04:01 AM
    Hi 
    Like Fernando says, you can do it one by one.
    Or you can do it with a tool like the one from IBM Lab Services.
    I have done it with that tool.
    With that tool you can import a user list (text file) in the EIM Management tool or do it by AD.
    In AD you can have a group like "SSO group", and then you can use all members of that group in the configuration file in the tool.
    Then a job will be running on the IBM i looking into that AD group and waiting for "a new customer".

    I know Fortra has another tool but it is more expensive.





  • 4.  RE: Question about SSO set up

    Posted Fri August 23, 2024 08:40 AM

    As others have mentioned, IBM Lab Services has a tool which can effectively "script" this initial setup/mapping.  Doing it one-by-one is very time consuming.  In addition, the tool allows you to automate the mapping of new user profiles as they get created.  If your users' IBM i user profiles match with their AD accounts, you won't have to do anything extra when setting up new users.  We used it when setting up SSO/Kerberos here, and continue to use it as users are created.  It's seamless as long as the user profiles match with AD.



    ------------------------------
    Steven Riedmueller
    Certified IBM i Admin
    Speaker, Mentor, and Advocate
    ------------------------------
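
Added example, not part of any post and not the IBM Lab Services tool or any vendor's code: a dry-run planner for the bulk mapping the replies above describe. It takes an AD group's account names and the IBM i profile list and works out which EIM identifiers, source (Kerberos) and target (IBM i) associations would be created and which accounts need manual review. The registry names, the Q* review policy, the use of the account name as the identifier and all sample data are constructed assumptions.

```python
from dataclasses import dataclass

# All names and data below are constructed placeholders, not from the thread.
KRB_REGISTRY = "EXAMPLE.COM"         # assumed EIM registry for the AD realm
IBMI_REGISTRY = "IBMI1.EXAMPLE.COM"  # assumed EIM registry for the system

@dataclass(frozen=True)
class Mapping:
    identifier: str  # EIM identifier, one per person (account name, by assumption)
    source: tuple    # (registry, Kerberos principal name)
    target: tuple    # (registry, IBM i user profile)

def plan(ad_accounts, ibmi_profiles, overrides=None):
    """Dry run: return (mappings, unmatched); nothing is written to EIM."""
    overrides = {k.lower(): v.upper() for k, v in (overrides or {}).items()}
    profiles = {p.upper() for p in ibmi_profiles}
    mappings, unmatched, used = [], [], {}
    for acct in sorted(set(ad_accounts), key=lambda a: (a.lower(), a)):
        profile = overrides.get(acct.lower(), acct.upper())
        if profile.startswith("Q"):
            # Assumed policy: Q* names (IBM-supplied profiles) are never auto-mapped.
            unmatched.append((acct, "Q* profile, map by hand"))
        elif len(profile) > 10 or profile not in profiles:
            # IBM i profile names are at most 10 characters.
            unmatched.append((acct, "no matching IBM i profile"))
        elif profile in used:
            unmatched.append((acct, f"profile already mapped to {used[profile]}"))
        else:
            used[profile] = acct
            mappings.append(Mapping(acct, (KRB_REGISTRY, acct),
                                    (IBMI_REGISTRY, profile)))
    return mappings, unmatched

# Constructed sample input: AD "SSO group" members and IBM i profiles.
AD_GROUP = ["asmith", "bjones", "christopher.longname", "dlee", "qsecofr"]
PROFILES = ["ASMITH", "BJONES", "CLONGNAME", "QSECOFR"]
OVERRIDES = {"christopher.longname": "CLONGNAME"}  # accounts whose names differ

if __name__ == "__main__":
    ok, todo = plan(AD_GROUP, PROFILES, OVERRIDES)
    for m in ok:
        print("ADD", m.identifier, m.source, "->", m.target)
    for acct, reason in todo:
        print("REVIEW", acct, "-", reason)
```

Reviewing the unmatched list before any associations are created keeps a mistyped or privileged profile from being mapped to the wrong AD account.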



  • 5.  RE: Question about SSO set up

    Posted Fri August 23, 2024 09:42 AM

    Alejandro;

    We have this SSO Service.  https://www.fortra.com/resources/datasheets/powertech-services

    And/Or we also sell an RPA product that has a BOT for syncing AD with IBM i profiles.  https://connectors.fortra.com/bots/ibm-i/solution-template-active-directory-ibm-i-extend-sso

    Good luck 

    Tom



    ------------------------------
    Tom Huntington
    EVP of Technical Solutions
    Fortra
    Eden Prairie
    9523349940
    ------------------------------



  • 6.  RE: Question about SSO set up

    Posted Mon August 26, 2024 03:40 AM

    Hello Alejandro,

    I've been deploying SSOs since the early 2000s. It very quickly became apparent that we needed software that would fill the gaps in the solution proposed by IBM, which is very effective but, in my opinion, unusable in production as it is.
    The critical points are in particular the initial import of the associations, the impossibility of replicating these associations on the backup via replication software (MIMIX, QUICK EDD...), the backup of the associations...
    I designed software, called AD-iCT, that fills all these gaps. Do not hesitate to contact me if you want more information (https://i.gayte.it/ad-ict-sso-ibm-i/ the English language page is coming soon, the software is multilingual).
    Dominique


    ------------------------------
    Dominique Gayte
    Président (CEO)
    i.gayte.it
    ------------------------------



  • 7.  RE: Question about SSO set up

    Posted Mon August 26, 2024 04:37 AM
    Edited by Marius le Roux Mon August 26, 2024 04:37 AM

    Hi Alejandro, 

    If you have access to a Java developer then you might be able to "roll your own" based on this example program (EIMTool.zip) in the Redbook.

    Under the Additional Materials, you will find some ancient Java that isn't too difficult to understand with the guidance of the Redbook.

    Windows-based Single Signon and the EIM Framework on the IBM eServer iSeries Server


    & here : 
    Using Enterprise Identity Mapping Java classes


     

    Your other option is to go the RPA route yourself, record it with software that you are comfortable with (such as Power Automate), then let the RPA do the dirty work?



    If you do want to execute on an enterprise level, though, with reports and comfort for all the C-Levels and auditors, then it is best to get experts such as Fortra / i.gayte.it / Lab Services involved.



    ------------------------------
    Marius le Roux
    Owner
    MLR Consulting
    ------------------------------



  • 8.  RE: Question about SSO set up

    Posted Tue August 27, 2024 10:26 AM

    A little off-topic, but to complete the thinking around SSO on IBM i - IBM PowerSC supports MFA and SSO on i, and comes with scriptable CLI utilities that can be used for bulk user provisioning and set up. Probably not applicable in this case Alejandro because PowerSC supports OIDC and not Kerberos.



    ------------------------------
    Hrithik Govardhan
    ------------------------------



  • 9.  RE: Question about SSO set up

    Posted Wed August 28, 2024 02:10 PM

    Thanks everyone, every single reply helped. 

    I think for a moment we overlooked the fact that we needed a solution to address future maintenance of the associations of IBM i user profiles and AD accounts, and we have already presented to the customer all your proposed solutions. Thanks a lot again!



    ------------------------------
    Alejandro Insfran Beloqui
    ------------------------------