IBM i Global

  • 1.  EIM SSO with two or more target IBMi associations

    Posted Wed March 15, 2023 10:37 AM

    We implemented EIM SSO years ago, but never found a solution for a scenario where one A.D. (Kerberos source) has two or more IBM i target profiles. I was told through an IBM Case that this could be configured, but no further support was available through Case support.

    Does anyone know something about that?



    ------------------------------
    Krzysztof Jarzynski
    ------------------------------


  • 2.  RE: EIM SSO with two or more target IBMi associations

    Posted Wed March 15, 2023 11:07 AM

    I would think it should be like there were 2 different servers/systems.
    But I would think you've tried that?
    Different name, different IP, but the same settings apart from that:



    ------------------------------
    Erik Aasland
    IBMi administrator
    Fremtind Insurance
    ------------------------------



  • 3.  RE: EIM SSO with two or more target IBMi associations

    IBM Champion
    Posted Wed March 15, 2023 08:29 PM
    Edited by Satid Singkorapoom Wed March 15, 2023 08:34 PM

    Dear Krzysztof 

    I cannot find a case for using a single Kerberos source for multiple IBM i user profiles WITHIN THE SAME LPAR/SYSTEM.  Just like what Erik said, I find that you can do this for the same user profile in multiple IBM i LPARs/systems. When I did a Google search with "ibm i sso multiple realm", I found this information:

    Scenario: Enabling single sign-on for IBM i at  https://www.ibm.com/docs/en/i/7.2?topic=s-scenario-enabling-single-sign-i

    Scenario: Propagating network authentication service and EIM across multiple systems at  https://www.ibm.com/docs/en/i/7.2?topic=scenarios-scenario-propagating-network-authentication-service-eim-across-multiple-systems 

    These 2 URLs belong to the same manual. On the left panel of the web page, if you move upward, you will see a link to download the PDF file for the Single sign-on manual.  Be sure to specify your IBM i release at the top of left panel. 



    ------------------------------
    Education is not the learning of facts but the training of the mind to think. -- Albert Einstein.
    ------------------------------
    Satid S.
    ------------------------------



  • 4.  RE: EIM SSO with two or more target IBMi associations

    Posted Thu March 16, 2023 10:01 AM

    Currently, I'm having difficulties with accessing my old cases. 

    I'll share the case number asap.



    ------------------------------
    Krzysztof Jarzynski
    ------------------------------



  • 5.  RE: EIM SSO with two or more target IBMi associations

    Posted Fri March 17, 2023 09:20 AM

    In fact I'm going to add another LPAR.
    We have 3 LPARs: Test, Production and HA.
    The Test LPAR is now using Kerberos.
    Then the production LPAR is next.
    I'm pretty sure the settings will be the same apart from name and IP on the LPAR.
    The AD/password server is still the same.



    ------------------------------
    Erik Aasland
    IBMi administrator
    Fremtind Insurance
    ------------------------------



  • 6.  RE: EIM SSO with two or more target IBMi associations

    IBM Champion
    Posted Mon March 20, 2023 08:55 AM

    Hi all,

    I take advantage of Erik's post to specify the possible configurations when you want to use several targets (IBM i).

    To enable SSO on additional partitions, you need to do it in two steps, as with any EIM-based SSO:

    1. Configure Kerberos for each partition, i.e. use the Navigator for i wizard and create the corresponding service accounts in the AD.

    2. Then configure EIM. And here you have two possibilities: either centralize the configuration on a partition (a global EIM domain), or have an independent EIM domain for each partition. I recommend this second solution, even if it is a little heavier to manage, because otherwise stopping the partition that hosts the EIM domain blocks the SSO of all partitions, which can be dramatic. You have the choice of this configuration in the first choice screen of the EIM wizard: either "Join an existing domain" or "Create and join a new domain". So I recommend the latter, and you specify on the next window that you want to have the EIM controller (in the IBM i LDAP directory) on the partition itself ("On the local directory server").

    If you want to have only one EIM domain, once the installation is complete, you can, for a single source (the AD account), have targets on each of the configured partitions.

    I hope I have been clear.

    ------------------------------------------------------------

    Dominique GAYTE

    IBM Champion 2023

    IMI Security Expert

    ------------------------------------------------------------



    ------------------------------
    Dominique Gayte
    ------------------------------



  • 7.  RE: EIM SSO with two or more target IBMi associations

    Posted Mon March 20, 2023 08:59 AM

    Krzysztof,
    That can be done with the multiple target support in EIM. Important for SSO is that an EIM lookup operation always returns just one target mapping. If more than one match is returned, authentication will fail. When you want to support multiple target mappings for one source user, you need to first figure out what the maximum number of different target IBM i user profiles is that a single person would use to connect to the same IBM i LPAR. Let's assume that at a maximum one employee would like to use SSO to log in with 4 different IBM i user profiles. In this case, the maximum number is 4 and you would need 4 IP interfaces on this LPAR. Say we have 10.10.10.20, 10.10.10.21, 10.10.10.22, and 10.10.10.23.

    In EIM you can add additional information to a target mapping (note that this can be done with the old/legacy Navigator for Web, but the new one does not have that option yet. You could also use APIs to do it.). Let's further assume that user Mike has the IBM i user profiles MIKE1, MIKECRM, MIKESM, and MIKESEC. You would then add 10.10.10.20 as additional lookup information to target association MIKE1, 10.10.10.21 to target user MIKECRM, 10.10.10.22 to MIKESM, etc. On the desktop you would then create, e.g., a 5250 session profile to connect to 10.10.10.20, another 5250 profile to point to 10.10.10.21, etc. When the SSO request now arrives on 10.10.10.21, the EIM lookup will return MIKECRM (unique answer) and SSO works.

    In terms of Kerberos you could have 4 different DNS A records (e.g. PROD, PROD2, PROD3, PROD4). In the past you might have used the SPN krbsvr400/prod.mydomain.com@WINDOWS.DOMAIN. Depending on the client applications (whether they do a reverse lookup on the IP address or not), you could have 4 different A records and 4 reverse pointer (PTR) records that all point to prod.mydomain.com. That way you only need one service account and one keytab entry for each Kerberos service. Of course, you could also just create 4 different service accounts that match the hostnames of the 4 IP interfaces.

    See also https://www.ibm.com/docs/en/i/7.4?topic=associations-adding-lookup-information-target-user-identity

    So the bottom line is that multiple targets work, but it does require some additional setup.



    ------------------------------
    Thomas Barlen
    ------------------------------



  • 8.  RE: EIM SSO with two or more target IBMi associations

    Posted Tue March 21, 2023 12:13 PM

    Hi Thomas,

    Thank you very much.

    This is exactly a solution that I was looking for.

    Best regard from Dublin :)



    ------------------------------
    Krzysztof Jarzynski
    ------------------------------



  • 9.  RE: EIM SSO with two or more target IBMi associations

    IBM Champion
    Posted Mon March 20, 2023 09:32 AM

    I really don't know a lot about EIM SSO as it's been years since we dabbled in it.  However, there's a difference between synchronizing your passwords and EIM/SSO.  If a single user has multiple sign-ons then it's typically so they have different job attributes, security authorizations, etc.  So, in an SSO environment, if I log into MIKE on my laptop, which user should it use on my IBM i:  MIKESECOFR, MIKEERP, MIKEACCTG, MIKEOPR?

    Later in the thread I see a suggestion to have multiple IP addresses showing in CFGTCP, option 1 (Work with TCP/IP interfaces), which you would probably want in your DNS, etc.  If you're not already using multiple IP addressing (different Domino servers, websites, etc.) then it seems clunky.

    If you just want password synchronizing to multiple user accounts that's easy to set up using IBM Security Identity Manager.  https://www.ibm.com/docs/en/sim/7.0.2?topic=product-overview

    We use this to sync passwords between Windows, IBM i, Domino, etc.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------