Call us at 507.319.5206 or This email address is being protected from spambots. You need JavaScript enabled to view it.
Follow us on LinkedIn and Twitter

FAQ: Single Sign On & SSO stat!

SSO FAQSingle sign-on is not always easy to understand. It often uses technologies that are not within the typical IBM i, AIX or LINUX professional's skillset, such as Kerberos and Enterprise Identity Mapping. And you have to know if your applications can or already do support single sign on.

We often get questions about single sign-on. Here are some of the most common.

Q:  Do single sign on and SSO stat! only work between Microsoft Windows and IBM i?

A:  Absolutely not! You can implement SSO for applications across nearly any combination of platforms.

Q:  How does Kerberos work?

A:  The Kerberos protocol is often a key component in single sign-on. It is used to simplify password management by authenticating a user to an interface running on a remote system. However, it's not exactly easy to understand how it works. Refer to my blog post (Only) What you need to Know About Kerberos for the details.  

Q: How does single sign on save my company money?

A:  SSO can significantly reduce the high cost of managing passwords across your organization. The overwhelming majority of the cost of managing employee access to computing resources is tied up in the cost of managing passwords. Most people are shocked by the magnitude of these costs. When you add up the time spent managing passwords by all end users, administrators, and help desk personnel in an organization, plus the time waiting on the phone for a solution, and the time it takes every employee to change all of their passwords four or more times a year, these costs are surprisingly high. When you understand the actual cost of managing passwords, evaluating SSO solutions becomes so much easier. We provide this solution-independent SSO ROI Calculator to help you calculate the cost of managing passwords in your organization.  

Q:  Do the userIDs need to be the same on all systems for SSO to work?

A:  NO!  That’s sort of the beauty of this approach. EIM ensures that sessions get created under the appropriate userID on non-Windows platforms even if the userIDs for a person are different in the Windows domain and in the non-Windows platform.  

Q:  Will single sign on work with Web server applications?

A:  If the Web server you are using supports Kerberos and the application is written (or can be changed) to use Web server authentication, then the answer is yes.  

Q: How does SSO work with IFS objects?

A: You have to access IFS through some sort of interface. FTP, NetServer, Telnet, ODBC, etc. all support SSO.  Once the application/interface is connected and the job associated with it is running under the proper userID, SSO has nothing to do with accessing any resources be they IFS, QSYS.LIB, DB2, etc…  

Q:  Does SSO stat! require purchasing software licenses?

A:  No.  SSO stat! relies entirely on function you already own.  You need one Key Distribution Center (KDC, aka Kerberos server) and you need client-side Kerberos support for each client to which you want to authenticate.  Windows Domain controllers are KDCs. If you log into a Windows domain from your PC then, by definition, you have KDC. Nearly all commercial operating systems provide Kerberos client support.  Of course, you don't have to have a Windows Domain to use SSO, it's just more work to create a KDC and the Kerberos users.  

Q:  Does the SSO stat! service really take less than a day?

A:  Yes. What we mean is that it normally takes less than a day to implement SSO assuming all components are in place. However, some clients prefer to do the work over the course of several days.  For example, small configuration changes are often required either on the KDC or on the client. Some customers prefer to investigate these changes before making them in the interest of due diligence. (For the record, I have never seen these changes break anything.)  In that instance, and a few others, the couple of hours may be spread over different days.  

Q:  Does SSO work with old PC5250 clients?

A:  It works with IBM PC5250 clients starting with V5R1.  

Q:  Can SSO be achieved between Java Web applications?

A:  Yes.  The Java applications need to be implemented to use Kerberos. Use the JGSS class methods to do this.  

Q:  Is HA role swap possible with SSO?

A:  I have helped several customers set up EIM and Kerberos for different HA environments (e.g. MIMIX, iTera, Save/Restore).  There are at least a couple of different options regardless of the HA strategy and methodology you employ. It would be best to discuss the specifics of your environment over the phone. I have one customer that has a total of 10 partitions on a single platform. The EIM repository is hosted in a separate partition. If a partition goes down, it fails over to a partition on a separate system.  We replicate the EIM repository to a partition on the HA system.  If the whole production machine fails, or if the EIM partition fails, the HA machine immediately takes over. Also, note that EIM being down will only affect those people attempting to create a new connection. Once a connection is established (i.e. once authentication and identity mapping is completed), EIM is not needed by that connection.  

Q:  What happens to logons if EIM is offline?

A:  Logons won’t work (for most systems) if EIM goes down. There are a couple of strategies for dealing with this. Each environment and set of requirements are different, so it’s hard to describe which solution works best without having the details.  Sometimes companies can rely on their HA plan. They typically will host the EIM repository on the production system.  If the production system ever goes down they know that the HA system becomes the production system.  In this scenario, they can either use LDAP replication to keep the production and HA EIM repositories in sync or they can use their HA products to do so. You also must make sure that the Kerberos configuration and keytab file are enabled for HA.  How this is done is highly dependent on whether the HA swap includes IP address and hostname takeover, only hostname takeover, or none.  

Q: ­Does SSO work with Lotus Domino web server?

A: Yes.  

Q:  Do I need any additional software?

A:  No additional software is needed to get SSO working. Some folks choose to automate loading and/or management of EIM. This can be done by writing your own tools or purchasing tools from Botz & Associates.  

MORE QUESTIONS? Request a 1-hour consultation and we’ll help you determine the type (not brand!) of SSO solution you need — and run a preliminary ROI analysis — no charge.

 

WHITE PAPER: PRACTICAL SSO


Patrick Botz teaches you how to cut through the technological complexity and take a sensible business approach to SSO in A Guide to Practical Single Sign-On.

Download now

Free SSO ROI Calculator


Download the Botz SSO ROI Calculator to get a more precise, independent estimate of SSO's payback period and long-term ROI for your organization.

Read More

On-Demand SSO Webinar


Watch SSO in a Day with Patrick Botz to learn how you can get SSO implemented quickly in your organization.

View it here

SSO stat! Base Package


1)  SSO implementation between Windows-based workstations and up to 4 instances of an IBM i server, or up to 2 instances of another server type (MAC OS, AIX, UNIX, Linux)

2)  Enablement of up to 500 users.

3)  Ongoing tech support to address issues introduced by application or OS updates.


Botz Security Bytes — Subscribe Here