Environment: ISVGIM 10.0.2.3, ISVA 10.0.9
Follow the steps below so that an administrator already logged in to ISVA WebSEAL can single sign-on directly into https://isvaip/itim/console
Managing the single sign-on configuration – IBM Documentation
1. Configure Account Mapping
For single sign-on, account mapping occurs between IBM® Security Verify Access and Identity Manager during login authentication.
When a user accesses Identity Manager through WebSEAL with single sign-on, the user must specify an IBM Security Verify Access user account and password.
IBM Security Verify Access checks whether the user is authorized to access Identity Manager.
If authentication and authorization succeed, the IBM Security Verify Access user account is passed in the iv-user HTTP request header to Identity Manager.
Identity Manager passes the information in the HTTP request header to Identity Manager for further processing.
Identity Manager uses the IBM Security Verify Access user account to find a matching user account in the Identity Manager directory.
Typically, IBM Security Verify Access and Identity Manager user accounts are identical.
If they are identical, the Identity Manager user can log in to Identity Manager.
If they are not identical, you can configure Identity Manager user account mapping.
There are two configuration options. They are controlled by the enrole.authentication.idsEqual attribute in the enRoleAuthentication.properties file.
Configuration Options
Default option: enrole.authentication.idsEqual=true
No mapping is attempted.
The IBM Security Verify Access user account passed in the iv-user HTTP request header must be identical to an Identity Manager user account defined in the Identity Manager directory for the user to log in to Identity Manager.
If the policy in your installation is that all Identity Manager user accounts must have matching IBM Security Verify Access user accounts, specify enrole.authentication.idsEqual=true to avoid unnecessary mapping processing and overhead.
Alternative option, account mapping enabled: enrole.authentication.idsEqual=false
The IBM Security Verify Access user account passed in the iv-user HTTP request header is used to search the IBM Security Verify Access directory (the ISVD SIMLDAP in this environment) for a matching Identity Manager user account:
- If an identical Identity Manager account is found, the user can log in to Identity Manager.
- If an identical Identity Manager account is not found, Identity Manager attempts to locate a matching Identity Manager user account with the following mapping logic:
  - The IBM Security Verify Access user account in the iv-user HTTP request header is used to search the Identity Manager directory (the ISVD SIMLDAP in this environment) for an IBM Security Verify Access user account.
  - If an identical IBM Security Verify Access user account is found in the Identity Manager directory, Identity Manager searches for the Identity Manager Person entity that owns that IBM Security Verify Access user account.
  - If an owning Identity Manager Person entity cannot be located, the user cannot log in.
  - If the Identity Manager Person entity that owns the matching IBM Security Verify Access user account is found, a search is performed for an Identity Manager user account owned by that entity.
  - If an Identity Manager user account owned by that Person is found, the user can log in to Identity Manager with that account. Otherwise, the user cannot log in.
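To make the two idsEqual settings and the mapping chain concrete, the following added example (my own code, not IBM's and not part of the original post) reads enrole.authentication.idsEqual from a constructed excerpt of enRoleAuthentication.properties and then resolves an iv-user header against a toy in-memory model of the Identity Manager directory. The directory contents, Person names and account names are constructed; the function names load_ids_equal, resolve_login and the ItimDirectory class are assumptions of this example, not Identity Manager APIs.

```python
# Added example (not IBM's code): a small simulation of the account-mapping
# decision described above. Reads enrole.authentication.idsEqual from a
# constructed enRoleAuthentication.properties excerpt, then resolves the
# iv-user header against a toy model of the Identity Manager directory.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed excerpt of enRoleAuthentication.properties (not a real file)
PROPERTIES_TEXT = """\
# enRoleAuthentication.properties (constructed excerpt)
enrole.authentication.idsEqual=false
"""


def load_ids_equal(properties_text: str) -> bool:
    """Return the value of enrole.authentication.idsEqual; when the key is
    absent the default applies, true (no mapping attempted)."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "enrole.authentication.idsEqual":
            return value.strip().lower() == "true"
    return True


@dataclass
class ItimDirectory:
    """Toy model of the Identity Manager directory (constructed data).
    Each account maps to the name of the Person entity that owns it."""
    persons: Set[str]
    itim_accounts: Dict[str, str]   # Identity Manager account -> owning Person
    isva_accounts: Dict[str, str]   # ISVA account registered in ITIM -> owning Person

    def itim_account_owned_by(self, person: str) -> Optional[str]:
        for uid, owner in sorted(self.itim_accounts.items()):
            if owner == person:
                return uid
        return None


def resolve_login(headers: Dict[str, str], directory: ItimDirectory,
                  ids_equal: bool) -> Optional[str]:
    """Return the Identity Manager account the user logs in as, or None when
    login is refused. Assumes the iv-user header was set by WebSEAL on the
    junction and was not supplied by the client."""
    iv_user = headers.get("iv-user")
    if not iv_user:
        return None
    # Both settings: an identical Identity Manager account logs in directly.
    if iv_user in directory.itim_accounts:
        return iv_user
    if ids_equal:
        return None            # idsEqual=true: no mapping is attempted
    # idsEqual=false: look for an ISVA account of the same name in the directory
    owner = directory.isva_accounts.get(iv_user)
    if owner is None:
        return None
    # The owning Person entity must be locatable
    if owner not in directory.persons:
        return None
    # Finally, log in as an Identity Manager account owned by that Person
    return directory.itim_account_owned_by(owner)


# Constructed sample directory
SAMPLE_DIRECTORY = ItimDirectory(
    persons={"P001", "P002", "P003"},
    itim_accounts={"admin": "P001", "zhangsan": "P002"},
    isva_accounts={"zhang.san": "P002",   # maps to zhangsan via Person P002
                   "li.si": "P003",       # Person exists but owns no ITIM account
                   "orphan": "P999"},     # owning Person cannot be located
)


def demo() -> Dict[str, Optional[str]]:
    """Resolve a few constructed iv-user values with the configured setting."""
    ids_equal = load_ids_equal(PROPERTIES_TEXT)
    results = {}
    for user in ("admin", "zhang.san", "li.si", "orphan", "nobody"):
        results[user] = resolve_login({"iv-user": user}, SAMPLE_DIRECTORY, ids_equal)
    return results


if __name__ == "__main__":
    for user, account in demo().items():
        print(f"iv-user={user!r:12} -> {account!r}")
```

With idsEqual=false, zhang.san is mapped to the Identity Manager account zhangsan through the owning Person P002, while li.si (Person without an Identity Manager account) and orphan (no locatable Person) are refused; with idsEqual=true only the exact match admin would succeed. The resolve_login function deliberately treats the iv-user header as already authenticated, which matches the flow above only when the header arrives over the WebSEAL junction.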