
IBM ICN cross application authentication


We currently have an installation of IBM Content Navigator in which we built a feature. This feature shows another web application, installed on the same server, inside an iFrame. This application connects to CPE using the Java WS APIs to do some operations using the ICN logged-in user's credentials.

The main problem we are facing is that in our current solution the user logs in twice: once to log in to ICN, and again to log in to the web application. This is undesirable, and we need to eliminate this second login and implement some sort of SSO.

One option available is using Kerberos; however, as it currently stands, the FileNet Java API does not support Kerberos (only .NET).

Any ideas are much appreciated.

References: Using Kerberos on an API Client - https://www.ibm.com/support/knowledgecenter/SSGLW6_5.2.1/com.ibm.p8.ce.dev.ce.doc/sec_procedures.htm


Solution

  • If your web application is deployed on the same WebSphere cell, you don't need to use Kerberos. Kerberos is needed to support SSO between WAS and the client only, not between the application and the client.

    You don't need to use createSubject(); just get it from the security context and provide it to CPE.
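
A sketch of the approach described in the answer above, added here as an example (not code from the original post or from IBM): it takes the caller's JAAS Subject from the WebSphere security context and pushes it onto the FileNet UserContext for the duration of one CPE call. It assumes the web application runs in the same cell with application security enabled, that the CPE connection uses the EJB transport, and that CPE_URI is a placeholder; the class name CpeAsCaller and the CpeWork interface are hypothetical.

```java
import javax.security.auth.Subject;

import com.filenet.api.core.Connection;
import com.filenet.api.core.Factory;
import com.filenet.api.util.UserContext;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

public final class CpeAsCaller {

    // Placeholder (assumption): replace with the CPE EJB-transport URI of your environment.
    private static final String CPE_URI = "iiop://<cpe-host>:<port>/FileNet/Engine";

    /** Hypothetical callback type: the CPE work to perform as the logged-in user. */
    public interface CpeWork<T> {
        T run(Connection conn);
    }

    /** Runs the given work against CPE under the identity WebSphere already authenticated. */
    public static <T> T runAsCaller(CpeWork<T> work) throws WSSecurityException {
        // Subject established by the container for this request (no second login,
        // no createSubject() with a user name and password).
        Subject caller = WSSubject.getCallerSubject();

        // Fail closed: never fall back to a shared or service identity.
        if (caller == null) {
            throw new SecurityException("No authenticated caller Subject on this thread");
        }

        UserContext uc = UserContext.get();
        uc.pushSubject(caller);
        try {
            Connection conn = Factory.Connection.getConnection(CPE_URI);
            return work.run(conn);
        } finally {
            // Always pop: container threads are pooled, and a Subject left on the
            // UserContext would carry this user's identity into the next request.
            uc.popSubject();
        }
    }

    /** Example use: read the P8 domain name with the caller's own permissions. */
    public static String callerDomainName() throws WSSecurityException {
        return runAsCaller(conn -> Factory.Domain.fetchInstance(conn, null, null).get_Name());
    }
}
```

Because the Subject comes from the container, the embedded application must itself be protected by a security constraint so that WebSphere authenticates the request before this code runs.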