Welcome to the IBM Security Access Manager Demo for the Microsoft applications integration.
This is the fourth episode of the five sessions of the IBM Security Role
and Membership Providers for SharePoint 2010 Series.
Previously, in Episode 3, we demonstrated how to create a new claims-based web application
and activate the single sign-on feature.
In this episode, we will demonstrate how
to test the single sign-on feature using virtual host junction from WebSEAL.
First step, open Microsoft SharePoint 2010 Central Administration Console
and create a new site collection for the web application created in the previous video.
Under Application Management, click Create site collections.
Under the Web Application section, ensure the URL of the new claims-based site is selected.
Fill in an appropriate title and description for this new site collection.
Select a template type of your choice.
We will select the document workspace template for this demo.
Next, the integration requires you to enter a valid IBM Security Access Manager user account
as the primary or secondary site collection administrator or both.
For this demonstration, we will configure the primary site collection administrator
as sec_master.
To achieve this, click on the address book icon.
In the Search People dialog, search for sec_master.
Search results will appear.
Ensure you select the returned Forms Auth user entry.
To validate that the correct Forms Auth user has been chosen,
you may hover over the user name entry field and see a tag pop up saying
"Access Manager membership provider:sec_master".
This means sec_master is a user of the specified Access Manager membership provider,
which we configured when creating the new web application in the previous episode.
Click okay to create the new site collection for the claims-based web application.
Next we will move to the IBM Security Access Manager environment
and create a virtual host junction in WebSEAL used to achieve single sign-on
to the SharePoint web application.
When configuring WebSEAL you may consider two options: one, configure WebSEAL
and the SharePoint web application to use the same port; or two,
configure WebSEAL with an interface that listens on the same port
as the SharePoint web application.
In this demo, the WebSEAL instance we have preconfigured uses the same port number
as the SharePoint application we created, that is, port 8080.
If you are interested in the other option,
detailed information is provided in the integration guide.
Let us quickly show you that this instance is preconfigured in WebSEAL on the port 8080.
Now, in the pdadmin command line prompt we will proceed to create the virtual host junction
for WebSEAL instance on port 8080.
The integration requires the WebSEAL virtual host junction to be created
with options including the following.
-t -- in this case we have used tcp,
which defines the network transport chosen for this virtual host junction.
-h -- the fully qualified domain name that is used in the URL
of the SharePoint web application we created.
Note, for virtual host junctions, we have configured DNS host mapping
on the Access Manager machine so that it can resolve
the SharePoint Server fully qualified domain name.
Similarly, end-user or client machines
accessing the SharePoint web applications should be set
up to reach the SharePoint server via WebSEAL.
Next we have -p and the port number.
This matches the port number assigned to the SharePoint claims-based web application.
This also means that the virtual host junction is listening on port 8080
and will route requests to the host name entered.
Next is -c iv_user,iv_groups, where -c inserts the authenticated user name
into the iv-user header, and the roles (groups) the user belongs to
in IBM Security Access Manager into a header called iv-groups.
Finally comes the name of the new virtual host junction.
We will call it sb_ssr.
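As an added illustration (not code from the demo or from the IBM provider), the following assembles the pdadmin junction command from the options listed above and shows how a junctioned backend reads the resulting iv-user and iv-groups headers, refusing identity headers that did not arrive through WebSEAL; the instance name, host name, group names and the quoted comma-separated iv-groups format are assumptions.

```python
import csv

# Constructed sample of what the junction forwards to SharePoint (not a capture).
# Assumed WebSEAL formatting: group names double-quoted and comma separated.
SAMPLE_HEADERS = {
    "Host": "sharepoint.example.com:8080",
    "iv-user": "sec_master",
    "iv-groups": '"SharePoint Admins","Everyone"',
}


def build_vhj_command(instance, host, port, junction):
    """Render the pdadmin 'server task ... virtualhost create' line using the
    options the episode lists: -t tcp, -h host, -p port, -c iv_user,iv_groups.
    The instance name (e.g. default-webseald-<host>) is environment specific."""
    return (f"server task {instance} virtualhost create -t tcp -h {host} "
            f"-p {port} -c iv_user,iv_groups {junction}")


def parse_iv_groups(value):
    """Split an iv-groups header value into group names. csv handles the
    quoting, so a comma inside a quoted group name does not split it."""
    row = next(csv.reader([value], skipinitialspace=True), [])
    return [name for name in row if name]


def identity_from_headers(headers, via_webseal=True):
    """Derive (user, groups) the way a junctioned backend would.
    Only trust the headers when the request came through the junction: a client
    that can reach SharePoint directly could otherwise supply its own iv-user,
    so the backend should be reachable only from WebSEAL."""
    if not via_webseal:
        raise PermissionError("identity headers are accepted only via the WebSEAL junction")
    lookup = {k.lower(): v for k, v in headers.items()}
    user = lookup.get("iv-user")
    if not user:
        raise PermissionError("no iv-user header: request is unauthenticated")
    return user, parse_iv_groups(lookup.get("iv-groups", ""))


def claim_name(user, provider="Access Manager membership provider"):
    """Match the tooltip the people picker shows: '<provider>:<user>'."""
    return f"{provider}:{user}"


if __name__ == "__main__":
    print(build_vhj_command("default-webseald-isam", "sharepoint.example.com", 8080, "sb_ssr"))
    user, groups = identity_from_headers(SAMPLE_HEADERS)
    print(claim_name(user), groups)
```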
Once the virtual host junction is successfully created we will move
to the client machine to test this integration.
Open a browser and enter the URL of the new SharePoint claims-based web application, which is
http:// followed by the host name, a colon, and port 8080.
We are redirected to authenticate to WebSEAL
because the browser is accessing SharePoint via Access Manager WebSEAL
using the fully qualified host name,
which resolves to the IP address of the Access Manager WebSEAL server.
Log in with the primary site collection administrator credentials,
that is, the sec_master account we configured.
Upon a successful log-in, the document
and workspace site we created appears in the browser.
Because sec_master is an administrator, the user will have full control
and view access permissions on the site content.
This completes Episode 4 for the IBM Security Role
and Membership Providers for SharePoint 2010 Series.
In the next episode, we will demonstrate how to configure and assign SharePoint site permissions
with IBM Security Access Manager User Groups --
that is, Access Manager group mapping to SharePoint groups.