EIM can certainly be used for things other than SSO. EIM is designed to
allow you to keep track of ALL of a person's userIDs regardless of where
they are stored.

Further, Kerberos is NOT required to use EIM nor is it required for SSO.
We have enabled many different scenarios that don't use Kerberos, but use
EIM. If an application knows how to generate a Kerberos ticket, there is
no extra effort required.

If an application does not accept Kerberos there are often ways to allow
the user to continue to access i5/OS without supplying their i5/OS user
profile and password. For example, we have built plug-ins for HATS that
bypass the sign-on but don't use Kerberos. They do continue to use EIM,
but we use Identity Tokens generated in the plug-in and passed indirectly.
This is combined with a Telnet exit point that verifies the Identity
Token and maps from the WAS userID to the i5/OS userID.

If the application is using something other than Telnet, we often use an
exit point program for the specific interface they are using. We teach the
users to always enter their Windows ID/pwd. The exit point uses LDAP bind
to remotely verify the userID and password, and again, we use EIM to map
to the i5/OS user profile.

We have also built a number of DSAPI plug-ins for Notes iAccess for Web.
Depending on what a customer is already using in their environment, we
have plug-ins that use LTPA tokens, ID Tokens, Kerberos tickets, and also
the Windows userID/pwd approach described in the paragraph above.

Patrick Botz
Security Architecture Consulting & Implementation
IBM Systems and Technology Group Lab Services
mail: botz@xxxxxxxxxx
phone: 507.253.0917 / mobile: 507.250.5644
ibm.com/servers/eserver/services

midrange-l-bounces@xxxxxxxxxxxx wrote on 04/18/2007 12:43:14 PM:

The TPAs (third party applications) would have to be EIM enabled. Does
Kronos accept a Kerberos ticket to sign on? Probably not. We have Kronos
here but I never touch the stuff. Without the ability to accept a
Kerberos ticket it isn't going to happen. Well, you can do anything given
enough time, money and desire. I suppose you could front end the Kronos
to accept a Kerberos ticket yourself. Or, some initial program that takes
your 5250 id and uses 5250 api's to "pretype" in the next screen.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

<lgoodbar@xxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
04/18/2007 11:44 AM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>

To: <midrange-l@xxxxxxxxxxxx>
cc:
Fax to:
Subject: RE: EIM without SSO

This is good stuff to know.

Am I correct in understanding that EIM maps Windows/AD IDs to an iSeries
profile? Does EIM work with third-party systems such as Kronos, etc.?

We are less interested in SSO, though I can see where the benefit is. EIM
would help us map user IDs to our various systems, but TIM looks like it
offers workflow and additional management capabilities we're seeking.

--Loyd

Loyd Goodbar
Senior programmer/analyst
BorgWarner
TS Water Valley
662-473-5713
-----Original Message-----
From: midrange-l-bounces+lgoodbar=borgwarner.com@xxxxxxxxxxxx
[mailto:midrange-l-bounces+lgoodbar=borgwarner.com@xxxxxxxxxxxx] On
Behalf Of rob@xxxxxxxxx
Sent: Wednesday, April 18, 2007 08:55
To: Midrange Systems Technical Discussion
Subject: RE: EIM without SSO

There's a difference between "eliminating the need" and "forbidding".
"Eliminating the need" is simply telling the 5250 configuration to bypass
the signon screen, and, using EIM and SSO to map their AD signon to an i5
profile.
"Forbidding" is setting their password to a random string (or even *NONE),
changing LCLPWDMGT to *NO, and using EIM and SSO to map their AD signon to
an i5 profile and then telling the 5250 configuration to bypass the signon
screen.

Rob Berendt
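The exit-point flow Patrick Botz describes earlier in the thread (user enters a Windows ID and password, the exit program verifies them with an LDAP bind, then EIM maps the Windows identity to an i5/OS profile) can be modelled to show where it must fail closed. The following is an added example, not code from IBM or from anyone on this list. It assumes an in-memory stand-in for the directory the LDAP bind would check and an in-memory stand-in for the EIM domain; the registry names, user names and passwords are constructed sample data. The EIM stand-in keeps EIM's real shape: an identifier per person, with source associations (registry, user) and target associations (registry to user), so a lookup is "source identity, then identifier, then target in the requested registry", not a flat one-to-one table.

```python
"""Model of an exit-point decision: verify Windows credentials, then map to an i5/OS profile.

Added example. The LDAP bind is replaced by an in-memory credential check and the
EIM domain by in-memory dictionaries; all names and passwords are constructed.
"""
import hashlib
import hmac

# Constructed stand-in for the Windows directory the exit point would bind against.
# Passwords are stored as salted SHA-256 digests, never as plaintext (hypothetical data).
_SALT = b"constructed-example-salt"


def _digest(password: str) -> bytes:
    return hashlib.sha256(_SALT + password.encode("utf-8")).digest()


WINDOWS_DIRECTORY = {
    "jsmith": _digest("Winter2007!"),
    "abrown": _digest("correct-horse"),
}


def ldap_bind(user: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: true only if the user exists and the password matches."""
    stored = WINDOWS_DIRECTORY.get(user)
    presented = _digest(password)
    if stored is None:
        # Compare against a dummy value so unknown and known users take the same path.
        hmac.compare_digest(presented, _digest(""))
        return False
    return hmac.compare_digest(presented, stored)


# Constructed stand-in for an EIM domain. Each identifier (a person) carries
# source associations, i.e. (registry, user) pairs that identify the person,
# and target associations, i.e. registry -> user the person may be mapped to.
EIM_DOMAIN = {
    "Jane Smith": {
        "source": {("WINDOWS.EXAMPLE.COM", "jsmith")},
        "target": {"I5OS.EXAMPLE.COM": "JSMITH"},
    },
    "Alan Brown": {
        "source": {("WINDOWS.EXAMPLE.COM", "abrown")},
        "target": {},  # verified in Windows, but no i5/OS target association yet
    },
}


def eim_lookup(src_registry: str, src_user: str, tgt_registry: str):
    """Return the target user in tgt_registry for a source identity, or None.

    Fails closed when no identifier claims the source identity, when more than one
    does (an ambiguous mapping), or when the identifier has no target in tgt_registry.
    """
    matches = [
        ident for ident in EIM_DOMAIN.values()
        if (src_registry, src_user) in ident["source"]
    ]
    if len(matches) != 1:
        return None
    return matches[0]["target"].get(tgt_registry)


def exit_point_decision(windows_user: str, password: str,
                        src_registry: str = "WINDOWS.EXAMPLE.COM",
                        tgt_registry: str = "I5OS.EXAMPLE.COM"):
    """Decide whether to let the session continue and as which i5/OS profile.

    Returns ("ALLOW", profile) or ("REJECT", reason). The EIM lookup runs only after a
    successful bind, so an unverified identity is never mapped to a profile.
    """
    if not ldap_bind(windows_user, password):
        return ("REJECT", "bind failed")
    profile = eim_lookup(src_registry, windows_user, tgt_registry)
    if profile is None:
        return ("REJECT", "no EIM target association")
    return ("ALLOW", profile)


if __name__ == "__main__":
    for user, pwd in [("jsmith", "Winter2007!"), ("jsmith", "wrong"),
                      ("abrown", "correct-horse"), ("nobody", "x")]:
        print(user, "->", exit_point_decision(user, pwd))
```

The order matters: the mapping step never runs for an identity that did not bind, and a user who binds but has no target association in the i5/OS registry is rejected rather than dropped into some default profile. That second case is the one to watch when EIM is used, as Patrick describes, to track identities beyond SSO: a Windows account can exist and verify without having been associated with any i5/OS profile.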
