Configuring Dynamic Workload Console to use Single Sign-On
Single Sign-On (SSO) is a method of access control that allows a user to authenticate once and gain access to the resources of multiple applications sharing the same user registry.
This means that using SSO you can run queries on the plan or manage object definitions on the database accessing the engine without authenticating, automatically using the same credentials you used to log in to the Dynamic Workload Console.
The same is true when working with the Self-Service Catalog and Self-Service Dashboards apps from a mobile device. If the Dynamic Workload Console has been configured to use SSO, then these apps automatically use the same credentials used to log in to the Dynamic Workload Console.
After the installation completes you can configure Dynamic Workload Console and the HCL Workload Automation engine to use SSO. To do this they must share the same LDAP user registry.
The Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services running over TCP/IP - see Configuring authentication for more details.
- If engine connection has the user credentials specified in its definitions
- These credentials are used. This behavior regards also engine connections that are shared along with their user credentials.
- If the user credentials are not specified in the engine connection
- The credentials you specified when logging in to Dynamic Workload Console are used. This behavior regards also shared engine connections having unshared user credentials.
Before you proceed, ensure that the same value is defined for the WMMRealm property in both the Dynamic Workload Console and master domain manager. For more information about how to verify and correct this setting, see Configuring the Dynamic Workload Console and master domain manager for Single Sign On.
In addition to sharing the same LDAP user registry, the instance of WebSphere Application Server used by the Dynamic Workload Console and also the instance used by the engine where the Single Sign-On is required, must both be configured to use the same Lightweight Third-Party Authentication token-keys. See Configuring the use of Lightweight Third-Party Authentication