EGL Support for SSO

Single Sign-On (SSO) is an authentication process that enables users to access multiple applications with a single set of credentials. This enhances security and user experience by reducing password fatigue and ensuring centralized access control.

This document outlines three approaches to implementing SSO across varied environments and technologies.

SSO using Kerberos (for IBM i Systems)

Kerberos is a network authentication protocol that uses secret-key cryptography to verify identities. In this implementation, Kerberos enables users authenticated in a central domain (e.g., Microsoft Active Directory) to seamlessly access IBM i (AS/400) applications without re-entering credentials.

It works by issuing time-stamped tickets and token exchanges within a trusted domain, providing secure and passwordless access across systems.

Refer to How to configure EIM and NAS using IBM Navigator for i for detailed steps on configuring Kerberos with IBM i systems.

For more information, refer to SSO using Kerberos (for IBM i Systems).

SSO using Keycloak with Spring Security (JWT-based Resource Server)

This approach configures a Spring Boot application as an OAuth2 Resource Server secured with JWTs (JSON Web Tokens) issued by Keycloak. Keycloak acts as the Identity Provider (IdP), managing login, token issuance, and session handling.

After authentication, Keycloak provides a signed JWT containing user claims and roles. The Spring application validates these tokens using the public JWK (JSON Web Key) endpoint exposed by Keycloak.

Configuration Example
// Inside the SecurityFilterChain bean: validate bearer JWTs and map their claims to authorities
http.oauth2ResourceServer(oauth2 ->
    oauth2.jwt(jwt ->
        jwt.jwtAuthenticationConverter(jwtAuthConverter)));

The jwtAuthenticationConverter extracts roles/authorities from the token, enabling role-based access control within the application.
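The following is an added, complete example of the resource-server configuration described above; it is not code from the EGL documentation or the project. It assumes Spring Boot 3 / Spring Security 6, that Keycloak issues its realm roles in the default "realm_access" claim, and that the issuer is set in application.properties as spring.security.oauth2.resourceserver.jwt.issuer-uri (the realm URL is a placeholder). The class and bean names are hypothetical.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.web.SecurityFilterChain;

// Assumed application.properties entry (placeholder realm URL):
//   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://keycloak.example.com/realms/demo
// Spring discovers the JWK Set URL from the issuer, caches the public keys and
// verifies signature, issuer and expiry of every bearer token automatically.
@Configuration
@EnableWebSecurity
public class KeycloakResourceServerConfig {

    // Hypothetical converter: maps Keycloak's realm roles
    // ("realm_access": {"roles": [...]}) onto Spring authorities carrying the
    // ROLE_ prefix that hasRole() expects. Client roles live under
    // "resource_access" and would need the same treatment if used.
    static class KeycloakRealmRoleConverter
            implements Converter<Jwt, Collection<GrantedAuthority>> {
        @Override
        public Collection<GrantedAuthority> convert(Jwt jwt) {
            Map<String, Object> realmAccess = jwt.getClaimAsMap("realm_access");
            if (realmAccess == null || !(realmAccess.get("roles") instanceof Collection)) {
                // No roles claim: authenticated but without any authority.
                return Collections.emptyList();
            }
            Collection<?> roles = (Collection<?>) realmAccess.get("roles");
            return roles.stream()
                    .map(Object::toString)
                    // Role names must match exactly what Keycloak issues.
                    .map(role -> new SimpleGrantedAuthority("ROLE_" + role))
                    .collect(Collectors.toList());
        }
    }

    @Bean
    public JwtAuthenticationConverter jwtAuthConverter() {
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmRoleConverter());
        // Expose the human-readable username as the principal instead of the opaque "sub".
        converter.setPrincipalClaimName("preferred_username");
        return converter;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   JwtAuthenticationConverter jwtAuthConverter)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/actuator/health").permitAll()
                // Requires a Keycloak realm role literally named "admin".
                .requestMatchers("/admin/**").hasRole("admin")
                .anyRequest().authenticated())
            // Stateless bearer-token validation; no Keycloak adapter involved.
            .oauth2ResourceServer(oauth2 ->
                oauth2.jwt(jwt ->
                    jwt.jwtAuthenticationConverter(jwtAuthConverter)));
        return http.build();
    }
}
```

The converter is where role-based access control is decided, so keep it strict: return no authorities when the claim is absent rather than a default role, and do not rename or upper-case roles unless the Keycloak realm configuration is changed to match. Because the issuer URI drives key discovery, a token from any other realm (a different iss) is rejected before the converter runs.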

For more information, refer to Installing, Configuring, and Enabling the SSO.

SSO using Keycloak with Jakarta EE (JWK for JWT Validation)

For Jakarta EE-based applications, SSO can be implemented using standard JWT validation without requiring Keycloak adapters. Applications validate incoming JWTs issued by Keycloak against the public JWK endpoint.

This integration leverages JAX-RS and Jakarta Security capabilities to ensure lightweight and portable security for enterprise applications.
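The following is an added example of the adapter-free Jakarta EE approach described above; it is not code from the EGL documentation or the project. It assumes Jakarta REST (JAX-RS) 3.x and the Nimbus JOSE+JWT library for parsing and verifying the token against Keycloak's JWK Set endpoint. The realm URL, audience value and class name are placeholders.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import jakarta.annotation.Priority;
import jakarta.ws.rs.Priorities;
import jakarta.ws.rs.container.ContainerRequestContext;
import jakarta.ws.rs.container.ContainerRequestFilter;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.ext.Provider;

// Hypothetical JAX-RS filter that validates Keycloak-issued JWTs directly
// against the realm's JWK Set, with no Keycloak adapter in the application.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class KeycloakJwtFilter implements ContainerRequestFilter {

    // Placeholder values; Keycloak exposes the realm's keys at .../protocol/openid-connect/certs.
    private static final String ISSUER = "https://keycloak.example.com/realms/demo";
    private static final String JWKS_URL = ISSUER + "/protocol/openid-connect/certs";
    private static final String EXPECTED_AUDIENCE = "demo-api";

    private final ConfigurableJWTProcessor<SecurityContext> processor;

    public KeycloakJwtFilter() throws MalformedURLException {
        // Remote JWK source: keys are cached and refreshed when an unknown "kid" appears,
        // so Keycloak key rotation does not require an application restart.
        JWKSource<SecurityContext> keySource = JWKSourceBuilder
                .create(new URL(JWKS_URL))
                .build();
        processor = new DefaultJWTProcessor<>();
        // Accept only RS256-signed tokens; unsigned or HMAC tokens are rejected outright.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));
        // Pin issuer and audience and require exp, so expired tokens and tokens
        // minted for another realm or client fail verification.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                EXPECTED_AUDIENCE,
                new JWTClaimsSet.Builder().issuer(ISSUER).build(),
                new HashSet<>(List.of("sub", "iat", "exp"))));
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            abort(ctx);
            return;
        }
        try {
            JWTClaimsSet claims = processor.process(header.substring(7).trim(), null);
            // Hand verified identity and roles to resources via request properties.
            ctx.setProperty("jwt.claims", claims);
            ctx.setProperty("jwt.roles", realmRoles(claims));
        } catch (Exception e) {
            // Signature, issuer, audience, expiry or parse failure: all end here.
            abort(ctx);
        }
    }

    // Extracts Keycloak realm roles from "realm_access": {"roles": [...]}.
    static Set<String> realmRoles(JWTClaimsSet claims) throws ParseException {
        Map<String, Object> realmAccess = claims.getJSONObjectClaim("realm_access");
        if (realmAccess == null || !(realmAccess.get("roles") instanceof List)) {
            return Collections.emptySet();
        }
        Set<String> roles = new HashSet<>();
        for (Object role : (List<?>) realmAccess.get("roles")) {
            roles.add(role.toString());
        }
        return roles;
    }

    private static void abort(ContainerRequestContext ctx) {
        // Generic 401 with no detail, so the response does not reveal why validation failed.
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer error=\"invalid_token\"")
                .build());
    }
}
```

Two points worth checking when adopting this pattern: Keycloak only includes a client in the aud claim when an audience mapper is configured for it, so the audience check above will reject every token until that mapper exists; and the filter must run at AUTHENTICATION priority (as annotated) so that later authorization filters can rely on the properties it sets.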

For more information, refer to Installing, Configuring, and Enabling the SSO.