Hitachi

JP1 Version 12 JP1/Integrated Management 2 - Manager Overview and System Design Guide


3.7.5 Linkage with external products

The Intelligent Integrated Management Base links with external products (products other than JP1 products) by using OpenID Connect. Linkage with external products allows you to operate JP1 products and business applications by single sign-on, enabling seamless integration of operations. The authentication server used for single sign-on allows the use of authentication information registered with the following OpenID providers:

User information regarding the individuals who use both business applications and JP1 products must be registered with both the OpenID provider and JP1/Base (authentication server).

When linkage with external products by single sign-on is enabled, the login window for single sign-on is displayed. The user can use either authentication by JP1/Base or authentication by the OpenID provider to log in to the Intelligent Integrated Management Base.

A user logging in to the Intelligent Integrated Management Base through authentication by the OpenID provider does not have to be authenticated by JP1/Base by using their JP1 user name and password. Furthermore, the user can bypass the login window and directly access the Intelligent Integrated Management Base from another service that uses authentication by the OpenID provider.

Linkage with external products by single sign-on requires user information registered with JP1/Base. DS users, whose JP1 authentication information is managed in the directory server through directory server linkage of JP1/Base, are not eligible for linkage by single sign-on. If a DS user who is specified in the single sign-on mapping definition file attempts authentication, the KAJY52027-E error occurs during user authentication. For details about directory server linkage of JP1/Base, see the JP1/Base User's Guide.

The following figure shows an overview of linking with an external product by using authentication by the OpenID provider.

Figure 3‒26: Overview of linking with an external product by using authentication by the OpenID provider

[Figure]

Furthermore, an individual using another service can issue JP1/IM REST API requests with the authentication information authenticated by the OpenID provider attached to them.

Important

The success of single sign-on through the OpenID provider depends on the lifetime of the session on the OpenID provider. For example, if the session is alive, the user can seamlessly display a Web console of another service from the Intelligent Integrated Management Base by single sign-on. If the session has expired or the cookie has been deleted from the Web browser, the login window appears because the user must be authenticated again. In this case, the user must log in again.

Remember that if a user leaves their desk while still authenticated, a third party can use the system without authorization. A proper lifetime must therefore be set for the OpenID provider's sessions after careful consideration of how the system is operated.
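
The following is an added example, not taken from this manual and not a description of JP1/IM's own behavior: a service that accepts the OpenID provider's ID token can limit the unattended-session exposure described above by checking the standard OpenID Connect `auth_time` and `exp` claims against a maximum login age. The function names, the sample token and the one-hour limit are constructed assumptions, and signature, issuer and audience validation are assumed to be done beforehand by an OIDC library.

```python
import base64
import json
import time

def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(id_token):
    """Decode a compact JWT payload. Signature, iss, aud and nonce are assumed
    to have been verified already by an OIDC library; nothing is verified here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def _is_time(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)

def needs_reauthentication(claims, max_age_s, now=None, skew_s=60):
    """Return (True, reason) when the user must authenticate again."""
    now = time.time() if now is None else now
    exp, auth_time = claims.get("exp"), claims.get("auth_time")
    if not _is_time(exp) or now > exp + skew_s:
        return True, "token expired or exp missing"
    if not _is_time(auth_time):
        return True, "auth_time missing, login age unknown"
    if auth_time > now + skew_s:
        return True, "auth_time is in the future"
    if now - auth_time > max_age_s + skew_s:
        return True, "login is older than the allowed maximum age"
    return False, "authentication is recent enough"

# Constructed sample: the user logged in two hours before SAMPLE_NOW and the
# token itself is still valid for five more minutes. The signature is a dummy.
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "user1", "auth_time": SAMPLE_NOW - 7200, "exp": SAMPLE_NOW + 300}),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(needs_reauthentication(claims, max_age_s=3600, now=SAMPLE_NOW))
```

With the one-hour limit the two-hour-old login is rejected even though the token has not expired, which is the case a long provider session would otherwise let through.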