5.8.3: Verifying SSO between WebSphere and Domino

This document discusses the verification of SSO between Domino and WebSphere Application Server. Before proceeding, verify that the following conditions are met:

  • The LDAP directory contains at least one user that is defined for testing purposes.
  • The WebSphere Application Server administrative console can be started for each of the WebSphere Application Server administrative domains involved in SSO.
  • A user can authenticate to each administrative domain using a security name defined in the LDAP directory.
  • At least one user in the LDAP directory must be authorized to access at least one Domino resource, such as the Domino Directory.
  • At least one user in the LDAP directory must be authorized to access at least one WebSphere Application Server resource, such as the Hello servlet.
  • From a Web browser that is configured not to accept HTTP cookies, you are able to reach the following resources:
    • WebSphere-protected resources, like servlets, after being prompted for a user ID and password.
    • Domino-protected resources, like Lotus Notes databases, after being prompted for a user ID and password.

If all of the preliminary tests succeed, you are ready to verify that SSO is working correctly. To test the SSO functionality, perform the following steps:

  1. Restart the Web browser.
  2. Configure the Web browser to accept HTTP cookies. (If you are using Internet Explorer, enable the per-session (not stored) type of cookies.)
  3. Configure the browser to notify you before accepting HTTP cookies. This will provide visual confirmation that Domino and WebSphere Application Server are generating and returning HTTP cookies to your browser after you authenticate. (You can suppress the cookie notifications after you verify that cookies are being exchanged.)
  4. From the browser, specify the URL for a resource protected by the Domino server; for example, attempt to open a database that permits no access to anonymous users, as described in the following example:
    • Make sure to use a fully qualified DNS host name in the URL; for example, enter http://myhost.mycompany.com/names.nsf instead of http://myhost/names.nsf.
    • When prompted for a user ID and password, make sure that you specify a user ID that is authorized to access resources for both the Domino and WebSphere application servers.
      Note: The format of the name depends on the level of restriction Domino is using for Web users and whether Domino or another LDAP directory is being used. (For details on the options for basic authentication, refer to the Domino 5 Administrative Help; in particular, see the information on controlling the level of authentication for Web clients.) The level of restriction Domino uses for Web users is set in the Web server authentication field on the Security window of the Server document. If you are using the default configuration settings, you can specify the user's short name or user ID.
    • When prompted, accept the HTTP cookie.
    Successfully accessing such a resource verifies that the token generated by the Domino server is accepted by WebSphere Application Server.
  5. From the same browser session, attempt to access a resource protected by WebSphere Application Server. If SSO is working correctly, access is granted without prompting you to log in. (If you are prompted, refer to SSO fails when accessing protected resources for assistance.) Make sure to use the fully qualified DNS host name in the URL. For example, type http://myhost.mycompany.com/webapp/examples/showCfg instead of http://myhost/webapp/examples/showCfg.
  6. From the same browser session, attempt to access resources managed by any additional Domino and WebSphere Application Server domains included in your SSO configuration.
  7. Restart your browser session and perform the SSO-verification steps again, but this time, start by accessing a resource protected by WebSphere Application Server. This will verify that the token generated by WebSphere Application Server is accepted by the Domino server or servers. When prompted for a user ID and password, use the user's short name or user ID; this is the default naming convention for users in WebSphere Application Server.
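
The steps above insist on fully qualified DNS host names because an HTTP client only stores and returns a domain-scoped cookie when the host in the URL matches the cookie's domain. The following sketch is an added example, not part of the original documentation; it replays that client-side decision offline with Python's standard cookie jar. The cookie name, token value, the `.mycompany.com` cookie domain and the host `washost` are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed sample of the Set-Cookie header returned after a successful login.
# The cookie name and the SSO domain are assumptions for this example.
SET_COOKIE = "LtpaToken=AAAA-constructed-token; Path=/; Domain=.mycompany.com"


class _Response:
    """Minimal stand-in for an HTTP response carrying one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def token_forwarded(login_url, next_url, set_cookie=SET_COOKIE):
    """Return True if the cookie set at login_url would be sent to next_url."""
    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request(login_url)
    # The client accepts the cookie only if the login host matches its domain.
    jar.extract_cookies(_Response(set_cookie), login)
    follow_up = urllib.request.Request(next_url)
    # The client attaches the cookie only if the next host matches as well.
    jar.add_cookie_header(follow_up)
    return follow_up.has_header("Cookie")


if __name__ == "__main__":
    domino_fqdn = "http://myhost.mycompany.com/names.nsf"
    domino_short = "http://myhost/names.nsf"
    was_fqdn = "http://washost.mycompany.com/webapp/examples/showCfg"
    was_short = "http://washost/webapp/examples/showCfg"
    for first, second in [(domino_fqdn, was_fqdn),
                          (domino_fqdn, was_short),
                          (domino_short, was_fqdn)]:
        verdict = "token sent" if token_forwarded(first, second) else "no token, login prompt"
        print(f"{first} -> {second}: {verdict}")
```

Only the first pairing forwards the token; with a short host name on either side the client drops or withholds the cookie, which appears during verification as an unexpected second login prompt.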
