5.8.2: Configuring SSO for Lotus Domino
To use SSO with Domino and WebSphere Application Server, you
must first configure SSO for WebSphere Application Server and
then configure SSO for Domino.
Configuring SSO for Domino is accomplished by selecting a new
Multi-server option in a Server document for session-based authentication,
and by creating a new domainwide configuration document, called
the Web SSO Configuration document, in the Domino Directory.
The Web SSO Configuration document, which must be replicated to all
Domino servers participating in the SSO domain, is encrypted for
participating Domino servers and contains a shared secret used by
Domino servers for authenticating user credentials.
To provide SSO to Domino servers, do the following:
- Create the Web SSO Configuration document.
- Update the Server document for SSO.
- Verify the SSO configuration for Domino.
In addition, you can optionally do the following:
- Configure additional Domino servers for SSO.
- Configure SSO for Domino servers in multiple Domino domains.
To complete this procedure, you need the following information
from the configuration of SSO for WebSphere Application Server:
- The path and name of the file containing the LTPA keys
created during SSO configuration for WebSphere Application Server
- The password used to protect the LTPA keys from WebSphere
Application Server
- The name of DNS domain in which WebSphere Application Server
is configured
To create the Web SSO Configuration document, use a Lotus Notes Client
R5.0.5 (or later) and follow these steps:
- In the Domino Directory, select the Servers view.
- Click on the Web pull-down menu item.
- Select the Create Web SSO Configuration option
to create the document.
- On the Web SSO Configuration document, click the
Keys pull-down menu.
- Select the Import WebSphere LTPA Keys option to import
the LTPA keys previously created for WebSphere Application
Server and stored in a file.
- Type the path to the file containing the keys for WebSphere
Application Server and click OK.
- Type the password that was used when generating the
LTPA keys. The SSO Configuration document is automatically updated to
reflect the information in the imported file.
- Fill in the remaining fields in this document. Groups and wildcards
are not allowed in the fields. The following list describes
the fields and the expected values:
- Token Expiration: The number of minutes a token can
exist before expiring.
A token does not expire based on inactivity; it is valid
for only the number of minutes specified from the time
of issue.
- Token Domain: The DNS domain portion of your system's
fully qualified Internet name. This is a required field.
All servers participating in SSO must reside in the same
DNS domain; this value must be the same as the Domain value
specified when configuring WebSphere Application Server.
Also, WebSphere Application Server treats the DNS domain
as case sensitive, so ensure that the DNS domain value is
specified in exactly the same way, including the same case.
- Domino Server Names: The Domino servers that will be
participating in SSO. This SSO Configuration document will
be encrypted for the creator of the document, the members
of the Owners and Administrators fields, and the
servers specified in this field. These servers can be in different
Domino domains; however they must be in the same DNS domain.
You must specify a fully qualified Domino server name, for
example, MyDominoServer/MyOu. The Domino server
name that you specify here must also match the name of the
corresponding server's Connection document in your
client's Domino Directory.
- LDAP Realm: The fully qualified DNS host name of the
LDAP server.
This field is initialized from the information provided
in the imported LTPA keys file. You need to change this
value only if a port value for the LDAP server was
specified for the WebSphere Application Server administrative
domain. If a port was specified, a backslash character (\) must
be inserted into the value before the colon character (:).
For example, replace myhost.mycompany.com:389
with myhost.mycompany.com\:389.
- Save the Web SSO Configuration document. It now appears in the
Web Configurations view.
If you are configuring multiple Domino servers for SSO, refer to
Configuring additional Domino servers.
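As an added example (not IBM's or Lotus's code), the following Python pre-flight check compares the values typed into the Web SSO Configuration document against the values recorded from the WebSphere Application Server SSO configuration, catching the pitfalls called out above: a Token Domain that differs only in case, an LDAP Realm whose port colon is not escaped, a server name that is not fully qualified, and a token that is still treated as live after its fixed lifetime. The field names follow this page; the WebSphere values and the sample document are constructed.

```python
"""Pre-flight checks for a Domino Web SSO Configuration document (added example,
not IBM's or Lotus's code; WebSphere-side values below are constructed samples)."""
from datetime import datetime, timedelta


def escape_ldap_realm(host_port: str) -> str:
    """Domino wants a backslash before the port colon: myhost.mycompany.com\\:389."""
    host, sep, port = host_port.partition(":")
    return f"{host}\\:{port}" if sep else host


def token_is_valid(issued_at: str, now: str, expiration_minutes: int) -> bool:
    """An LTPA token lives a fixed number of minutes from issue; activity never extends it."""
    expires = datetime.fromisoformat(issued_at) + timedelta(minutes=expiration_minutes)
    return datetime.fromisoformat(now) < expires


def check_web_sso_config(doc: dict, websphere: dict) -> list:
    """Return the problems found; an empty list means the document agrees with WebSphere."""
    problems = []
    # Token Domain must equal the WebSphere SSO domain exactly; WebSphere is case sensitive.
    if doc["Token Domain"] != websphere["domain"]:
        same_ignoring_case = doc["Token Domain"].lower() == websphere["domain"].lower()
        problems.append("Token Domain differs from the WebSphere domain"
                        + (" only in case" if same_ignoring_case else ""))
    # LDAP Realm must name the WebSphere LDAP host, with any port colon escaped.
    expected_realm = escape_ldap_realm(websphere["ldap_host"])
    if doc["LDAP Realm"] != expected_realm:
        problems.append(f"LDAP Realm should be {expected_realm!r}, found {doc['LDAP Realm']!r}")
    # Server names must be fully qualified (Name/OU); wildcards are not allowed.
    for name in doc["Domino Server Names"]:
        if "*" in name:
            problems.append(f"wildcard not allowed in Domino Server Names: {name!r}")
        elif "/" not in name:
            problems.append(f"Domino server name is not fully qualified: {name!r}")
    return problems


# Constructed sample: the values recorded when SSO was configured for WebSphere.
WEBSPHERE_SSO = {"domain": "mycompany.com", "ldap_host": "myhost.mycompany.com:389"}

# Constructed sample document with three of the mistakes this page warns about.
SAMPLE_DOC = {
    "Token Expiration": 30,
    "Token Domain": "MyCompany.com",                                # case differs
    "Domino Server Names": ["MyDominoServer/MyOu", "OtherServer"],  # second not qualified
    "LDAP Realm": "myhost.mycompany.com:389",                       # colon not escaped
}

for problem in check_web_sso_config(SAMPLE_DOC, WEBSPHERE_SSO):
    print("problem:", problem)
```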
To update the Server document for SSO, follow these steps:
- In the Domino Directory, select the Servers view.
- Edit the Server document.
- Select the Ports --> Internet Ports --> Web tab.
- Click the Enable Name & Password Authentication for the HTTP Port
box to enable basic authentication for Web users.
- Select Internet Protocols --> Domino Web Engine.
- Select Multi-server in the Session Authentication field
to enable SSO for Domino.
- Save the Server document.
If you are configuring multiple Domino servers for SSO, refer to
Configuring additional Domino servers.
Before continuing, finish configuring the Domino server for
use by Web users. The remaining configuration steps are not specific
to SSO and are not covered here in detail. Refer to the
Domino 5 Administration Help for information on the following:
- Configuring access to an LDAP directory when the Domino
Directory is not being used
- Authorizing Web users to Domino resources
To verify the SSO configuration for Domino, ensure that the
Domino server is configured correctly and that Web users are
authorized to access Domino resources by performing the following
steps:
- To verify that the Domino server is configured correctly,
stop and restart the Domino HTTP Web server. If SSO is
configured correctly, the following message appears on the
Domino server console:
HTTP: Successfully loaded Web SSO Configuration.
If a Domino server enabled for SSO cannot find a
Web SSO Configuration document or is not included in the
Domino Server Names field and therefore cannot decrypt the document,
the following message appears on your server's console:
HTTP: Error Loading Web SSO configuration. Reverting to
single-server session authentication.
- To verify that users are authorized, attempt to access a Domino
resource, such as a Domino Directory, first as a user defined in
the Domino Directory itself, for local authorization, and then as
a user defined in the LDAP directory service, for authorization
of WebSphere Application Server users.
If you are using SSO with multiple Domino servers, perform the
following steps for each additional server:
- Replicate the initial Web SSO Configuration document to each
additional Domino server.
- Update the Server document for each additional Domino server.
- Restart each of the Domino HTTP web servers.
If you are using SSO with Domino servers in multiple Domino domains,
you must also set up cross-domain authentication among the Domino
servers. For example, assume there are Domino servers in two
Domino domains, X and Y. Use the following procedure to enable
the Domino servers to perform SSO between the domains:
- A Domino administrator must copy the Web SSO Configuration
document from the Domino Directory for Domain X and paste it
into the Domino Directory for Domain Y. The Domino administrator
needs rights to decrypt the Web SSO Configuration
document in Domain X and to create documents in the Domino Directory
for Domain Y.
- Ensure that your Lotus Notes client's location home server is
set to a Domino server in Domain Y.
- Edit the Web SSO Configuration document for Domain Y.
- In the Participating Domino Servers field, include only the
Domino servers with Server documents in Domain Y that will
participate in SSO.
- Save the Web SSO Configuration document. It is now encrypted
for the participating Domino servers in Domain Y, so these servers
now have the same key information as the Domino servers in domain
X. This shared information allows Domino servers in Domain Y to
perform SSO with Domino servers in Domain X.