
5.8: Single Sign-On

Single sign-on (SSO) support allows Web users to authenticate once when accessing both WebSphere Application Server resources, such as HTML, JSPs, servlets, and enterprise beans, and Domino resources, such as documents in a Domino database, or when accessing resources in multiple WebSphere domains.

An SSO domain is the DNS domain that the server sets in the Domain attribute of the LTPA Token cookie, which is the login token. A browser sends the cookie only to hosts in the domain for which it is set, so by current design SSO is limited to one DNS domain. If support for multiple domains is needed, it is achieved by not setting the SSO domain on the LTPA Token cookie: the cookie specification states that when the Domain attribute is not set, the cookie is sent back only to the host that issued it. This effectively disables SSO between hosts, but it does allow form login to be used on multiple domains served by the same system. To do this on WebSphere Application Server 4.0.2 or 3.5.6, set the property com.ibm.ejs.security.setSSODomain to false in the JVM properties of each application server.
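The cookie-scoping rule this paragraph relies on, modelled as an added example (not code from the InfoCenter or from WebSphere): given the Domain attribute the server put on the LTPA Token cookie, decide which hosts the browser will present it to. The hostnames are constructed for illustration.

```python
from typing import Dict, List, Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """Cookie domain matching: the request host is the cookie's Domain itself or a
    subdomain of it. Matching is case-insensitive and a leading dot on the Domain
    attribute is ignored. The "." prefix in the suffix test keeps the match on a
    label boundary, so "evilmycompany.com" does not match Domain=mycompany.com."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def cookie_sent_to(request_host: str, issuing_host: str, sso_domain: Optional[str]) -> bool:
    """Would the browser send the LTPA Token cookie issued by issuing_host to request_host?

    sso_domain is the value the server wrote into the cookie's Domain attribute, or None
    when com.ibm.ejs.security.setSSODomain=false leaves it unset. Per the cookie
    specification an unset Domain makes the cookie host-only: it goes back only to the
    host that issued it, which is why that setting disables SSO between hosts."""
    if sso_domain is None:
        return request_host.lower().rstrip(".") == issuing_host.lower().rstrip(".")
    return domain_matches(request_host, sso_domain)


def sso_walk(issuing_host: str, sso_domain: Optional[str], hosts: List[str]) -> Dict[str, bool]:
    """For each host the user visits after logging in at issuing_host, report whether the
    LTPA cookie rides along (True: no re-login) or the host will challenge again (False)."""
    return {h: cookie_sent_to(h, issuing_host, sso_domain) for h in hosts}


if __name__ == "__main__":
    # Constructed hostnames: two servers in the SSO domain and one outside it.
    visited = ["a.mycompany.com", "b.mycompany.com", "www.othercompany.com"]
    # SSO domain set to mycompany.com: b.mycompany.com gets the token, the outsider does not.
    print(sso_walk("a.mycompany.com", "mycompany.com", visited))
    # setSSODomain=false: the token only ever returns to a.mycompany.com.
    print(sso_walk("a.mycompany.com", None, visited))
```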

Web users can authenticate once to a WebSphere application server or Domino server and then access any other WebSphere application servers or Domino servers in the same DNS domain that are enabled for Single Sign-On (SSO) without logging on again. This is accomplished by configuring the WebSphere application servers and the Domino servers to share authentication information.

To enable SSO among WebSphere application servers, you must configure SSO for WebSphere. To enable SSO between WebSphere application servers and Domino servers, you must configure SSO for both WebSphere and for Domino.

This configuration is described in subsequent sections, but there are prerequisites that applications must meet in order to support the use of single sign-on.

Prerequisites and conditions

To take advantage of support for single sign-on between WebSphere application servers or between WebSphere and Domino, applications must meet the following prerequisites and conditions:

  • All servers must be configured as part of the same DNS domain. For example, if the DNS domain is specified as mycompany.com, then SSO will be effective with any Domino or WebSphere application server on a host that is part of the mycompany.com domain, for example, a.mycompany.com and b.mycompany.com.
  • All servers must share the same user registry. This registry can be either a supported LDAP directory server or, if SSO is being configured between two WebSphere application servers, a custom user registry. Domino does not support the use of custom registries, but a Domino-supported registry can be used as a custom registry within WebSphere. For more information on custom registries, see Introduction to custom registries.
    A Domino Directory (configured for LDAP access) or other LDAP directory can be used for the user registry. The LDAP directory product must be supported by WebSphere Application Server. Supported products include both Domino and all IBM SecureWay LDAP directory servers. Regardless of the choice to use an LDAP or custom registry, the SSO configuration is the same. The difference is in the configuration of the registry.
  • All users must be defined in a single LDAP directory. Using LDAP referrals to connect more than one directory together is not supported. Using multiple Domino Directory Assistance documents to access multiple directories is not supported.
  • Users must enable HTTP cookies in their browsers, because the authentication information that is generated by the server is transported to the browser in a cookie. The cookie is then used to propagate the user's authentication information to other servers, exempting the user from entering the authentication information for every request to a different server.
  • For Domino
    • Domino R5.0.6a for iSeries 400 (or later) and Domino R5.0.5 (or later) for other platforms are supported.
    • A Lotus Notes client R5.0.5 (or later) is required for configuring the Domino server for SSO.
    • Authentication information can be shared across multiple Domino domains.
  • For WebSphere Application Server
    • WebSphere Application Server V3.5 (or later) for all platforms is supported.
    • Any HTTP Web server supported by WebSphere Application Server can be used.
    • Authentication information can be shared across multiple WebSphere administrative domains.
    • Basic authentication (user ID and password) using the basic and form-login mechanisms is supported.
    • Permissions for either all authenticated users or groups of users are supported. If you are using the Domino Directory for authentication and have not specified a Base Distinguished Name during setup, permissions for individual users are also supported.
