Operating Systems: i5/OS

This topic applies only on the i5/OS operating system.

 

Configure single sign-on capability with Lotus Domino

 

You set up Lotus Domino for single sign-on by configuring it with the Lightweight Third Party Authentication (LTPA) keys of WebSphere Application Server. LTPA is the default authentication mechanism for WebSphere Application Server; if LTPA is not the currently configured authentication mechanism, configure it before configuring single sign-on capability with Lotus Domino, because the information that results from the LTPA configuration is used to configure Lotus Domino. You can configure LTPA by clicking Security > Secure administration, applications, and infrastructure > Authentication mechanisms and expiration. Additionally, Web security single sign-on (SSO) must be enabled. For more information, see Implementing single sign-on to minimize Web user authentications.

To configure single sign-on with Lotus Domino, you need the following information from your LTPA configuration: the path and name of the file that contains the Lightweight Third Party Authentication (LTPA) keys, and the password that was used to generate the LTPA keys on WebSphere Application Server (Lotus Domino must use that same password). From the Web security single sign-on (SSO) configuration, you also need the domain name service (DNS) domain name within which single sign-on with Lotus Domino is effective.

 

Overview

You must select a new multi-server option in a server document for session-based authentication and create a new domain-wide configuration document in the Domino Directory. This configuration document is called the Web Single Sign-on (SSO) Configuration document. The Web SSO Configuration document, which must be replicated to all of the Domino servers that are participating in the single sign-on domain, is encrypted and contains a shared secret that is used to authenticate user credentials.

To configure single sign-on for Domino servers, complete the following steps:

 

Procedure

  1. Create the Web SSO Configuration document using Lotus Notes Client 5.0.5 or later.

    1. In the Domino Directory, select the Servers view.

    2. Click the Web menu item.

    3. Select Create Web SSO Configuration to create the document.

    4. On the Web SSO Configuration document, click the Keys menu.

    5. Select Import WebSphere LTPA Keys to import the LTPA keys that WebSphere Application Server previously created and stored in a file.

    6. Enter the fully-qualified path name of the file that contains the keys for WebSphere Application Server and click OK.

    7. Enter the password that was used to generate the LTPA keys. The Web SSO Configuration document is automatically updated to reflect the information in the imported file.

    8. Complete the Token expiration, DNS domain, Domino server names, and LDAP realm fields in this document. Groups and wildcards are not allowed in the fields. The following list describes the fields and the expected values:

      Token expiration

      Specifies the number of minutes a token can exist before expiring. A token does not expire based on inactivity; it is valid for only the number of minutes that is specified from the time of issue.

      DNS domain

      Specifies the DNS domain portion of your system's fully qualified Internet name. This is a required field.

      All of the servers that participate in single sign-on must reside in the same DNS domain. This value must be the same as the Domain value that you specified in your WebSphere Application Server configuration. WebSphere Application Server treats the DNS domain as case sensitive so you must verify that the DNS domain value is specified exactly the same way.

      Domino server names

      Specifies the Domino servers that you want to participate in single sign-on. This Web SSO Configuration document is encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers that are specified in this field. These servers can be in different Domino domains; however they must be in the same DNS domain.

      You must specify a fully qualified Domino server name. For example, you might specify MyDominoServer/MyOu. The Domino server name that you specify here must also match the name of the corresponding server Connection document in your client Domino Directory.

      LDAP realm

      Specifies the fully qualified DNS host name of the Lightweight Directory Access Protocol (LDAP) server. This field is initialized from the information that is provided in the imported LTPA keys file. Change this value only if a port value for the LDAP server is specified for the WebSphere Application Server administrative domain. If a port is specified, insert an escape character (\) into the value before the colon character (:). For example, replace myhost.mycompany.com:389 with myhost.mycompany.com\:389.

    9. Save the Web SSO Configuration document. This configuration document displays in the Web Configurations view.

  2. Configure the Server document. To update the Server document for single sign-on, complete the following steps:

    1. In the Domino Directory, select the Servers view.

    2. Edit the Server document.

    3. Select the Ports > Internet Ports > Web tab.

    4. To enable basic authentication for Web users in the HTTP Authentication options section, set Name and password to Yes.

    5. Select Internet Protocols > Domino Web Engine.

    6. Select Multiple Servers (SSO) in the Session Authentication field to enable single sign-on for Lotus Domino.

    7. Click the Security tab.

    8. In the Internet Access section select More name variations with lower security in the Internet authentication field so that short names can be used for authentication.

    9. Save the Server document.

  3. Finish the Lotus Domino configuration. Before continuing, finish configuring the Lotus Domino server for use by Web users. The remaining configuration steps are not specific to single sign-on and are not covered here in detail. For more information on the following remaining Lotus Domino configuration steps, see the Security topic in the Domino 5 Administration Help:

  4. Verify the single sign-on configuration for Lotus Domino. To verify the single sign-on configuration for Lotus Domino, ensure that the Lotus Domino server is configured correctly and that Web users are authorized to access Domino resources by performing the following steps:

    1. To verify that the Lotus Domino server is configured correctly, stop and restart the Domino HTTP Web server. If single sign-on is configured correctly, the following message is displayed on the Lotus Domino server console:

      HTTP: Successfully loaded Web SSO Configuration

      If a Domino server that is enabled for single sign-on cannot find a Web SSO Configuration document, or the server is not included in the Domino server names field and therefore cannot decrypt the document, the following message is displayed on the Lotus Domino server console:

      HTTP: Error Loading Web SSO configuration.
      Reverting to single-server session authentication

    2. To verify that users are authorized, attempt to access a Domino resource, such as a Domino Directory.

      • To verify local authorization, attempt to access a Lotus Domino resource as a user that is defined in the Domino Directory.

      • To verify the authorization for WebSphere Application Server users, attempt to access a Lotus Domino resource as a user that is defined in the LDAP directory service.

  5. Optional: Configure additional Lotus Domino servers in a single domain. If you are using single sign-on with multiple Domino servers, perform the following steps for each additional server:

    1. Replicate the initial Web SSO Configuration document to each additional Domino server.

    2. Update the Server document for each additional Domino server.

    3. Restart each of the Domino HTTP Web servers.

  6. Optional: Configure Lotus Domino servers in multiple Domino domains. If you are using single sign-on with Domino servers in multiple Domino domains, also set up cross-domain authentication among the Domino servers. For example, assume there are Domino servers in two Domino domains, X and Y. Complete the following steps to enable the Domino servers to perform single sign-on between the domains:

    1. As a Lotus Domino administrator, copy the Web SSO Configuration document from the Domino Directory for domain X and paste it into the Domino Directory for domain Y. The Domino administrator needs the rights associated with decrypting the Web SSO Configuration document in domain X and to creating documents in the Domino Directory for domain Y.

    2. Ensure that your location home server for your Lotus Notes client is set to a Domino server in domain Y.

    3. Edit the Web SSO Configuration document for domain Y.

    4. In the Participating Domino servers field, include only the Domino servers with Server documents in domain Y that you want to participate in single sign-on.

    5. Save the Web SSO Configuration document. The configuration document is now encrypted for the participating Domino servers in domain Y. These servers have the same key information as the Domino servers in domain X. This shared information allows Domino servers in domain Y to perform single sign-on with Domino servers in domain X.
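As an added example (not IBM code and not part of this topic), the following Python script performs the checks that steps 1 and 4 above describe: it validates the Web SSO Configuration document field values before you enter them (a case-sensitive DNS domain match against the WebSphere Application Server value, fully qualified Domino server names without wildcards, a positive Token expiration, and the backslash escape of the LDAP realm port), and it classifies the Domino console output after the HTTP restart by looking for the success or error message quoted in step 4. The field names as dictionary keys, the sample values and the sample console lines are constructed; membership of a group in the Domino server names field cannot be detected from the name alone and is not checked.

```python
"""Preflight checks for a Domino Web SSO Configuration document and a
post-restart check of the Domino console output. Added example, not IBM code.
Field keys, sample values and console lines below are constructed."""
import re
from typing import Dict, Iterable, List

# Domain value from the WebSphere Application Server Web security SSO
# configuration (constructed sample; read it from your own configuration).
WAS_SSO_DOMAIN = "mycompany.com"

# Messages written to the Domino server console after the HTTP restart.
SSO_OK = "HTTP: Successfully loaded Web SSO Configuration"
SSO_ERROR = "HTTP: Error Loading Web SSO configuration"


def escape_ldap_realm(realm: str) -> str:
    """Insert the backslash before the port colon (myhost:389 -> myhost\\:389).
    Values without a port, or already escaped, are returned unchanged."""
    host, sep, port = realm.rpartition(":")
    if not sep or not port.isdigit() or host.endswith("\\"):
        return realm
    return f"{host}\\:{port}"


def check_web_sso_fields(fields: Dict[str, object], was_sso_domain: str) -> List[str]:
    """Return the problems found in the field values; an empty list means OK."""
    problems = []

    # Token expiration: a fixed number of minutes from issue, not inactivity.
    expiration = fields.get("Token expiration")
    if not isinstance(expiration, int) or expiration <= 0:
        problems.append("Token expiration must be a positive number of minutes")

    # DNS domain: required, and WebSphere compares it case sensitively.
    dns = str(fields.get("DNS domain", ""))
    if not dns:
        problems.append("DNS domain is required")
    elif dns != was_sso_domain:
        hint = " (differs only in case)" if dns.lower() == was_sso_domain.lower() else ""
        problems.append(f"DNS domain {dns!r} does not match WebSphere value {was_sso_domain!r}{hint}")

    # Domino server names: fully qualified (Server/OU), no wildcards.
    for name in fields.get("Domino server names", []):
        if "*" in name:
            problems.append(f"wildcard not allowed in Domino server name {name!r}")
        elif "/" not in name:
            problems.append(f"Domino server name {name!r} is not fully qualified (expected Server/OU)")

    # LDAP realm: a port is allowed only with the colon escaped as \:
    realm = str(fields.get("LDAP realm", ""))
    if re.search(r"(?<!\\):\d+$", realm):
        problems.append(f"LDAP realm {realm!r} has an unescaped port; use {escape_ldap_realm(realm)!r}")

    return problems


def web_sso_status(console_lines: Iterable[str]) -> str:
    """Classify console output after restarting the HTTP task:
    'ok' (Web SSO loaded), 'reverted' (single-server session authentication),
    or 'unknown' when neither message was seen. The last message wins."""
    status = "unknown"
    for line in console_lines:
        if SSO_OK in line:
            status = "ok"
        elif SSO_ERROR in line:
            status = "reverted"
    return status


# Constructed sample console output from a server that cannot decrypt the document.
SAMPLE_CONSOLE = [
    "HTTP Web Server started",
    "HTTP: Error Loading Web SSO configuration. Reverting to single-server session authentication",
]

if __name__ == "__main__":
    # Constructed sample document with several of the mistakes the steps warn about.
    sample_fields = {
        "Token expiration": 30,
        "DNS domain": "MyCompany.com",
        "Domino server names": ["MyDominoServer/MyOu", "Server2", "*"],
        "LDAP realm": "myhost.mycompany.com:389",
    }
    for problem in check_web_sso_fields(sample_fields, WAS_SSO_DOMAIN):
        print(" -", problem)
    print("console status:", web_sso_status(SAMPLE_CONSOLE))
```

Run the script before saving the Web SSO Configuration document, then again with the real console output after stopping and restarting the HTTP task; a status of reverted means the server is falling back to single-server session authentication and single sign-on is not in effect on it.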

 

Results

These steps enable you to configure single sign-on for a single or multiple Lotus Domino servers.



 

Related tasks


Generating Lightweight Third Party Authentication keys
Exporting Lightweight Third Party Authentication keys
Importing Lightweight Third Party Authentication keys
Implementing single sign-on to minimize Web user authentications

 

Related Reference


Single sign-on configuration troubleshooting tips

 

Related information


Domino 5 Administration Help