Configure single sign-on between WebSphere Portal and Lotus Domino
You configure the single sign-on feature between...
- IBM WebSphere Portal server
- IBM Lotus Domino servers
...so that authentication works the same way for all Domino and Extended Products Portlets.
A user can log into WebSphere Portal and then access portlets that contain information from a Lotus Domino application or service without having to enter additional credentials for authentication.
The Domino-WebSphere Portal Integration Wizard can do several parts of this task for you. The exceptions are...
- increasing SSO security by preventing anonymous access
- three testing and checking procedures
Do these manually after running the wizard.
Also, reconciling SSO across Lotus Domino and another LDAP directory, and enabling a third-party authentication server are not procedures compatible with the wizard, which integrates only a Lotus Domino LDAP directory.
Understanding Single Sign-On
- Install and configure all Lotus Domino servers and then enable single sign-on for them all.
For example, install and configure Lotus Domino messaging servers, and servers for Lotus Sametime, before you enable single sign-on.
- All servers participating in single sign-on must be in the same Internet domain.
- To enable single sign-on, enable the IBM LTPA capabilities included in both WebSphere Application Server (WAS) and Lotus Domino.
The WebSphere LTPA token generated by WAS is imported into Lotus Domino, and this token can be used for all servers within the Lotus Domino domain.
- To enable single sign-on across multiple Lotus Domino domains, import the same WebSphere LTPA token into those Lotus Domino domains.
The Domino-WebSphere Portal Integration Wizard cannot integrate servers in multiple Lotus Domino domains.
- One Web SSO configuration document per Lotus Domino domain can be replicated to all the other Lotus Domino servers in that domain, but enabling multi-server authentication must be done individually for every server in a Lotus Domino domain.
- Additional configuration may be needed if WebSphere Portal is configured for multiple realms.
See Problem: Single Sign-On may fail when the portal is configured to use multiple realms in the troubleshooting topic under Related concepts.
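Two of the points above can be checked before any key is imported: all participating servers must share one Internet domain, and the LTPA token the portal issues must be a cookie scoped to that whole domain or the Domino servers never receive it. The following Python check is an added example, not code from the page or from IBM; the server names and the Set-Cookie header are constructed, and it assumes the portal returns the token as a cookie named LtpaToken.

```python
"""Added example: precondition checks for LTPA single sign-on. Server names and
the Set-Cookie header are constructed; the cookie name LtpaToken is assumed."""
from http.cookies import SimpleCookie
from typing import List, Optional

# Constructed: hostnames of the servers that will take part in single sign-on.
SSO_SERVERS = [
    "portal.example.com",    # WebSphere Portal
    "mail1.example.com",     # Lotus Domino messaging server
    "sametime.example.com",  # Lotus Domino server running Lotus Sametime
]

# Constructed: Set-Cookie header as a portal login response might return it.
SAMPLE_SET_COOKIE = ("LtpaToken=AAECAZExampleTokenValue; Domain=.example.com; "
                     "Path=/; Secure; HttpOnly")


def internet_domain(host: str) -> str:
    """Return the Internet domain of an FQDN ('mail1.example.com' -> 'example.com')."""
    return host.split(".", 1)[1].lower() if "." in host else ""


def common_domain(hosts) -> Optional[str]:
    """Return the one Internet domain shared by all hosts, or None if they differ."""
    domains = {internet_domain(h) for h in hosts}
    return domains.pop() if len(domains) == 1 and "" not in domains else None


def check_ltpa_cookie(set_cookie: str, hosts) -> List[str]:
    """List problems that would stop the LTPA cookie being shared; empty means OK."""
    problems = []
    shared = common_domain(hosts)
    if shared is None:
        problems.append("participating servers are not in one Internet domain")
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get("LtpaToken")
    if morsel is None:
        problems.append("no LtpaToken cookie in response")
        return problems
    # The browser only sends the cookie to hosts under its Domain attribute,
    # so it must be scoped to the shared domain, not to the portal host alone.
    cookie_domain = morsel["domain"].lstrip(".").lower()
    if shared and cookie_domain != shared:
        problems.append(f"cookie Domain {cookie_domain!r} does not cover {shared!r}")
    if not morsel["secure"]:
        problems.append("LtpaToken cookie is not marked Secure")
    if not morsel["httponly"]:
        problems.append("LtpaToken cookie is not marked HttpOnly")
    return problems
```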
The following set of tasks for configuring SSO assumes that no Web SSO configuration document exists in Lotus Domino. Before you begin the SSO tasks, to see whether a document exists and whether it contains the required WebSphere LTPA key file...
- In the Lotus Notes client, open NAMES.NSF on the Domino server you want to include in single sign-on. For example...
- Domino messaging server
- Domino server running Lotus Sametime
- Click Configuration | Web | Web Configurations to open the Web Configurations view. If you see a Web SSO Configurations triangle with a Web SSO Configuration for LTPA document, the Web SSO configuration document already exists.
- If the document exists and already contains the WebSphere LTPA key...
- Open the document on the server where it was created, and add the name of the Lotus Domino server you want to include in single sign-on to the Domino Server Names field in the document.
- Replicate the change to any other Lotus Domino servers in your site by typing the following command on the Lotus Domino server console on the source server (server where you added the new server's name):
rep server/org_name names.nsf
- For the change to take effect, restart the Lotus Domino server where you typed the command.
- Instead of performing the sequence of single sign-on configuration tasks in the section below, proceed to Testing single sign-on.
- If the Web SSO configuration document...
- does not exist
- contains a different key, for example a key created during the installation of Lotus Sametime
- contains a key that you are unsure is the same key exported from your WebSphere Portal server
...delete the unwanted key...
- Locate the document that contains the key.
- Set Session authentication to disabled for each participating server listed in the document.
- Delete the document that contains the key, or back it up under a name other than "LtpaToken."
- Replicate this change to all other Lotus Domino servers in your site, as described above.
- Re-acquire the key by performing all the following tasks listed for configuring single sign-on.
The following tasks configure single sign-on between WebSphere Portal and Lotus Domino.
To include either a Lotus Domino server running Lotus Sametime or a Lotus Domino messaging server in single sign-on, perform all tasks.
If the WebSphere Portal server is using an LDAP directory other than Lotus Domino, but the Collaborative Services are using a Lotus Domino LDAP directory, perform only the last task.
Checklist of tasks
- Retrieve the WebSphere LTPA key
- Import the WebSphere LTPA key into Lotus Domino
- Enable multi-server SSO authentication
- Increase SSO security by preventing anonymous access to HTML files
- Test single sign-on for Lotus Domino or Lotus Sametime
- Check the page source for awareness configuration
- Reconcile single sign-on across Lotus Domino and another LDAP directory
- Enable a third-party authentication server to work with the Lotus Notes View portlet
Related concepts
Domino-WebSphere Portal Integration wizard overview