In order for a device from the internet to establish a communication session with an IBM Lotus Notes Traveler server on the internal network, user authentication is required. This function is normally provided by the entry-point server, which is either the reverse proxy or load balancer. Rather than having to maintain multiple or duplicate credentials, it is preferable to have the entry-point server validate the offered credentials by submitting them to the primary credentials server.
When the primary credentials server is Domino, you can use the LDAP function of Domino to perform an LDAP-bind with the credentials. After the entry-point server authenticates the device, that device is trusted by the internal network. Establishing that trust relationship is how single sign-on (SSO) is accomplished.
If the entry-point server is IBM Mobile Connect, the steps for using Domino as the primary credentials server are described in section 3.4.3, "Additional configurations," which also references configuring IBM Mobile Connect to generate a lightweight third-party authentication (LTPA) token. By following the configuration procedure, IBM Mobile Connect can generate an LTPA token, which the device inserts in the HTTP header of its messages to the Lotus Notes Traveler server. This token allows the server to trust the device, which eliminates the need for the server to perform its own authentication of the device.
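The trust hand-off described above, as an added example that is not IBM's code: a simplified HMAC-signed token stands in for the LTPA token (this is not the LTPA wire format), and `SHARED_KEY`, `issue_token` and `verify_token` are hypothetical names. It shows the checks the back-end server depends on when it skips its own authentication: token integrity under the shared key and the validity window.

```python
import base64, hashlib, hmac

# Constructed shared key (assumption): in the setup described above, the
# entry-point server and the back-end server hold the same SSO key material.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAC_LEN = 32  # length of an HMAC-SHA256 digest

def issue_token(user, key, now, lifetime=1800):
    """Entry-point side: call only after the credential check (LDAP bind) succeeded."""
    body = f"{user}|{int(now)}|{int(now) + lifetime}".encode()
    mac = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()

def verify_token(token, key, now):
    """Back-end side: return the user name, or None if the token cannot be trusted."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:                      # bad padding or non-ASCII input
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        user, issued, expires = body.decode().rsplit("|", 2)
        issued, expires = int(issued), int(expires)
    except ValueError:                      # malformed body
        return None
    if not (issued <= now < expires):       # not yet valid, or expired
        return None
    return user

if __name__ == "__main__":
    token = issue_token("alice", SHARED_KEY, now=1000)
    print(verify_token(token, SHARED_KEY, now=1200))   # inside the validity window
    print(verify_token(token, SHARED_KEY, now=5000))   # after expiry
```

A token of this kind is a bearer credential: whoever presents it is treated as the authenticated user until it expires, so the back end checks the validity window on every request.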