Prerequisites:
- A running Domino server
- A user with administrative access to the Domino server
- A functioning Lotus Connections deployment that uses an LDAP server as the user directory
I. Prepare the Lotus Connections installation for single sign-on (SSO) with a Domino® server.
By default, applications deployed on servers within the same WebSphere Application Server cell are enabled for single sign-on. To support this, the servers share the same set of LTPA keys and the same LDAP directory configuration. Use the configuration below if you want to set up SSO between applications that use different LDAP directory configurations.
To enable SSO between a Lotus Connections application and a Domino server, complete the following steps:
1. Log in to the WebSphere Application Server Integrated Solutions Console by going to the following web address in a browser:
http://:9060/ibm/console
2. Log in to the Welcome page.
3. Click Security > Secure administration, applications, and infrastructure. For WAS 7, click Security > Global Security.
4. Select Federated Repositories from the Available realm definitions field, and then click Configure. For WAS 7, click the "Configure" button next to the Federated Repositories drop-down box.
5. On the Federated repositories page, enter the host:port of the standalone LDAP server in the Realm name field.
For example:
enterprise.st.acme.com:389
6. Click Apply, and then click Save to save this setting.
7. Do one of the following:
- Standalone deployment: Restart the servers.
- Network deployment: Synchronize the nodes with the deployment manager, and then restart the servers by completing the following steps:
Log in to the Integrated Solutions Console for the deployment manager.
From the Integrated Solutions Console, expand . Select the name of the node that you have updated, and then click Full Resynchronize.
From the main Integrated Solutions Console page, select . Select the check box beside the cluster that you want to restart, click Stop, and then click Start.
II. Configure WebSphere for SSO and export the LTPA key.
1. Start WebSphere Application Server.
2. Log in to the WebSphere Application Server Integrated Solutions Console.
3. Click Security > Secure administration, applications, and infrastructure. On WAS 7, click Security > Global Security.
4. Under Authentication, expand Web security, and then select Single sign-on (SSO). On WAS 7, click Web and SIP security to access this option.
5. Type your domain name in the Domain name field, ensuring that you add a dot (.) before the domain name.
For example: .acme.com. You will need to enter this same domain name again in the Domino configuration steps below.
6. Select the Interoperability Mode and Web inbound security attribute propagation check boxes.
7. Restart all of your installed features and check that you can switch between them without needing to authenticate more than once.
8. Log in to the WebSphere Application Server Integrated Solutions Console.
9. Click Security > Secure administration, applications, and infrastructure. On WAS 7, click Security > Global Security.
10. Click Authentication mechanisms and expiration. On WAS 7, click LTPA in the Authentication box on the Global Security page.
11. Enter the password used to protect the exported key in the Password and Confirm password fields.
12. Enter the full file name of the key file to be generated in the Fully qualified key file name field.
13. Click Export keys.
III. Set up the SSO configuration document on the Domino server.
To do so, follow the steps described in the following topic in the IBM Lotus Domino and Notes information center:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_CREATING_THE_WEB_SSO_DOCUMENT_4695_STEPS.html
IV. Ensure that the Domino server maps correctly between the user IDs stored in the LDAP directory that Connections uses and the Notes canonical name format used inside the Domino Directory and for authentication and authorization.
You may skip this step if Domino Server and WebSphere Application Server share the same directory.
- If the users exist in both the LDAP directory and the Domino Directory:
In the user's Person document, click Administration. Under Client Information, enter the user name DN that WebSphere Application Server expects in the LTPA user name field. Typically, this is the user's LDAP distinguished name (DN). Be sure to separate the name components with slashes.
For example, if the LDAP DN is uid=jdoe,cn=sales,dc=acme,dc=com, enter the value as follows:
uid=jdoe/cn=sales/dc=acme/dc=com
- If the users exist only in the LDAP directory:
Open the Directory Assistance document for the LDAP directory (or create a directory assistance database and configure the Domino server to use it). In the SSO Configuration section, enter the LDAP attribute to use as the name in an SSO token created for this user. This attribute is placed in the LTPA token when the LTPA_UserNm field is requested, so make sure that the selected attribute contains the user name that WebSphere Application Server expects. Options for this field include:
- Any appropriate LDAP attribute, as long as it uniquely identifies the user.
- A value of $DN to use the LDAP distinguished name. This is the most common configuration, indicating that the user's LDAP DN is the name expected by WebSphere Application Server, rather than a name in some arbitrary LDAP field.
- Leaving it blank to default to the Domino distinguished name, if known. Otherwise, the default is the LDAP distinguished name.
The following topic in the IBM Lotus Domino and Notes information center provides further reference information to help you choose the correct configuration parameters for your environment:
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_CONFIGURING_NAME_IN_THE_LTPA_TOKEN_3205_STEPS.html
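The name mapping in section IV and the dotted SSO domain in section II are the two places where a mismatch silently breaks SSO, so the following added example (not from the original guide or from IBM) converts an LDAP DN into the slash-separated LTPA user name form and checks that the SSO domain covers a given server host. It assumes that an RDN value containing an escaped comma is carried over verbatim; the guide does not cover escaped values.

```python
from typing import List


def split_ldap_dn(dn: str) -> List[str]:
    """Split an LDAP DN into its RDN strings at unescaped commas.

    A backslash-escaped comma (RFC 4514, e.g. "cn=Doe\\, John") is part of
    the value and must not start a new component.
    """
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)  # assumption: keep the escape in the value
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def ldap_dn_to_ltpa_name(dn: str) -> str:
    """Build the value for the Person document's "LTPA user name" field.

    uid=jdoe,cn=sales,dc=acme,dc=com -> uid=jdoe/cn=sales/dc=acme/dc=com
    The result must match the DN WebSphere puts in the LTPA token exactly.
    """
    return "/".join(split_ldap_dn(dn))


def sso_domain_covers(sso_domain: str, host: str) -> bool:
    """Check the WebSphere SSO domain against a server host name.

    The domain must start with a dot (e.g. ".acme.com") and the host must
    lie inside it, otherwise the browser never sends the LtpaToken cookie
    to the second server and the user is prompted to log in again.
    """
    if not sso_domain.startswith("."):
        return False
    return host.lower().endswith(sso_domain.lower())


if __name__ == "__main__":
    print(ldap_dn_to_ltpa_name("uid=jdoe,cn=sales,dc=acme,dc=com"))
    print(sso_domain_covers(".acme.com", "domino.acme.com"))
```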
V. Configure the Domino server to use the Web SSO Configuration document.
1. In the Domino Administrator, click Files, and then open the server's Address Book (NAMES.NSF).
2. Select the Servers view.
3. Open the document of the server that you want to configure.
4. Navigate to the Internet Protocols\Domino Web Engine tab.
5. Change to Edit mode.
6. Select your newly created Web SSO document in the Web SSO Configuration selection box.
7. Save and close the document.
8. Using the Domino console, stop and start the HTTP task by issuing the following commands:
tell http quit
load http
N.B. "tell http restart" or "restart task http" will not read the updated SSO configuration.
You have now configured SSO between Lotus Connections and the Domino server and should see the user credentials seamlessly propagate between the two servers when accessed in the same browser session.