Configuring single sign-on between Lotus Quickr and Lotus Sametime
Added by IBM on June 11, 2010 | Version 1 (Original)
You configure the single sign-on (SSO) feature between the IBM® Lotus® Quickr™ for WebSphere Portal server and the IBM Lotus Domino® server running IBM Lotus Sametime® to support Chat features provided by Lotus Sametime. A user can log into Lotus Quickr and then use Chat features without having to enter additional credentials for authentication.
- All servers participating in single sign-on must be in the same Internet domain.
- To enable single sign-on, you must enable the IBM LTPA capabilities included in both WebSphere® Application Server and Lotus Domino. The WebSphere LTPA token generated by WebSphere Application Server is imported into Lotus Domino, and this token can be used for all servers within the Lotus Domino domain.
- To enable single sign-on across multiple Lotus Domino domains, import the same WebSphere LTPA token into those Lotus Domino domains.
- One Web SSO configuration document per Lotus Domino domain can be replicated to all the other Lotus Domino servers in that domain, but enabling multi-server authentication must be done individually for every server in a Lotus Domino domain.
- Additional configuration may be needed if Lotus Quickr is configured for multiple realms.
The following set of tasks for configuring SSO assumes that no Web SSO configuration document exists in Lotus Domino. Before you begin the SSO tasks, to see whether a document exists and whether it contains the required WebSphere LTPA key file, perform the following steps:
- In the Lotus Notes client, open the NAMES.NSF file on the Domino server you want to include in single sign-on (for example, a Domino server running Lotus Sametime).
- Click Configuration -> Web -> Web Configurations to open the Web Configurations view. If you see a -Web SSO Configurations- triangle with a Web SSO Configuration for LTPA document, the Web SSO configuration document already exists.
- If the document exists and already contains the WebSphere LTPA key, perform the following steps:
- Open the document on the server where it was created, and add the name of the Lotus Domino server you want to include in single sign-on to the Domino Server Names field in the document.
- Replicate the change to any other Lotus Domino servers in your site by typing the following command on the Lotus Domino server console on the source server (server where you added the new server's name):
rep server_name/org_name names.nsf
- For the change to take effect, restart the Lotus Domino server where you typed the command.
- Instead of performing the sequence of single sign-on configuration tasks in the section below, proceed to Testing single sign-on.
- If the Web SSO configuration document does not exist, contains a different key (for example, a key created during the installation of Lotus Sametime), or if you are unsure whether it is the same key exported from your Lotus Quickr server, perform the following steps to delete the unwanted key:
- Locate the document that contains the key.
- Set Session authentication to disabled for each participating server listed in the document.
- Delete the document that contains the key, or back it up under a name other than "LtpaToken."
- Replicate this change to all other Lotus Domino servers in your site, as described above.
- Re-acquire the key by performing all the following tasks listed for configuring single sign-on.
The following tasks configure single sign-on (SSO) between Lotus Quickr and Lotus Domino.
To include a Lotus Domino server running Lotus Sametime in single sign-on, perform all tasks.
Retrieving the WebSphere LTPA key: qp85
You retrieve the WebSphere LTPA key from the IBM Lotus Quickr for WebSphere Portal server so that you can use the key on the IBM Lotus Domino server that runs IBM Lotus Sametime.
Importing the WebSphere LTPA key into Lotus Domino: qp85
You create a Web SSO configuration document on the IBM Lotus Domino server that runs IBM Lotus Sametime. Then you import the WebSphere LTPA key retrieved from the IBM Lotus Quickr for WebSphere Portal server into the document, so that the same token can be used for single sign-on on both servers.
Enabling multiserver SSO authentication: qp85
When you enable multi-server SSO authentication between the IBM Lotus Domino and IBM Lotus Quickr for WebSphere Portal servers, the Lotus Domino server running IBM Lotus Sametime can authenticate users in the Web browser by examining LTPA tokens.
Increasing SSO security by preventing anonymous access to HTML files: qp85
You can modify the NOTES.INI file to prevent anonymous access to files in the HTML directory. The NoWebFileSystemACLs parameter, when set equal to 1 in the NOTES.INI file, prevents anonymous access to files served up in the HTML directory on the IBM Lotus Domino server, increasing security and reliance on the single sign-on method of authentication for IBM Lotus Sametime.
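One way to verify this setting on a server, as an added example that is not part of the original IBM page: the script reads a NOTES.INI and reports whether NoWebFileSystemACLs is set to 1, missing, set to another value, or defined more than once with different values. The sample file contents are constructed, and matching the parameter name case-insensitively is an assumption of this example.

```python
import sys

# Constructed sample NOTES.INI contents (not taken from a real server).
SAMPLE_NOTES_INI = """\
[Notes]
Directory=/local/notesdata
KeyFilename=server.id
nowebfilesystemacls = 1
"""

SETTING = "NoWebFileSystemACLs"


def audit_notes_ini(text, setting=SETTING):
    """Classify the state of `setting` in NOTES.INI text.

    Returns (status, values) where status is one of:
      "enabled"      every occurrence is exactly "1"
      "not-enabled"  present, but with a value other than "1"
      "missing"      the parameter does not appear at all
      "conflicting"  the parameter appears with differing values
    Assumption: parameter names are compared case-insensitively.
    """
    values = []
    for raw in text.splitlines():
        line = raw.strip()
        # Only key=value lines matter; section headers and other lines are skipped.
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == setting.lower():
            values.append(value.strip())
    if not values:
        return "missing", values
    if len(set(values)) > 1:
        return "conflicting", values
    return ("enabled" if values[0] == "1" else "not-enabled"), values


if __name__ == "__main__":
    # Pass the path to a NOTES.INI, or run with no arguments to use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_NOTES_INI
    status, found = audit_notes_ini(content)
    print(f"{SETTING}: {status} {found}")
    sys.exit(0 if status == "enabled" else 1)
```

A non-zero exit status means the server should be reviewed before relying on single sign-on alone to protect files in the HTML directory.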
Testing Lotus Sametime chat features: qp85
Checking whether the Chat action appears tells you whether single sign-on is operating properly between the IBM Lotus Quickr for WebSphere Portal server and the IBM Lotus Sametime server.