Sametime uses authentication by token to authenticate connections that occur after a user has authenticated to Domino® once using password authentication.
Authentication by token prevents a user from having to re-enter authentication credentials when accessing different servers or using Sametime web clients or Domino applications that connect to a Sametime server.
The Sametime server includes two separate security features capable of generating the authentication token used by Sametime
If the Domino SSO feature is not enabled on the Domino server when you install Sametime, the Sametime installation automatically enables and configures the Domino SSO feature. In some environments, you might need to alter the default SSO configuration provided by the Sametime installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.
To authenticate successfully using SSO, the user must enter the fully qualified domain name of the Sametime server (for example, sametimeserver.meetings.example.com) in the web browser address field when accessing the Sametime server.
If your Sametime environment includes only Sametime 3.0 (or higher) servers, and you do not use Sametime TeamRoom or Discussion databases that were available with earlier Sametime server releases, only the Domino SSO feature is required to support authentication by token.
If your Sametime environment includes Sametime 3.0 (or higher) servers that interoperate with Sametime servers from releases earlier than Sametime 3.0, both the Domino SSO feature and the Secrets and Tokens databases must be supported on the Sametime server to enforce authentication by token.
Sametime includes a custom logon form for the SSO feature. This custom logon form can be used in place of the default SSO logon form. The custom logon form is presented to the user the first time the user accesses a database on the server that requires basic password authentication.
If the Sametime Server is configured to use Internet Sites, the Notes® client integration with Sametime (and therefore SSO with Sametime) has been supported only since Sametime 8.5.1 and Notes client 8.5. When configuring the Sametime Server to use Internet Sites, the following settings must be configured under the [AuthToken] section of the sametime.ini file:
- ST_TOKEN_TYPE must contain the name of the Web SSO document used by the Sametime Community server. The default value is LtpaToken.
- ST_ORG_NAME must contain the organization name that is set in the Web SSO document used by Sametime Community server. The default value is an empty organization name.
For additional information about the Domino Internet Sites configuration, see Domino
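The two [AuthToken] settings above only work when they agree with the Domino Web SSO configuration document, and the LTPA cookie is only sent when the browser uses a host name inside the SSO DNS domain. The following added example (not IBM code) checks both conditions; the sametime.ini fragment and the Web SSO document values are constructed sample data, and the DNS-domain check is an assumption about how the LTPA cookie is scoped.

```python
"""Sanity-check sametime.ini [AuthToken] settings against the Web SSO document."""
import configparser

# Constructed sametime.ini fragment containing only the section this check reads.
SAMPLE_INI = """
[AuthToken]
ST_TOKEN_TYPE=LtpaToken
ST_ORG_NAME=
"""

# Values an administrator would copy from the Domino Web SSO configuration
# document (constructed here; the real ones live in the Domino directory).
WEB_SSO_DOC = {
    "token_name": "LtpaToken",          # name of the Web SSO document
    "organization": "",                 # organization field, empty by default
    "dns_domain": ".meetings.example.com",  # DNS domain the LTPA cookie is scoped to
}


def load_authtoken(ini_text):
    """Return the [AuthToken] section as a dict, or None if it is absent."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep ST_* keys exactly as written in the file
    cp.read_string(ini_text)
    if not cp.has_section("AuthToken"):
        return None
    return dict(cp.items("AuthToken"))


def check_authtoken(ini_text, sso_doc):
    """List mismatches between sametime.ini and the Web SSO document."""
    section = load_authtoken(ini_text)
    if section is None:
        return ["[AuthToken] section missing from sametime.ini"]
    problems = []
    if section.get("ST_TOKEN_TYPE", "") != sso_doc["token_name"]:
        problems.append("ST_TOKEN_TYPE does not match the Web SSO document name")
    if section.get("ST_ORG_NAME", "") != sso_doc["organization"]:
        problems.append("ST_ORG_NAME does not match the Web SSO organization")
    return problems


def host_in_sso_domain(url_host, dns_domain):
    """True when the browser host name lies inside the SSO DNS domain, so the
    LTPA cookie scoped to that domain is sent; a short host name fails here."""
    return url_host.lower().endswith(dns_domain.lower())
```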
A Sametime 8.x server supports Secrets and Tokens authentication by default. The following are required to support Secrets and Tokens authentication:
- The Secrets and Tokens databases must be present on the server following a Sametime server installation.
- The "Allow users to authenticate using either LTPA token or Sametime Token (stauths.nsf and stautht.nsf)" option must be selected in the Configuration-Community Services-General settings of the Sametime Administration Tool.
Both conditions above exist on a Sametime server following the server installation, so no additional procedures are required to support Secrets and Tokens authentication following the installation. However, if you have enhanced security by enabling the SametimeSecretsGenerator agent in one Secrets database on one Sametime server in your community, you must ensure that this Secrets database is replicated to all Sametime servers in the community. For more information, see Replicating the Secrets database (optional)
Authentication by token using the Domino Single Sign-On (SSO) feature
The Single Sign-On (SSO) feature must be enabled on the Sametime server. This feature creates Lightweight Third Party Authentication (LTPA) tokens that enable web browser users to log in a single time to access multiple Sametime or IBM WebSphere servers that are in the same DNS domain. This capability is called "single sign-on."
Manually enabling the Domino SSO feature
If your environment requires you to manually enable the Domino SSO feature instead of using the default configuration provided by the IBM Sametime installation, you can use the steps in this section to manually enable the Domino
Using the Sametime custom logon form for SSO
The Sametime installation automatically configures the Sametime server to use the Sametime custom logon form for SSO.
Authentication by token using Secrets and Tokens databases
To authenticate by token, the Sametime server can accept an authentication token created by the Secrets and Tokens authentication databases, the Domino Single Sign-On (SSO) feature, or both. The Sametime server can also generate tokens using the Secrets and Tokens authentication databases or the Domino