The Domino® Single Sign-On (SSO) feature must be enabled on the Sametime® server. This feature creates Lightweight Third Party Authentication (LTPA) tokens that enable web browser users to log in a single time to access multiple Sametime, Domino, or IBM® WebSphere® servers that are in the same DNS domain. This capability is called "single sign-on."
Sametime also uses LTPA tokens to authenticate connections from Sametime clients to the Community Services, Meeting Services, and Recorded Meeting Broadcast Services on the Sametime server. These clients are Java™ applets and include the Meeting Room client and the Recorded Meeting client.
Sametime supports two versions of LTPA tokens: LTPAv1 and LTPAv2. Sametime allows authenticating by a single LTPA token or by a list of LTPA tokens. For example, a client can send an LTPAv1 token and an LTPAv2 token in the same authentication request to authenticate a user. The Domino configuration determines which token is validated.
The LTPA token types supported by Domino are configured in the Web SSO document in names.nsf. When using a Domino SSO key, only LTPAv1 tokens are supported. When importing a WebSphere LTPA key, both LTPAv1 and LTPAv2 tokens are supported by Domino. The supported formats are defined in the Token Format field under the WebSphere Information section of the Web SSO document.
Sametime can generate a single LTPA token or a list of LTPA tokens, depending on the SSO key that is configured in Domino and, when a WebSphere key is used, on the Token Format field.

Sametime also requires users to present an authentication token when attending an instant meeting. Client applications generate this token from the user's home Sametime server. Users whose home Sametime servers run Sametime 2.5 (or earlier) present Sametime tokens (generated from the Secrets and Tokens databases) when connecting to instant meetings started on a Sametime 8.x server. For this reason, Sametime 8.x servers operating in Sametime environments that include Sametime servers from previous releases must also support the Secrets and Tokens databases for authentication by token.
Authentication by LTPA token occurs after a user has already authenticated once using password authentication. For example, authentication by token on a Sametime server might occur as follows:

- A user accesses a Sametime Meeting Center database that requires authentication or clicks the "Log onto Sametime" link in the Sametime Meeting Center.

  Note: To successfully authenticate, the user must enter the fully qualified domain name of the Sametime server (for example, sametimeserver.meeting.acme.com) in the web browser URL locator when accessing the Sametime server.

- An SSO logon form appears, and the user enters a valid user name and password from the Domino Directory (or LDAP directory) to authenticate.

  Note: Sametime provides a custom Sametime SSO logon form that can be enabled by the administrator. If the custom logon form is not enabled, the standard Domino SSO logon form is displayed to the user.

- After a successful authentication, the Domino Single Sign-On (SSO) feature generates an LTPA token containing the user's authentication information and passes the token to the user's web browser in a cookie. The user's web browser must have cookies enabled to accept the LTPA token.

- The user attends a meeting, and the Meeting Room client loads in the user's web browser.

- The Meeting Room client connects to the Meeting Services and Community Services and passes the LTPA token to Sametime. The Meeting Services and Community Services connections are authenticated using the LTPA token. The user is not required to re-enter authentication credentials to authenticate these connections.
The same LTPA token described above can be used to authenticate the user when the user accesses other Sametime, Domino, or WebSphere servers in the same DNS domain during a single web browser session. The other Sametime, Domino, or WebSphere servers must also support the SSO feature (that is, the servers must accept LTPA tokens).
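The two decisions described above, which token formats the server validates (the SSO key type and the Token Format field) and why the browser must be addressed by the server's FQDN inside the SSO DNS domain, modelled as an added example that is not code from Sametime, Domino or the IBM documentation. The token encoding (an HMAC-signed "version|user|expiry" string), the cookie names LtpaToken and LtpaToken2, and the Token Format values are stand-ins and assumptions, not the real LTPA format or product settings.

```python
import base64
import hashlib
import hmac

# Constructed model of the page's policy (not the real LTPA token encoding):
# a Domino SSO key validates only LTPAv1; an imported WebSphere LTPA key
# validates whatever the Web SSO document's Token Format field lists.
# Cookie names LtpaToken (v1) and LtpaToken2 (v2) are assumed here.
POLICY = {
    ("domino", None): ("LtpaToken",),
    ("websphere", "LtpaToken"): ("LtpaToken",),
    ("websphere", "LtpaToken2"): ("LtpaToken2",),
    ("websphere", "LtpaToken and LtpaToken2"): ("LtpaToken", "LtpaToken2"),
}

def issue(secret, user, version, expiry):
    """Stand-in token: version|user|expiry, HMAC-signed with a demo key."""
    body = f"{version}|{user}|{expiry}".encode()
    sig = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body + b"|" + sig.encode()).decode()

def validate(secret, token, version, now):
    """Return the user name if signature, version and expiry all check out."""
    try:
        ver, user, expiry, sig = base64.b64decode(token).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    body = f"{ver}|{user}|{expiry}".encode()
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, sig) and ver == version and int(expiry) > now:
        return user
    return None

def cookies_for(jar, host):
    """Browser side: a cookie scoped to .meeting.acme.com is only sent to
    hosts inside that DNS domain, which is why the URL must use the FQDN."""
    return {name: val for (name, domain), val in jar.items()
            if host.lower().endswith(domain.lower())}

def authenticate(secret, cookies, key_type, token_format, now):
    """Server side: try the cookies in the order the configured policy allows."""
    for name in POLICY[(key_type, token_format)]:
        if name in cookies:
            version = "v1" if name == "LtpaToken" else "v2"
            user = validate(secret, cookies[name], version, now)
            if user is not None:
                return user
    return None
```

A request to the short host name carries no SSO cookie and fails, while the same jar presented to the FQDN authenticates; a Domino-key server ignores an LtpaToken2 cookie even when it is valid.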
If the Domino SSO feature is not enabled when you install Sametime, the Sametime installation automatically enables and configures the Domino SSO feature. In some environments, it may be necessary to alter the SSO configuration following the Sametime server installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.