Create the Web SSO Configuration document in the Domino Directory
Added by IBM on November 23, 2011 | Version 1 (Original)
Create a Web SSO document that specifies the servers participating in the shared authentication, the time-out value for the cookie containing the LTPA access token, and the encrypted secret used to create the cookie.
Parent topic: Manually enabling the Domino SSO feature
- Using a Lotus Notes® client, open the Domino® Directory on the Sametime® server.
- Select Configuration -> Servers -> All Server Documents.
- Select the Web button on the taskbar.
- Select Create Web SSO Configuration.
- In the document, select the Keys pull-down menu button.
- The default value for the Configuration Name field is LtpaToken. This is the preferred value and usually it should not be changed. If a different value is used as the Web SSO document name, the ST_TOKEN_TYPE setting under the [AuthToken] section of the sametime.ini file must contain that same value.
- Select Create Domino SSO Key.
Note: The Import WebSphere® LTPA Keys option is usually used when a WebSphere server must communicate with a Domino server. To enable that, export the LTPA keys from the WebSphere server and import them into the Domino server. See the WebSphere Information Center documentation for details.
- Configure the Token Expiration field. Note that a token does not expire based on inactivity; it is valid only for the number of minutes specified from the time of issue. The token is also valid only for a single browser session.
Note: Set the expiration value to a value somewhat longer than a typical work day, such as 600 minutes, to minimize the potential for an LTPA token to expire during an active meeting. Setting a higher value may create a security risk. If the LTPA token is intercepted by an attacker, the attacker may use the token to illegally gain access to the Sametime server until the token expires. Setting up the Domino server to support SSL for web browser connections provides the highest level of security against attempts to intercept LTPA tokens.
- In the DNS Domain field, enter the DNS domain (for example, .lotus.com or .meetings.acme.com) for which the tokens will be generated. The servers enabled for SSO must all belong to the same DNS domain. This field is required, and the DNS domain must start with a period.
When users access the Sametime server, they must enter the fully qualified domain name of the Sametime server for authentication to be successful (for example, sametimeserver.meetings.acme.com).
- In the Server Names field, enter the servers that will be participating in SSO.
Generally, this field should contain the Domino hierarchical names of all Sametime servers in your environment. You can browse and select the server names from the Domino Directory.
Note: Groups and wildcards are not allowed in this field.
- The Organization field should usually stay empty. If it has a value, which is mandatory only for an Internet Sites configuration, the ST_ORG_NAME setting under the [AuthToken] section of the sametime.ini file must contain a similar value. For additional information about Internet Sites, see the Domino documentation.
- Select Save & Close to save the Web SSO Configuration document. The document will appear in the Web Configurations view. This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Server Names field.
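The steps above impose several constraints that are easy to get wrong by hand: the DNS Domain must start with a period, Server Names may not contain wildcards, the token lifetime should not be pushed far beyond a working day, and the Configuration Name and Organization fields must agree with ST_TOKEN_TYPE and ST_ORG_NAME in sametime.ini. The following added example (not IBM code, not part of the original page) is a pre-flight checker that encodes those constraints and also shows why the leading period in the DNS Domain matters for the cookie scope. The sametime.ini excerpt, the document values and the field names used in the dataclass are constructed for the example; the check assumes the Organization field and ST_ORG_NAME must match exactly.

```python
"""Pre-flight check of a Domino Web SSO Configuration document against sametime.ini.

Added example, not IBM code. All sample values below are constructed.
"""
import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Lifetime (in minutes) that the procedure suggests; a longer lifetime widens the
# window during which an intercepted LTPA token remains usable.
SUGGESTED_MAX_EXPIRATION_MINUTES = 600


@dataclass
class WebSsoDocument:
    """The Web SSO Configuration document fields that this check looks at (constructed model)."""
    configuration_name: str = "LtpaToken"
    token_expiration_minutes: int = 600
    dns_domain: str = ""
    server_names: List[str] = field(default_factory=list)
    organization: str = ""


def load_authtoken_section(ini_text: str) -> Dict[str, str]:
    """Read ST_TOKEN_TYPE and ST_ORG_NAME from the [AuthToken] section of sametime.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return {
        "ST_TOKEN_TYPE": cp.get("AuthToken", "ST_TOKEN_TYPE", fallback=""),
        "ST_ORG_NAME": cp.get("AuthToken", "ST_ORG_NAME", fallback=""),
    }


def host_in_sso_domain(host: str, dns_domain: str) -> bool:
    """True if a browser-entered host name falls inside the cookie's DNS domain.

    The leading period is what makes the match safe: ".meetings.acme.com" matches
    "sametimeserver.meetings.acme.com" but not "evilmeetings.acme.com", and a short
    name such as "sametimeserver" never matches, which is why users must enter the
    fully qualified domain name.
    """
    host, dns_domain = host.lower().rstrip("."), dns_domain.lower().rstrip(".")
    return dns_domain.startswith(".") and host.endswith(dns_domain) and len(host) > len(dns_domain)


def check_web_sso_document(doc: WebSsoDocument, authtoken: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a document that is about to be saved."""
    errors: List[str] = []
    warnings: List[str] = []

    # DNS Domain: required, must start with a period and name at least one label.
    if not doc.dns_domain.startswith(".") or not doc.dns_domain.strip("."):
        errors.append(f"DNS Domain {doc.dns_domain!r} must start with a period and name a domain")

    # Server Names: Domino hierarchical names, no wildcards. Group names cannot be told
    # apart from server names lexically, so they are not checked here.
    if not doc.server_names:
        errors.append("Server Names must list every server participating in SSO")
    for name in doc.server_names:
        if "*" in name:
            errors.append(f"Server Names entry {name!r} contains a wildcard")

    # Token Expiration: counted from the time of issue, not from inactivity.
    if doc.token_expiration_minutes <= 0:
        errors.append("Token Expiration must be a positive number of minutes")
    elif doc.token_expiration_minutes > SUGGESTED_MAX_EXPIRATION_MINUTES:
        warnings.append(
            f"Token Expiration {doc.token_expiration_minutes} min exceeds the suggested "
            f"{SUGGESTED_MAX_EXPIRATION_MINUTES}; an intercepted token stays usable for that long"
        )

    # Consistency with sametime.ini [AuthToken]; exact match is assumed for both fields.
    if doc.configuration_name != authtoken["ST_TOKEN_TYPE"]:
        errors.append(f"Configuration Name {doc.configuration_name!r} != ST_TOKEN_TYPE "
                      f"{authtoken['ST_TOKEN_TYPE']!r} in sametime.ini")
    if doc.organization != authtoken["ST_ORG_NAME"]:
        errors.append(f"Organization {doc.organization!r} != ST_ORG_NAME "
                      f"{authtoken['ST_ORG_NAME']!r} in sametime.ini")
    return errors, warnings


# Constructed sample sametime.ini excerpt; only the [AuthToken] section is relevant.
SAMPLE_SAMETIME_INI = """
[AuthToken]
ST_TOKEN_TYPE=LtpaToken
ST_ORG_NAME=
"""

# Constructed sample document that follows the procedure above.
SAMPLE_DOC = WebSsoDocument(
    configuration_name="LtpaToken",
    token_expiration_minutes=600,
    dns_domain=".meetings.acme.com",
    server_names=["CN=sametime1/O=Acme", "CN=sametime2/O=Acme"],
    organization="",
)

if __name__ == "__main__":
    errs, warns = check_web_sso_document(SAMPLE_DOC, load_authtoken_section(SAMPLE_SAMETIME_INI))
    print("errors:", errs)
    print("warnings:", warns)
    for host in ("sametimeserver.meetings.acme.com", "sametimeserver", "evilmeetings.acme.com"):
        print(host, "->", host_in_sso_domain(host, SAMPLE_DOC.dns_domain))
```

Run it as a script to see the sample document pass and the three host names evaluated against the cookie domain; feed it your own document values and sametime.ini text to check a real configuration before selecting Save & Close.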