If your organization uses IBM® Connections
in a Domino® environment,
you can enable single sign-on (SSO) for easier user authentication.
Before you begin
Before you can enable SSO, verify that you can access the
installed IBM Connections applications
from a web browser. Start your Domino server.
Ensure
that you have a user ID with administrative access to the Domino server.
Configure
an LDAP server as the user directory.
Notes:
- This is an optional configuration.
- If you are using a reverse proxy, you must specify the reverse proxy address in the LotusConnections-Config.xml file.
- If you are enabling SSO between IBM Connections and a product that is deployed on a pre-6.1 version of WebSphere® Application Server, you must first complete the steps described in the Enabling single sign-on for stand-alone LDAP topic.
About this task
Single sign-on enables users to log into one IBM Connections application and switch to other
applications without needing to authenticate again.
By default,
applications deployed within the same WebSphere Application Server cell are enabled
for single-sign-on. To support this, the application servers share
the same set of LTPA keys and the same LDAP directory configuration.
Use these instructions if you want to set up SSO where IBM Connections and Domino use different LDAP directory configurations
or are hosted in different WAS cells.
The Configuring user name mapping in the SSO LTPA token topic
in the IBM Lotus® Domino information
center can help you choose the correct configuration parameters for
your environment.
To enable SSO for Domino, complete the following steps:
Procedure
- Configure the LDAP for IBM Connections:
  - Log into the WebSphere Application Server Integrated Solutions Console on the Deployment Manager.
  - Click .
  - Select Federated Repositories from the Available realm definitions field and then click Configure.
  - Enter the realm name of the LDAP server in the Realm name field. For example: enterprise.example.com:389.
  - Click Apply and then click Save.
  - Synchronize the nodes.
  - Restart your IBM Connections deployment.
- Configure the domain name:
  - Log into the WebSphere Application Server Integrated Solutions Console on the Deployment Manager.
  - Click .
  - In the Authentication mechanisms and expiration area, expand Web and SIP security and click Single sign-on (SSO).
  - Enter your IBM Connections domain name in the Domain name field, ensuring that you add a dot (.) before the domain name.
  - Select the check boxes for Interoperability Mode (optional) and Web inbound security attribute propagation. Make sure Set security to HTTP Only is not enabled.
  - Restart your IBM Connections deployment.
- Export the LTPA key file:
  - Log into the WebSphere Application Server Integrated Solutions Console on the Deployment Manager.
  - Click .
  - In click LTPA.
  - In the Password and Confirm password fields, enter the password that protects the exported key.
  - Enter the file name of the key file that you want to generate in the Fully qualified key file name field.
  - Click Export keys.
  - Click Apply and then click Save.
- Set up the SSO configuration document on the Domino server by completing the steps in the Creating a Web SSO configuration document topic in the Domino information center.
- Verify that the Domino server maps correctly between the user IDs stored in the LDAP that is used by IBM Connections and the Domino address book.
  - If user names are present in both the LDAP directory and the Domino Directory:
    - In the user Person document, click Administration.
    - Under Client Information, enter the user name DN that is expected by WebSphere Application Server in the LTPA user name field.
      Note: Typically, this name is the user's LDAP distinguished name (DN). Separate the name components with slashes. For example, if the DN is uid=jdoe,cn=sales,dc=example,dc=com, enter the following value: uid=jdoe/cn=sales/dc=example/dc=com.
  - If user names are present in the LDAP directory only:
    - Open the Directory Assistance document for the LDAP directory. Alternatively, create a directory assistance database and configure the Domino server to use this database.
    - In the SSO Configuration section, enter an LDAP attribute for the name in an SSO token.
      Note: This attribute is used in the LTPA token when the LTPA_UserNm field is requested. Ensure that the selected field contains the user name that WebSphere Application Server expects. Options for this field include:
      - To use the LDAP distinguished name, enter a value of $DN. This is the most common configuration; it indicates that the user's LDAP DN is the name expected by WebSphere Application Server, rather than a name in an arbitrary LDAP field.
      - Use any appropriate LDAP attribute, provided it uniquely identifies the user.
      - Leave the field blank to default to the Domino distinguished name, if known. Otherwise, the default is the LDAP distinguished name.
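The mapping step above is where SSO between Domino and IBM Connections most often fails silently: a Person document whose LTPA user name field is empty, uses commas instead of slashes, or drifts from the LDAP DN yields a token that WebSphere Application Server cannot match to a user. The following script is an added example, not part of the IBM documentation, for the case where user names exist in both directories. It converts each LDAP DN into the slash-separated form the Person document must hold and reports every entry that differs. The LDAP entries and Person document values are constructed sample input; in practice you would export them from your directory and from names.nsf.

```python
# Added example (not from the IBM documentation): pre-flight check for the
# "user names present in both directories" LTPA mapping. All data below is
# constructed sample input.


def split_dn(dn):
    """Split an LDAP DN into its RDN strings on unescaped commas.
    RFC 4514 escape pairs such as '\\,' are kept intact so a comma inside a
    value (for example cn=Doe\\, John) is not treated as a separator."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def ldap_dn_to_ltpa_name(dn):
    """'uid=jdoe,cn=sales,dc=example,dc=com' -> 'uid=jdoe/cn=sales/dc=example/dc=com',
    the slash-separated form the Person document's LTPA user name field expects."""
    return "/".join(split_dn(dn))


def find_mapping_mismatches(ldap_entries, person_docs):
    """Return (user, expected, actual) for each user whose Person document LTPA
    user name does not match the slash form of the LDAP DN.
    ldap_entries: {user_key: ldap_dn}; person_docs: {user_key: ltpa_user_name or None}.
    The comparison ignores case (a choice made here because RFC 4514 attribute
    types, and most attribute values, are matched case-insensitively)."""
    mismatches = []
    for user, dn in ldap_entries.items():
        expected = ldap_dn_to_ltpa_name(dn)
        actual = person_docs.get(user)
        if actual is None or actual.strip().lower() != expected.lower():
            mismatches.append((user, expected, actual))
    return mismatches


# Constructed sample: users in the LDAP directory used by IBM Connections
LDAP_ENTRIES = {
    "jdoe": "uid=jdoe,cn=sales,dc=example,dc=com",
    "asmith": "uid=asmith, cn=sales, dc=example, dc=com",       # spaces after commas
    "doej": "cn=Doe\\, John,ou=contractors,dc=example,dc=com",  # escaped comma in a value
}

# Constructed sample: LTPA user name field of each user's Person document
PERSON_DOCS = {
    "jdoe": "uid=jdoe/cn=sales/dc=example/dc=com",      # correct
    "asmith": "uid=asmith,cn=sales,dc=example,dc=com",  # wrong: commas, not slashes
    "doej": None,                                        # field never filled in
}

if __name__ == "__main__":
    for user, expected, actual in find_mapping_mismatches(LDAP_ENTRIES, PERSON_DOCS):
        print(f"{user}: LTPA user name should be {expected!r}, found {actual!r}")
```

Run it against a real export before restarting the HTTP task; every line it prints is a user who will be prompted to authenticate again after switching applications, which is the symptom the final verification step in this topic checks for.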
- Configure Domino Server to use the new Web SSO Configuration Document:
  - In Domino Administrator, click Files and then open the server’s Address Book (the names.nsf file).
  - Select the Servers view and open the server that you want to configure.
  - Navigate to .
  - Click Edit Server to change to Edit mode.
  - Select the new Web SSO Configuration Document in the Web SSO Configuration box.
  - Save your changes.
- Using the Domino console, stop and start the HTTP task by issuing the following commands:
  tell http quit
  load http
  Note: The tell http restart and restart task http commands cannot read the updated SSO configuration.
What to do next
Verify that you can switch between IBM Connections applications without needing
to authenticate more than once.