
Comments (5)

1 localhost commented

At the risk of asking the obvious, once a Notes 8 user has authenticated to their home server, how can I ensure the user gets authenticated for access to a Domino HTTP server? This must be built in to the product because the token-issuing APIs are certainly there in Notes. The use case is the authenticated Notes user who can access a Domino server without providing their username and HTTP password.

2 localhost commented

Sorry for responding so late. Was out on vacation. I'll ask someone from our security team to answer this question.

3 localhost commented

Thanks Niklas, amazingly I'm still watching this topic... (the power of tagging)

4 localhost commented

Peter, this is what I got from our security team. Sorry, it was sitting in my inbox and I only rediscovered it today.

Obtaining a Domino LTPA cookie by using the Accounts API

The Accounts API can be used to get an LTPA token from a Domino server or cluster of Domino servers. The token can then be used for authentication with Sametime, Portal, and other servers that accept LTPA. This method of authentication uses the Notes ID, so no separate user name or password is required. Keep in mind that this will only work if the user can access the Domino server from within Notes. So, for instance, if the user can go to the menu item File -> Open -> Lotus Notes Application and successfully connect to the Domino server specified in the Account, then the code sample below will work. If needed, connection documents should be set up ahead of time in the Notes client.

The following code sample demonstrates how to obtain an LTPA token from a Domino server using the Accounts API and the Java Authentication and Authorization Service (JAAS) provided by Notes.

```java
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
// Account, AccountsManager, AccountsManagerFactory, AccountsException,
// SingleSignonToken and Cookie are supplied by the Notes/Expeditor platform
// Accounts API plug-ins; import them from the platform's accounts and
// security packages shipped with your Notes version.

try {
    AccountsManager manager = AccountsManagerFactory.getAccountsManager();

    // Create a new Account object
    Account account = manager.newAccount("HTTP");

    // Name can be any String value (no special characters)
    account.setName("myNewAccount");

    // Type must be "HTTP"
    account.setType("HTTP");

    // Authentication type tells the platform how to do the login
    account.setAuthType("DOMINO-SSO");

    // The server that you want to connect to. If the "dominossoserver"
    // property is not set, then this must be a Domino server. Otherwise it
    // can be any server that accepts the LTPA token returned by Domino.
    account.setProperty(Account.SERVER, "http://myPortalServer.com/wps/myportal");

    // Allows this account to get the LTPA token from Domino
    account.setProperty("dominosso", "true");

    // (Optional) The name of the Domino server that will provide a token.
    // If this value is not set, the SERVER value will be used instead,
    // and MUST point to a Domino server.
    account.setProperty("dominossoserver", "MYDOMINOSERVER/US/IBM");

    // (Optional) Persists the account to disk. Not required.
    manager.addAccount(account);

    // Perform the login by connecting to Domino and getting back the LTPA token
    account.getLoginContext().login();

    // Get the Subject which contains the token
    Subject subject = account.getLoginContext().getSubject();

    // Extract the token, in the form of cookie(s)
    Set<SingleSignonToken> ssoCreds = subject.getPrivateCredentials(SingleSignonToken.class);
    Iterator<SingleSignonToken> it = ssoCreds.iterator();
    if (it.hasNext()) {
        SingleSignonToken ssoCred = it.next();
        Cookie[] cookies = ssoCred.getSsoTokens();
    }
} catch (AccountsException ae) {
    // There is a problem adding (or updating) the account to disk
    ae.printStackTrace();
} catch (LoginException le) {
    // There is a problem logging into Domino
    le.printStackTrace();
}
```
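As an added example (not from the thread or from IBM's sample), once the cookies have been pulled out of the SingleSignonToken, a simple way to confirm that the target server actually honours the Domino LTPA session is to replay the cookie header yourself with redirects disabled and look at the status: a 200 means the session was accepted, while a 3xx to a login form or a 401/403 means the token was rejected. The portal URL and token value below are placeholders, and the cookie names/values are assumed to have been copied from the platform Cookie objects into a plain Map.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Collections;
import java.util.Map;

/** Presents LTPA cookies obtained via the Accounts API to a server and reports the outcome. */
public class LtpaSsoCheck {

    /** Builds one Cookie request header from name/value pairs copied out of the
     *  platform Cookie objects (getName()/getValue()), so this class does not
     *  depend on the platform's Cookie class. */
    static String cookieHeader(Map<String, String> cookies) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            if (sb.length() > 0) sb.append("; ");
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        return sb.toString();
    }

    /** Sends a GET carrying the LTPA cookies and returns true only on HTTP 200.
     *  The token is a bearer credential, so it is only ever sent over https. */
    static boolean ssoAccepted(String targetUrl, Map<String, String> cookies) throws IOException {
        URL url = new URL(targetUrl);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("LTPA token must only be sent over https: " + targetUrl);
        }
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false); // a redirect to a login form is the failure signal
        conn.setRequestProperty("Cookie", cookieHeader(cookies));
        int status = conn.getResponseCode();
        String location = conn.getHeaderField("Location");
        conn.disconnect();
        if (status == HttpURLConnection.HTTP_OK) {
            return true;
        }
        System.err.println("SSO not accepted: HTTP " + status
                + (location != null ? " -> " + location : ""));
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed placeholder; the real value comes from SingleSignonToken.getSsoTokens()
        Map<String, String> cookies = Collections.singletonMap("LtpaToken", "<token-value-from-domino>");
        System.out.println(ssoAccepted("https://myPortalServer.com/wps/myportal", cookies));
    }
}
```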

5 localhost commented

Thanks very much. My test case will be executing that code and then hitting the Domino server using the embedded browser. If that works I'll be happy. It means I can start up a window to our portal/qp servers without the user being prompted for their credentials. (I don't expect it to work from a new instance of the browser started from Notes, but I would be chuffed if it did :-).) Thanks for this.
