Single signon
With single signon (SSO) support, Web users authenticate once and can then access WAS resources (such as HTML, JavaServer Pages (JSP) files, servlets, and enterprise beans), Lotus Domino resources (such as documents in a Domino database), and resources in multiple WAS domains without authenticating again.
Web users can authenticate once to a WAS appserver or to a Domino server. Without logging in again, Web users can access any other WAS appservers or Domino servers in the same Domain Name Service (DNS) domain that are enabled for SSO. This is accomplished by configuring the WAS appservers and the Domino servers to share authentication information.
Enable SSO among WAS appservers by configuring SSO for WebSphere Application Server. To enable SSO between WAS appservers and Domino servers, configure SSO for both WebSphere Application Server and for Domino.
Prerequisites
To take advantage of support for single signon between WAS appservers or between WAS and a Domino server, applications must meet the following prerequisites and conditions:
- Verify that all servers are configured as part of the same DNS domain.
For example, if the DNS domain is specified as mycompany.com, then SSO is effective with any Domino server or WAS appserver on a host that is part of the mycompany.com domain, for example:
a.mycompany.com
b.mycompany.com
- Verify that all servers share the same user registry.
This registry can be either a supported LDAP directory server or, if SSO is configured between two WAS appservers, a custom user registry.
Domino servers do not support custom registries, but we can use a Domino-supported registry as a custom registry within WebSphere Application Server.
We can use a Domino directory (configured for LDAP access) or other LDAP directory for the user registry. The LDAP directory product must have WebSphere Application Server support. Supported products include both Domino and IBM SecureWay LDAP directory servers. Regardless of the choice to use an LDAP or a custom registry, the SSO configuration is the same. The difference is in the configuration of the registry.
- Define all users in a single LDAP directory. Using LDAP referrals to connect more than one directory together is not supported.
Using multiple Domino directory assistance documents to access multiple directories also is not supported.
- Enable HTTP cookies in browsers, because the authentication information that the server generates is transported to the browser in a cookie.
The browser then presents that cookie to the other SSO-enabled servers in the same DNS domain, so the user does not have to re-enter credentials when a request goes to a different server. Because the cookie is scoped to the DNS domain, every host in that domain receives it; only hosts that are trusted to handle the authentication token should be placed in the SSO domain.
- For a Domino server:
- Domino Release 5.0.6a or later for iSeries 400, and Domino Release 5.0.5 or later for other platforms, are supported.
- A Lotus Notes client Release 5.0.5 or later is required for configuring the Domino server for SSO.
- We can share authentication information across multiple Domino domains.
- For WebSphere Application Server:
- WebSphere Application Server V3.5 or later for all platforms is supported.
- Use any HTTP Web server supported by WebSphere Application Server.
- We can share authentication information across multiple product administrative domains.
- Basic authentication (user ID and password) using the basic and form-login mechanisms is supported.
- By default, WAS does a case-sensitive comparison for authorization.
This means that a user who is authenticated by Domino must match an entry in the WAS authorization table exactly, including the base distinguished name; a difference in case alone causes the authorization check to fail. If the comparison should not be case sensitive, enable the Ignore Case property in the LDAP user registry settings. Note that with Ignore Case enabled, authorization table entries that differ only in case are treated as the same user.
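The first prerequisite, that all participating servers sit in the same DNS domain, is what decides which hosts the browser sends the SSO cookie to. The following script is an added example, not code from the WebSphere or Domino documentation: it takes a configured SSO DNS domain and a constructed server inventory (the domain name mycompany.com and all host names are assumed values) and reports which hosts will receive the cookie and which will silently fall outside SSO. The comparison is done on whole DNS labels rather than a plain string suffix, so a host such as evilmycompany.com is correctly reported as outside the mycompany.com domain.

```python
# Added example, not part of the WebSphere/Domino documentation.
# Determines which hosts are inside the SSO DNS domain and therefore
# receive the SSO cookie. Domain and host names below are constructed.

SSO_DOMAIN = "mycompany.com"  # assumed: the DNS domain configured for SSO

# Constructed inventory of the servers we intend to enroll in SSO.
SERVERS = [
    "a.mycompany.com",                # WAS application server
    "b.mycompany.com",                # Domino server
    "notes.emea.mycompany.com",       # deeper subdomain, still inside mycompany.com
    "mycompany.com",                  # the bare domain itself
    "evilmycompany.com",              # different domain that merely ends in the same text
    "www.mycompany.com.example.net",  # "mycompany.com" as an inner label only
    "c.mycompany.org",                # different top-level domain
]


def in_sso_domain(hostname: str, sso_domain: str) -> bool:
    """Return True if hostname is the SSO domain itself or a subdomain of it.

    Matching is done label by label (case-insensitive, trailing dot ignored),
    which is how a browser decides whether a cookie set for sso_domain is sent
    to hostname. A naive hostname.endswith(sso_domain) test would wrongly
    accept evilmycompany.com.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    domain_labels = sso_domain.lower().rstrip(".").split(".")
    if len(host_labels) < len(domain_labels):
        return False
    return host_labels[-len(domain_labels):] == domain_labels


def check_inventory(servers, sso_domain):
    """Split an inventory into hosts that will and will not share the SSO cookie."""
    inside = [h for h in servers if in_sso_domain(h, sso_domain)]
    outside = [h for h in servers if not in_sso_domain(h, sso_domain)]
    return inside, outside


if __name__ == "__main__":
    ok, bad = check_inventory(SERVERS, SSO_DOMAIN)
    print("Hosts that will receive the SSO cookie (domain %s):" % SSO_DOMAIN)
    for h in ok:
        print("  " + h)
    print("Hosts outside the SSO domain (users will be prompted again):")
    for h in bad:
        print("  " + h)
```

Run it against the real server list before enabling SSO: anything reported as outside the domain needs a DNS name inside it, and anything reported as inside is a host that will be handed users' authentication tokens and must be trusted accordingly.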
Related Tasks
Configuring single signon