Single sign-on for authentication using LTPA cookies
With SSO support, Web users can authenticate once when accessing...
Application servers distributed in multiple cells can securely communicate using the LTPA protocol, which secures authentication-related data using...
LTPA also provides the SSO feature wherein a user is required to authenticate only once in a DNS domain and can access resources in other cells without getting prompted. Web users can authenticate once to a WAS or to a Domino server.
This authentication is accomplished by configuring WAS and the Domino servers to share authentication information. Without logging in again, Web users can access other WAS or Domino servers in the same DNS domain that are enabled for SSO.
Prerequisites and conditions
To use SSO between WAS servers or between WAS and Domino servers, applications must meet the following conditions...
- All servers are configured as part of the same DNS domain.
Realm names on each system in the DNS domain are case-sensitive and must match exactly. For example, if the DNS domain is specified as...setgetweb.com
...then SSO is effective with any Domino server or WAS appserver on a host that is part of the setgetweb.com domain, for example...
- All servers share the same registry.
This registry can be either a supported LDAP directory server or, if SSO is configured between two appservers, a standalone custom registry.
Domino servers do not support standalone custom registries, but we can use a Domino-supported registry as a standalone custom registry within WAS. Use a Domino directory configured for LDAP access or other LDAP directories for the registry. The LDAP directory product must have WAS support. Supported products include both Domino and LDAP servers, such as IBM Tivoli Directory Server.
Regardless of the choice to use an LDAP or a standalone custom registry, the SSO configuration is the same. The difference is in the configuration of the registry.
- Define all users in a single LDAP directory.
Using multiple Domino directory assistance documents to access multiple directories is also not supported.
- Enable HTTP cookies in browsers.
The authentication information generated by the server is transported to the browser in a cookie.
The cookie is used to propagate the authentication information for the user to other servers, exempting the user from entering the authentication information for every request to a different server.
- For a Domino server:
- Domino Release 6.5.4 for iSeries and other platforms is supported.
- A Lotus Notes client Release 5.0.5 or later is required for configuring the Domino server for SSO.
- We can share authentication information across multiple Domino domains.
- For WAS:
- WAS V3.5 or later for all platforms is supported.
- Use any HTTP Web server that is supported by WAS.
- We can share authentication information across multiple product administrative domains.
- Basic authentication (user ID and password) using the basic and form-login mechanisms is supported.
- By default, WAS does a case-sensitive comparison for authorization. This means that the identity of a user who is authenticated by Domino must match the entry in the WAS authorization table exactly (including the base distinguished name). If authorization should not be case-sensitive, enable the Ignore Case property in the LDAP user registry settings.
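The same-DNS-domain, identical-realm and case-sensitive authorization conditions listed above, as an added example that is not IBM's code: a small Python helper that checks a set of servers against those conditions and shows how the default exact comparison behaves with and without Ignore Case. The host names, realm names and distinguished names used in it are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class SsoServer:
    host: str   # fully qualified host name of a WAS or Domino server (constructed)
    realm: str  # realm name configured on that server (constructed)


def in_dns_domain(host: str, dns_domain: str) -> bool:
    """True when host belongs to dns_domain, matching on whole DNS labels.

    'app1.setgetweb.com' is in 'setgetweb.com'; 'notsetgetweb.com' is not,
    even though a plain string-suffix test would accept it.
    """
    h = host.lower().rstrip(".")
    d = dns_domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def sso_preconditions(servers: List[SsoServer], dns_domain: str) -> List[str]:
    """Return the prerequisite violations found for the given servers.

    - every host must be part of dns_domain (the LTPA cookie is scoped to it)
    - realm names must match exactly; the comparison is case-sensitive,
      so 'RealmA' and 'realma' are treated as different realms
    """
    problems = []
    for s in servers:
        if not in_dns_domain(s.host, dns_domain):
            problems.append(f"{s.host}: not in DNS domain {dns_domain}")
    realms = {s.realm for s in servers}  # a set keeps distinct case variants apart
    if len(realms) > 1:
        problems.append("realm names differ: " + ", ".join(sorted(realms)))
    return problems


def authz_match(authenticated_dn: str, table_dn: str, ignore_case: bool = False) -> bool:
    """Compare an authenticated DN with an authorization-table entry.

    Default WAS behaviour is an exact comparison; ignore_case=True models
    the effect of enabling the Ignore Case property in the LDAP registry settings.
    """
    if ignore_case:
        return authenticated_dn.lower() == table_dn.lower()
    return authenticated_dn == table_dn
```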
Related concepts
- Single sign-on for HTTP requests using SPNEGO Web authentication
- Single sign-on for authentication

Related tasks
- Create a single sign-on for HTTP requests using SPNEGO Web authentication