Enable single sign-on for Domino

If the organization uses IBM Connections in a Domino environment, we can enable single sign-on (SSO) for easier user authentication.

Before we can enable SSO, verify that we can access the installed Connections applications from a web browser.

Start the Domino server.

Ensure you have a user ID with administrative access to the Domino server.

Configure an LDAP server as the user directory.

• This is an optional configuration.

• This task applies to Quickr D. To enable SSO for Quickr J, see the Enable single sign-on for Lotus Quickr topic.

• For a reverse proxy, specify the reverse proxy address in the LotusConnections-Config.xml file.

• For SSO between IBM Connections, and a product deployed on a pre-6.1 version of WAS, first complete the steps described in Enable single sign-on for stand-alone LDAP.

Single sign-on enables users to log into one Connections application, and switch to other applications without needing to authenticate again.

By default, applications deployed within the same WAS cell are enabled for single-sign-on. To support this, the application servers share the same set of LTPA keys and the same LDAP directory configuration. Use these instructions to set up SSO where IBM Connections, and Domino use different LDAP directory configurations or are hosted in different WAS cells.

The Configure user name mapping in the SSO LTPA token.in the IBM Lotus Domino information center can help you choose the correct configuration parameters for your environment.

To enable SSO for Domino:

1. Configure the LDAP for Connections:

   1. Log into the WAS console on the dmgr.

   1. Click...
      Security | Global security | Available realm definitions | Federated Repositories | Configure

   2. Enter the realm name of the LDAP server in the Realm name field. For example: enterprise.myco.com:389.

   3. Click Apply and then click Save.

   4. Synchronize the nodes.

   5. Restart the Connections deployment.

2. Configure the domain name:

   1. Log into the WAS console on the dmgr.

   2. Click...
      Security | Global security | Authentication mechanisms and expiration | Web and SIP security | Single sign-on (SSO)

      • Enter the Connections domain name in the Domain name field, ensuring that add a dot (.) before the domain name.

      • Select the check boxes for Interoperability Mode (optional) and Web inbound security attribute propagation. Make sure Set security to HTTP Only is not enabled.

      • Restart the Connections deployment.

3. Export the LTPA key file:

   1. Log into the WAS console on the dmgr.

   2. Click...
      Security | Global security | Authentication | Authentication mechanism and expiration | LTPA

   3. In the Password and Confirm password fields, enter the password that protects the exported key.

   4. Enter the file name of the key file to generate in the /path/to/key_file field.

   5. Click Export keys.

   6. Click Apply and then click Save.

4. Set up the SSO configuration document on the Domino server by completing the steps in the Create a Web SSO configuration document.in the Domino information center.

5. Verify the Domino server maps correctly between the user IDs stored in the LDAP used by IBM Connections, and the Domino address book.

   • If user names are present in both the LDAP directory, and the Domino Directory:

     1. In the user Person document, click Administration.

     2. Under Client Information, enter the user name DN that is expected by WebSphere Application Server in the LTPA user name field.

        Typically, this name is the user's LDAP distinguished name (DN). Separate the name components with slashes. For example, if the DN is uid=jdoe,cn=sales,dc=example, dc=com, enter the following value: uid=jdoe/cn=sales/dc=example/dc=com.

   • If user names are present in the LDAP directory only:

     1. Open the Directory Assistance document for the LDAP directory. Alternatively, create a directory assistance database, and configure the Domino server to use this database.

     2. In the SSO Configuration section, enter an LDAP attribute for the name in an SSO token.

        This attribute is used in the LTPA token when the LTPA_UserNm field is requested. Ensure the selected field contains the user name that WebSphere Application Server expects. Options for this field include:

        • To use the LDAP distinguished name, enter a value of $DN. This is the most common configuration; it indicates the user's LDAP DN is the name expected by WebSphere Application Server, rather than a name in an arbitrary LDAP field.

        • Use any appropriate LDAP attribute, provided it uniquely identifies the user.

        • Leave the field blank to default to the Domino distinguished name, if known. Otherwise, the default is the LDAP distinguished name.

6. Configure Domino Server to use the new Web SSO Configuration Document:

   1. In Domino Administrator, click Files and then open the server’s Address Book (the names.nsf file).

   2. Select the Servers view and open the server to configure.

   3. Navigate to Internet Protocols > Domino Web Engine.

   4. Click Edit Server to change to Edit mode.

   5. Select the new Web SSO Configuration Document in the Web SSO Configuration box.

   6. Save the changes.

   7. Use the Domino console, stop and start the HTTP task by issuing the following commands:

      tell http quit

      load http

      The tell http restart and restart task http commands cannot read the updated SSO configuration

What to do next

Verify that we can switch between Connections applications without needing to authenticate more than once.

Parent topic:
Configure single sign-on

Related:

Enable single sign-on for Lotus Quickr

Enable single sign-on for standalone LDAP

Troubleshooting single sign-on problems with Lotus Domino