Configure single signon for Lotus Domino

To configure single signon for Domino, you select a new multi-server option in a Server document for session-based authentication, and you create a new domain-wide configuration document, called the Web SSO Configuration document, in the Domino Directory. The Web SSO Configuration document, which must be replicated to all Domino servers participating in the single signon domain, is encrypted for participating Domino servers and contains a shared secret that is used by Domino servers for authenticating user credentials.

To complete this procedure, you need the following information from your WebSphere Application Server single signon configuration:

• The path and name of the file that contains the LTPA keys that were created.
• The password you used when LTPA keys from WebSphere Application Server were generated.
• The name of the DNS domain in which WebSphere Application Server is configured.

For more information, see Configure single signon and LTPA for WebSphere Application Server.

To configure single signon for Domino servers, complete the following steps:

1. Create the Web SSO Configuration document.
2. Configure the Server document.
3. Finish the Domino configuration.
4. Verify the single signon configuration for Domino.
5. (Optional) Configure additional Domino servers in the original domain.
6. (Optional) Configure Domino servers in different domains.

Create the Web SSO Configuration document

To create the Web SSO Configuration document, use a Lotus Notes Client 5.0.5 (or later) and follow these steps:

1. In the Domino Directory, select the Servers view.

2. Click on the Web pull-down menu item.

3. Select Create Web SSO Configuration to create the document.

4. On the Web SSO Configuration document, click the Keys pull-down menu.

5. Select Import WebSphere LTPA Keys to import the LTPA keys previously created for WebSphere Application Server and stored in a file.

6. Enter the fully-qualified path name of the file that contains the keys for WebSphere Application Server and click OK.

7. Enter the password that was used when the LTPA keys were generate. The SSO Configuration document is automatically updated to reflect the information in the imported file.

8. Complete the remaining fields in this document. Groups and wildcards are not allowed in the fields. The following list describes the fields and the expected values:

   • Token Expiration
     The number of minutes a token can exist before expiring. A token does not expire based on inactivity; it is valid for only the number of minutes that is specified, from the time of issue.

   • DNS Domain
     The DNS domain portion of your system's fully qualified Internet name. This is a required field.

     All servers participating in single signon must reside in the same DNS domain; this value must be the same as the Domain value that you specified when in your WebSphere Application Server configuration. Also, WebSphere Application Server treats the DNS domain as case sensitive, so ensure that the DNS domain value is specified in exactly the same way, including the same case.

   • Domino Server Names
     The Domino servers that you want to participate in single signon. This SSO Configuration document is encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers that are specified in this field. These servers can be in different Domino domains; however they must be in the same DNS domain.

     You must specify a fully qualified Domino server name, for example, MyDominoServer/MyOu. The Domino server name that you specify here must also match the name of the corresponding server's Connection document in your client's Domino Directory.

   • LDAP Realm
     The fully qualified DNS host name of the LDAP server. This field is initialized from the information that is provided in the imported LTPA keys file. Change this value only if an port value for the LDAP server was specified for the WebSphere Application Server administrative domain. If a port was specified, an escape character (\) must be inserted into the value before the colon character (:). For example, replace myhost.mycompany.com:389 with myhost.mycompany.com\:389.

9. Save the Web SSO Configuration document. It now appears in the Web Configurations view.

If you are configuring multiple Domino servers for single signon, see Configure additional Domino servers.

Configure the Server document

To update the Server document for single signon, follow these steps:

1. In the Domino Directory, select the Servers view.
2. Edit the Server document.
3. Select the Ports --> Internet Ports --> Web tab.
4. To enable basic authentication for Web users in the HTTP Authentication options section set Name & password to yes.
5. Select Internet Protocols --> Domino Web Engine.
6. Select Multiple Servers (SSO) in the Session Authentication field to enable single signon for Domino.
7. Select the Security tab.
8. In the Internet Access section select "More name variations with lower security" in the Internet authentication field so short names can be used for authentication.
9. Save the Server document.

If you are configuring multiple Domino servers for single signon, see Configure additional Domino servers.

Finish the Domino configuration

Before continuing, finish configuring the Domino server for use by Web users. The remaining configuration steps are not specific to single signon and are not covered here in detail. See the Security topic in the Domino 5 Administration Help (http://www-12.lotus.com/ldd/doc/domino_notes/5.0.3/help5_admin.nsf) for information on the following tasks:

• Configure access to an LDAP directory when the Domino Directory is not being used.
• Authorizing Web users to Domino resources.

Verify the single signon configuration for Domino

To verify the single signon configuration for Domino, ensure that the Domino server is configured correctly and that Web users are authorized to access Domino resources by performing the following steps:

1. To verify that the Domino server is configured correctly, stop and restart the Domino HTTP Web server.

   If single signon is configured correctly, the following message appears on the Domino server console:

   HTTP: Successfully loaded Web SSO Configuration

   If a Domino server enabled for single signon cannot find a Web SSO Configuration document or is not included in the Domino Server Names field and therefore cannot decrypt the document, the following message appears on your server's console:

   HTTP: Error Loading Web SSO configuration. Reverting to single-server session authentication

2. To verify that users are authorized, attempt to access a Domino resource, such as a Domino Directory. First, attempt the access as a user that is defined in the Domino Directory itself, for local authorization. Then, attempt the access as a user that is defined in the LDAP directory service, for authorization of WebSphere Application Server users.

Configure additional Domino servers in a single domain

If you are using single signon with multiple Domino servers, perform the following steps for each additional server:

1. Replicate the initial Web SSO Configuration document to each additional Domino server.
2. Update the Server document for each additional Domino server.
3. Restart each of the Domino HTTP web servers.

Configure Domino servers in multiple Domino domains

If you are using single signon with Domino servers in multiple Domino domains, set up cross-domain authentication among the Domino servers. For example, assume there are Domino servers in two Domino domains, X and Y.

Use the following procedure to enable the Domino servers to perform single signon between the domains:

1. A Domino administrator must copy the Web SSO Configuration document from the Domino Directory for Domain X and paste it into the Domino Directory for Domain Y. The Domino administrator needs rights to decrypt the Web SSO Configuration document in Domain X and to create documents in the Domino Directory for Domain Y.

2. Ensure that your Lotus Notes client's location home server is set to a Domino server in Domain Y.

3. Edit the Web SSO Configuration document for Domain Y.

4. In the Participating Domino Servers field, include only the Domino servers with Server documents in Domain Y that will participate in single signon.

5. Save the Web SSO Configuration document. It is now to be encrypted for the participating Domino servers in Domain Y, so these servers now have the same key information as the Domino servers in domain X. This shared information allows Domino servers in Domain Y to perform single signon with Domino servers in Domain X.