Verify single signon between WebSphere Application Server and Lotus Domino

This topic discusses the verification of single signon between Domino and WebSphere Application Server. Before proceeding, verify that the following conditions are met:

• The LDAP directory contains at least one user that is defined for testing purposes.
• The WebSphere Application Server administrative console can be started for each of the WebSphere Application Server administrative domains that are involved in single signon.
• A user can authenticate to each administrative domain with a security name that is defined in the LDAP directory.
• At least one user in the LDAP directory is authorized to access at least one Domino resource, such as the Domino Directory.
• At least one user in the LDAP directory is authorized to access at least one WebSphere Application Server resource, such as the WebSphere administrative console.
• From a Web browser that is configured not to not accept HTTP cookies, you are able to reach the following resources after you enter a user ID and password:
  • WebSphere-protected resources (such as a servlet).
  • Domino-protected resources (such as a Lotus Notes database).

If all of the preliminary tests succeed, you are ready to verify that single signon is working correctly.

To test single signon between WebSphere Application Server and Domino, perform the following steps:

1. Restart your Web browser.

2. Configure the Web browser to accept HTTP cookies. (If you are using Internet Explorer, enable the per-session (not stored) type of cookies.

3. Configure the browser to notify you before it accepts HTTP cookies. The warning provides visual confirmation that Domino and WebSphere Application Server are generating and returning HTTP cookies to your browser after the server authenticates you. (You can suppress the cookie notifications after you verify that cookies are being exchanged.)

4. From the browser, specify the URL for a resource that is protected by the Domino server; for example, attempt to open a database that does not permit access to anonymous users, as shown in the following example:

   1. Make sure to use a fully qualified DNS host name in the URL; for example, enter http://myhost.mycompany.com/names.nsf instead of http://myhost/names.nsf.

   2. When you are prompted for a user ID and password, make sure that you specify a user ID that is authorized to resources for both the Domino and WebSphere application servers.

      The format of the name depends on the level of restriction that Domino enforces for Web users and whether a Domino directory or another LDAP directory is being used. (For details on the options for basic authentication, see the Domino 5 Administration Help (http://www-12.lotus.com/ldd/doc/domino_notes/5.0.3/help5_admin.nsf); in particular, see the information on controlling the level of authentication for Web clients.)

      The level of restriction that Domino enforces for Web users is set in the Web server authentication field on the Security window of the Server document. If you are using the default configuration settings, you can specify the user's short name or user ID.

   3. When you are prompted, accept the HTTP cookie.

   If you can successfully access such a resource, the token that is generated by the Domino server is accepted by WebSphere Application Server.

5. From the same browser session, attempt to access a resource that is protected by WebSphere Application Server. If single signon is working correctly, access is granted without prompting you to log in.

   Make sure to use the fully qualified DNS host name in the URL. For example, enter http://myhost.mycompany.com/snoop instead of http://myhost/snoop.

   Note: If you are getting a message about the session being expired or invalid, a possible cause is that the coordinated universal time offset is not set correctly on one of the systems. Verify that the system value QUTCOFFSET is correct.

6. From the same browser session, attempt to access resources that are managed by any additional Domino and WebSphere Application Server domains which are included in your single signon configuration.

7. Restart your browser session and perform the verification steps again; but this time, start by accessing a resource that is protected by WebSphere Application Server. This verifies that the token that WebSphere Application Server generates is accepted by the Domino server or servers. When you are prompted for a user ID and password, use the user's short name or user ID, which is the default naming convention for users in WebSphere Application Server.