Configure single sign-on between WebSphere Portal and Lotus Domino
You configure the single sign-on (SSO) feature between the WebSphere Portal server and the IBM Lotus Domino servers so that authentication works the same way for all Lotus Domino and Extended Products Portlets. A user can log in to WebSphere Portal and then access portlets that contain information from a Lotus Domino application or service without having to enter additional credentials for authentication.
Before setting up SSO, review the following requirements and best practices.
- All servers participating in single sign-on must be in the same Internet domain.
- To enable single sign-on, enable the IBM LTPA capabilities included in both WAS and Lotus Domino. The WebSphere LTPA token generated by WAS is imported into Lotus Domino, and this token can be used for all servers within the Lotus Domino domain. Verify that automatic LTPA key generation is disabled on each node of the single sign-on domain. For instructions, see Retrieving the WebSphere LTPA key.
- To enable single sign-on across multiple Lotus Domino domains, import the same WebSphere LTPA token into those Lotus Domino domains. The Domino-WebSphere Portal Integration Wizard cannot integrate servers in multiple Lotus Domino domains.
- Best practice: Install and configure all Lotus Domino servers and then enable SSO for them all. For example, install and configure Lotus Domino messaging/applications servers, and servers for Lotus Sametime®, before you enable single sign-on.
- One Web SSO configuration document per Lotus Domino domain can be replicated to all the other Lotus Domino servers in that domain, but enabling multi-server authentication must be done individually for every server in a Lotus Domino domain.
- Additional configuration may be needed if WebSphere Portal is configured for multiple realms. See Problem: Single Sign-On may fail when the portal is configured to use multiple realms in the troubleshooting topic under Related concepts.
Wait! The Domino-WebSphere Portal Integration Wizard can do several parts of this task for you. The exceptions are increasing SSO security by preventing anonymous access, and the three testing and checking procedures (do these manually after running the wizard). Also, reconciling SSO across Lotus Domino and another LDAP directory, and enabling a third-party authentication server are not procedures compatible with the wizard, which integrates only a Lotus Domino LDAP directory.
1. Use LTPA keys to configure single sign-on
One approach to configuring single sign-on is to use the LTPA tokens included with IBM WebSphere Portal. To use the LTPA tokens, retrieve the tokens from the WebSphere Portal server and import them to the IBM Lotus Domino server.
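The requirements above (one Internet domain for every participating server, the same LTPA key imported everywhere, automatic key generation disabled on each node) can be checked before you test SSO. The following Python is an added example, not IBM's code or the wizard's; it assumes the LTPA key file exported from WAS is a Java properties file carrying `com.ibm.websphere.ltpa.3DESKey` and `com.ibm.websphere.ltpa.Realm`, and every key value in it is constructed.

```python
# Added example (not IBM code): consistency checks for a Portal/Domino SSO domain.
# Assumes the LTPA key file exported from WAS is a Java properties file carrying
# com.ibm.websphere.ltpa.3DESKey and com.ibm.websphere.ltpa.Realm; key material is constructed.
import hashlib

def internet_domain(hosts):
    """Longest DNS suffix shared by every host (two or more labels), else None.
    The LtpaToken cookie is scoped to that suffix; without one the browser never
    presents the portal's token to the Domino servers."""
    reversed_labels = [h.lower().rstrip(".").split(".")[::-1] for h in hosts]
    shared = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        shared.append(labels[0])
    return "." + ".".join(reversed(shared)) if len(shared) >= 2 else None

def parse_ltpa_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def key_fingerprint(props):
    """Short SHA-256 of the shared 3DES key: comparable without exposing the key."""
    return hashlib.sha256(props["com.ibm.websphere.ltpa.3DESKey"].encode()).hexdigest()[:16]

def check_sso_domain(key_files):
    """key_files: server hostname -> text of the LTPA key file on that server."""
    findings = []
    if internet_domain(key_files) is None:
        findings.append("servers do not share one Internet domain; LtpaToken cookie cannot reach them all")
    parsed = {host: parse_ltpa_properties(text) for host, text in key_files.items()}
    fps = {host: key_fingerprint(p) for host, p in parsed.items()}
    if len(set(fps.values())) > 1:
        # A node holding its own key cannot validate tokens the others issue; the usual
        # cause is automatic LTPA key generation left enabled on that node.
        findings.append("LTPA key mismatch: " + ", ".join(f"{h}={fp}" for h, fp in sorted(fps.items())))
    realms = {p.get("com.ibm.websphere.ltpa.Realm") for p in parsed.values()}
    if len(realms) > 1:
        findings.append("LTPA realm mismatch: " + ", ".join(sorted(map(str, realms))))
    return findings

# Constructed sample: portal and mail server share a key, the Sametime server regenerated its own.
PORTAL_KEY = "com.ibm.websphere.ltpa.3DESKey=QUJDREVGMDEyMzQ1Njc4OQ==\ncom.ibm.websphere.ltpa.Realm=portalRealm\n"
ROGUE_KEY = "com.ibm.websphere.ltpa.3DESKey=WllYVzk4NzY1NDMyMTBBQg==\ncom.ibm.websphere.ltpa.Realm=portalRealm\n"
```

Run `check_sso_domain` over the key files of all portal, Domino and Sametime nodes; an empty list means the domain and key prerequisites are met, and each finding names the node to fix before the manual SSO test.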
2. Enable a third-party authentication server to work with the Lotus Notes View portlet
If IBM Lotus Domino is the back-end system and the WebSphere Portal installation is configured for single sign-on through a third-party authentication system such as Computer Associates eTrust SiteMinder, messaging portlets such as Lotus Notes View require parameters to manage custom authentication with the Lotus Domino server.
3. Test single sign-on between WebSphere Portal, Domino, and Sametime servers
Use a Web browser to go to a Web page where you can test the operation of single sign-on between the portal server and the IBM Lotus Domino or IBM Lotus Sametime server.