Configuring single sign-on between WebSphere Portal Express and Lotus Domino
You configure the single sign-on (SSO) feature between the IBM® WebSphere® Portal Express server and the IBM Lotus® Domino® servers so that authentication works the same way for all Domino and Extended Products Portlets. A user can log into WebSphere Portal Express and then access portlets that contain information from a Lotus Domino application or service without having to enter additional credentials for authentication.
Wait! The Domino-WebSphere Portal Express Integration Wizard can do several parts of this task for you. The exceptions are creating a custom login form for Lotus QuickPlace, increasing SSO security by preventing anonymous access, and the three testing and checking procedures (do these manually after running the wizard). Also, reconciling SSO across Lotus Domino and another LDAP directory, and enabling a third-party authentication server, are not compatible with the wizard, which integrates only a Lotus Domino LDAP directory.
Understanding Single Sign-On
- A best practice is to install and configure all Lotus Domino servers and then enable single sign-on for them all. For example, install and configure servers for Lotus Domino messaging/applications servers, and servers for Lotus QuickPlace and Lotus Sametime, before you enable single sign-on.
- All servers participating in single sign-on must be in the same Internet domain.
- To enable single sign-on, enable the IBM LTPA capabilities included in both WebSphere Application Server and Lotus Domino. The WebSphere LTPA token generated by WebSphere Application Server is imported into Lotus Domino, and this token can be used for all servers within the Lotus Domino domain.
- To enable single sign-on across multiple Lotus Domino domains, import the same WebSphere LTPA token into those Lotus Domino domains. Note: The Domino-WebSphere Portal Express Integration Wizard cannot integrate servers in multiple Lotus Domino domains.
- One Web SSO configuration document per Lotus Domino domain can be replicated to all the other Lotus Domino servers in that domain, but enabling multi-server authentication must be done individually for every server in a Lotus Domino domain.
- Additional configuration may be needed if WebSphere Portal Express is configured for multiple realms. See "Problem: Single Sign-On may fail when the portal is configured to use multiple realms" in the troubleshooting topic under Related concepts.
The following set of tasks for configuring SSO assumes that no Web SSO configuration document exists in Lotus Domino. Before you begin the SSO tasks, to see whether a document exists and whether it contains the required WebSphere LTPA key file, perform the following steps:
- In the Lotus Notes client, open the NAMES.NSF file on the Domino server you want to include in single sign-on (for example, a Domino messaging/application server, or a Domino server running Lotus QuickPlace or Lotus Sametime).
- Click to open the Web Configurations view. If you see a "Web SSO Configurations" triangle with a Web SSO Configuration for LTPA document, the Web SSO configuration document already exists.
- If the document exists and already contains the WebSphere LTPA key, perform the following steps:
  - Open the document on the server where it was created, and add the name of the Lotus Domino server you want to include in single sign-on to the Domino Server Names field in the document.
  - Replicate the change to any other Lotus Domino servers in your site by typing the following command on the Lotus Domino server console on the source server (the server where you added the new server's name):
    rep server_name/org_name names.nsf
  - For the change to take effect, restart the Lotus Domino server where you typed the command.
  - Instead of performing the sequence of single sign-on configuration tasks in the section below, proceed to Testing single sign-on.
- If the Web SSO configuration document does not exist, contains a different key (for example, a key created during the installation of Lotus Sametime), or if you are unsure whether it is the same key exported from your WebSphere Portal Express server, perform the following steps to delete the unwanted key:
  - Locate the document that contains the key.
  - Set Session authentication to disabled for each participating server listed in the document.
  - Delete the document that contains the key, or back it up under a name other than "LtpaToken."
  - Replicate this change to all other Lotus Domino servers in your site as above.
  - Re-acquire the key by performing all the following tasks listed for configuring single sign-on.
The following tasks configure single sign-on (SSO) between WebSphere Portal Express and Lotus Domino. To include a Lotus Domino server running Lotus QuickPlace or Lotus Sametime in single sign-on, perform all tasks. To include a Lotus Domino messaging/application server, perform all tasks except the support for Inline QuickPlace. If the WebSphere Portal Express server is using an LDAP directory other than Lotus Domino, but the Collaborative Services are using a Lotus Domino LDAP, perform the last task.
Checklist of tasks
- Retrieving the WebSphere LTPA key
You retrieve the WebSphere LTPA key from the IBM WebSphere Portal Express server so that you can use the key on the IBM Lotus Domino server that runs the Domino Extended Product for which you are configuring single sign-on (for example, IBM Lotus QuickPlace® or IBM Lotus Sametime, or Lotus Domino on a messaging/application server).
- Importing the WebSphere LTPA key into Lotus Domino
You create a Web SSO configuration document on the IBM Lotus Domino server that runs the Domino and Extended Product or application (for example, a Lotus Domino back-end messaging server or an IBM Lotus Sametime or IBM Lotus QuickPlace server). Then you import the WebSphere LTPA key retrieved from the IBM WebSphere Portal Express server into the document, so that the same token can be used for single sign-on on both servers.
- Enabling multi-server SSO authentication
When you enable multi-server SSO authentication between the IBM Lotus Domino and IBM WebSphere Portal Express servers, Lotus Domino can authenticate users in the Web browser by examining LTPA tokens.
- Providing a custom login form for Lotus QuickPlace
Create the Domino Web Services configuration database (domcfg.nsf), a database that functions as a container for custom HTML pages. You then use the database to provide a custom form (QuickPlaceLoginForm) displayed during the process of authenticating portal users with a name and password.
- Increasing SSO security by preventing anonymous access to HTML files
You can modify the NOTES.INI file to prevent anonymous access to files in the HTML directory. The NoWebFileSystemACLs parameter, when set equal to 1 in the NOTES.INI file, prevents anonymous access to files served up in the HTML directory on the IBM Lotus Domino server, increasing security and reliance on the single sign-on method of authentication.
- Testing single sign-on for Lotus Domino, Lotus QuickPlace, or Lotus Sametime
Use your Web browser to go to a Web page where you can test the operation of single sign-on between the portal server and the IBM Lotus Domino, IBM Lotus QuickPlace, or IBM Lotus Sametime server.
- Checking the page source for awareness configuration
In a browser, determine whether awareness provided by the Lotus Sametime server and the STLinks applet is properly configured by examining the page source.
- Reconciling single sign-on across Lotus Domino and another LDAP directory
When the portal authenticates against a non-Lotus Domino LDAP user directory such as IBM Tivoli® Directory Server, and Lotus Collaborative Services authenticates against a Lotus Domino LDAP directory, administrators must perform tasks to synchronize names across the directories to support single sign-on.
- Enabling a third-party authentication server to work with the Lotus Notes View portlet
If IBM Lotus Domino is your back-end system and your WebSphere Portal Express installation is configured for Single Sign-on through a third-party authentication system, messaging portlets such as Lotus Notes View require parameters to manage custom authentication with the Lotus Domino server.
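Two of the prerequisites above can be checked before running the wizard: every participating server must sit in the same Internet domain (the LTPA cookie is scoped to that domain, so a host outside it never receives the token), and NOTES.INI should carry NoWebFileSystemACLs=1. The following is an added example, not IBM code; the host names and the NOTES.INI excerpt are constructed samples.

```python
# Added pre-flight checks for Domino/WebSphere Portal Express SSO; not IBM code.
# Checks two facts from the topic: every server sharing the LTPA token must be in
# the same Internet domain (the LTPA cookie is scoped to that domain), and
# NOTES.INI should carry NoWebFileSystemACLs=1 so anonymous users cannot read
# files in the Domino HTML directory. Host names and NOTES.INI text below are
# constructed samples.


def in_sso_domain(host, sso_domain):
    """True if a cookie scoped to sso_domain would be sent to host.

    Compared on whole DNS labels: 'example.com' matches 'mail.example.com'
    and 'example.com', but not 'notexample.com' (a plain endswith() would).
    """
    host = host.lower().rstrip(".")
    sso_domain = sso_domain.lower().strip(".")
    return host == sso_domain or host.endswith("." + sso_domain)


def hosts_outside_sso_domain(hosts, sso_domain):
    """Participating servers that would never receive the LtpaToken cookie."""
    return [h for h in hosts if not in_sso_domain(h, sso_domain)]


def parse_notes_ini(text):
    """Parse NOTES.INI (key=value per line, ';' comments); keys are
    case-insensitive in Domino, so they are lower-cased here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def anonymous_html_blocked(text):
    """True only when NoWebFileSystemACLs=1 is present in NOTES.INI."""
    return parse_notes_ini(text).get("nowebfilesystemacls") == "1"


# Constructed sample input, not from a real deployment.
SAMPLE_HOSTS = ["portal.example.com", "mail.example.com",
                "quickplace.example.com", "sametime.notexample.com"]
SAMPLE_NOTES_INI = "; constructed excerpt\nDirectory=d:\\notes\\data\nNoWebFileSystemACLs=0\n"

if __name__ == "__main__":
    print("outside SSO domain:", hosts_outside_sso_domain(SAMPLE_HOSTS, "example.com"))
    print("anonymous HTML blocked:", anonymous_html_blocked(SAMPLE_NOTES_INI))
```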
Parent topic: Integrating Lotus Domino and the Extended Products and Portlets into WebSphere Portal Express
Previous topic: Integrating the Lotus Sametime server and portlets
Related concepts
Domino-WebSphere Portal Express Integration wizard overview
Related reference
Troubleshooting Lotus Domino and the Extended Products