Configure single sign-on between WebSphere Portal and Lotus Domino


You configure the single sign-on (SSO) feature between the IBM WebSphere Portal and IBM Lotus Domino servers so that authentication works the same way for all Domino and Extended Products Portlets. A user can log into the portal and then access portlets that contain information from a Lotus Domino application or service without having to enter additional credentials for authentication.


Understanding Single Sign-On

  • A best practice is to install and configure all Lotus Domino servers and then enable single sign-on for them all. For example, install and configure servers for Lotus Domino messaging/applications servers, and servers for Lotus QuickPlace and Lotus Sametime, before you enable single sign-on.

  • All servers participating in single sign-on must be in the same Internet domain.

  • To enable single sign-on, enable the IBM LTPA capabilities included in both WebSphere Application Server and Lotus Domino. Lotus Domino imports the WebSphere LTPA token generated by WebSphere Application Server, and this token can be used for all servers within the Lotus Domino domain.

  • To enable single sign-on across multiple Lotus Domino domains, import the same WebSphere LTPA token into those Lotus Domino domains.

  • One Web SSO configuration document per Lotus Domino domain can be replicated to all the other Lotus Domino servers in that domain, but enabling multi-server authentication must be done on every server in a Domino domain.

The checklist of tasks for configuring SSO assumes that no Web SSO configuration document exists in Lotus Domino. Before you begin the checklist, to see whether a document exists and whether it contains the required WebSphere LTPA key file, perform the following steps:

  1. In the Lotus Notes client, open the NAMES.NSF file on the Domino server you want to include in single sign-on (for example, a Domino messaging/application server, or a Domino server running Lotus QuickPlace or Lotus Sametime).

  2. Click...

    Configuration | Web Configurations

    ...to open the Web Configurations view. If you see a Web SSO Configurations twistie (expandable triangle) that contains a Web SSO Configuration for LTPA document, the Web SSO configuration document already exists.

  3. If the document exists and already contains the WebSphere LTPA key, perform the following steps:

    1. Open the document on the server where it was created, and add the name of the Lotus Domino server you want to include in single sign-on to the Domino Server Names field in the document.

    2. Replicate the change to any other Lotus Domino servers in the portal site by typing the following command on the Lotus Domino server console on the source server (server where you added the new server's name):

          rep servername/org_name names.nsf 

    3. For the change to take effect, restart the Lotus Domino server where you typed the command.

    4. Instead of performing the sequence of single sign-on configuration tasks in the checklist below, proceed to Testing single sign-on.

  4. If the Web SSO configuration document does not exist, contains a different key, or if you are unsure if it is the same key exported from the WebSphere Portal server, perform the following steps:

    1. Delete the key.

    2. Replicate this change around to any other Lotus Domino server(s) in the portal site as above.

    3. Re-create the key by performing all the tasks listed in the following checklist for configuring single sign-on.

The following checklist of tasks configures single sign-on (SSO) between WebSphere Portal and Lotus Domino.

To include a Lotus Domino server running Lotus QuickPlace or Lotus Sametime in single sign-on, perform all tasks. To include a Lotus Domino messaging/application server, perform all tasks except the support for Inline QuickPlace.

If the portal server is using an LDAP directory other than Lotus Domino, but the Collaborative Services are using a Lotus Domino LDAP, perform the last task.

Checklist of tasks

  1. Create the WebSphere LTPA key
    Create the WebSphere LTPA key on the portal server so that we can export and use the key on the IBM Lotus Domino server that runs the Domino Extended Product for which you are configuring single sign-on (for example, IBM Lotus QuickPlace or IBM Lotus Sametime, or Lotus Domino on a messaging/application server).

  2. Import the WebSphere LTPA key into Lotus Domino
    Create a Web SSO configuration document on the IBM Lotus Domino server that runs the Domino Extended Product or application (for example, a Lotus Domino back-end messaging server or an IBM Lotus Sametime or IBM Lotus QuickPlace server). Then import the WebSphere LTPA key created on the IBM WebSphere Portal server into the document, so that the same token can be used for single sign-on on both servers.

  3. Enable multi-server SSO authentication
    When you enable multi-server SSO authentication between the Lotus Domino and WebSphere Portal servers, Lotus Domino can authenticate users in the Web browser by examining LTPA tokens.

  4. Provide a custom login form for Lotus QuickPlace
    Create the Domino Web Services configuration database (domcfg.nsf), a database that functions as a container for custom HTML pages. Then use the database to provide a custom form (QuickPlaceLoginForm) displayed during the process of authenticating portal users with a name and password.

  5. Increase SSO security by preventing anonymous access to HTML files
    We can modify the NOTES.INI file to prevent anonymous access to files in the HTML directory. When the NoWebFileSystemACLs parameter is set to 1 in the NOTES.INI file, Lotus Domino no longer serves files in its HTML directory to anonymous users, which increases security and makes single sign-on the only route to that content.

  6. Test single sign-on for Lotus Domino, Lotus QuickPlace, or Lotus Sametime
    Use the Web browser to go to a Web page where we can test the operation of single sign-on between the portal server and the IBM Lotus Domino, IBM Lotus QuickPlace, or IBM Lotus Sametime server.

  7. Test meeting services for Inline QuickPlace
    You test meeting services by publishing a meeting and checking that the invitees receive the notification.

  8. Check the page source for awareness configuration
    In a browser, determine whether awareness provided by the Lotus Sametime server and the STLinks applet is properly configured by examining the page source.

  9. Reconcile single sign-on across Lotus Domino and another LDAP directory
    When the portal authenticates against a non-Lotus Domino LDAP user directory such as IBM Tivoli Directory Server, and Lotus Collaborative Services authenticates against a Lotus Domino LDAP directory, administrators must perform tasks to synchronize names across the directories to support single sign-on.
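Three prerequisites behind this checklist can be verified before you begin: every participating server sits in one Internet domain, the LtpaToken cookie the portal issues is scoped to that domain, and NOTES.INI on the Domino server sets NoWebFileSystemACLs=1. The Python script below is an added example, not IBM's code; the host names, the Set-Cookie header and the NOTES.INI contents in it are constructed placeholders to be replaced with your own values.

```python
"""Pre-flight checks for the WebSphere Portal / Lotus Domino LTPA SSO checklist (added example)."""
from http.cookies import SimpleCookie

# Constructed sample inputs; replace with your own hosts, the portal's Set-Cookie header and NOTES.INI.
HOSTS = ["portal.example.com", "domino-mail.example.com", "sametime.example.com"]
SET_COOKIE = "LtpaToken=c29tZXRva2Vu; Domain=.example.com; Path=/"
NOTES_INI = "ServerTasks=Update,Replica,Router,HTTP\nNoWebFileSystemACLs=1\n"

def internet_domain(host: str) -> str:
    """Drop the host label: portal.example.com -> example.com (two-label names are kept whole)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[1:] if len(labels) > 2 else labels)

def same_internet_domain(hosts) -> bool:
    """All SSO participants must share one Internet domain, because the LTPA cookie is scoped to it."""
    return len({internet_domain(h) for h in hosts}) == 1

def ltpa_cookie_domain(set_cookie_header: str):
    """Domain attribute of the LtpaToken cookie, or None if the cookie or the attribute is missing."""
    jar = SimpleCookie(set_cookie_header)
    token = jar.get("LtpaToken")
    return token["domain"].lstrip(".").lower() or None if token else None

def cookie_covers_hosts(set_cookie_header: str, hosts) -> bool:
    """True when every participating host falls under the cookie's Domain attribute."""
    dom = ltpa_cookie_domain(set_cookie_header)
    if dom is None:
        return False
    return all(h.lower() == dom or h.lower().endswith("." + dom) for h in hosts)

def notes_ini_setting(text: str, key: str):
    """Case-insensitive lookup of key=value in NOTES.INI text; lines starting with ';' are comments."""
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and not name.startswith(";") and name.strip().lower() == key.lower():
            return value.strip()
    return None

def anonymous_html_access_blocked(text: str) -> bool:
    """Checklist task 5: NoWebFileSystemACLs=1 blocks anonymous access to the HTML directory."""
    return notes_ini_setting(text, "NoWebFileSystemACLs") == "1"

def run_checks(hosts=HOSTS, set_cookie=SET_COOKIE, notes_ini=NOTES_INI) -> dict:
    """Return a name -> bool map of the three prerequisites for the given inputs."""
    return {
        "same_internet_domain": same_internet_domain(hosts),
        "cookie_covers_hosts": cookie_covers_hosts(set_cookie, hosts),
        "anonymous_html_blocked": anonymous_html_access_blocked(notes_ini),
    }
```

Capture the real Set-Cookie header from a portal login response and read NOTES.INI from the Domino data directory, then pass them to run_checks; any False entry points at the checklist task to revisit.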
