Enabling single sign-on for Domino®
If your organization uses IBM® Connections in a Domino® environment, you can enable single sign-on (SSO) for easier user authentication.
Before you begin
Start your Domino® server.
Ensure that you have a user ID with administrative access to the Domino® server.
Configure an LDAP server as the user directory.
- This is an optional configuration.
- If you are using a reverse proxy, you must specify the reverse proxy address in the LotusConnections-Config.xml file.
- If you are enabling SSO between IBM® Connections and a product that is deployed on a pre-6.1 version of WebSphere® Application Server, you must first complete the steps described in the Enabling single sign-on for stand-alone LDAP topic.
About this task
Single sign-on enables users to log into one IBM® Connections application and switch to other applications without needing to authenticate again.
By default, applications deployed within the same WebSphere® Application Server cell are enabled for single sign-on. To support this, the application servers share the same set of LTPA keys and the same LDAP directory configuration. Use these instructions if you want to set up SSO where IBM® Connections and Domino® use different LDAP directory configurations or are hosted in different WAS cells.
The Configuring user name mapping in the SSO LTPA token topic in the IBM® Lotus® Domino® information center can help you choose the correct configuration parameters for your environment.
To enable SSO for Domino®, complete the following steps:
Procedure
- Configure the LDAP for IBM® Connections:
- Log into the WebSphere® Application Server Integrated Solutions Console on the Deployment Manager.
- Click .
- Select Federated Repositories from the Available realm definitions field and then click Configure.
- Enter the realm name of the LDAP server in the Realm name field. For example: enterprise.example.com:389.
- Click Apply and then click Save.
- Synchronize the nodes.
- Restart your IBM® Connections deployment.
- Configure the domain name:
- Export the LTPA key file:
- Log into the WebSphere® Application Server Integrated Solutions Console on the Deployment Manager.
- Click .
- In LTPA, click
- In the Password and Confirm password fields, enter the password that protects the exported key.
- Enter the file name of the key file that you want to generate in the Fully qualified key file name field.
- Click Export keys.
- Click Apply and then click Save.
- Set up the SSO configuration document on the Domino® server by completing the steps in the Creating a Web SSO configuration document topic in the Domino® information center.
- Verify that the Domino® server maps correctly between the user IDs stored in the LDAP that is used by IBM® Connections and the Domino® address book.
- If user names are present in both the LDAP directory and the Domino® Directory:
- In the user Person document, click Administration.
- Under Client Information, enter the user name DN that is expected by WebSphere® Application Server in the LTPA user name field. Note: Typically, this name is the user's LDAP distinguished name (DN). Separate the name components with slashes. For example, if the DN is uid=jdoe,cn=sales,dc=example,dc=com, enter the following value: uid=jdoe/cn=sales/dc=example/dc=com.
- If user names are present in the LDAP directory only:
- Open the Directory Assistance document for the LDAP directory. Alternatively, create a directory assistance database and configure the Domino® server to use this database.
- In the SSO Configuration section, enter an LDAP attribute for the name in an SSO token. Note: This attribute is used in the LTPA token when the LTPA_UserNm field is requested. Ensure that the selected field contains the user name that WebSphere® Application Server expects. Options for this field include:
- To use the LDAP distinguished name, enter a value of $DN. This is the most common configuration; it indicates that the user's LDAP DN is the name expected by WebSphere® Application Server, rather than a name in an arbitrary LDAP field.
- Use any appropriate LDAP attribute, provided it uniquely identifies the user.
- Leave the field blank to default to the Domino® distinguished name, if known. Otherwise, the default is the LDAP distinguished name.
- If user names are present in both the LDAP directory and the Domino® Directory:
- Configure Domino® Server to use the new Web SSO Configuration Document:
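The LTPA user name mapping described in the verification steps above (the LDAP DN rewritten with slashes for the Person document, and the $DN option in Directory Assistance) is easy to get subtly wrong when a DN contains spaces after commas or escaped commas inside a value. The following helper is an added example, not IBM's or Domino's own code; it converts an LDAP DN to the slash-separated form and checks an existing Person document value against the DN that WebSphere® Application Server expects. The function names and the sample DNs are constructed for illustration.

```python
def split_rdns(dn: str) -> list[str]:
    """Split an LDAP DN into its RDNs on unescaped commas (RFC 4514 syntax).
    A backslash-escaped comma such as 'cn=Doe\\, John' stays inside its RDN,
    and whitespace around each RDN is dropped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def ldap_dn_to_ltpa_username(dn: str) -> str:
    """Rewrite 'uid=jdoe,cn=sales,dc=example,dc=com' into the slash-separated
    value expected in the Person document's LTPA user name field:
    'uid=jdoe/cn=sales/dc=example/dc=com'."""
    return "/".join(split_rdns(dn))


def ltpa_username_matches(person_doc_value: str, websphere_dn: str) -> bool:
    """Compare a Person document's LTPA user name with the DN WebSphere expects.
    Attribute types compare case-insensitively and surrounding whitespace is
    ignored; a mismatch here is the usual reason an SSO token is rejected."""
    def normalise(parts):
        out = []
        for part in parts:
            attr, _, value = part.partition("=")
            out.append(f"{attr.strip().lower()}={value.strip()}")
        return out
    return normalise(person_doc_value.split("/")) == normalise(split_rdns(websphere_dn))


if __name__ == "__main__":
    # Constructed sample: the DN from the page and a Person document value to audit.
    dn = "uid=jdoe, cn=sales, dc=example, dc=com"
    print(ldap_dn_to_ltpa_username(dn))
    print(ltpa_username_matches("UID=jdoe/CN=sales/DC=example/DC=com", dn))
```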