Enabling single sign-on for Domino®
If your organization uses HCL Connections™ in a Domino® environment, you can enable single sign-on (SSO) for easier user authentication.
Before you begin
Start your Domino® server.
Ensure that you have a user ID with administrative access to the Domino® server.
Configure an LDAP server as the user directory.
- This is an optional configuration.
- If you are using a reverse proxy, you must specify the reverse proxy address in the LotusConnections-Config.xml file.
- If you are enabling SSO between Connections and a product that is deployed on a pre-6.1 version of WebSphere® Application Server, you must first complete the steps described in the Enabling single sign-on for stand-alone LDAP topic.
About this task
Single sign-on enables users to log into one HCL Connections™ application and switch to other applications without needing to authenticate again.
By default, applications deployed within the same WebSphere® Application Server cell are enabled for single-sign-on. To support this, the application servers share the same set of LTPA keys and the same LDAP directory configuration. Use these instructions if you want to set up SSO where Connections and Domino® use different LDAP directory configurations or are hosted in different WAS cells.
The Configuring user name mapping in the SSO LTPA token topic in the Domino® information center can help you choose the correct configuration parameters for your environment.
To enable SSO for Domino®, complete the following steps:
Procedure
-
Configure the LDAP for Connections:
- Log into the WebSphere® Application Server Integrated Solutions Console on the Deployment Manager.
- Click .
- Select Federated Repositories from the Available realm definitions field and then click Configure.
- Enter the realm name of the LDAP server in the Realm name field. For example: enterprise.example.com:389.
- Click Apply and then click Save.
- Synchronize the nodes.
- Restart your Connections deployment.
- Configure the domain name:
- Export the LTPA key file:
- Log into the WebSphere® Application Server Integrated Solutions Console on the Deployment Manager.
- Click .
- In LTPA. click
- In the Password and Confirm password fields, enter the password that protects the exported key.
- Enter the file name of the key file that you want to generate in the Fully qualified key file name field.
- Click Export keys.
- Click Apply and then click Save.
- Set up the SSO configuration document on the Domino® server by completing the steps in the Creating a Web SSO configuration document topic in the Domino® information center.
-
Verify that the Domino® server maps correctly between
the user IDs stored in the LDAP that is used by Connections and the Domino® address book.
- If user names are present in both the LDAP directory and the Domino® Directory:
- In the user Person document, click Administration.
- Under Client Information, enter the user name DN that is expected by WebSphere® Application Server in the LTPA user
name field. Note: Typically, this name is the user's LDAP distinguished name (DN). Separate the name components with slashes. For example, if the DN is uid=jdoe,cn=sales,dc=example, dc=com, enter the following value: uid=jdoe/cn=sales/dc=example/dc=com.
- If user names are present in the LDAP directory only:
- Open the Directory Assistance document for the LDAP directory. Alternatively, create a directory assistance database and configure the Domino® server to use this database.
- In the SSO Configuration section, enter an LDAP attribute for the name in
an SSO token. Note: This attribute is used in the LTPA token when the LTPA_UserNm field is requested. Ensure that the selected field contains the user name that WebSphere® Application Server expects. Options for this field include:
- To use the LDAP distinguished name, enter a value of $DN. This is the most common configuration; it indicates that the user's LDAP DN is the name expected by WebSphere® Application Server, rather than a name in an arbitrary LDAP field.
- Use any appropriate LDAP attribute, provided it uniquely identifies the user.
- Leave the field blank to default to the Domino® distinguished name, if known. Otherwise, the default is the LDAP distinguished name.
- If user names are present in both the LDAP directory and the Domino® Directory:
- Configure Domino® Server
to use the new Web SSO Configuration Document: