Configuring user name mapping in the SSO LTPA token
The LTPA token that is created to authenticate users for single sign-on includes the name of the user who has been authenticated. When HCL Domino® creates an LTPA token, it places the Domino® distinguished name in the token by default. If an IBM® WebSphere® Application Server obtains the token from a user trying to access the server, the WebSphere® server must be able to recognize this name format. If it does not, the token is ignored, single sign-on fails, and the user is prompted to log in again.
About this task
This situation typically occurs in end-user configurations in which multiple directories are used by the various servers participating in SSO, so a user may have multiple identities. For example, a user may be known in a WebSphere® LDAP directory as uid=jdoe,cn=sales,dc=renovations,dc=com, but in a Domino® directory the same user is John P Doe/Sales/Renovations. If WebSphere® receives an LTPA token containing a user name like John P Doe/Sales/Renovations, it attempts to find this user in the WebSphere® directory and, when it cannot, rejects the token.
Domino® administrators can map the user name that appears in a Domino-created LTPA token to the name expected by WebSphere®, so that the name is recognized in a mixed Domino® and WebSphere® environment where Domino® and WebSphere® do not share the same directory.
How you specify the user name to be used in the LTPA token depends on the directory configuration used in your single sign-on environment:
- If HCL Notes® user information is contained only in a Domino® Directory, you specify the user name mapping in the Person document.
- If Notes® user information is contained in a corporate LDAP directory, you configure the user name mapping in Directory Assistance.
- If the organization uses both Domino® and LDAP directories, you configure both the Domino® person record and the Directory Assistance SSO information.
As LDAP directory fields and Domino® directory fields generally do not have a one-to-one correspondence, the use of Directory Assistance documents for name mapping allows LDAP administrators to specify which LDAP field should be used as the equivalent of the LTPA User Name field.
To configure user name mapping in a Domino® Directory environment
About this task
In this environment, there are Domino® SSO users who have Person records in the Domino® directory.
Procedure
- Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the Map names in LTPA token option.
- In the user's Person document, click Administration. Under Client Information, enter the user name DN that WebSphere® expects in the LTPA user name field. The value entered in this field must be unique; that is, it must not match more than one person in the organization. Typically, this is the user's LDAP distinguished name (DN). Be sure to separate the name components with forward slashes (/). For example, if the LDAP DN is uid=jdoe,cn=sales,dc=renovations,dc=com, enter the value as follows: uid=jdoe/cn=sales/dc=renovations/dc=com
Results
Although the name is entered into the LTPA user name field in Domino® format, Domino® transforms the configured LTPA user name into the LDAP format that WebSphere® expects before placing it into the Domino-created LTPA token.
To configure user name mapping in a corporate LDAP directory environment (a mixed Domino® and LDAP directory environment)
About this task
In this environment, some or all Domino® users do not have Person records in the Domino® directory. Instead, these Domino® users have records in an external LDAP directory that is accessible to Domino® through Directory Assistance.
Procedure
- Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the Map names in LTPA token option.
- Open the Directory Assistance document for the LDAP directory. In the SSO Configuration section, enter the LDAP attribute to use as the name in an SSO token created for this user. This attribute is used in the LTPA token when the LTPA_UserNm field is requested. Make sure that the selected attribute contains the user name that WebSphere® expects.
Options for this field include:
  - Any appropriate LDAP attribute, as long as it uniquely identifies the user.
  - The value $DN, to use the LDAP distinguished name. This is the most common configuration, indicating that the user's LDAP DN is the name WebSphere® expects, rather than a name in some arbitrary LDAP field.
  - Blank, to default to the Domino® distinguished name, if known; otherwise, the default is the LDAP distinguished name.
Results
If Directory Assistance is configured such that a search on a particular user finds a match in both the Domino® Directory and in an LDAP directory, Domino® requires consistency between the Domino® Person record and the LDAP record. Domino® takes extra steps to determine that the Internet email address has matching values in both directories. To do this, Directory Assistance searches for the user's LDAP mail attribute; this value must match the Domino® Person record field internetaddress.

Attribute in LDAP Directory | Attribute in Domino® Directory
---|---
mail: Jbond@secret.spies.com | internetaddress: Jbond@secret.spies.com
Keep in mind these additional considerations when setting up name mapping:
- To support aliasing, in the Person document, add the LDAP name both to the LTPA_UserNm field and as a secondary value in the User Name field (document property Fullname).
- An HCL Sametime® server does not support Internet Sites configurations.
- Name mapping in the LTPA token is not supported when user information is stored in condensed directory catalogs.
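The following is an added example, not HCL's code or part of this page: an offline check an administrator could run over exported Person documents and LDAP entries before enabling Map names in LTPA token. It applies the slash-to-comma rule described in the Domino® Directory procedure, checks that the mapped name identifies exactly one LDAP entry, that it is also a secondary User Name value (the aliasing consideration), and that the LDAP mail attribute matches internetaddress (the Directory Assistance consistency check). The data classes, the sample data and case-insensitive DN comparison are assumptions; it also assumes no name component contains a literal slash.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class LdapEntry:           # constructed stand-in for an LDAP directory entry
    dn: str                # LDAP distinguished name
    mail: str              # LDAP mail attribute


@dataclass
class PersonDoc:           # constructed stand-in for a Domino Person document
    fullname: list[str]    # User Name field: primary name first, aliases after
    internetaddress: str   # Person record field internetaddress
    ltpa_usernm: str = ""  # LTPA user name field, slash-separated form


def to_ldap_dn(ltpa_usernm: str) -> str:
    """'uid=jdoe/cn=sales/dc=renovations/dc=com' -> comma-separated LDAP DN.
    Plain slash-to-comma reversal as the page describes, not HCL's code."""
    parts = [p.strip() for p in ltpa_usernm.strip("/").split("/") if p.strip()]
    if not parts or any("=" not in p for p in parts):
        raise ValueError(f"not a slash-separated DN: {ltpa_usernm!r}")
    return ",".join(parts)


def to_domino_form(ldap_dn: str) -> str:
    """Inverse: RDN separators (commas) become slashes; tolerates stray spaces."""
    return "/".join(p.strip() for p in ldap_dn.split(","))


def check_person(person: PersonDoc, ldap_entries: list[LdapEntry]) -> list[str]:
    """Return the problems to fix before enabling 'Map names in LTPA token'."""
    problems = []
    if not person.ltpa_usernm:
        return ["LTPA user name field is empty"]
    mapped = to_ldap_dn(person.ltpa_usernm).lower()  # assumed case-insensitive DNs
    matches = [e for e in ldap_entries if e.dn.lower() == mapped]
    if len(matches) != 1:  # the value must identify exactly one user
        problems.append(f"LTPA user name matches {len(matches)} LDAP entries, expected 1")
    if person.ltpa_usernm not in person.fullname[1:]:  # aliasing consideration
        problems.append("LTPA user name is not a secondary User Name value")
    if matches and matches[0].mail.lower() != person.internetaddress.lower():
        problems.append(f"LDAP mail {matches[0].mail!r} does not match "
                        f"internetaddress {person.internetaddress!r}")  # DA check
    return problems
```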