Altering the Domino Web SSO configuration following the Sametime server installation
The IBM® Sametime® installation automatically enables and configures the Domino® SSO feature on the Domino server. In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Sametime server installation.
This topic discusses the following issues pertaining to the Sametime installation and the Domino SSO feature:
- SSO configurations performed by the Sametime installation - This section explains how the Sametime installation configures the Domino Web SSO feature. You can use this information to determine if it is necessary to alter the default SSO configuration following a Sametime server installation.
- Altering the SSO configuration - This section explains the most common reasons for altering the SSO configuration following the Sametime server installation. In multiple Sametime server environments, it is frequently necessary to add the Domino server names of Sametime servers to the Domino Web SSO Configuration document.
- Viewing and editing the Domino Web SSO configuration document - This section explains how to edit the Domino Web SSO configuration document in the Domino Directory. This document contains the parameters for the Web SSO configuration that you may need to change.
SSO configurations performed by the Sametime installation
The Sametime installation enables the Domino SSO feature and performs the SSO configurations described later in this topic. The Sametime installation:
- Creates a Web SSO Configuration document named LtpaToken. This document contains the SSO configuration needed for generation and validation of LTPA tokens. The following fields are populated into this document:
  - DNS Domain - To populate the DNS Domain field, the installation determines the fully-qualified domain name of the Sametime server computer and then subtracts the hostname value from the fully-qualified domain name.
For example, if the installation determines the fully qualified name of the Sametime server is "Sametimeserver.east.acme.com", the installation writes ".east.acme.com" in the DNS Domain field.
The LTPA token is then valid for the servers that belong to the DNS domain specified in the DNS Domain field.
  - Expiration (minutes) - This field specifies the length of time for which the LTPA token is valid. This value is 30 minutes by default. You may want to provide a longer value for the token expiration. Best practice is to use a setting of 120 minutes.
  - Domino Server Names - Each Domino/Sametime server that can accept the SSO token must be listed in the Domino Server Names field. By default, the installation writes only the name of the Domino server on which Sametime is installed in this field. It may be necessary to add the names of all other Domino/Sametime servers in the community to this field. For more information, see Altering the SSO configuration.
- Alters the Sametime/Domino server Server document. The installation changes the Internet Protocols-Domino Web Engine-Session authentication field in the Server document to the value "Multiple servers (SSO)." The Session authentication field must have the "Multiple servers (SSO)" value even if your Sametime community uses only one Sametime server. If the "Multiple servers (SSO)" value is not selected, the SSO feature will not function properly for Sametime.
Altering the SSO configuration
The default configuration meets the basic requirements necessary for a Sametime server to support SSO. In some cases, it may be necessary for the administrator to alter the DNS Domain field or the Domino Server Names field of the Domino Web SSO Configuration document following the Sametime server installation.
- Altering the DNS Domain field - The Sametime installation may not always accurately detect the fully-qualified domain name of the Sametime server computer. If this problem occurs, the DNS Domain field may not specify the appropriate DNS domain, and the administrator might need to manually edit the Domino Web SSO Configuration document to enter the appropriate value in the DNS Domain field. Follow the instructions in "Viewing and editing the Domino Web SSO Configuration document" to manually edit the document.
- Altering the Domino Server Names field - If the Sametime community consists of multiple Sametime/Domino servers, the Domino server names of all of the Sametime/Domino servers in the Sametime community must exist in the Domino Server Names field of the Domino Web SSO Configuration document. By default, the installation writes only the name of the Domino server on which Sametime is installed to this field. If you have multiple Sametime servers, it may be necessary to manually open the Domino Web SSO Configuration document and enter the names of the Domino/Sametime servers in the Domino Server Names field.
For example, if you have Sametimeserver1/East/Example and Sametimeserver2/East/Example in your Sametime community, and you install Sametimeserver3/East/Example, only Sametimeserver3/East/Example is written to the Domino Server Names field during the Sametime installation. The administrator may need to open the Domino Web SSO Configuration document and manually enter the names Sametimeserver1/East/Example and Sametimeserver2/East/Example in the Domino Server Names field on the Domino Web SSO Configuration document on Sametimeserver3/East/Example to ensure that all servers in the community are entered in this field. To manually open the Domino Web SSO Configuration document, see "Viewing and editing the Domino Web SSO Configuration document".
Note that in multiple server environments, the Domino Directory may already be replicated to the Domino server at the time the Sametime server is installed. If the Domino Directory already exists on the server and contains a Domino Web SSO configuration document, the Sametime installation will not attempt to alter the existing configuration in any way. In this case, the existing Domino Web SSO configuration document may already contain the names of the existing servers in the community and it may be necessary to add the name of the newly installed Sametime server to the Domino Web SSO configuration document.
For example, the names Sametimeserver1/East/Example and Sametimeserver2/East/Example may already exist in the Domino Web SSO configuration document in the Domino Directory on the server reserved for the Sametimeserver3/East/Example installation. Since the Sametimeserver3/East/Example installation does not alter an existing SSO configuration, that server name will not appear in the Domino Web SSO Configuration document following the Sametime server installation. In this scenario, it is necessary to open the Domino Web SSO configuration document in the Domino Directory on Sametimeserver3/East/Example and manually enter "Sametimeserver3/East/Example" in the Domino Server Names field. All other parameters in the existing Web SSO Configuration document should be valid for the newly-added server.
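The following is an added example, not IBM code, that mirrors the two checks described above: it derives the DNS Domain value the installer would write from a server's fully-qualified name (flagging a truncated result, the failure mode mentioned under "Altering the DNS Domain field") and reports which community servers are still missing from the Domino Server Names field. The WebSSOConfig structure, the audit function and the server names are constructed for illustration; only the field names and the 30/120 minute values come from the page.

```python
"""Offline audit of a Domino Web SSO Configuration document's key fields.
Example code, not part of IBM Sametime or Domino; values are constructed."""
from dataclasses import dataclass, field

DEFAULT_EXPIRATION_MINUTES = 30       # installer default stated on the page
RECOMMENDED_EXPIRATION_MINUTES = 120  # best-practice value stated on the page


def dns_domain_from_fqdn(fqdn: str) -> str:
    """Mimic the installer: drop the hostname label from the FQDN.
    'Sametimeserver.east.acme.com' -> '.east.acme.com'.
    Returns '' when no domain part can be derived (e.g. a bare hostname)."""
    labels = fqdn.strip().rstrip(".").split(".")
    if len(labels) < 2:
        return ""
    return "." + ".".join(labels[1:])


@dataclass
class WebSSOConfig:
    """Subset of the Web SSO Configuration document fields the page discusses."""
    dns_domain: str
    expiration_minutes: int = DEFAULT_EXPIRATION_MINUTES
    domino_server_names: list = field(default_factory=list)


def audit_web_sso(cfg: WebSSOConfig, community_servers: list) -> list:
    """Return a list of findings; an empty list means nothing needs editing."""
    findings = []
    # Fewer than two labels in the domain usually means the installer failed
    # to detect the FQDN, so the token would not be scoped to the right domain.
    if cfg.dns_domain.strip(".").count(".") < 1:
        findings.append(f"DNS Domain {cfg.dns_domain!r} looks truncated; set it manually")
    if cfg.expiration_minutes < RECOMMENDED_EXPIRATION_MINUTES:
        findings.append(f"Expiration is {cfg.expiration_minutes} min; "
                        f"best practice is {RECOMMENDED_EXPIRATION_MINUTES} min")
    # Domino names are compared case-insensitively (assumption for this example).
    listed = {name.lower() for name in cfg.domino_server_names}
    missing = [s for s in community_servers if s.lower() not in listed]
    if missing:
        findings.append("Add to Domino Server Names: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    # Constructed scenario from the text: only the newly installed server was written.
    community = ["Sametimeserver1/East/Example", "Sametimeserver2/East/Example",
                 "Sametimeserver3/East/Example"]
    doc = WebSSOConfig(dns_domain_from_fqdn("Sametimeserver3.east.example.com"),
                       domino_server_names=["Sametimeserver3/East/Example"])
    for line in audit_web_sso(doc, community):
        print(line)
```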
Altering the SSO key
By default the Sametime installation creates a Domino SSO key. If WebSphere® is participating in SSO, this key should be replaced by the WebSphere LTPA key to allow both Domino and WebSphere to have an identical key for token validation and generation. Do this by importing the LTPA key from WebSphere to Domino. For more information, see Setting up single sign-on for Sametime browser clients.
Viewing and editing the Domino Web SSO Configuration document
To view or edit the Web SSO configuration document that is created by the Sametime installation, do the following:
- From a Notes® client, open the Domino Directory on the Sametime server.
- Choose the view.
- In the navigation list, expand Web SSO Configurations.
- Double-click on the document titled Web SSO Configuration for LtpaToken to open the Domino Web SSO Configuration document.
- Click Edit to put the document in edit mode.
- Edit the appropriate field (for example, the DNS Domain or Domino Server Names field).
- Click Save and Close after editing the document.
- ST_TOKEN_TYPE must contain the name of the Web SSO document used by the Sametime Community server. The default value is LtpaToken.
- ST_ORG_NAME must contain the organization name that is set in the Web SSO document used by Sametime Community server. The default value is an empty organization name.