Topics

Beginning with R5.0.5, Web users can log on once to a Domino or WebSphere server, then access any other Domino or WebSphere server in the same DNS domain that are enabled for Single Sign-on (SSO) without logging on again. This is accomplished by selecting a new "Multi-server" option (in a Server document) for session-based authentication, along with creating a new domain-wide configuration document in the Domino Directory called the Web SSO Configuration document. This document, which should be replicated to all servers participating in the Single Sign-on domain, is encrypted for participating servers and contains a shared secret used by servers for authenticating user credentials.

All servers participating in Single Sign-on must be at the Domino 5.0.5 level or above. The users' Web browsers must have cookies enabled since the authentication token that is generated by the server is transported to the browser in a cookie.

Notes:

• The Web SSO Configuration document must be created using a Notes Client that is R5.0.5.
• You can create only one Web SSO Configuration document in your domain.
• You can create Single Sign-on across multiple domains. (For instructions, refer to the "Setting up the Web SSO Configuration document for more than one Domino domain" section below.)
• Domino Single Sign-on has been tested on all Domino supported platforms. WebSphere Single Sign-On with Domino has been tested with WebSphere 3.5 on NT only.
• For more information, refer to the Release Note "Troubleshooting Single Sign-on for Domino and WebSphere."

1. In the Domino Directory, select the Servers view.

2. Select the Web... pull-down menu button.

3. Select Create Web SSO Configuration.

4. In the document, select the Keys... pull-down menu button.

5. Initialize the Web SSO Configuration with the shared secret in one of two ways:


1. Domino only (no WebSphere servers participating in Single Sign-on).

1. Select Create Domino SSO Key.

2. Domino and WebSphere (Single Sign-on with WebSphere 3.5).

1. Select Import WebSphere LTPA Keys.

2. Browse and select the WebSphere LTPA export file (See WebSphere documentation for details).

3. Enter the password (Specified when generating the keys in WebSphere).

4. The document should update to reflect the information in the export file.

6. Configure the Token Expiration field. Note that a token does not expire based on inactivity, it is valid for only the number of minutes specified from the time of issue.

7. In the Token Domain field, enter the DNS domain (for example, lotus.com) for which the tokens will be generated. The servers enabled for Single Sign-on must all belong to the same DNS domain. This is a required field.

8. In the Server Names field, enter the servers that will be participating in Single Sign-on. This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Server Names field.

Note: Groups and wildcards are not allowed in the fields. WebSphere servers do not get listed as a participating server in the Server Names field, only Domino Servers.

9. Save the Web SSO Configuration document. It will appear in the Web Configurations view.

1. Edit the Server document.

2. Select the Ports tab -> Internet Ports tab -> Web tab, enable Name & Password authentication for the HTTP port.

3. Select the Internet Protocols tab -> Domino Web Engine tab, select Multi-server in the Session authentication field.

4. Save the Server document.

1. Start the HTTP web server.

2. On the Domino console, the following message should appear:

HTTP: Successfully loaded Web SSO Configuration.

3. If a server enabled for Single Sign-on cannot find a Web SSO Configuration document or is not included in the Server Names field (and thus cannot decrypt the document), then the following message should appear on your server's console:

HTTP: Error Loading Web SSO configuration. Reverting to single-server session authentication.

1. An Administrator (with the rights to decrypt the Web SSO Configuration document in Domain X and to create documents in the Directory for Domain Y) should copy the Web SSO Configuration document out of the Directory for Domain X and paste it into the Directory for Domain Y.

2. Edit the Web SSO Configuration document for Domain Y and edit the "Participating Domino Servers" field to include only the servers with server documents in Domain Y that will participate in Single Sign-On.

3. Make sure that your client's location home server is set to a server in Domain Y. Save the document. It should now be encrypted for the participating Servers in Domain Y, and should enable servers in Domain Y to do Single Sign-On with servers in Domain X, as both domains are now using the same key information.

• When IIS's Directory Security is set to allow anonymous access, Single Sign-on will work with both Domino and WebSphere servers and Domino/IIS servers. If IIS's Directory Security is set to Basic Authentication or Windows NT Challenge/Response (NTLM), Single Sign-on is not supported for this release of Domino. NTLM is a Microsoft-specific protocol supported by Internet Explorer, in which the user's current NT logon account name is used to authenticate to the server. In both cases, IIS will authenticate the NT account name against the NT registry on the IIS Server first and because the user is already authenticated, a cookie is not generated nor honored.