Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to a Domino® or WebSphere® server and then access any other Domino or WebSphere server in the same DNS domain that is enabled for SSO without having to log in again.
About this task
User Web browsers must have cookies enabled since the authentication token that is generated by the server is sent to the browser in a cookie.
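The "same DNS domain" limit above follows directly from how browsers scope cookies: the browser only sends the SSO token cookie to hosts that domain-match the cookie's Domain attribute, so a server outside that domain never sees the token and cannot participate. The following Python is an added illustration, not part of this HCL documentation and not Domino's own code; it implements the RFC 6265 domain-match rule, and the host names are constructed for the example.

```python
import ipaddress

# Constructed example: servers that are supposed to share one SSO token cookie.
SAMPLE_HOSTS = [
    "mail.acme.example",
    "portal.acme.example",
    "acme.example",
    "acme.example.net",   # constructed: a different registrable domain, despite the shared prefix
    "notacme.example",    # constructed: shares a suffix string but is not a subdomain
    "10.0.0.5",
]


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 'domain-match': the host is the cookie domain itself, or a
    subdomain of it, and the host is not an IP address literal."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    if not domain or not host:
        return False
    if host == domain:
        return True
    try:
        ipaddress.ip_address(host)
        return False  # an IP literal never matches by suffix
    except ValueError:
        pass
    # A real subdomain must end with ".<domain>", so "notacme.example" does not match "acme.example".
    return host.endswith("." + domain)


def hosts_receiving_token(cookie_domain: str, hosts):
    """Return the hosts to which a browser would send a cookie scoped to cookie_domain,
    i.e. the servers that can actually take part in this SSO domain."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:25} receives token: {domain_matches(h, 'acme.example')}")
```

Running the block shows that only the three hosts under acme.example receive the token; the look-alike names and the IP literal do not, which is why every server that should participate in SSO must be addressed by a host name inside the configured DNS domain.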
You set this up by doing the following:
The SSO feature makes logging in and using multiple servers in a mixed environment easier for users. Use the following list to configure your Domino environment to ensure that your SSO configuration is successful.
Enabling single sign-on and basic authentication
This procedure ensures that a server can participate in single sign-on (SSO). An SSO-enabled server creates single sign-on cookies for users, allowing them to log in to the server and then access other participating servers without having to log in again.

Setting up the Web SSO Configuration document for more than one Domino domain
You can enable servers in your current Domino domain for single sign-on (SSO) with servers in another Domino domain by setting up both domains to use the same key information.

Configuring user name mapping in the SSO LTPA token
The LTPA token that is created to authenticate users for single sign-on includes the name of the user who has been authenticated. When HCL Domino creates an LTPA token, it places the Domino distinguished name in the token by default. If an IBM® WebSphere® Application Server obtains the token from a user trying to access the server, the WebSphere server must be able to recognize this name format. If it does not, the token is ignored, single sign-on fails, and the user is prompted to log in again.

Caching Internet password changes for SSO
When Web users change their Internet passwords, the HCL Domino HTTP server remembers the new Internet password in its cache. Caching is required because it can take some time for the password change to take effect: the change must be processed by the Domino administration server and replicated throughout the Domino environment.

Setting up Windows single sign-on for Web clients
You can set up a Domino Web server to honor Microsoft™ Windows™ users' Active Directory logon credentials. Web users who are logged on to the Active Directory domain can open applications on the server from a browser without being prompted for a password.
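To make the name-format point under "Configuring user name mapping in the SSO LTPA token" concrete: a Domino distinguished name is written with slash-separated components ("CN=Jane Doe/OU=Sales/O=Acme", or the abbreviated "Jane Doe/Sales/Acme"), whereas a WebSphere server backed by an LDAP user registry expects the comma-separated RFC 4514 syntax ("CN=Jane Doe,OU=Sales,O=Acme"). The following Python is an added example, not HCL's code and not the mechanism Domino itself uses to map names; it converts between the two syntaxes with proper RDN escaping. The sample names are constructed, and the abbreviated-form handling assumes the name has no country (C=) component.

```python
# Constructed sample: Domino distinguished names in canonical and abbreviated form.
SAMPLE_NAMES = [
    "CN=Jane Doe/OU=Sales/O=Acme",
    "Jane Doe/Sales/Acme",
    "CN=Smith, John/OU=R&D/O=Acme",   # a comma inside a value must be escaped in LDAP syntax
]

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_LDAP_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a single RDN value per RFC 4514: special characters anywhere,
    plus a leading '#' or space and a trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _LDAP_SPECIALS or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def notes_to_ldap_dn(notes_name: str) -> str:
    """Convert a Domino name ('CN=x/OU=y/O=z' or abbreviated 'x/y/z') to an LDAP DN.
    Abbreviated form (assumption for this example): first component is CN, last is O,
    anything in between is OU; country components are not handled."""
    parts = [p.strip() for p in notes_name.split("/") if p.strip()]
    if not parts:
        raise ValueError("empty Domino name")
    rdns = []
    for idx, part in enumerate(parts):
        if "=" in part:
            attr, _, value = part.partition("=")
            attr, value = attr.strip().upper(), value.strip()
        else:
            if idx == 0:
                attr = "CN"
            elif idx == len(parts) - 1:
                attr = "O"
            else:
                attr = "OU"
            value = part
        rdns.append(f"{attr}={escape_rdn_value(value)}")
    return ",".join(rdns)


def map_names(names):
    """Map each Domino name to the LDAP DN a WebSphere LDAP registry could look up."""
    return {n: notes_to_ldap_dn(n) for n in names}


if __name__ == "__main__":
    for domino, ldap in map_names(SAMPLE_NAMES).items():
        print(f"{domino!r:40} -> {ldap!r}")
```

The point of the conversion is the failure mode the documentation describes: if the receiving server cannot parse the name in the token, it silently discards the token and the user is prompted to log in again, so the format placed in the token must be one every participating server's registry can resolve.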
General issues
Related tasks
Setting up the Web SSO Configuration document for more than one Domino domain
Configuring user name mapping in the SSO LTPA token
Using Notes distinguished names in a remote LDAP directory