Lotus Domino Administrator 6.5 Help - Multi-server session-based name-and-password authentication for Web users (single sign-on)

SECURITY

Multi-server session-based name-and-password authentication for Web users (single sign-on)
Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to a Domino or WebSphere server, and then access any other Domino or WebSphere servers in the same DNS domain that are enabled for single sign-on (SSO) without having to log in again.

User Web browsers must have cookies enabled since the authentication token that is generated by the server is sent to the browser in a cookie.

You set this up by doing one of the following:

Creating a domain-wide configuration document -- the Web SSO Configuration document -- in the Domino Directory. (You can have multiple Web SSO Configuration documents in a Domino Domain or directory.)
Enabling the "Multi-server" option for session-based authentication in the Web Site or in the Server document.

You can enable single sign-on across multiple Domino domains. See the topic Setting up the Web SSO Configuration document for more than one Domino domain.

Checklist for enabling single sign-on

The SSO feature makes logging in and using multiple servers in a mixed environment easier for users. Use the following list to configure your Domino environment to ensure that your SSO configuration is successful.

General issues

URLs issued to servers configured for single sign-on must specify the full DNS server name, not the host name or IP address. For browsers to be able to send cookies to a group of servers, the DNS domain must be included in the cookie, and the DNS domain in the cookie must match the server URL. This is why cookies cannot be used across TCP/IP domains.
Clustered servers must have the full DNS server name in the host name field of the Web Site or Server document. This enables the Internet Cluster Manager (ICM) to redirect to cluster members using SSO. If the DNS server host name is not there, ICM will redirect URLs to clustered Web servers with only the TCP/IP host name, by default, and will not be able to send the cookie because the DNS domain is not included in the URL.

WebSphere issues

WebSphere and Domino should both be configured for the same LDAP directory. The authentication token used for SSO stores the full Distinguished Name of the user (DN) -- for example, cn=john smith,ou=sales, o=ibm, c=us. To set up LDAP for SSO, set up Directory Assistance in Domino and configure it to point to an LDAP server that the WebSphere server uses. Or, load LDAP on the Domino Directory and configure WebSphere to use the Domino LDAP server.
If the group of servers participating in single sign-on includes WebSphere servers that use a Domino LDAP directory, users with flat names in that directory cannot use SSO (if the participating servers are all Domino, then SSO will work with flat user names).

Setting up Domino to work with other Web servers

Glossary

Help on Help

Open Full Help Window

Glossary

Help on Help

Open Full Help Window