5.8.2: Configuring SSO for Lotus Domino

To use SSO with Domino and WebSphere Application Server, you must first configure SSO for WebSphere Application Server and then configure SSO for Domino.

Configuring SSO for Domino is accomplished by selecting a new Multi-server option in a Server document for session-based authentication, and by creating a new domainwide configuration document, called the Web SSO Configuration document, in the Domino Directory. The Web SSO Configuration document, which must be replicated to all Domino servers participating in the SSO domain, is encrypted for participating Domino servers and contains a shared secret used by Domino servers for authenticating user credentials.

To provide SSO to Domino servers, do the following:

• Create the Web SSO Configuration document.
• Configure the Server document.
• Finish the Domino configuration.
• Verify the SSO for Domino configuration.

In addition, you can optionally do the following:

• Configure additional Domino servers in the original domain.
• Configure Domino servers in different domains.

To complete this procedure, you need the following information from the configuration of SSO for WebSphere Application Server:

• The path and name of the file containing the LTPA keys created during SSO configuration for WebSphere Application Server
• The password used to protect the LTPA keys from WebSphere Application Server
• The name of the DNS domain in which WebSphere Application Server is configured

Create the Web SSO Configuration document

To create the Web SSO Configuration document, use a Lotus Notes Client R5.0.5 (or later) and follow these steps:

1. In the Domino Directory, select the Servers view.
2. Click on the Web pull-down menu item.
3. Select the Create Web SSO Configuration option to create the document.
4. On the Web SSO Configuration document, click the Keys pull-down menu.
5. Select the Import WebSphere LTPA Keys option to import the LTPA keys previously created for WebSphere Application Server and stored in a file.
6. Type the path to the file containing the keys for WebSphere Application Server and click OK.
7. Type the password that was used when generating the LTPA keys. The SSO Configuration document is automatically updated to reflect the information in the imported file.
8. Fill in the remaining fields in this document. Groups and wildcards are not allowed in the fields. The following list describes the fields and the expected values:
    o Token Expiration: The number of minutes a token can exist before expiring. A token does not expire based on inactivity; it is valid for only the number of minutes specified from the time of issue.
    o Token Domain: The DNS domain portion of your system's fully qualified Internet name. This is a required field. All servers participating in SSO must reside in the same DNS domain; this value must be the same as the Domain value specified when configuring WebSphere Application Server. Also, WebSphere Application Server treats the DNS domain as case sensitive, so ensure that the DNS domain value is specified in exactly the same way, including the same case.
    o Domino Server Names: The Domino servers that will be participating in SSO. This SSO Configuration document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in this field. These servers can be in different Domino domains; however, they must be in the same DNS domain. You must specify a fully qualified Domino server name, for example, MyDominoServer/MyOu. The Domino server name that you specify here must also match the name of the corresponding server's Connection document in your client's Domino Directory.
    o LDAP Realm: The fully qualified DNS host name of the LDAP server. This field is initialized from the information provided in the imported LTPA keys file. You need to change this value only if a port value for the LDAP server was specified for the WebSphere Application Server administrative domain. If a port was specified, a backslash character (\) must be inserted into the value before the colon character (:). For example, replace myhost.mycompany.com:389 with myhost.mycompany.com\:389.
9. Save the Web SSO Configuration document. It now appears in the Web Configurations view.
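The field rules from step 8 (exact, case-sensitive Token Domain match, one DNS domain for every participating server, no wildcards, the escaped LDAP Realm port) are easy to get subtly wrong by hand. The following pre-flight check is an added example, not code from the IBM documentation; the host and server names are constructed, and the "Name/OU" shape test for a fully qualified Domino name is an assumption taken from the page's example.

```python
# Added example (not from the IBM documentation): pre-flight checks for the
# Web SSO Configuration field values described above. Host and server names
# are constructed; the "Name/OU" shape check follows the page's example only.
from typing import List, Optional


def ldap_realm_value(host: str, port: Optional[int] = None) -> str:
    """LDAP Realm field value: when a port was given for the WebSphere
    administrative domain, a backslash must precede the colon."""
    return host if port is None else f"{host}\\:{port}"


def dns_domain_of(fqdn: str) -> str:
    """DNS domain portion of a fully qualified host name (drops the host label)."""
    return fqdn.split(".", 1)[1] if "." in fqdn else ""


def check_token_domain(websphere_domain: str, token_domain: str,
                       participating_hosts: List[str]) -> List[str]:
    """Return problems with the Token Domain value; an empty list means consistent.
    WebSphere compares the DNS domain case-sensitively, so a value that differs
    only in case is reported separately because it is the hardest to spot by eye."""
    problems = []
    if token_domain != websphere_domain:
        if token_domain.lower() == websphere_domain.lower():
            problems.append(f"Token Domain {token_domain!r} differs from the WebSphere "
                            f"domain {websphere_domain!r} only in case")
        else:
            problems.append(f"Token Domain {token_domain!r} does not match the "
                            f"WebSphere domain {websphere_domain!r}")
    # Every participating server must sit in that one DNS domain (leading dot tolerated).
    wanted = token_domain.lstrip(".").lower()
    for host in participating_hosts:
        if dns_domain_of(host).lower() != wanted:
            problems.append(f"{host} is not in DNS domain {token_domain}")
    return problems


def check_domino_server_names(names: List[str]) -> List[str]:
    """Reject wildcards (not allowed in the field) and names that are not fully
    qualified; assumption: fully qualified means the Name/OU form of the page's example."""
    problems = []
    for name in names:
        if "*" in name:
            problems.append(f"{name}: wildcards are not allowed")
        elif "/" not in name:
            problems.append(f"{name}: not a fully qualified Domino server name")
    return problems
```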

If you are configuring multiple Domino servers for SSO, refer to Configuring additional Domino servers.

Configure the Server document

To update the Server document for SSO, follow these steps:

1. In the Domino Directory, select the Servers view.
2. Edit the Server document.
3. Select the Ports --> Internet Ports --> Web tab.
4. Click the Enable Name & Password Authentication for the HTTP Port box to enable basic authentication for Web users.
5. Select Internet Protocols --> Domino Web Engine.
6. Select Multi-server in the Session Authentication field to enable SSO for Domino.
7. Save the Server document.

If you are configuring multiple Domino servers for SSO, refer to Configuring additional Domino servers.

Finish the Domino configuration

Before continuing, finish configuring the Domino server for use by Web users. The remaining configuration steps are not specific to SSO and are not covered here in detail. Refer to the Domino 5 Administration Help for information on the following:

• Configuring access to an LDAP directory when the Domino Directory is not being used
• Authorizing Web users to Domino resources

Verify the SSO for Domino configuration

To verify the SSO configuration for Domino, ensure that the Domino server is configured correctly and that Web users are authorized to access Domino resources by performing the following steps:

• To verify that the Domino server is configured correctly, stop and restart the Domino HTTP Web server. If SSO is configured correctly, the following message appears on the Domino server console: HTTP: Successfully loaded Web SSO Configuration.
If a Domino server enabled for SSO cannot find a Web SSO Configuration document or is not included in the Domino Server Names field and therefore cannot decrypt the document, the following message appears on your server's console: HTTP: Error Loading Web SSO configuration. Reverting to single-server session authentication.
• To verify that users are authorized, attempt to access a Domino resource, such as a Domino Directory, first as a user defined in the Domino Directory itself, for local authorization, and then as a user defined in the LDAP directory service, for authorization of WebSphere Application Server users.
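With several Domino servers, the console check above has to be repeated per server, and a server that silently reverted to single-server session authentication is the one to find. The following classifier is an added example, not code from the IBM documentation: it keys on the two console messages the page describes; the console lines, the timestamp prefix format and the per-server dictionary layout are constructed assumptions.

```python
# Added example (not from the IBM documentation): classify the Domino console
# output of each restarted HTTP task by the two messages the verification step
# describes. The console lines below are constructed; the timestamp prefix and
# the per-server dictionary layout are assumptions.
import re
from typing import Dict, List

SSO_LOADED = "HTTP: Successfully loaded Web SSO Configuration"
SSO_REVERTED = ("HTTP: Error Loading Web SSO configuration. "
                "Reverting to single-server session authentication.")
# Assumed console line format: "MM/DD/YYYY HH:MM:SS AM  message"
PREFIX = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} (?:AM|PM)\s+")


def sso_status(console_lines: List[str]) -> str:
    """Return "multi-server" if the Web SSO Configuration document loaded,
    "single-server" if Domino reverted, or "unknown" if neither message was seen
    (HTTP task not restarted, or the output was truncated). The last matching
    message wins, so a restart after a fix overrides an earlier error."""
    status = "unknown"
    for line in console_lines:
        message = PREFIX.sub("", line).strip()
        if message == SSO_LOADED:
            status = "multi-server"
        elif message == SSO_REVERTED:
            status = "single-server"
    return status


def servers_not_in_sso(consoles: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each server whose status is not multi-server to its status, so the
    administrator knows which servers still need the document replicated or
    their name added to the Domino Server Names field."""
    result = {}
    for name, lines in consoles.items():
        status = sso_status(lines)
        if status != "multi-server":
            result[name] = status
    return result


# Constructed sample output from three servers after restarting the HTTP task.
SAMPLE_CONSOLES = {
    "notes1/MyOu": ["03/01/2002 09:15:02 AM  HTTP Web Server started",
                    "03/01/2002 09:15:03 AM  HTTP: Successfully loaded Web SSO Configuration"],
    "notes2/MyOu": ["03/01/2002 09:16:10 AM  HTTP: Error Loading Web SSO configuration. "
                    "Reverting to single-server session authentication."],
    "notes3/MyOu": ["03/01/2002 09:17:00 AM  HTTP Web Server started"],
}
```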

Configure additional Domino servers in a single domain

If you are using SSO with multiple Domino servers, perform the
following steps for each additional server:

1. Replicate the initial Web SSO Configuration document to each additional Domino server.
2. Update the Server document for each additional Domino server.
3. Restart each of the Domino HTTP web servers.

Configure Domino servers in multiple Domino domains

If you are using SSO with Domino servers in multiple Domino domains, you must also set up cross-domain authentication among the Domino servers. For example, assume there are Domino servers in two Domino domains, X and Y. Use the following procedure to enable the Domino servers to perform SSO between the domains:

1. A Domino administrator must copy the Web SSO Configuration document from the Domino Directory for Domain X and paste it into the Domino Directory for Domain Y. The Domino administrator needs rights to decrypt the Web SSO Configuration document in Domain X and to create documents in the Domino Directory for Domain Y.
2. Ensure that your Lotus Notes client's location home server is set to a Domino server in Domain Y.
3. Edit the Web SSO Configuration document for Domain Y.
4. In the Participating Domino Servers field, include only the Domino servers with Server documents in Domain Y that will participate in SSO.
5. Save the Web SSO Configuration document. It is now encrypted for the participating Domino servers in Domain Y, so these servers now have the same key information as the Domino servers in Domain X. This shared information allows Domino servers in Domain Y to perform SSO with Domino servers in Domain X.