Subject: Configuring SSO for Lotus Domino (repost)

Posted by: sixfingers    Posted: Thu Aug 22 12:04:48 CST 2002
Quite a few people on the forum have been asking how to configure Single Sign On when integrating Domino with WebSphere, so I am reposting an article here for reference:
To use SSO with Domino and WebSphere Application Server, you must first configure SSO for WebSphere Application Server and then configure SSO for Domino.

Configuring SSO for Domino is accomplished by selecting a new Multi-server option in a Server document for session-based authentication, and by creating a new domainwide configuration document, called the Web SSO Configuration document, in the Domino Directory. The Web SSO Configuration document, which must be replicated to all Domino servers participating in the SSO domain, is encrypted for participating Domino servers and contains a shared secret used by Domino servers for authenticating user credentials.

To provide SSO to Domino servers, do the following:

1.Create the Web SSO Configuration document.
2.Configure the Server document.
3.Finish the Domino configuration.
4.Verify the SSO for Domino configuration.

In addition, you can optionally do the following:
1.Configure additional Domino servers in the original domain.
2.Configure Domino servers in different domains.

To complete this procedure, you need the following information from the configuration of SSO for WebSphere Application Server:

1.The path and name of the file containing the LTPA keys created during SSO configuration for WebSphere Application Server
2.The password used to protect the LTPA keys from WebSphere Application Server
3.The name of DNS domain in which WebSphere Application Server is configured

Create the Web SSO Configuration document
To create the Web SSO Configuration document, use a Lotus Notes Client R5.0.5 (or later) and follow these steps:

1.In the Domino Directory, select the Servers view.
2.Click on the Web pull-down menu item.
3.Select the Create Web SSO Configuration option to create the document.
4.On the Web SSO Configuration document, click the Keys pull-down menu.
5.Select the Import WebSphere LTPA Keys option to import the LTPA keys previously created for WebSphere Application Server and stored in a file.
6.Type the path to the file containing the keys for WebSphere Application Server and click OK.
7.Type the password that was used when generating the LTPA keys. The Web SSO Configuration document is automatically updated to reflect the information in the imported file.
8.Fill in remaining fields in this document. Groups and wildcards are not allowed in the fields. The following list describes the fields and the expected values:
Token Expiration: The number of minutes a token can exist before expiring.
  A token does not expire based on inactivity; it is valid for only the number of minutes specified from the time of issue.
Token Domain: The DNS domain portion of your system's fully qualified Internet name. This is a required field.
  All servers participating in SSO must reside in the same DNS domain; this value must be the same as the Domain value specified when configuring WebSphere Application Server. Also, WebSphere Application Server treats the DNS domain as case sensitive, so ensure that the DNS domain value is specified in exactly the same way, including the same case.
Domino Server Names: The Domino servers that will be participating in SSO. This SSO Configuration document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in this field. These servers can be in different Domino domains; however they must be in the same DNS domain.
  You must specify a fully qualified Domino server name, for example, MyDominoServer/MyOu. The Domino server name that you specify here must also match the name of the corresponding server's Connection document in your client's Domino Directory.
LDAP Realm: The fully qualified DNS host name of the LDAP server.
  This field is initialized from the information provided in the imported LTPA keys file. You need to change this value only if a port value for the LDAP server was specified for the WebSphere Application Server administrative domain. If a port was specified, a backslash character (\) must be inserted into the value before the colon character (:). For example, a value that ends in :389 must be written so that it ends in \:389.
9.Save the Web SSO Configuration document. It now appears in the Web Configurations view.

If you are configuring multiple Domino servers for SSO, refer to Configuring additional Domino servers.

Configure the Server document
To update the Server document for SSO, follow these steps:

1.In the Domino Directory, select the Servers view.
2.Edit the Server document.
3.Select the Ports --> Internet Ports --> Web tab.
4.Click the Enable Name & Password Authentication for the HTTP Port box to enable basic authentication for Web users.
5.Select Internet Protocols --> Domino Web Engine.
6.Select Multi-server in the Session Authentication field to enable SSO for Domino.
7.Save the Server document.

If you are configuring multiple Domino servers for SSO, refer to Configuring additional Domino servers.

Finish the Domino configuration
Before continuing, finish configuring the Domino server for use by Web users. The remaining configuration steps are not specific to SSO and are not covered here in detail. Refer to the Domino 5 Administration Help for information on the following:

1.Configuring access to an LDAP directory when the Domino Directory is not being used
2.Authorizing Web users to Domino resources

Verify the SSO for Domino configuration
To verify the SSO configuration for Domino, ensure that the Domino server is configured correctly and that Web users are authorized to access Domino resources by performing the following steps:

1.To verify that the Domino server is configured correctly, stop and restart the Domino HTTP Web server. If SSO is configured correctly, the following message appears on the Domino server console: HTTP: Successfully loaded Web SSO Configuration.
  If a Domino server enabled for SSO cannot find a Web SSO Configuration document, or is not included in the Domino Server Names field and therefore cannot decrypt the document, the following message appears on your server's console: HTTP: Error Loading Web SSO configuration. Reverting to single-server session authentication.
2.To verify that users are authorized, attempt to access a Domino resource, such as the Domino Directory, first as a user defined in the Domino Directory itself, for local authorization, and then as a user defined in the LDAP directory service, for authorization of WebSphere Application Server users.
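The following Python script is an added example; it is not part of the reposted article and not code shipped with Domino or WebSphere. It turns three of the checks above into something you can run: it scans Domino console output for the two messages quoted in step 1, escapes an LDAP Realm value the way the LDAP Realm field note requires, and checks that the LtpaToken cookie returned by a Domino login carries a Domain attribute equal, case-sensitively, to the Token Domain you configured (the article notes WebSphere treats the DNS domain as case-sensitive). The login action /names.nsf?Login, the form field names Username and Password, whether the cookie's Domain carries a leading dot, the sample console lines and the sample Set-Cookie headers are all assumptions or constructed data; adapt them to your environment.

```python
"""Checks for a Domino <-> WebSphere LTPA SSO setup (added example; assumptions marked)."""
import http.client
import urllib.parse

# Console messages quoted in the article.
SUCCESS_MSG = "HTTP: Successfully loaded Web SSO Configuration"
ERROR_MSG = "HTTP: Error Loading Web SSO configuration"

# Constructed sample console output (not captured from a real server).
SAMPLE_CONSOLE = [
    "08/22/2002 12:04:48 PM  HTTP Web Server started",
    "08/22/2002 12:04:49 PM  HTTP: Error Loading Web SSO configuration. "
    "Reverting to single-server session authentication.",
    "08/22/2002 12:10:02 PM  HTTP Web Server restarting",
    "08/22/2002 12:10:03 PM  HTTP: Successfully loaded Web SSO Configuration",
]

# Constructed sample Set-Cookie headers (token value is a placeholder, not a real LTPA token).
SAMPLE_SET_COOKIE = [
    "DomAuthSessId=0123456789ABCDEF; path=/",
    "LtpaToken=AAECAwQFBgcICQ==; Domain=.example.com; Path=/",
]


def check_console_log(lines):
    """Classify the most recent SSO status message seen after an HTTP restart.

    Returns "ok", "reverted" (the server fell back to single-server session
    authentication, e.g. because it cannot decrypt the Web SSO Configuration
    document) or "unknown" when neither message is present.
    """
    status = "unknown"
    for line in lines:
        if SUCCESS_MSG in line:
            status = "ok"
        elif ERROR_MSG in line:
            status = "reverted"
    return status


def escape_ldap_realm(realm):
    """Escape the port separator in an LDAP Realm value: host:389 -> host\\:389.

    Values without a port, or already escaped, are returned unchanged.
    """
    if ":" not in realm or "\\:" in realm:
        return realm
    return realm.replace(":", "\\:", 1)


def parse_ltpa_cookie(set_cookie_headers):
    """Return {"value", "domain", "path"} for the LtpaToken cookie, or None.

    Minimal Set-Cookie parser: first pair is name=value, remaining pairs are
    attributes. Attribute names are matched case-insensitively; attribute
    values keep their case so the domain check below can be exact.
    """
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        if name != "LtpaToken":
            continue
        attrs = {"value": value, "domain": None, "path": None}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            if key.lower() in ("domain", "path"):
                attrs[key.lower()] = val
        return attrs
    return None


def token_domain_matches(cookie, expected_domain):
    """True only if the cookie Domain equals the configured Token Domain exactly (case-sensitive)."""
    return cookie is not None and cookie["domain"] == expected_domain


def fetch_login_cookies(domino_url, username, password):
    """POST the Domino session-login form and return the raw Set-Cookie headers.

    Assumptions (not from the article): login action is /names.nsf?Login with
    form fields Username and Password. Redirects are not followed so the
    Set-Cookie headers on the login response itself are visible.
    """
    u = urllib.parse.urlsplit(domino_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc)
    body = urllib.parse.urlencode({"Username": username, "Password": password})
    conn.request("POST", "/names.nsf?Login", body,
                 {"Content-Type": "application/x-www-form-urlencoded"})
    return conn.getresponse().headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    import sys
    # Usage: python ltpa_check.py https://domino.example.com user password .example.com
    if len(sys.argv) >= 5:
        url, user, pw, expected = sys.argv[1:5]
        cookie = parse_ltpa_cookie(fetch_login_cookies(url, user, pw))
    else:  # offline run against the constructed samples
        cookie, expected = parse_ltpa_cookie(SAMPLE_SET_COOKIE), ".example.com"
    print("LtpaToken present:", cookie is not None)
    print("Token Domain matches:", token_domain_matches(cookie, expected))
    print("Console status (sample):", check_console_log(SAMPLE_CONSOLE))
```

Run it with no arguments to exercise the constructed samples, or pass the Domino URL, a test user, its password and the Token Domain exactly as entered in the Web SSO Configuration document. A present LtpaToken with a non-matching Domain is the symptom of the case or spelling mismatch the Token Domain note warns about; a "reverted" console status means the server is not a valid recipient of the encrypted document.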

Configure additional Domino servers in a single domain
If you are using SSO with multiple Domino servers, perform the following steps for each additional server:

1.Replicate the initial Web SSO Configuration document to each additional Domino server.
2.Update the Server document for each additional Domino server.
3.Restart each of the Domino HTTP web servers.

Configure Domino servers in multiple Domino domains
If you are using SSO with Domino servers in multiple Domino domains, you must also set up cross-domain authentication among the Domino servers. For example, assume there are Domino servers in two Domino domains, X and Y. Use the following procedure to enable the Domino servers to perform SSO between the domains:

1. A Domino administrator must copy the Web SSO Configuration document from the Domino Directory for Domain X and paste it into the Domino Directory for Domain Y. The Domino administrator needs rights to decrypt the Web SSO Configuration document in Domain X and to create documents in the Domino Directory for Domain Y.
2. Ensure that your Lotus Notes client's location home server is set to a Domino server in Domain Y.
3. Edit the Web SSO Configuration document for Domain Y.
4. In the Participating Domino Servers field, include only the Domino servers with Server documents in Domain Y that will participate in SSO.
5. Save the Web SSO Configuration document. It is now encrypted for the participating Domino servers in Domain Y, so these servers have the same key information as the Domino servers in Domain X. This shared information allows Domino servers in Domain Y to perform SSO with Domino servers in Domain X.


Copyright Java开发 ([email protected])