WebSphere Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux,Windows

Configuring single sign-on between WebSphere Portal Express and Lotus Domino

You configure the single sign-on (SSO) feature between the IBM® WebSphere® Portal Express server and the IBM Lotus® Domino® servers so that authentication works the same way for all Domino and Extended Products Portlets. A user can log into WebSphere Portal Express and then access portlets that contain information from a Lotus Domino application or service without having to enter additional credentials for authentication.

Wait! The Domino-WebSphere Portal Express Integration Wizard can do several parts of this task for you. The exceptions are creating a custom login form for Lotus QuickPlace, increasing SSO security by preventing anonymous access, and the three testing and checking procedures (do these manually after running the wizard). Also, reconciling SSO across Lotus Domino and another LDAP directory, and enabling a third-party authentication server are not procedures compatible with the wizard, which integrates only a Lotus Domino LDAP directory.

Understanding Single Sign-On

The following set of tasks for configuring SSO assumes that no Web SSO configuration document exists in Lotus Domino. Before you begin the SSO tasks, to see whether a document exists and whether it contains the required WebSphere LTPA key file, perform the following steps:

  1. In the Lotus Notes client, open the NAMES.NSF file on the Domino server you want to include in single sign-on (for example, a Domino messaging/application server, or a Domino server running Lotus QuickPlace or Lotus Sametime).
  2. Click Configuration > Web > Web Configurations to open the Web Configurations view. If you see a -Web SSO Configurations- triangle with a Web SSO Configuration for LTPA document, the Web SSO configuration document already exists.
  3. If the document exists and already contains the WebSphere LTPA key, perform the following steps:
    1. Open the document on the server where it was created, and add the name of the Lotus Domino server you want to include in single sign-on to the Domino Server Names field in the document.
    2. Replicate the change to any other Lotus Domino servers in your site by typing the following command on the Lotus Domino server console on the source server (server where you added the new server's name): 
      rep server_name/org_name names.nsf
    3. For the change to take effect, restart the Lotus Domino server where you typed the command.
    4. Instead of performing the sequence of single sign-on configuration tasks in the section below, proceed to Testing single sign-on.
  4. If the Web SSO configuration document does not exist, contains a different key (for example, a key created during the installation of Lotus Sametime), or if you are unsure if it is the same key exported from your WebSphere Portal Express server, perform the following steps to delete the unwanted key:
    1. Locate the document that contains the key.
    2. Set Session authentication to disabled for each participating server listed in the document.
    3. Delete the document that contains the key, or back it up under a name other than "LtpaToken."
    4. Replicate this change around to all other Lotus Domino server(s) in your site as above.
    5. Re-acquire the key by performing all the following tasks listed for configuring single sign-on.

The following tasks configure single sign-on (SSO) between WebSphere Portal Express and Lotus Domino.

To include a Lotus Domino server running Lotus QuickPlace or Lotus Sametime in single sign-on, perform all tasks. To include a Lotus Domino messaging/application server, perform all tasks except the support for Inline QuickPlace.

If the WebSphere Portal Express server is using an LDAP directory other than Lotus Domino, but the Collaborative Services are using a Lotus Domino LDAP, perform the last task.

Checklist of tasks
  1. Retrieving the WebSphere LTPA key
    You retrieve the WebSphere LTPA key from the IBM WebSphere Portal Express server so that you can use the key on the IBM Lotus Domino server that runs the Domino Extended Product for which you are configuring single sign-on (for example, IBM Lotus QuickPlace® or IBM Lotus Sametime, or Lotus Domino on a messaging/application server).
  2. Importing the WebSphere LTPA key into Lotus Domino
    You create a Web SSO configuration document on the IBM Lotus Domino server that runs the Domino and Extended Product or application (for example, a Lotus Domino back-end messaging server or an IBM Lotus Sametime or IBM Lotus QuickPlace server). Then you import the WebSphere LTPA key retrieved from the IBM WebSphere Portal Express server into the document, so that the same token can be used for single sign-on on both servers.
  3. Enabling multi-server SSO authentication
    When you enable multi-server SSO authentication between the IBM Lotus Domino and IBM WebSphere Portal Express servers, Lotus Domino can authenticate users in the Web browser by examining LTPA tokens.
  4. Providing a custom login form for Lotus QuickPlace
    Create the Domino Web Services configuration database (domcfg.nsf), a database that functions as a container for custom HTML pages. You then use the database to provide a custom form (QuickPlaceLoginForm) displayed during the process of authenticating portal users with a name and password.
  5. Increasing SSO security by preventing anonymous access to HTML files
    You can modify the NOTES.INI file to prevent anonymous access to files in the HTML directory. The NoWebFileSystemACLs parameter, when set equal to 1 in the NOTES.INI file, prevents anonymous access to files served up in the HTML directory on the IBM Lotus Domino server, increasing security and reliance on the single sign-on method of authentication .
  6. Testing single sign-on for Lotus Domino, Lotus QuickPlace, or Lotus Sametime
    Use your Web browser to go to a Web page where you can test the operation of single sign-on between the portal server and the IBM Lotus Domino, IBM Lotus QuickPlace, or IBM Lotus Sametime server.
  7. Checking the page source for awareness configuration
    In a browser, determine whether awareness provided by the Lotus Sametime server and the STLinks applet is properly configured by examining the page source.
  8. Reconciling single sign-on across Lotus Domino and another LDAP directory
    When the portal authenticates against a non-Lotus Domino LDAP user directory such as IBM Tivoli® Directory Server, and Lotus Collaborative Services authenticates against a Lotus Domino LDAP directory, administrators must perform tasks to synchronize names across the directories to support single sign-on.
  9. Enabling a third-party authentication server to work with the Lotus Notes View portlet
    If IBM Lotus Domino is your back-end system and your WebSphere Portal Express installation is configured for Single Sign-on through a third-party authentication system, messaging portlets such as Lotus Notes View require parameters to manage custom authentication with the Lotus Domino server.
Parent topic: Integrating Lotus Domino and the Extended Products and Portlets into WebSphere Portal Express
Previous topic: Integrating the Lotus Sametime server and portlets
Related concepts
Domino-WebSphere Portal Express Integration wizard overview
Related reference
Troubleshooting Lotus Domino and the Extended Products
Library | Support | Terms of use |

Last updated: Wednesday, February 20, 2008 10:51am EST

Copyright IBM Corporation 2000, 2008. All Rights Reserved.
This information center is powered by Eclipse technology. (http://www.eclipse.org)