Setting up the Web SSO Configuration document for more than one Domino® domain

You can enable servers in your current Domino® domain for single sign-on (SSO) with servers in another Domino® domain by setting up both domains to use the same key information.

Before you begin

The following conditions must be met:

  • You must be a registered Notes® user and your server must be a registered server. This gives you and the server the access rights needed to decrypt the Web SSO Configuration document in your current domain, and to create documents in the Domino® Directory for the new domain. It may be necessary to have administrative IDs cross-certified for operating in the two domains.
  • The server document and the administrator's person document must exist in the domain for which you will be creating the Web SSO Configuration, as the public keys that are used for encryption are stored in each registered person and server document.
  • Participating SSO servers must still reside in the same DNS domain -- for example, renovations.com.

Procedure

  1. Copy the Web SSO Configuration document from the Domino® Directory in which it was created, and paste it into the Domino® Directory in the new domain.
  2. Open the Web SSO Configuration document for the new domain and edit the Participating Domino Servers field to include only those servers with server documents in the new domain that will be enabled for single sign-on.
  3. The client must be able to find server documents for the participating single sign-on servers. Make sure that the home server specified in your client's location document is pointing to a server in the same domain as those servers participating in single sign-on, so that lookups will be able to find the public keys of the servers. If the home server cannot find participating servers, then the SSO document cannot be encrypted and SSO will fail.
  4. Save the document. It is encrypted for the participating servers in the new domain, and should enable those servers in the new domain to participate in single sign-on with servers in the current domain.
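The conditions behind steps 2 and 3 (every participating server needs a Server document in the new domain, and all participating servers must share one DNS domain) can be checked before the document is saved. The following pre-flight check is an added example, not part of the Domino documentation and not a Domino API: the server documents and the participating-server list are constructed in-memory stand-ins for what an administrator would read from the two Domino Directories.

```python
"""Pre-flight check for the Participating Domino Servers field.

Added example, not Domino code: the server-document map and server
names below are constructed, hypothetical stand-ins."""
from typing import Dict, List


def dns_domain(fqdn: str) -> str:
    """DNS domain of a host name: 'web1.renovations.com' -> 'renovations.com'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[1:]) if len(parts) > 1 else ""


def check_participating_servers(participating: List[str],
                                new_domain_server_docs: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the field is consistent.

    participating: Domino server names to list in the copied Web SSO
      Configuration document (e.g. 'CN=Web1/O=Renovations').
    new_domain_server_docs: server name -> fully qualified host name, one
      entry per Server document present in the new domain's Domino Directory.
    Checks: each server has a Server document in the new domain (otherwise
    the document cannot be encrypted for it), and all participating servers
    reside in the same DNS domain, as the documentation requires.
    """
    problems = []
    for name in participating:
        if name not in new_domain_server_docs:
            problems.append(f"no Server document for {name} in the new domain")
    hosts = {new_domain_server_docs[n] for n in participating if n in new_domain_server_docs}
    domains = {dns_domain(h) for h in hosts}
    if len(domains) > 1:
        problems.append("participating servers span DNS domains: " + ", ".join(sorted(domains)))
    return problems


# Constructed sample Server documents (hypothetical names, not from the page).
SERVER_DOCS = {
    "CN=Web1/O=Renovations": "web1.renovations.com",
    "CN=Web2/O=Renovations": "web2.renovations.com",
    "CN=Mail1/O=Renovations": "mail1.renovations.com",
}

if __name__ == "__main__":
    for issue in check_participating_servers(["CN=Web1/O=Renovations", "CN=Web2/O=Renovations"], SERVER_DOCS):
        print(issue)
```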