Configuring user name mapping in the SSO LTPA token

The LTPA token that is created to authenticate users for single sign-on includes the name of the user who has been authenticated. When HCL Domino® creates an LTPA token, it places the Domino distinguished name in the token by default. If a IBM® WebSphere® Application Server server obtains the token from a user trying to access the server, the Websphere server must be able to recognize this name format. If it does not, the token is ignored, single sign-on fails, and the user is prompted to log in again.

About this task

This situation typically occurs in end-user configurations in which there are multiple directories used by various servers participating in SSO, and consequently a user may have multiple identities. For example, a user may be known in a Websphere LDAP directory as uid=jdoe,cn=sales,dc=renovations, dc=com, but in a Domino directory the same user is John P Doe/Sales/Renovations. If Websphere receives an LTPA token containing a user name like John P Doe/Sales/Renovations, it attempts to find this user in the Websphere directory and when it can't, rejects the token.

Domino administrators can now map the user name that appears in a Domino-created LTPA token to the name expected by WebSphere, to ensure that the name is recognized in a mixed Domino and Websphere environment where Domino and WebSphere do not share the same directory.

Note: In a mixed-release Domino environment, user name mapping in the LTPA token works only if the token is generated by a Domino 7.0 or later server. If the user name value that is used in the LTPA token is also added as a secondary value in the fullname field of the Person record in pre-Domino 7.0 servers (for the purposes of aliasing, for example), users will also be able to access databases on Domino 6.02 and higher servers, as well as Websphere servers.

How you specify the user name to be used in the LTPA token depends on the directory configuration used in your single sign-on environment:

  • If HCL Notes® user information is contained only in a Domino Directory, you specify the user name mapping in the Person document.
  • If Notes user information is contained in a corporate LDAP directory, you configure the user name mapping in Directory Assistance.
  • If the organization uses both Domino and LDAP directories, you configure both the Domino person record and the Directory Assistance SSO information.

As LDAP directory fields and Domino directory fields generally do not have a one-to-one correspondence, the use of Directory Assistance documents for name mapping allows LDAP administrators to specify which LDAP field should be used as the equivalent of the LTPA User Name field.

Note: Any name mapping configuration in Directory Assistance documents will be ignored if the mapping feature is not enabled in the SSO configuration document.

To configure user name mapping in a Domino Directory environment

About this task

In this environment, there are Domino SSO users who have Person records in the Domino directory.

Procedure

  1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the Map names in LTPA token option.
  2. In the user Person document, click Administration. Under Client Information, enter the user name DN that is expected by WebSphere in the LTPA user name field.

    The value entered in this field must be unique. That is, the value should not match more than one person in the organization. Typically, this will be the user's LDAP distinguished name (DN). Be sure to separate the name components with forward slashes (/). For example, if the LDAP DN is

    uid=jdoe,cn=sales,dc=renovations, dc=com 

    enter the value as follows:

    uid=jdoe/cn=sales/dc=renovations/dc=com

Results

Although the name is entered into the LTPA user name field in Domino format, Domino transforms the configured LTPA user name into the appropriate LDAP format expected by Websphere before placing it into the Domino-created LTPA token.

To configure user name mapping in a corporate LDAP directory environment (a mixed Domino and LDAP directory environment)

About this task

In this environment, some or all Domino users do not have Person records in the Domino directory. Instead, these Domino users have records in an external LDAP directory that is accessible to Domino through Directory Assistance.

Procedure

  1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the Map names in LTPA token option.
  2. Open the Directory Assistance document for the LDAP Directory. In the SSO Configuration section, enter an LDAP attribute that should be used as the name in an SSO token created for this user. This attribute will be used in the LTPA token when the LTPA_UserNm field is requested. It is important to ensure that the selected field contains the user name that WebSphere expects. Options for this field include:
    • Any appropriate LDAP attribute, as long as it uniquely identifies the user.
    • A value of $DN to use the LDAP distinguished name. This is the most commonplace configuration, indicating that the user's LDAP DN is the name expected by WebSphere, rather than a name in some arbitrary LDAP field.
    • Leaving it blank to default to the Domino distinguished name, if known. Otherwise, the default will be the LDAP distinguished name.

Results

If Directory Assistance is configured such that a search on a particular user finds a match in both the Domino Directory and in an LDAP directory, Domino requires consistency between a Domino Person record and an LDAP record. Domino takes extra steps to determine that there are matching values for the Internet email address located in both directories. To accomplish this, DA searches for the user's LDAP mail attribute. This value must match the information found in the Domino Person record field internetaddress.

Table 1. Values that must match for SSO to succeed
Attribute in LDAP Directory Attribute in Domino Directory

mail: Jbond@secret.spies.com

internetaddress: Jbond@secret.spies.com

Keep in mind these additional considerations when setting up name mapping:

  • To support aliasing, in the Person document, add the LDAP name to both the LTPA_UserNm field and as a secondary value in the User Name (for example, document property Fullname) field.
  • An HCL Sametime® server does not support Internet Sites configurations.
  • Name mapping in the LTPA token is not supported when user information is stored in condensed directory catalogs.