Configuring user name mapping in a Windows single sign-on for Web clients environment

Web users that participate in Windows single sign-on for Web clients have accounts in Active Directory. They usually have Person documents in the Domino® Directory too. You configure user name mapping to enable an IBM® Domino® server to reconcile the user names found in both directories.

User name mapping achieves three goals. First, when a Domino® server finds both a user's LDAP distinguished name in Active Directory and the user's IBM® Notes® distinguished name (DN) in the Domino® Directory, name mapping lets the server verify that the two names belong to the same user. To link the two names, the server checks that the value of the user's mail attribute in the Active Directory user account matches the value of the Internet Address field in the Person document.

Second, name mapping may be needed to determine a user's Notes® distinguished name. In an SSO environment in which some servers do not use the Domino® Directory but use Active Directory exclusively, a user's LTPA token contains the user's Active Directory distinguished name. For example, an IBM® WebSphere® Application Server or IBM® Lotus® Quickr® server might be configured to use Active Directory as its user repository. In this environment, LTPA tokens typically contain the Active Directory distinguished names of Web users. Because ACLs on Domino® databases usually refer to the Notes® distinguished names of Web users, you must map the Active Directory distinguished names in the LTPA tokens to the Notes® distinguished names so that a Domino® server can determine Web user access to its databases. This step is not necessary if LTPA tokens have been configured to contain users' Notes® distinguished names, which is the default when Domino® SSO keys are used rather than SSO keys imported from WebSphere®.
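
The two mapping rules above (link an Active Directory account to a Person document by mail attribute equals Internet Address, then translate the Active Directory DN carried in an LTPA token into the Notes® DN that database ACLs use) are modelled below in an added example that is not part of this documentation or of Domino® itself. The directory entries, ACL and the case-insensitive address comparison are assumptions made for illustration; the model refuses to map an address that matches zero or several Person documents, so an ambiguous Internet Address never grants one user another user's access.

```python
# Constructed sample Active Directory accounts (DN plus mail attribute); not real users.
AD_USERS = [
    {"dn": "CN=Alice Example,OU=Users,DC=example,DC=com", "mail": "Alice@example.com"},
    {"dn": "CN=Bob Example,OU=Users,DC=example,DC=com", "mail": "bob@example.com"},
    {"dn": "CN=Carol Example,OU=Users,DC=example,DC=com", "mail": "carol@example.com"},
]

# Constructed Person documents: Notes DN plus the Internet Address field.
# Bob's address appears twice on purpose to exercise the ambiguity check.
PERSON_DOCS = [
    {"notes_dn": "CN=Alice Example/O=Example", "internet_address": "alice@example.com"},
    {"notes_dn": "CN=Bob Example/O=Example", "internet_address": "bob@example.com"},
    {"notes_dn": "CN=Bob Example/OU=Sales/O=Example", "internet_address": "bob@example.com"},
]


def build_name_map(ad_users, person_docs):
    """Map each AD DN to exactly one Notes DN by matching mail == Internet Address.
    Assumption: addresses are compared case-insensitively after trimming whitespace.
    An AD account whose address matches no Person document, or more than one,
    gets no mapping rather than a guess."""
    by_address = {}
    for doc in person_docs:
        key = doc["internet_address"].strip().lower()
        by_address.setdefault(key, []).append(doc["notes_dn"])
    mapping = {}
    for user in ad_users:
        candidates = by_address.get(user["mail"].strip().lower(), [])
        if len(candidates) == 1:
            mapping[user["dn"]] = candidates[0]
    return mapping


def resolve_token_name(token_dn, name_map):
    """Translate the AD DN found in an LTPA token into the Notes DN used in ACLs.
    Returns None when no unique mapping exists."""
    return name_map.get(token_dn)


def acl_access(token_dn, name_map, acl):
    """Look up the ACL by Notes DN; an unmapped token name falls back to -Default-."""
    notes_dn = resolve_token_name(token_dn, name_map)
    if notes_dn is None:
        return acl.get("-Default-", "No Access")
    return acl.get(notes_dn, acl.get("-Default-", "No Access"))
```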

Finally, user name mapping specifies which directory to use to verify user passwords when Windows single sign-on is not available and Web users must initially log on when connecting to a server in the SSO domain. Windows single sign-on is not available to:

  • Web clients that connect over the Internet
  • Web clients that connect over the intranet but are not set up for Windows single sign-on
  • Web clients that connect over the intranet and are set up to use Windows single sign-on but are not logged on to the Active Directory domain
  • Web clients that run on the Domino® Web server computer

Ways to configure name mapping

How you configure user name mapping depends on whether you manage users primarily through Active Directory or the Domino® Directory. You should consider which directory is easier for you to modify and maintain. You can also minimize directory modifications if you use a separate IBM® authentication application to authenticate Internet users.