Altering the Domino Web SSO configuration following the Sametime server installation

The IBM® Sametime® installation automatically enables and configures the Domino® SSO feature on the Domino server. In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Sametime server installation.

This topic discusses the following issues pertaining to the Sametime installation and the Domino SSO feature:

  • SSO configurations performed by the Sametime installation - This section explains how the Sametime installation configures the Domino Web SSO feature. You can use this information to determine if it is necessary to alter the default SSO configuration following a Sametime server installation.
  • Altering the SSO configuration - This section explains the most common reasons for altering the SSO configuration following the Sametime server installation. In multiple Sametime server environments, it is frequently necessary to add the Domino server names of Sametime servers to the Domino Web SSO Configuration document.
  • Viewing and editing the Domino Web SSO configuration document - This section explains how to edit the Domino Web SSO configuration document in the Domino Directory. This document contains the parameters for the Web SSO configuration that you may need to change.
Note: If for some reason it is necessary to manually enable the Domino SSO feature, you can use the procedures described in Manually enabling the Domino SSO feature. You can also review these procedures to understand all configurations that are required to support SSO for the Sametime server.

SSO configurations performed by the Sametime installation

The Sametime installation enables the Domino SSO feature and performs the SSO configurations described later in this topic. The Sametime installation:

  • Creates a Web SSO Configuration document named LtpaToken. This document contains the SSO configuration needed for generation and validation of LTPA tokens. The installation populates the following fields in this document:
    • DNS Domain - To populate the DNS Domain field, the installation determines the fully-qualified domain name of the Sametime server computer and then removes the hostname portion from the fully-qualified domain name.

      For example, if the installation determines the fully-qualified name of the Sametime server is "Sametimeserver.east.acme.com", the installation writes ".east.acme.com" in the DNS Domain field.

      The LTPA token is then valid for the servers that belong to the DNS domain specified in the DNS Domain field.

    • Expiration (minutes) - This field specifies the length of time for which the LTPA token is valid. This value is 30 minutes by default. You may want to provide a longer value for the token expiration. Best practice is to use a setting of 120 minutes.
    • Domino Server Names - Each Domino/Sametime server that can accept the SSO token must be listed in the Domino Server Names field. By default, the installation writes only the name of the Domino server on which Sametime is installed in this field. It may be necessary to add the names of all other Domino/Sametime servers in the community to this field. For more information, see Altering the SSO configuration.
  • Alters the Sametime/Domino server Server document. The installation changes the Internet Protocols > Domino Web Engine > Session authentication field in the Server document to the value "Multiple servers (SSO)." The Session authentication field must have the "Multiple servers (SSO)" value even if your Sametime community uses only one Sametime server. If the "Multiple servers (SSO)" value is not selected, the SSO feature will not function properly for Sametime.

Altering the SSO configuration

The default configuration meets the basic requirements necessary for a Sametime server to support SSO. In some cases, it may be necessary for the administrator to alter the DNS Domain field or the Domino Server Names field of the Domino Web SSO Configuration document following the Sametime server installation.

  • Altering the DNS Domain field - The Sametime installation may not always accurately detect the fully-qualified domain name of the Sametime server computer. If this problem occurs, the DNS Domain field may not specify the appropriate DNS domain, and the administrator might need to manually edit the Domino Web SSO Configuration document to enter the appropriate value in the DNS Domain field. Follow the instructions in "Viewing and editing the Domino Web SSO Configuration document" to manually edit the document.
  • Altering the Domino Server Names field - If the Sametime community consists of multiple Sametime/Domino servers, the Domino server names of all of the Sametime/Domino servers in the Sametime community must exist in the Domino Server Names field of the Domino Web SSO Configuration document. By default, the installation writes only the name of the Domino server on which Sametime is installed to this field. If you have multiple Sametime servers, it may be necessary to manually open the Domino Web SSO configuration document and enter the names of the Domino/Sametime servers in the Domino Server Names field.

    For example, if you have Sametimeserver1/East/Example and Sametimeserver2/East/Example in your Sametime community, and you install Sametimeserver3/East/Example, only Sametimeserver3/East/Example is written to the Domino Server Names field during the Sametime installation. The administrator may need to open the Domino Web SSO Configuration document and manually enter the names Sametimeserver1/East/Example and Sametimeserver2/East/Example in the Domino Server Names field on the Domino Web SSO Configuration document on Sametimeserver3/East/Example to ensure that all servers in the community are entered in this field. To manually open the Domino Web SSO Configuration document, see "Viewing and editing the Domino Web SSO Configuration document".

    Note that in multiple server environments, the Domino Directory may already be replicated to the Domino server at the time the Sametime server is installed. If the Domino Directory already exists on the server and contains a Domino Web SSO configuration document, the Sametime installation will not attempt to alter the existing configuration in any way. In this case, the existing Domino Web SSO configuration document may already contain the names of the existing servers in the community and it may be necessary to add the name of the newly installed Sametime server to the Domino Web SSO configuration document.

    For example, the names Sametimeserver1/East/Example and Sametimeserver2/East/Example may already exist in the Domino Web SSO configuration document in the Domino Directory on the server reserved for the Sametimeserver3/East/Example installation. Since the Sametimeserver3/East/Example installation does not alter an existing SSO configuration, that server name will not appear in the Domino Web SSO Configuration document following the Sametime server installation. In this scenario, it is necessary to open the Domino Web SSO configuration document in the Domino Directory on Sametimeserver3/East/Example and manually enter "Sametimeserver3/East/Example" in the Domino Server Names field. All other parameters in the existing Web SSO Configuration document should be valid for the newly-added server.
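The following Python helper is an added example, not IBM's code: it derives the DNS Domain value the way the installation does (the fully-qualified name minus its hostname label) and then checks a Web SSO Configuration document against the list of servers in a community, flagging servers that are missing from Domino Server Names or whose host lies outside the configured DNS domain. The `WebSsoConfig` model, the server names and the FQDNs are constructed sample values.

```python
from dataclasses import dataclass, field


def dns_domain_from_fqdn(fqdn: str) -> str:
    """Derive the DNS Domain value as the installation does: drop the hostname
    label and keep the rest with its leading dot, so that
    "Sametimeserver.east.acme.com" becomes ".east.acme.com".
    A bare hostname carries no domain, so the result is an empty string."""
    host, sep, domain = fqdn.strip().rstrip(".").partition(".")
    return "." + domain.lower() if sep and domain else ""


@dataclass
class WebSsoConfig:
    """Constructed model of the Web SSO Configuration document fields discussed above."""
    dns_domain: str
    expiration_minutes: int = 30            # installation default
    domino_server_names: list = field(default_factory=list)


def check_sso_config(cfg: WebSsoConfig, community: dict) -> list:
    """Return the problems found. `community` maps each Domino/Sametime server
    name in the community to the FQDN of its host (constructed sample input)."""
    problems = []
    domain = cfg.dns_domain.lower()
    if not domain.startswith("."):
        problems.append(f"DNS Domain {cfg.dns_domain!r} is not a dotted domain suffix")
    listed = {name.lower() for name in cfg.domino_server_names}
    for name, fqdn in community.items():
        # Every server that must accept the LTPA token has to be listed.
        if name.lower() not in listed:
            problems.append(f"{name} is missing from Domino Server Names")
        # The token is only valid for hosts that belong to the DNS domain.
        if not fqdn.lower().endswith(domain) or fqdn.lower() == domain.lstrip("."):
            problems.append(f"{name} ({fqdn}) is outside DNS Domain {cfg.dns_domain}")
    if cfg.expiration_minutes < 120:
        problems.append(f"Expiration is {cfg.expiration_minutes} min; 120 is the best practice")
    return problems


if __name__ == "__main__":
    # Constructed scenario from the text: server 3 just installed, 1 and 2 not yet listed.
    cfg = WebSsoConfig(dns_domain=dns_domain_from_fqdn("Sametimeserver3.east.example.com"),
                       domino_server_names=["Sametimeserver3/East/Example"])
    community = {"Sametimeserver1/East/Example": "sametimeserver1.east.example.com",
                 "Sametimeserver2/East/Example": "sametimeserver2.east.example.com",
                 "Sametimeserver3/East/Example": "sametimeserver3.east.example.com"}
    for problem in check_sso_config(cfg, community):
        print("-", problem)
```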

Altering the SSO key

By default the Sametime installation creates a Domino SSO key. If WebSphere® is participating in SSO, this key should be replaced by the WebSphere LTPA key to allow both Domino and WebSphere to have an identical key for token validation and generation. Do this by importing the LTPA key from WebSphere to Domino. For more information, see Setting up single sign-on for Sametime browser clients.

Viewing and editing the Domino Web SSO Configuration document

To view or edit the Web SSO configuration document that is created by the Sametime installation, do the following:

  1. From a Notes® client, open the Domino Directory on the Sametime server.
  2. Choose the Configuration > Web > Web Configurations view.
  3. In the navigation list, expand Web SSO Configurations.
  4. Double-click on the document titled Web SSO Configuration for LtpaToken to open the Domino Web SSO Configuration document.
  5. Click Edit to put the document in edit mode.
  6. Edit the appropriate field (for example, the DNS Domain or Domino Server Names field).
  7. Click Save and Close after editing the document.
In some cases the name of the Web SSO configuration document can be different from LtpaToken, and the Organization field in the document might not be empty. This is mainly relevant for Internet Sites configurations. In this case the following settings must be set in the [AuthToken] section of the sametime.ini file:
  • ST_TOKEN_TYPE must contain the name of the Web SSO document used by the Sametime Community server. The default value is LtpaToken.
  • ST_ORG_NAME must contain the organization name that is set in the Web SSO document used by the Sametime Community server. The default value is an empty organization name.