Authentication by token using the Domino Single Sign-On (SSO) feature

The IBM® Domino® Single Sign-On (SSO) feature must be enabled on the IBM Sametime® server. This feature creates Lightweight Third Party Authentication (LTPA) tokens that enable web browser users to log in a single time to access multiple Sametime, Domino, or IBM WebSphere® servers that are in the same DNS domain. This capability is called "single sign-on."

Sametime also uses LTPA tokens to authenticate connections from Sametime clients to the Community Services and Meeting Services.

Sametime supports two versions of LTPA tokens: LTPAv1 and LTPAv2. Sametime allows authenticating by a single LTPA token or by a list of LTPA tokens. For example, a client can send an LTPAv1 token and LTPAv2 token in the same authentication request to authenticate a user. The Domino configuration determines which token is validated.

The LTPA token types supported by Domino are configured in the Web SSO document in names.nsf. When using a Domino SSO key, only LTPAv1 tokens are supported. When importing a WebSphere LTPA key, both LTPAv1 and LTPAv2 tokens are supported by Domino. The supported formats are defined in the Token Format field in the WebSphere Information section of the Web SSO document.

Sametime can generate a single LTPA token or a list of LTPA tokens depending on the SSO key that is configured in Domino and the Token Format field in the case of WebSphere LTPA keys.

Authentication by LTPA token occurs after a user has already authenticated once using password authentication. For example, authentication by token on a Sametime server might occur as follows:

  1. A Sametime user logs into Sametime by using a Sametime Connect Client.
  2. After a successful authentication, the Domino Single Sign-On (SSO) feature on the Sametime Community Server generates an LTPA token containing the user's authentication information and passes the token to the user's client.
  3. The user invites other users to an instant meeting room.
  4. The Sametime Connect Client connects to the Sametime Meeting Server and passes the LTPA token for authentication. The Sametime Meeting Server authenticates the user by the provided LTPA token. The user is not required to re-enter authentication credentials.
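
The four steps above, together with the earlier point that a client may send an LTPAv1 and an LTPAv2 token in one request while the server's Token Format setting decides which one is validated, can be modelled in a few lines. The following Python is an added example and not IBM code; it does not implement the real LTPA token encoding. It stands in a keyed HMAC over a small JSON body for the LTPA signature, a constructed `SSO_KEY` for the key held in the Web SSO document, a hypothetical `.example.com` for the shared DNS domain, a constructed user directory for the initial password check, and the format names `v1`/`v2` for LTPAv1/LTPAv2. What it shows is the security-relevant shape of the flow: one password login, a token that any server holding the same key can verify, per-server acceptance of token formats, and rejection of expired, tampered, or out-of-domain use.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

# Constructed values for this example. In a real deployment the SSO/LTPA key and
# the DNS domain come from the Domino Web SSO document; these are stand-ins only.
SSO_KEY = b"constructed-shared-sso-key-not-a-real-ltpa-key"
SSO_DNS_DOMAIN = ".example.com"   # hypothetical DNS domain shared by all SSO servers
TOKEN_LIFETIME = 1800             # seconds; hypothetical token lifetime
SIG_LEN = hashlib.sha256().digest_size

# Constructed user directory standing in for the one-time password authentication.
USER_DIRECTORY = {"alice": "correct horse battery staple"}


def _sign(body: bytes) -> bytes:
    """Keyed MAC over the token body; every server holding SSO_KEY can verify it."""
    return hmac.new(SSO_KEY, body, hashlib.sha256).digest()


def password_login(user: str, password: str) -> bool:
    """Step 1: the single password authentication against the directory."""
    expected = USER_DIRECTORY.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


def issue_token(user: str, fmt: str, now: Optional[int] = None) -> str:
    """Step 2: after a successful login, issue a token in format 'v1' or 'v2'."""
    if fmt not in ("v1", "v2"):
        raise ValueError(f"unsupported token format: {fmt}")
    now = int(time.time()) if now is None else now
    claims = {"fmt": fmt, "user": user, "exp": now + TOKEN_LIFETIME}
    body = json.dumps(claims, sort_keys=True).encode()
    return base64.b64encode(body + _sign(body)).decode()


def validate_token(token: str, accepted_formats: Iterable[str], now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is authentic, unexpired and in an accepted format, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= SIG_LEN:
        return None
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(body)):
        return None             # tampered, or issued under a different SSO key
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("fmt") not in set(accepted_formats):
        return None             # this server's Token Format setting does not accept it
    if claims.get("exp", 0) <= now:
        return None             # expired: the user must authenticate by password again
    return claims.get("user")


def authenticate_token_list(tokens: Iterable[str], accepted_formats: Iterable[str],
                            now: Optional[int] = None) -> Optional[str]:
    """Step 4: a request may carry several tokens; the server accepts the one its configuration allows."""
    formats = set(accepted_formats)
    for token in tokens:
        user = validate_token(token, formats, now)
        if user is not None:
            return user
    return None


def in_sso_domain(server_host: str) -> bool:
    """A token is only presented to, and only meaningful for, servers in the issuer's DNS domain."""
    return server_host.lower().endswith(SSO_DNS_DOMAIN)


def sso_flow(user: str, password: str, meeting_server_host: str,
             meeting_server_formats: Iterable[str], now: int = 0) -> Optional[str]:
    """Walk the numbered steps: password login, token issue, then token-only login on another server."""
    if not password_login(user, password):
        return None
    tokens = [issue_token(user, "v1", now), issue_token(user, "v2", now)]   # Domino may issue a list
    if not in_sso_domain(meeting_server_host):
        return None
    return authenticate_token_list(tokens, meeting_server_formats, now)


if __name__ == "__main__":
    print(sso_flow("alice", "correct horse battery staple", "meeting.example.com", {"v2"}, now=1000))
```

The `accepted_formats` argument plays the role of the Token Format field: a Meeting Server configured for LTPAv2 only ignores the LTPAv1 token in the list and validates the LTPAv2 one, while a server holding a different key, or one outside the DNS domain, never sees a valid token at all.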

The same LTPA token described previously can be used to authenticate the user when the user accesses other Sametime, Domino, or WebSphere servers in the same DNS domain during a single web browser session. The other Sametime, Domino, or WebSphere servers must also support the SSO feature (that is, the servers must accept LTPA tokens).

If the Domino SSO feature is not enabled when you install Sametime, the Sametime installation automatically enables and configures the Domino SSO feature. In some environments, it may be necessary to alter the SSO configuration following the Sametime server installation. For more information, see Altering the Domino Web SSO configuration following the Sametime server installation.