Setting up Single Sign-On authentication

IBM® Sametime® single sign-on (SSO) authentication allows web users to log in once to an IBM Domino® or IBM WebSphere® server, and then access any other Domino or WebSphere server in the same DNS domain that is enabled for single sign-on (SSO) without having to log in again. In a multiple server environment, it is possible that one or more servers in your Domino domain are already configured for Domino SSO, and the Domino Directory already contains a Domino Web SSO configuration document. When you install Sametime, it creates a Web SSO configuration document called LtpaToken unless one already exists in the Domino Directory. If an LtpaToken configuration document already exists, Sametime does not attempt to alter it.

About this task

In some cases, it may be necessary to alter the default configuration of the Domino SSO feature following the Sametime server installation. For instructions, see Altering the Domino Web SSO configuration following the Sametime server installation.

Complete the steps in this section if your Domino server is not configured for Web SSO, and you want to use the Web SSO document that Sametime creates to configure it.

When you enable SSO, the LTPA level used in Domino (on the Sametime Community Server) must match the LTPA level used by WebSphere on the Sametime Meeting Server and any other server that is part of the SSO environment.

Procedure

  1. From the Domino Administrator or a Notes® client, click File > Database > Open. Browse to the Domino server and type names.nsf in the Filename field. Click Open.
    Note: If you attempt to open this document from the Domino Administrator Configuration tab (Web - Web Configurations view), the Web SSO Configuration document will not display.
  2. Expand the list of Web SSO Configurations.
  3. Double-click the "Web SSO Configuration for LtpaToken" document to open it in edit mode.
  4. Update these fields as necessary:
    • Configuration name -- Enter LtpaToken.
    • DNS Domain -- Make sure this is the fully qualified domain suffix of the Sametime server. For example, if the server's fully qualified name is server.domain.com, enter .domain.com in this field. Ensure that the leading period (.) is present in front of the domain suffix.
    • Organization -- Leave this field blank.
    • Participating servers -- Add the Sametime server and other servers that belong to the SSO realm to the list.
  5. After entering the information, select Keys and do one of the following:
    • Create a DominoSSO Key
    • If WebSphere is participating in SSO, the Domino SSO key created by the install program should be replaced by the WebSphere LTPA key to allow both Domino and WebSphere to have an identical key for token validation and generation. Do this by importing the LTPA key from WebSphere to Domino. For more information, see Setting up single sign-on for Sametime clients.
    Note: When adding servers to the Participating servers field, click the arrow and choose the name from an Address Book when possible. If this is not possible, make sure that you use the full hierarchical name when you add a server (for example, Server1/Example where CN=Server/O=Org).
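The script below is an added example and is not part of the IBM documentation: it checks the values entered in step 4 (leading period on DNS Domain, hierarchical server names, every server inside the domain suffix) and then confirms that the LtpaToken cookie a participating server issues after login carries a Domain attribute that lets a browser present it to the other servers in the SSO realm. The server names, hostnames and the Set-Cookie header are constructed samples.

```python
"""Sanity checks for a Domino Web SSO (LtpaToken) configuration document."""
from http.cookies import SimpleCookie

# Constructed sample: what a participating server might send after login.
SAMPLE_SET_COOKIE = "LtpaToken=EXAMPLETOKEN0123; Path=/; Domain=.domain.com; HttpOnly"


def validate_sso_config(dns_domain, participating_servers, server_fqdns):
    """Return a list of problems with the document fields (empty means OK).

    dns_domain            -- value of the DNS Domain field, e.g. '.domain.com'
    participating_servers -- Domino hierarchical names, e.g. 'Server1/Example'
    server_fqdns          -- DNS names of those servers, checked against the suffix
    """
    problems = []
    if not dns_domain.startswith("."):
        problems.append("DNS Domain %r lacks the leading period" % dns_domain)
    for name in participating_servers:
        if "/" not in name:
            problems.append("server %r is not a full hierarchical name (CN/O)" % name)
    for fqdn in server_fqdns:
        if not fqdn.lower().endswith(dns_domain.lower()):
            problems.append("server %r is outside %r; the token never reaches it"
                            % (fqdn, dns_domain))
    return problems


def ltpa_cookie_domain(set_cookie_header):
    """Domain attribute of the LtpaToken cookie, or None if no such cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if "LtpaToken" not in jar:
        return None
    return jar["LtpaToken"]["domain"] or None


def cookie_reaches(set_cookie_header, fqdn):
    """True if a browser holding this LtpaToken cookie would send it to fqdn."""
    domain = ltpa_cookie_domain(set_cookie_header)
    if domain is None:
        return False
    # Browsers treat Domain=.domain.com and Domain=domain.com alike:
    # the host must equal the domain or end with '.' + domain.
    bare = domain.lstrip(".").lower()
    host = fqdn.lower()
    return host == bare or host.endswith("." + bare)


if __name__ == "__main__":
    print(validate_sso_config(".domain.com", ["Server1/Example"],
                              ["st.domain.com", "meetings.domain.com"]))
    print(ltpa_cookie_domain(SAMPLE_SET_COOKIE),
          cookie_reaches(SAMPLE_SET_COOKIE, "meetings.domain.com"))
```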