Altering the Domino® Web SSO configuration following the Sametime® server installation

The HCL® Sametime® installation automatically enables and configures the Domino® SSO feature on the Domino® server. In some cases, it may be necessary to alter the default configuration of the Domino® SSO feature following the Sametime® server installation.

This topic discusses the following issues pertaining to the Sametime® installation and the Domino® SSO feature:

  • SSO configurations performed by the Sametime® installation - This section explains how the Sametime® installation configures the Domino® Web SSO feature. You can use this information to determine if it is necessary to alter the default SSO configuration following a Sametime® server installation.
  • Altering the SSO configuration - This section explains the most common reasons for altering the SSO configuration following the Sametime® server installation. In multiple Sametime® server environments, it is frequently necessary to add the Domino® server names of Sametime® servers to the Domino® Web SSO Configuration document.
  • Viewing and editing the Domino® Web SSO configuration document - This section explains how to edit the Domino® Web SSO configuration document in the Domino® Directory. This document contains the parameters for the Web SSO configuration that you may need to change.
Note: If for some reason it is necessary to manually enable the Domino® SSO feature, you can use the procedures described in Manually enabling the Domino® SSO feature. You can also review these procedures to understand all configurations that are required to support SSO for the Sametime® server.

SSO configurations performed by the Sametime® installation

The Sametime® installation enables the Domino® SSO feature and performs the SSO configurations described later in this topic. The Sametime® installation:

  • Creates a Web SSO Configuration document named LtpaToken. This document contains the SSO configuration needed for generation and validation of LTPA tokens. The following fields are populated into this document:
    • DNS Domain - To populate the DNS Domain field, the installation determines the fully-qualified domain name of the Sametime® server computer and then subtracts the hostname value from the fully-qualified domain name.

      For example, if the installation determines that the fully qualified name of the Sametime® server is "Sametimeserver.east.acme.com", the installation writes ".east.acme.com" in the DNS Domain field.

      The LTPA token is then valid for the servers that belong to the DNS domain specified in the DNS Domain field.

    • Expiration (minutes) - This field specifies the length of time for which the LTPA token is valid. This value is 30 minutes by default. You may want to provide a longer value for the token expiration. Best practice is to use a setting of 120 minutes.
  • Domino® Server Names - Each Domino®/Sametime® server that can accept the SSO token must be listed in the Domino Server Names field. By default, the installation writes only the name of the Domino® server on which Sametime® is installed to this field. It may be necessary to add the names of all other Domino®/Sametime® servers in the community to this field. For more information, see the Altering the SSO configuration section.
  • Alters the Server document of the Sametime®/Domino® server. The installation changes the Internet Protocols - Domino Web Engine - Session authentication field in the Server document to the value "Multiple servers (SSO)." The Session authentication field must have the "Multiple servers (SSO)" value even if your Sametime® community uses only one Sametime® server. If the "Multiple servers (SSO)" value is not selected, the SSO feature will not function properly for Sametime®.

Altering the SSO configuration

The default configuration meets the basic requirements necessary for a Sametime® server to support SSO. In some cases, it may be necessary for the administrator to alter the DNS Domain field or the Domino Server Names field of the Domino® Web SSO Configuration document following the Sametime® server installation.

  • Altering the DNS Domain field - The Sametime® installation may not always accurately detect the fully-qualified domain name of the Sametime® server computer. If this problem occurs, the DNS Domain field may not specify the appropriate DNS domain, and the administrator might need to manually edit the Domino® Web SSO Configuration document to enter the correct value in the DNS Domain field. To manually edit the document, follow the instructions in the Viewing and editing the Domino® Web SSO Configuration document section.
  • Altering the Domino Server Names field - If the Sametime® community consists of multiple Sametime®/Domino® servers, the Domino® server names of all of the Sametime®/Domino® servers in the Sametime® community must exist in the Domino Server Names field of the Domino® Web SSO Configuration document. By default, the installation writes only the name of the Domino® server on which Sametime® is installed to this field. If you have multiple Sametime® servers, it may be necessary to manually open the Domino® Web SSO configuration document and enter the names of the Domino®/Sametime® servers in the Domino Server Names field.

    For example, if you have Sametimeserver1/East/Example and Sametimeserver2/East/Example in your Sametime® community, and you install Sametimeserver3/East/Example, only Sametimeserver3/East/Example is written to the Domino Server Names field during the Sametime® installation. The administrator may need to open the Domino® Web SSO Configuration document on Sametimeserver3/East/Example and manually enter the names Sametimeserver1/East/Example and Sametimeserver2/East/Example in the Domino Server Names field to ensure that all servers in the community are entered in this field. To manually open the Domino® Web SSO Configuration document, see the Viewing and editing the Domino® Web SSO Configuration document section.

    Note that in multiple server environments, the Domino® Directory may already be replicated to the Domino® server at the time the Sametime® server is installed. If the Domino® Directory already exists on the server and contains a Domino® Web SSO configuration document, the Sametime® installation will not attempt to alter the existing configuration in any way. In this case, the existing Domino® Web SSO configuration document may already contain the names of the existing servers in the community and it may be necessary to add the name of the newly installed Sametime® server to the Domino® Web SSO configuration document.

    For example, the names Sametimeserver1/East/Example and Sametimeserver2/East/Example may already exist in the Domino® Web SSO configuration document in the Domino® Directory on the server reserved for the Sametimeserver3/East/Example installation. Since the Sametimeserver3/East/Example installation does not alter an existing SSO configuration, that server name will not appear in the Domino® Web SSO Configuration document following the Sametime® server installation. In this scenario, it is necessary to open the Domino® Web SSO configuration document in the Domino® Directory on Sametimeserver3/East/Example and manually enter "Sametimeserver3/East/Example" in the Domino Server Names field. All other parameters in the existing Web SSO Configuration document should be valid for the newly-added server.
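To check a Web SSO Configuration document against the community after an installation, here is an added Python example (not HCL's code). It derives the DNS Domain the way the installer does, as described above, and reports server names missing from the Domino Server Names field; the document is modelled as a dict keyed by the field names used on this page, and all sample values are constructed.

```python
# Added example (not HCL's code): sanity-check a Domino Web SSO Configuration
# document, as read from the Domino Directory, against the Sametime community.
# The document is a plain dict keyed by the field names on the page; the
# values below are constructed sample data.

def dns_domain_from_fqdn(fqdn: str) -> str:
    """Derive the DNS Domain value the way the installer does: strip the
    hostname and keep the leading dot ('Sametimeserver.east.acme.com'
    -> '.east.acme.com'). Returns '' when no domain part can be found, the
    case in which the installer may write an inappropriate DNS Domain."""
    fqdn = fqdn.strip().rstrip(".")
    if "." not in fqdn:
        return ""
    return fqdn[fqdn.index("."):].lower()

def check_web_sso_doc(doc: dict, community: list, fqdn: str) -> list:
    """Return a list of findings; an empty list means the document is consistent."""
    findings = []
    expected = dns_domain_from_fqdn(fqdn)
    if not expected:
        findings.append(f"cannot derive a DNS domain from '{fqdn}'; set DNS Domain manually")
    elif doc.get("DNS Domain", "").lower() != expected:
        findings.append(f"DNS Domain is '{doc.get('DNS Domain')}', expected '{expected}'")
    # Every Domino/Sametime server in the community must be listed.
    missing = sorted(set(community) - set(doc.get("Domino Server Names", [])))
    for name in missing:
        findings.append(f"server '{name}' is not listed in Domino Server Names")
    expiration = doc.get("Expiration (minutes)", 0)
    if expiration < 120:
        findings.append(f"Expiration is {expiration} minutes; best practice is 120")
    return findings

# Constructed sample: the document as the installer wrote it on Sametimeserver3,
# with the two pre-existing community servers not yet added.
SAMPLE_DOC = {
    "DNS Domain": ".east.example.com",
    "Expiration (minutes)": 30,
    "Domino Server Names": ["Sametimeserver3/East/Example"],
}
COMMUNITY = ["Sametimeserver1/East/Example", "Sametimeserver2/East/Example",
             "Sametimeserver3/East/Example"]

if __name__ == "__main__":
    for finding in check_web_sso_doc(SAMPLE_DOC, COMMUNITY, "sametimeserver3.east.example.com"):
        print("WARN:", finding)
```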

Altering the SSO key

By default, the Sametime® installation creates a Domino® SSO key.

Viewing and editing the Domino® Web SSO Configuration document

To view or edit the Web SSO configuration document that is created by the Sametime® installation, do the following:

  1. From a Notes® client, open the Domino® Directory on the Sametime® server.
  2. Choose the Configuration > Web > Web Configurations view.
  3. In the navigation list, expand Web SSO Configurations.
  4. Double-click on the document titled Web SSO Configuration for LtpaToken to open the Domino® Web SSO Configuration document.
  5. Click Edit to put the document in edit mode.
  6. Edit the appropriate field (for example, the DNS Domain or Domino Server Names field).
  7. Click Save and Close after editing the document.
In some cases the name of the Web SSO configuration document can be different from LtpaToken, and the Organization field in the document might not be empty. This is mainly relevant for an Internet Sites configuration. In this case, the following settings must be set in the [AuthToken] section of the sametime.ini file:
  • ST_TOKEN_TYPE must contain the name of the Web SSO document used by the Sametime® Community server. The default value is LtpaToken.
  • ST_ORG_NAME must contain the organization name that is set in the Web SSO document used by Sametime® Community server. The default value is an empty organization name.

TOKEN_TYPE_TO_RETURN

This setting defines which token type is returned to the Sametime client when the client sends a request to generate a single token and the Domino server generates both LTPA v1 and LTPA v2 tokens. The possible values are:
  • LTPA – LTPA v1 token
  • LTPA2 – LTPA v2 token
Note: LTPA (the LTPA v1 token) is the default value, used when the setting is absent from the sametime.ini file.
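As an added example (not HCL's code), the following Python reads the [AuthToken] section of a constructed sametime.ini and checks ST_TOKEN_TYPE and ST_ORG_NAME against the Web SSO document that Sametime® is expected to use, applying the defaults stated above (including LTPA for TOKEN_TYPE_TO_RETURN) when a key or the whole section is absent.

```python
import configparser

# Added example (not HCL's code): read the [AuthToken] section of sametime.ini
# and compare it with the Web SSO Configuration document in use. The ini text
# is constructed sample data; section and key names are the ones on this page.
SAMPLE_INI = """
[AuthToken]
ST_TOKEN_TYPE=LtpaToken-Sites
ST_ORG_NAME=
"""

# Defaults as stated on the page for each setting when it is absent.
DEFAULTS = {"ST_TOKEN_TYPE": "LtpaToken", "ST_ORG_NAME": "", "TOKEN_TYPE_TO_RETURN": "LTPA"}

def read_authtoken(ini_text: str) -> dict:
    """Return the effective [AuthToken] settings, falling back to DEFAULTS."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the upper-case key names exactly as written
    cp.read_string(ini_text)
    section = cp["AuthToken"] if cp.has_section("AuthToken") else {}
    return {key: section.get(key, default).strip() for key, default in DEFAULTS.items()}

def check_authtoken(settings: dict, sso_doc_name: str, sso_org: str) -> list:
    """Findings where sametime.ini disagrees with the Web SSO document it should match."""
    findings = []
    if settings["ST_TOKEN_TYPE"] != sso_doc_name:
        findings.append(f"ST_TOKEN_TYPE is '{settings['ST_TOKEN_TYPE']}' but the Web SSO "
                        f"document is named '{sso_doc_name}'")
    if settings["ST_ORG_NAME"] != sso_org:
        findings.append(f"ST_ORG_NAME is '{settings['ST_ORG_NAME']}' but the document's "
                        f"Organization field is '{sso_org}'")
    if settings["TOKEN_TYPE_TO_RETURN"] not in ("LTPA", "LTPA2"):
        findings.append(f"TOKEN_TYPE_TO_RETURN '{settings['TOKEN_TYPE_TO_RETURN']}' "
                        "is neither LTPA nor LTPA2")
    return findings

if __name__ == "__main__":
    settings = read_authtoken(SAMPLE_INI)
    # Constructed scenario: the server actually uses an Internet Sites document
    # named "LtpaToken-Sites" whose Organization field is empty.
    for finding in check_authtoken(settings, "LtpaToken-Sites", ""):
        print("WARN:", finding)
```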