SSO Configuration Fails for Websphere and Domino (R5.0.5/6) LDAP Server

Technote (FAQ)
Problem
SSO repeatedly throws a login challenge when a user accesses protected resources on WebSphere. When the user registry is configured for SSO/security on both the WebSphere and the Domino side, Web users must be defined using the hierarchical naming convention.
Solution
SSO fails when accessing protected resources

If the Web user is prompted for credentials each time they access a
resource, SSO is not configured correctly. The following are some of the
possible problems and their solutions.

1. WebSphere Application Server and Domino must both be
configured to use the same LDAP directory. The HTTP cookie
used for SSO stores the full Distinguished Name (DN) of the user,
for example, cn=John Doe, ou=Rochester, o=IBM, c=US,
and the DNS domain.

2. If the Domino Directory is being used, Web users must be defined
using hierarchical names. For example, update the User name
field in the Person document to include John
Doe/Rochester/IBM as the first value.

3. URLs issued to Domino and WebSphere application servers
configured for SSO must specify the full DNS server name, not
just the host name or a TCP/IP address. For browsers to be able
to send cookies to a group of servers, the DNS domain must be
included in the cookie, and the DNS domain in the cookie must
match the host in the URL. A URL that carries only a bare host
name or an IP address never matches, which is why the cookie
cannot be used across DNS domains.

4. Domino and WebSphere Application Server must be configured to
use the same DNS domain. Verify that the DNS domain value is
exactly the same (including casing). The DNS domain value can be
found in the Configure Global Security Settings of each
WebSphere administrative domain and in the Domino Web SSO
Configuration document. If you make a change to the Domino
Web SSO Configuration document, replicate the document to all
Domino servers participating in SSO.

5. Clustered servers must have the TCP/IP host name field populated
with the full DNS server name in the Server document for the Domino
ICM (Internet Cluster Manager) to redirect to cluster members
using SSO. If this field is not populated, ICM by default redirects
URLs to the clustered web servers using only the TCP/IP host name,
and the browser will not send the cookie because the DNS domain
is not included in the URL. To correct the problem,
  1. Edit the Server document
  2. Select the Internet Protocols tab, then the HTTP tab
  3. Enter the server's full DNS name in the Host name(s) field.

6. If an LDAP server port value was specified for the WebSphere
administrative domain, the Domino Web SSO Configuration
document must be edited and a backslash (\) must be added before
the colon in the LDAP Realm field for the WebSphere servers,
because the colon would otherwise be misread. For example, replace
mymachine.mydomain.ibm.com:389 with
mymachine.mydomain.ibm.com\:389.
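Items 2 through 6 are all consistency conditions between two configurations, so they can be checked offline before touching either server. The script below is an added example written for this page; it is not IBM code and not part of the technote. The setting names (dns_domain, ldap_realm), the sample values, and the rule that a trailing two-letter component of a Domino name is a country code (c=) are assumptions of this example. It maps a Domino hierarchical name to the DN the cookie carries, decides whether a browser would send a cookie scoped to the SSO DNS domain for a given URL (full name versus bare host or IP address), produces the escaped LDAP Realm value, and compares the DNS domain byte for byte as item 4 requires.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit


def domino_name_to_dn(name: str) -> str | None:
    """Map a Domino abbreviated hierarchical name such as
    'John Doe/Rochester/IBM' to the LDAP DN the SSO cookie carries,
    'cn=John Doe,ou=Rochester,o=IBM'.  Returns None for a flat name
    (no '/' components), which has no DN and therefore breaks SSO (item 2)."""
    parts = [p.strip() for p in name.strip().strip("/").split("/") if p.strip()]
    if len(parts) < 2:
        return None
    cn, *rest = parts
    # Assumption for this example: a trailing two-letter component is a
    # Domino country code and maps to c=; the component before it is o=.
    country = None
    if len(rest) >= 2 and re.fullmatch(r"[A-Za-z]{2}", rest[-1]):
        country = rest.pop()
    org = rest.pop()
    rdns = [f"cn={cn}"] + [f"ou={ou}" for ou in rest] + [f"o={org}"]
    if country:
        rdns.append(f"c={country}")
    return ",".join(rdns)


def cookie_sent_to(url: str, sso_domain: str) -> tuple[bool, str]:
    """Report whether a browser would attach an SSO cookie scoped to
    sso_domain (for example '.mydomain.ibm.com') to a request for url.
    Standard suffix matching: the host must equal the domain or end in
    '.' + domain.  Bare host names and IP addresses can never match,
    which is the failure described in items 3 and 5."""
    host = (urlsplit(url).hostname or "").lower()
    domain = sso_domain.lower().lstrip(".")
    if not host:
        return False, "URL has no host"
    try:
        ipaddress.ip_address(host)
        return False, f"{host} is an IP address, not a name in {sso_domain}"
    except ValueError:
        pass  # not an IP literal, carry on with name matching
    if "." not in host:
        return False, f"{host} is a bare host name; use the full DNS name"
    if host == domain or host.endswith("." + domain):
        return True, "cookie will be sent"
    return False, f"{host} is outside {sso_domain}"


def domino_realm_for_was(was_realm: str) -> str:
    """Item 6: when the WebSphere LDAP realm carries a port, the Domino Web
    SSO Configuration document must escape the colon, so
    'mymachine.mydomain.ibm.com:389' becomes 'mymachine.mydomain.ibm.com\\:389'.
    A realm without a port, or one already escaped, is returned unchanged."""
    host, sep, port = was_realm.rpartition(":")
    if not sep or not port.isdigit() or host.endswith("\\"):
        return was_realm
    return f"{host}\\:{port}"


def check_sso_config(was: dict, domino: dict, urls: list[str], users: list[str]) -> list[str]:
    """Run the checks from items 2 to 6 over both configurations and
    return one line per problem found (an empty list means consistent)."""
    problems = []
    # Item 4: the DNS domain value must be identical, including case.
    if was["dns_domain"] != domino["dns_domain"]:
        problems.append(f"item 4: DNS domain differs, WebSphere {was['dns_domain']!r} "
                        f"vs Domino {domino['dns_domain']!r}")
    # Item 6: Domino's LDAP Realm must carry the escaped port.
    expected = domino_realm_for_was(was["ldap_realm"])
    if domino["ldap_realm"] != expected:
        problems.append(f"item 6: Domino LDAP Realm should be {expected!r}, "
                        f"found {domino['ldap_realm']!r}")
    # Item 2: every Web user needs a hierarchical name that yields a DN.
    for user in users:
        if domino_name_to_dn(user) is None:
            problems.append(f"item 2: user {user!r} is not hierarchical, no DN for the cookie")
    # Items 3 and 5: every URL must carry the DNS domain of the cookie.
    for url in urls:
        ok, why = cookie_sent_to(url, was["dns_domain"])
        if not ok:
            problems.append(f"item 3/5: {url}: {why}")
    return problems


# Constructed sample settings; the field names are this example's, not the
# products'.  Domino here has the wrong case in the domain and an unescaped port.
WAS_SETTINGS = {"dns_domain": ".mydomain.ibm.com",
                "ldap_realm": "mymachine.mydomain.ibm.com:389"}
DOMINO_SETTINGS = {"dns_domain": ".MyDomain.ibm.com",
                   "ldap_realm": "mymachine.mydomain.ibm.com:389"}
SAMPLE_URLS = ["https://web1.mydomain.ibm.com/names.nsf",  # full DNS name: ok
               "https://web1/names.nsf",                   # bare host: fails
               "https://192.0.2.10/snoop"]                 # IP address: fails
SAMPLE_USERS = ["John Doe/Rochester/IBM", "Jane Roe"]

if __name__ == "__main__":
    for line in check_sso_config(WAS_SETTINGS, DOMINO_SETTINGS, SAMPLE_URLS, SAMPLE_USERS):
        print(line)
```

Run against the constructed sample it reports five problems: the case mismatch in the DNS domain, the unescaped port in the Domino realm, the flat user name, the bare-host URL and the IP-address URL. The DNS domain comparison is deliberately case-sensitive to match the technote's "exactly the same (including casing)" requirement, even though browsers compare cookie domains case-insensitively.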
Document Information

Product categories: Software, Application Servers, Distributed Application & Web Servers, WebSphere Application Server, Security
Operating system(s): Multi-Platform
Software version: 3.5, 4.0
Software edition: Standard, Advanced
Reference #: 1005863
IBM Group: Software Group
Modified date: 2004-08-03