Single Signon
With single signon (SSO) support, Web users authenticate once and can then
access WebSphere Application Server resources (such as HTML pages, JavaServer
Pages (JSP) files, servlets, and enterprise beans), Lotus Domino resources
(such as documents in a Domino database), and resources in multiple WebSphere
domains without authenticating again.
Web users can authenticate once to a WebSphere Application Server or to
a Domino server. Without logging in again, they can then access any other
WebSphere Application Server or Domino server in the same Domain Name Service
(DNS) domain that is enabled for SSO. This is accomplished by configuring
the WebSphere Application Servers and the Domino servers to share
authentication information.
Enable SSO among WebSphere Application Servers by configuring SSO for WebSphere
Application Server. To enable SSO between WebSphere Application Servers and
Domino servers, you must configure SSO for both WebSphere Application Server
and for Domino.
Prerequisites and conditions
To take advantage of
support for single signon between WebSphere Application Servers or between
WebSphere Application Server and a Domino server, applications must meet the
following prerequisites and conditions:
- Verify that all servers are configured as part of the same DNS domain.
For example, if the DNS domain is specified as mycompany.com, then
SSO is effective with any Domino server or WebSphere Application Server on
a host that is part of the mycompany.com domain, for example, a.mycompany.com
and b.mycompany.com.
- Verify that all servers share the same user registry. This registry can
be either a supported Lightweight Directory Access Protocol (LDAP) directory
server or, if SSO is configured between two WebSphere Application Servers, a
custom user registry. Domino servers do not support custom registries, but
you can use a Domino-supported registry as a custom registry within WebSphere
Application Server. For more information on custom registries, see Introduction
to custom registries.
You can use a Domino directory (configured for
LDAP access) or other LDAP directory for the user registry. The LDAP directory
product must have WebSphere Application Server support. Supported products
include both Domino and IBM SecureWay LDAP directory servers. Regardless of
the choice to use an LDAP or a custom registry, the SSO configuration is the
same. The difference is in the configuration of the registry.
- Define all users in a single LDAP directory. Using LDAP referrals to connect
more than one directory together is not supported. Using multiple Domino directory
assistance documents to access multiple directories also is not supported.
- Enable HTTP cookies in browsers, because the authentication information
that the server generates is transported to the browser in a cookie.
The browser then presents that cookie to the other SSO-enabled servers, so
the user does not have to enter authentication information for every request
to a different server. Because the browser sends the cookie to every host in
the configured DNS domain, every host in that domain must be trusted with it.
- For a Domino server:
- Domino Release 5.0.6a or later for iSeries 400, and Domino Release 5.0.5
or later for other platforms, are supported.
- A Lotus Notes client Release 5.0.5 or later is required for configuring
the Domino server for SSO.
- You can share authentication information across multiple Domino domains.
- For WebSphere Application Server:
- WebSphere Application Server Version 3.5 or later for all platforms is
supported.
- You can use any HTTP Web server supported by WebSphere Application Server.
- You can share authentication information across multiple product administrative
domains.
- Basic authentication (user ID and password) using the basic and form-login
mechanisms is supported.
- By default, WebSphere Application Server compares user identities
case-sensitively during authorization. A user that Domino authenticates must
therefore match the entry in the WebSphere Application Server authorization
table exactly, including the base distinguished name. If case should not be
considered during authorization, enable the Ignore Case property in the LDAP
user registry settings.
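The two prerequisites above that most often cause an SSO rollout to fail are the DNS-domain scope of the cookie and the case-sensitive identity comparison. The following is an added example, not IBM's code and not taken from the product documentation; it models both checks in plain Python with constructed host names, DNs, and an opaque cookie name (the real token format is not described on this page), so you can see which hosts a browser would present the cookie to and why a DN that differs only in letter case fails the default comparison but passes once case is ignored.

```python
"""Added example (not IBM's code): two checks behind the SSO prerequisites.

1. Which hosts a browser sends the SSO cookie to, given the cookie's Domain
   attribute (RFC 6265 section 5.1.3 domain matching).
2. Whether a distinguished name (DN) authenticated by one server matches an
   entry in an authorization table, under exact and case-insensitive
   comparison.

Host names, DNs, and the cookie name below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SsoCookie:
    name: str
    value: str
    domain: str  # Domain attribute set by the server, e.g. "mycompany.com"


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain matching: the request host equals the cookie domain, or
    ends with "." + cookie domain. A leading dot on the attribute is ignored,
    as browsers do. Comparison is case-insensitive because DNS names are."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def hosts_receiving(cookie: SsoCookie, hosts: List[str]) -> List[str]:
    """Return the hosts, in order, to which the browser would send the cookie."""
    return [h for h in hosts if domain_matches(h, cookie.domain)]


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a string DN into (attribute type, value) pairs.

    Splits on commas that are not backslash-escaped (RFC 4514) and trims
    whitespace around each RDN; multi-valued RDNs joined with '+' are kept as
    one value. Types and values are returned as written, so case is preserved."""
    parts: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr_type, _, value = part.strip().partition("=")
        rdns.append((attr_type.strip(), value.strip()))
    return rdns


def dn_equal(a: str, b: str, ignore_case: bool = False) -> bool:
    """Compare two DNs RDN by RDN.

    With ignore_case=False every type and value must match exactly as written
    (the default the text describes). With ignore_case=True both sides are
    folded to lower case first, which is what the Ignore Case setting is for."""
    ra, rb = split_dn(a), split_dn(b)
    if len(ra) != len(rb):
        return False
    fold = (lambda s: s.lower()) if ignore_case else (lambda s: s)
    return all(fold(ta) == fold(tb) and fold(va) == fold(vb)
               for (ta, va), (tb, vb) in zip(ra, rb))


def lookup_authorization(authenticated_dn: str, table: Dict[str, str],
                         ignore_case: bool = False) -> Optional[str]:
    """Return the role the table grants to authenticated_dn, or None.
    The table maps DN strings (as an administrator typed them) to a role."""
    for entry_dn, role in table.items():
        if dn_equal(authenticated_dn, entry_dn, ignore_case=ignore_case):
            return role
    return None


if __name__ == "__main__":
    cookie = SsoCookie("SSOToken", "opaque-token-value", "mycompany.com")
    candidates = ["a.mycompany.com", "b.mycompany.com",
                  "mycompany.com.example.net", "notmycompany.com"]
    print(hosts_receiving(cookie, candidates))  # the two mycompany.com hosts only

    # Domino hands back the DN in one letter case; the administrator typed
    # another into the authorization table.
    authz = {"cn=Jane Doe,o=MyCompany": "manager"}
    dn_from_domino = "CN=Jane Doe,O=MyCompany"
    print(lookup_authorization(dn_from_domino, authz))                    # None
    print(lookup_authorization(dn_from_domino, authz, ignore_case=True))  # manager
```

The domain check is why a host such as mycompany.com.example.net never sees the token even though its name contains the SSO domain, and why every host that does sit under mycompany.com must be trusted. The DN check shows the authorization failure a mixed-case directory entry produces under the default comparison.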

Searchable topic ID:
csecsso
Last updated: Jun 21, 2007 8:07:48 PM CDT
WebSphere Business Integration Server Foundation, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.wasee.doc/info/ee/ae/csec_sso.html