5.8.3: Verifying SSO between WebSphere and Domino
This document discusses the verification of SSO between Domino
and WebSphere Application Server. Before proceeding, verify
that the following conditions are met:
- The LDAP directory contains at least one user that is defined for
testing purposes.
- The WebSphere Application Server administrative console can be started
for each of the WebSphere Application Server administrative domains
involved in SSO.
- A user can authenticate to each administrative domain using a
security name defined in the LDAP directory.
- At least one user in the LDAP directory must be authorized to
access at least one Domino resource, such as the Domino Directory.
- At least one user in the LDAP directory must be authorized to
access at least one WebSphere Application Server resource, such
as the Hello servlet.
- From a Web browser that is configured not to accept HTTP
cookies, you are able to reach the following resources:
- WebSphere-protected resources, like servlets, after being
prompted for a user ID and password.
- Domino-protected resources, like Lotus Notes databases,
after being prompted for a user ID and password.
If all of the preliminary tests succeed, you are ready to verify that
SSO is working correctly. To test the SSO functionality, perform
the following steps:
- Restart the Web browser.
- Configure the Web browser to accept HTTP cookies. (If you are
using Internet Explorer, enable the per-session (not stored) type
of cookies.)
- Configure the browser to notify you before accepting HTTP cookies.
This will provide visual confirmation that Domino and WebSphere
Application Server are generating and returning HTTP cookies to your
browser after you authenticate. (You can suppress the cookie
notifications after you verify that cookies are being
exchanged.)
- From the browser, specify the URL for a resource protected
by the Domino server; for example, attempt to open a database
that permits no access to anonymous users, as described in the
following example:
- Make sure to use a fully qualified DNS host name in
the URL; for example, enter
http://myhost.mycompany.com/names.nsf instead
of http://myhost/names.nsf .
- When prompted for a user ID and password, make sure that
you specify a user ID that is authorized to resources for
both the Domino and WebSphere application servers.
The format of the name depends on the level of restriction
Domino is using for Web users and whether Domino
or another LDAP directory is being used. (For details on the
options for basic authentication, refer to the
Domino 5 Administrative Help; in particular, see the information
on controlling the level of authentication for Web clients.)
The level of restriction Domino uses for Web users is set in
the Web server authentication field on the Security window of
the Server document. If you are using the default configuration
settings, you can specify the user's short name or user ID.
- When prompted, accept the HTTP cookie.
Successfully accessing such a resource verifies that the
token generated by the Domino server is accepted by WebSphere
Application Server.
- From the same browser session, attempt to access a resource
protected by WebSphere Application Server. If SSO is working
correctly, access is granted without prompting you to log in.
(If you are prompted, refer to
SSO fails when accessing protected resources for assistance.)
Make sure to use the fully qualified DNS host name in the URL.
For example, type
http://myhost.mycompany.com/webapp/examples/showCfg
instead of http://myhost/webapp/examples/showCfg .
- From the same browser session, attempt to access resources
managed by any additional Domino and WebSphere Application Server
domains included in your SSO configuration.
- Restart your browser session and perform the SSO-verification
steps again, but this time, start by accessing a resource
protected by WebSphere Application Server. This will verify
that the token generated by WebSphere Application Server is
accepted by the Domino server or servers. When prompted for a user ID
and password, use the user's short name or user ID; this is the
default naming convention for users in WebSphere Application
Server.
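The browser walk-through above can also be driven from a script, which is useful when the check has to be repeated for several Domino and WebSphere domains or after a configuration change. The following Python script is an added example and is not part of the InfoCenter page or of either product: it performs the same sequence (an anonymous request must be refused, a basic-authentication login must succeed and set cookies, and those cookies alone must unlock a resource on the other server), first in the Domino-to-WebSphere direction and then in reverse. It also checks the point the page makes about host names: both URLs must carry fully qualified names that share a DNS domain, or the browser will never send the first server's cookie to the second. The host names, the user jdoe/secret, the cookie name SSOTOKEN and the simulated_fetch function are constructed stand-ins so the script runs offline; against real servers, call verify_sso with the default urllib_fetch. The script forwards every cookie the first server sets, so it does not depend on the cookie's name.

```python
"""Scripted SSO verification between a Domino and a WebSphere server.

Added example; assumes nothing about the products beyond what the
walk-through states: a protected resource answers 401 to anonymous
requests, answers 200 to HTTP Basic authentication and sets one or
more cookies, and a second server in the same DNS domain honours
those cookies without a new login.
"""
import base64
from http.cookies import SimpleCookie
from urllib.parse import urlsplit
import urllib.error
import urllib.request


def host_is_fqdn(url):
    """True when the URL host is a dotted DNS name (not 'myhost', not an IP)."""
    host = urlsplit(url).hostname or ""
    return "." in host and not host.replace(".", "").isdigit()


def common_dns_domain(urls):
    """Return the DNS suffix shared by all hosts (e.g. 'mycompany.com').

    Returns None if any host is unqualified or the hosts share fewer than
    two labels; in both cases a domain-scoped SSO cookie cannot travel
    between the servers.
    """
    if not all(host_is_fqdn(u) for u in urls):
        return None
    labels = [reversed(urlsplit(u).hostname.lower().split(".")) for u in urls]
    suffix = []
    for level in zip(*labels):
        if len(set(level)) != 1:
            break
        suffix.insert(0, level[0])
    return ".".join(suffix) if len(suffix) >= 2 else None


def urllib_fetch(url, headers):
    """Real transport: returns (status, list of Set-Cookie header values)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get_all("Set-Cookie") or []


def simulated_fetch(url, headers):
    """Constructed stand-in for both servers so the script runs offline.

    Either host issues the (made-up) SSOTOKEN cookie on a valid login and
    either host accepts that cookie without an Authorization header.
    """
    expected = "Basic " + base64.b64encode(b"jdoe:secret").decode()
    jar = SimpleCookie(headers.get("Cookie", ""))
    if "SSOTOKEN" in jar and jar["SSOTOKEN"].value == "constructed-token":
        return 200, []
    if headers.get("Authorization") == expected:
        return 200, ["SSOTOKEN=constructed-token; Domain=.mycompany.com; Path=/"]
    return 401, []


def verify_sso(first_url, second_url, user, password, fetch=urllib_fetch):
    """Run the page's sequence from first_url to second_url; return a report."""
    report = {"shared_domain": common_dns_domain([first_url, second_url])}

    # Step 1: the protected resource must not be reachable anonymously.
    status, _ = fetch(first_url, {})
    report["anonymous_refused"] = status in (401, 403)

    # Step 2: log in with Basic auth and keep every cookie the server sets,
    # the scripted equivalent of "when prompted, accept the HTTP cookie".
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, set_cookies = fetch(first_url, {"Authorization": "Basic " + cred})
    report["login_ok"] = status == 200
    jar = SimpleCookie()
    for value in set_cookies:
        jar.load(value)
    report["cookies_issued"] = sorted(jar.keys())

    # Step 3: present only those cookies to the other server; a 200 without
    # any Authorization header is the SSO result the page describes.
    cookie_header = "; ".join(f"{k}={m.value}" for k, m in jar.items())
    status, _ = fetch(second_url, {"Cookie": cookie_header} if cookie_header else {})
    report["sso_granted"] = bool(jar) and status == 200

    report["passed"] = all(report[k] for k in
                           ("shared_domain", "anonymous_refused", "login_ok", "sso_granted"))
    return report


if __name__ == "__main__":
    domino = "http://domino.mycompany.com/names.nsf"        # constructed
    was = "http://was.mycompany.com/webapp/examples/showCfg"  # constructed
    # Domino first, then WebSphere; then the reverse, as the page instructs.
    for a, b in ((domino, was), (was, domino)):
        print(verify_sso(a, b, "jdoe", "secret", fetch=simulated_fetch))
```

To run it against real servers, replace the two constructed URLs with your own fully qualified ones and drop the fetch argument; a report with passed set to False shows which of the four conditions failed, which is the same information the manual walk-through gives you through the browser's cookie prompts and login dialogs.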