5.8: Single Sign-On
Single sign-on (SSO) support allows Web users to authenticate once when
accessing both WebSphere Application Server resources, such as HTML, JSPs,
servlets, and enterprise beans, and Domino resources, such as documents
in a Domino database, or when accessing resources in multiple
WebSphere domains.
An SSO domain defines the DNS domain that is set on the LTPA Token
cookie, which is the login token. The browser sends the cookie only to
systems in the domain for which it is set; therefore, the current design
limits SSO to one domain. If multiple-domain support is needed, this is
done by not setting the SSO domain on the LTPA Token cookie. The
cookie specification states that if the domain is not set, the cookie
is sent back only to the host that issued it. This effectively
disables SSO, but it does allow the same system to use form login on
multiple domains. To do this on WebSphere Application Server 4.0.2 or
3.5.6, set the property com.ibm.ejs.security.setSSODomain
to false in each application server's JVM properties.
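The scoping rule described above can be checked with the following added example (not code from the InfoCenter or from WebSphere itself). It models the cookie-domain matching rule that browsers apply and shows which hosts receive a token cookie scoped to mycompany.com versus a host-only cookie (the setSSODomain=false case); the cookie name LtpaToken and the token value are assumed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TokenCookie:
    """A login token cookie as the browser stores it."""
    name: str
    value: str
    domain: Optional[str]   # None: Domain attribute not set (host-only cookie)
    issuing_host: str       # host that sent the Set-Cookie header


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Cookie-spec domain matching: host equals the cookie domain or is a
    subdomain of it. The '.' prefix matters: a naive suffix check would
    wrongly let notmycompany.com receive a cookie scoped to mycompany.com."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: TokenCookie, host: str) -> bool:
    """Decide whether the browser attaches this cookie to a request for host."""
    if cookie.domain is None:
        # No SSO domain set: the cookie goes back only to the issuing host.
        return host.lower() == cookie.issuing_host.lower()
    return domain_matches(host, cookie.domain)


def hosts_receiving_token(cookie: TokenCookie, hosts: List[str]) -> List[str]:
    """Hosts from the candidate list that will receive the token cookie."""
    return [h for h in hosts if cookie_sent_to(cookie, h)]


# Constructed sample: two servers in the SSO domain, two outside it.
CANDIDATE_HOSTS = ["a.mycompany.com", "b.mycompany.com",
                   "notmycompany.com", "www.othercompany.com"]

# Token cookie with the SSO domain set (assumed cookie name and token value).
SSO_COOKIE = TokenCookie("LtpaToken", "<placeholder-token>",
                         "mycompany.com", "a.mycompany.com")

# Same cookie issued with setSSODomain=false: no Domain attribute.
HOST_ONLY_COOKIE = TokenCookie("LtpaToken", "<placeholder-token>",
                               None, "a.mycompany.com")

if __name__ == "__main__":
    print("SSO domain set:  ", hosts_receiving_token(SSO_COOKIE, CANDIDATE_HOSTS))
    print("host-only cookie:", hosts_receiving_token(HOST_ONLY_COOKIE, CANDIDATE_HOSTS))
```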
Web users can authenticate once to a WebSphere application server or
Domino server and then access any other WebSphere application servers or
Domino servers in the same DNS domain that are enabled for Single Sign-On (SSO)
without logging on again. This is accomplished by configuring the WebSphere
application servers and the Domino servers to share authentication information.
To enable SSO among WebSphere application servers, you must configure
SSO for WebSphere. To enable SSO between WebSphere application servers
and Domino servers, you must configure SSO for both WebSphere and for
Domino.
This configuration is described in subsequent sections, but there
are prerequisites that applications must meet in order to support the
use of single sign-on.
Prerequisites and conditions
To take advantage of support for single sign-on between WebSphere application
servers or between WebSphere and Domino, applications must meet the
following prerequisites and conditions:
- All servers must be configured as part of the same DNS domain.
For example, if the DNS domain is specified as mycompany.com,
then SSO will be effective with any Domino or WebSphere application
server on a host that is part of the mycompany.com domain,
for example, a.mycompany.com and b.mycompany.com.
- All servers must share the same user registry. This registry
can be either a supported LDAP directory server or, if
SSO is being configured between two WebSphere application
servers, a custom user registry. Domino does not support
the use of custom registries, but a Domino-supported registry
can be used as a custom registry within WebSphere. For more
information on custom
registries, see Introduction to custom
registries.
A Domino Directory (configured for LDAP access) or other
LDAP directory can be used for the user registry. The LDAP directory
product must be supported by WebSphere Application Server.
Supported products include both Domino and all IBM SecureWay LDAP
directory servers. Regardless of the choice to use an
LDAP or custom registry, the SSO configuration is the same.
The difference is in the configuration of the registry.
- All users must be defined in a single LDAP directory. Using LDAP
referrals to connect more than one directory together is not
supported. Using multiple Domino Directory Assistance
documents to access multiple directories is not supported.
- Users must enable HTTP cookies in their browsers, because the
authentication information that is generated by the server is
transported to the browser in a cookie. The cookie is then used
to propagate the user's authentication information to other servers,
exempting the user from entering the authentication information for
every request to a different server.
- For Domino
- Domino R5.0.6a for iSeries 400 (or later) and Domino R5.0.5
(or later) for other platforms are supported.
- A Lotus Notes client R5.0.5 (or later) is required for
configuring the Domino server for SSO.
- Authentication information can be shared across multiple
Domino domains.
- For WebSphere Application Server
- WebSphere Application Server V3.5 (or later) for all
platforms is supported.
- Any HTTP Web server supported by WebSphere Application Server
can be used.
- Authentication information can be shared across multiple
WebSphere administrative domains.
- Basic authentication (user ID and password) using the
basic and form-login mechanisms is supported.
- Permissions for either all authenticated users
or groups of users are supported. If you are using
the Domino Directory for authentication and have not
specified a Base Distinguished Name during setup, permissions
for individual users are also supported.