With single sign-on (SSO) support, Web users can authenticate once
when accessing both WebSphere Application Server resources, such as HTML,
JavaServer Pages (JSP) files, servlets, enterprise beans, and Lotus Domino
resources, such as documents in a Domino database, or accessing resources
in multiple WebSphere Application Server domains.
Application servers distributed in multiple nodes and cells can securely
communicate using the Lightweight Third Party Authentication (LTPA) protocol.
LTPA is intended for distributed, multiple application server and machine
environments. LTPA can support security in a distributed environment through
cryptography. This support permits LTPA to encrypt, digitally sign, and securely
transmit authentication-related data, and later decrypt and verify the signature.
LTPA also provides the SSO feature wherein a user is required to authenticate
only once in a domain name system (DNS) domain and can access resources in
other WebSphere Application Server cells without getting prompted. Web users
can authenticate once to a WebSphere Application Server or to a Domino server.
This authentication is accomplished by configuring WebSphere Application Servers
and the Domino servers to share authentication information.
Without logging in again, Web users can access other WebSphere Application
Servers or Domino servers in the same DNS domain that are enabled for SSO.
You can enable SSO among WebSphere Application Servers by configuring SSO
for WebSphere Application Server. To enable SSO between WebSphere Application
Servers and Domino servers, you must configure SSO for both WebSphere Application
Server and for Domino.
Prerequisites and conditions
To take advantage of
support for SSO between WebSphere Application Servers or between WebSphere
Application Server and a Domino server, applications must meet the following
prerequisites and conditions:
- Verify that all servers are configured as part of the same DNS domain.
The realm names on each system in the DNS domain are case sensitive and must
match identically. For example, if the DNS domain is specified as mycompany.com,
then SSO is effective with any Domino server or WebSphere Application Server
on a host that is part of the mycompany.com domain, for example, a.mycompany.com and b.mycompany.com.
- Verify that all servers share the same user registry.
This
registry can be either a supported Lightweight Directory Access Protocol (LDAP)
directory server or, if SSO is configured between two WebSphere Application
Servers, a custom user registry.
Domino servers do not support custom
registries, but you can use a Domino-supported registry as a custom registry
within WebSphere Application Server. You can use a Domino directory that
is configured for LDAP access or other LDAP directories for the user registry.
The LDAP directory product must have WebSphere Application Server support.
Supported products include both Domino and Lightweight Directory Access Protocol
(LDAP) servers, such as IBM Tivoli Directory Server. Regardless of the choice
to use an LDAP server or a custom registry, the SSO configuration is the same.
The difference is in the configuration of the registry.
- Define all users in a single LDAP directory. Using multiple Domino directory
assistance documents to access multiple directories also is not supported.
- Enable HTTP cookies in browsers because the authentication information
that is generated by the server is transported to the browser in a cookie.
The cookie is used to propagate the authentication information for the user
to other servers, exempting the user from entering the authentication information
for every request to a different server.
- For a Domino server:
- Domino Release 5.0.6a for iSeries 400 or later and Domino Release 5.0.5
or later for other platforms are supported.
- A Lotus Notes client Release 5.0.5 or later is required for configuring
the Domino server for SSO.
- You can share authentication information across multiple Domino domains.
- For WebSphere Application Server:
- WebSphere Application Server Version 3.5 or later for all platforms are
supported.
- You can use any HTTP Web server that is supported by WebSphere Application
Server.
- You can share authentication information across multiple product administrative
domains.
- Basic authentication (user ID and password) using the basic and form-login
mechanisms is supported.
- By default, WebSphere Application Server does a case-sensitive comparison
for authorization. This comparison implies that a user who is authenticated
by Domino matches the entry exactly (including the base distinguished name)
in the WebSphere Application Server authorization table. If case sensitivity
is not considered for the authorization, enable the Ignore Case property
in the LDAP user registry settings.