Domino SSO Configuration

Tags:
Domino
Lotus Domino
Server configuration
SSO
I have not been able to configure SSO for multiple servers in the same Domino domain; the login screen appears again when switching to another Domino server.

Software/Hardware used:
Lotus Domino
ASKED: August 17, 2011  12:13 PM
UPDATED: March 31, 2012  6:25 PM

Answer Wiki


If you are using session-based authentication for multiple servers then you will need to turn on multi-server session-based authentication. This will require an LTPA token and configuration.

From the admin help:

Enabling single sign-on and basic authentication
This procedure ensures that a server can participate in single sign-on (SSO). An SSO-enabled server creates single sign-on cookies for users, which allows them to log in to the server and then be able to access other participating servers without having to log in again.
Before you begin, make sure that the SSO keys have been created or imported from a WebSphere file.
To enable single sign-on and basic authentication for a Web Site
Use this procedure to enable single sign-on for IBM® Lotus® Domino® servers (Domino 6 and higher) configured with Web Site documents.
Note When you enable the use of Internet Sites on a Domino server, any existing SSO configurations are automatically disabled. Make sure that you have enabled this option prior to configuring SSO.
1. In the Domino Administrator, click Configuration – Web – Internet Sites.
2. Open the Web Site document for which you want to enable single sign-on.
3. Click Domino Web Engine.
4. In Session authentication, select “Multiple Servers (SSO).”
5. In the Web SSO Configuration field, select the Web SSO Configuration for this Web Site from the drop-down list.
6. Click Security. For both TCP and SSL authentication, enable Name & Password.
7. Save and close the Web Site document.
8. At the server console, start the HTTP process by typing:
load HTTP
If the HTTP process is already running, type:
tell HTTP restart
Note If something is wrong with the configuration, the browser will receive an Error 500 message stating that single sign-on is not configured.
To enable single sign-on and basic authentication in the Server document
Use this procedure to enable single sign-on for Domino Release 5.0x servers, or for Domino 6 and higher servers not configured with Web Site documents.
1. Open the Server document.
2. Click Ports – Internet Ports – Web, and enable Name-and-password authentication for the Web (HTTP/HTTPS) port.
3. Click Internet Protocols – Domino Web Engine, and select Multiple Servers (SSO) in the Session authentication field.
Note The “Idle session timeout” and “Maximum active sessions” fields will be disabled.
4. In the Web SSO Configuration field, select the Web SSO Configuration for this server from the drop-down list.
5. Save and close the Server document.
Note You can optionally enable the use of client certificates for SSL authentication for users on an SSO-enabled server. If the user authenticates with a client certificate, the server still creates an SSO token for the user in case it will be useful for accessing resources on participating SSO servers.

Multi-server session-based authentication (single sign-on)
Multi-server session-based authentication, also known as single sign-on (SSO), allows Web users to log in once to an IBM® Lotus® Domino® or WebSphere server, and then access any other Domino or WebSphere servers in the same DNS domain that are enabled for single sign-on (SSO) without having to log in again.
User Web browsers must have cookies enabled since the authentication token that is generated by the server is sent to the browser in a cookie.
You set this up by doing the following:
Creating a domain-wide configuration document — the Web SSO Configuration document — in the Domino Directory. (You can have multiple Web SSO Configuration documents in a Domino Domain or directory.) If you are using Internet Sites, you can create SSO configuration documents for each Internet Site (however, not all protocols honor Internet Site configurations).
Enabling the “Multi-servers (SSO)” option for session-based authentication in a Web Site document or in the Server document.
You can enable single sign-on across multiple Domino domains.
Checklist for enabling single sign-on
The SSO feature makes logging in and using multiple servers in a mixed environment easier for users. Use the following list to configure your Domino environment to ensure that your SSO configuration is successful.
General issues
It is important that all servers participating in an SSO group must use the same mechanism for configuring Internet access. They must either all use Internet Site documents, or they must all have Internet access configured in the Server document.
The DNS domain that applies to the participating SSO servers is specified in the SSO configuration document. URLs issued to servers configured for single sign-on must specify the full DNS server name, not the host name or IP address. For browsers to be able to send cookies to a group of servers, the DNS domain is included in the cookie (as specified by the configuration), and the DNS domain in the cookie must match the server URL. This is why cookies cannot be used across TCP/IP domains.
Clustered servers must have the full DNS server name in the host name field of the Web Site or Server document. This enables the Internet Cluster Manager (ICM) to redirect to cluster members using SSO. If the DNS server host name is not there, ICM will redirect URLs to clustered Web servers with only the TCP/IP host name, by default, and will not be able to send the cookie because the DNS domain is not included in the URL.
If you enable Internet Sites in the Server document, any existing SSO configuration is automatically disabled.

There is more in the admin help. If you also want to use single sign-on using the Windows account information, then check out "Setting up Windows single sign-on for Web clients" in the admin help.
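The checklist above comes down to three things that are easy to get wrong and that all produce the "login prompt again on the next server" symptom from the question: every URL handed to a participating server must use the full DNS name (not a short host name or an IP address), that name must fall inside the DNS domain written in the Web SSO Configuration document (because the browser only sends the LTPA cookie to hosts that domain-match it), and all servers in the group must be configured the same way (all Internet Site documents or all Server documents). The following is an added example, not code from the answer or from IBM; it models the SSO group as a small constructed inventory and applies those checks, using the browser's RFC 6265 domain-matching rule to decide whether the cookie would actually be sent. The server names, URLs, the configuration name and the leading-dot form of the DNS domain are all constructed sample values.

```python
"""Constructed checker for a Domino multi-server SSO group (example, not IBM code)."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical Web SSO Configuration document: name and the DNS domain it carries.
SSO_CONFIG = {
    "name": "LtpaToken",           # constructed configuration name
    "dns_domain": ".example.com",  # constructed; leading dot as commonly entered in the field
}

# Constructed inventory of the servers that are supposed to share the cookie.
SERVERS = [
    {"name": "mail01/Example", "url": "https://mail01.example.com/names.nsf", "uses_internet_sites": True},
    {"name": "mail02/Example", "url": "https://mail02/names.nsf",             "uses_internet_sites": True},
    {"name": "web01/Example",  "url": "http://192.0.2.10/home.nsf",           "uses_internet_sites": True},
    {"name": "app01/Example",  "url": "https://app01.example.com/app.nsf",    "uses_internet_sites": False},
    {"name": "old01/Example",  "url": "https://old01.example.net/db.nsf",     "uses_internet_sites": True},
]


def normalize_domain(domain):
    """Lower-case the cookie domain and drop the leading dot the SSO document may carry."""
    return domain.lower().lstrip(".")


def is_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cookie_domain_matches(host, cookie_domain):
    """RFC 6265 section 5.1.3 domain matching, as a browser applies it before
    attaching a cookie with Domain=cookie_domain to a request for host:
    host must equal the domain or end with '.' + domain, and must not be an IP."""
    host = host.lower()
    domain = normalize_domain(cookie_domain)
    if is_ip(host):
        return False
    return host == domain or host.endswith("." + domain)


def check_server(server, sso_config):
    """Return the list of problems that would stop the SSO cookie reaching this server."""
    problems = []
    host = urlsplit(server["url"]).hostname or ""
    if is_ip(host):
        problems.append("URL uses an IP address, so the browser never sends the SSO cookie")
    elif "." not in host:
        problems.append("URL uses a short host name instead of the full DNS name")
    elif not cookie_domain_matches(host, sso_config["dns_domain"]):
        problems.append(
            f"host {host} is outside the SSO DNS domain {sso_config['dns_domain']}"
        )
    return problems


def check_sso_group(servers, sso_config):
    """Check every server plus the group-wide rule that all servers use the same
    mechanism (Internet Site documents or Server document). Returns
    (per-server problems keyed by server name, list of group-wide problems)."""
    per_server = {s["name"]: check_server(s, sso_config) for s in servers}
    group_problems = []
    if len({s["uses_internet_sites"] for s in servers}) > 1:
        group_problems.append(
            "SSO group mixes Internet Site documents and Server-document configuration"
        )
    return per_server, group_problems


if __name__ == "__main__":
    per_server, group = check_sso_group(SERVERS, SSO_CONFIG)
    for name, problems in per_server.items():
        print(name, "OK" if not problems else "; ".join(problems))
    for problem in group:
        print("GROUP:", problem)
```

Run it as-is to see the constructed inventory flagged: only mail01 passes on its own, mail02 is reached by a short host name, web01 by an IP, old01 sits in a different DNS domain, and app01 breaks the group-wide rule because it is the one server still configured through the Server document. To use it against a real environment, replace the constructed entries with the URLs users actually follow (including any links the Internet Cluster Manager hands out) and the DNS domain from the Web SSO Configuration document.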
