Configuring user name mapping in the SSO LTPA token

The LTPA token that Domino creates to authenticate users for single sign-on carries the name of the authenticated user. By default, HCL Domino® places the user's Domino distinguished name in the token. If an IBM® WebSphere® Application Server receives that token from a user trying to access it, the WebSphere server must be able to recognize this name format. If it cannot, the token is ignored, single sign-on fails, and the user is prompted to log in again.

About this task

This situation typically arises when the servers participating in SSO use several directories, so that one user has several identities. For example, a user may be known in the WebSphere LDAP directory as uid=jdoe,cn=sales,dc=renovations,dc=com, while the same user appears in the Domino Directory as John P Doe/Sales/Renovations. If WebSphere receives an LTPA token containing the name John P Doe/Sales/Renovations, it tries to find that user in its own directory, fails, and rejects the token.

Domino administrators can map the user name placed in a Domino-created LTPA token to the name that WebSphere expects, so that the name is recognized in a mixed Domino and WebSphere environment where the two products do not share a directory.

Note: In a mixed-release Domino environment, user name mapping in the LTPA token works only if the token is generated by a Domino 7.0 or later server. If the user name value that is used in the LTPA token is also added as a secondary value in the FullName field of the user's Person record (for aliasing, for example), users can also access databases on Domino 6.02 and later servers, as well as WebSphere servers, with the same token.

How you specify the user name to be used in the LTPA token depends on the directory configuration of your single sign-on environment. The two cases, a Domino Directory environment and a corporate LDAP directory environment reached through Directory Assistance, are covered by the procedures that follow.

As LDAP directory fields and Domino directory fields generally do not have a one-to-one correspondence, the use of Directory Assistance documents for name mapping allows LDAP administrators to specify which LDAP field should be used as the equivalent of the LTPA User Name field.

Note: Any name mapping configuration in Directory Assistance documents will be ignored if the mapping feature is not enabled in the SSO configuration document.


To configure user name mapping in a Domino Directory environment

About this task

In this environment, there are Domino SSO users who have Person records in the Domino directory.

Procedure

1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the Map names in LTPA token option.

2. In the user's Person document, click Administration. Under Client Information, in the LTPA user name field, enter the name that WebSphere expects for this user.


Results

Although the name is entered in the LTPA user name field in Domino format, Domino transforms the configured LTPA user name into the LDAP format that WebSphere expects before placing it in the Domino-created LTPA token.

To configure user name mapping in a corporate LDAP directory environment (a mixed Domino and LDAP directory environment)

About this task

In this environment, some or all Domino users do not have Person records in the Domino directory. Instead, these Domino users have records in an external LDAP directory that is accessible to Domino through Directory Assistance.

Procedure

1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the Map names in LTPA token option.

2. Open the Directory Assistance document for the LDAP Directory. In the SSO Configuration section, enter an LDAP attribute that should be used as the name in an SSO token created for this user. This attribute will be used in the LTPA token when the LTPA_UserNm field is requested. It is important to ensure that the selected field contains the user name that WebSphere expects. Options for this field include:

Results

If Directory Assistance is configured such that a search for a particular user finds a match in both the Domino Directory and an LDAP directory, Domino requires the Domino Person record and the LDAP record to be consistent: it verifies that the Internet email address is the same in both directories. To do this, DA reads the user's LDAP mail attribute, and that value must match the InternetAddress field of the Domino Person record.

Table 1. Values that must match for SSO to succeed

Attribute in LDAP directory              Attribute in Domino Directory
mail: Jbond@secret.spies.com             internetaddress: Jbond@secret.spies.com
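The following Python script is an added example for this page; it is not HCL's or IBM's code and it does not read names.nsf or an LDAP server. It models the name-selection rules described in the two procedures above (the Domino-format name in the LTPA user name field emitted in LDAP format, the LDAP attribute named in the Directory Assistance document, the default Domino distinguished name when mapping is disabled, and the mail/InternetAddress consistency check) so that a planned mapping can be sanity-checked offline before it is enabled. Everything marked ASSUMPTION in the code is not stated on the page: the Domino canonical and abbreviated name syntax, "LDAP format" meaning the same CN/OU/O components joined with commas and escaped per RFC 4514, case-insensitive address comparison, the field name LTPAUserName, and the dicts that stand in for a Person document and an LDAP entry. The sample records are constructed.

```python
"""Offline model of the LTPA user-name mapping rules (added example, not product code)."""
from __future__ import annotations

import re

_TYPED = re.compile(r"^(CN|OU|O|C)=(.*)$", re.IGNORECASE)


class SSONameError(Exception):
    """No acceptable name for the token: on the real servers SSO then fails
    and the user is prompted to log in again."""


def _escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an LDAP DN (RFC 4514).
    ASSUMPTION: Domino's 'LDAP format' output follows RFC 4514 escaping."""
    out = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def parse_domino_name(name: str) -> list[tuple[str, str]]:
    """Split a Domino hierarchical name into (type, value) components.

    Canonical form ('CN=John P Doe/OU=Sales/O=Renovations') is taken as written.
    Abbreviated form ('John P Doe/Sales/Renovations') gets CN for the first
    component, O for the last and OU for anything between (ASSUMPTION: no
    country component).
    """
    parts = [p.strip() for p in name.split("/")]
    if not parts or not all(parts):
        raise ValueError(f"malformed Domino name: {name!r}")
    matches = [_TYPED.match(p) for p in parts]
    if all(matches):
        return [(m.group(1).upper(), m.group(2)) for m in matches]
    if any(matches):
        raise ValueError(f"mixed canonical/abbreviated name: {name!r}")
    if len(parts) == 1:
        return [("CN", parts[0])]
    return [("CN", parts[0])] + [("OU", p) for p in parts[1:-1]] + [("O", parts[-1])]


def domino_to_ldap_dn(name: str) -> str:
    """'CN=John P Doe/OU=Sales/O=Renovations' -> 'CN=John P Doe,OU=Sales,O=Renovations'."""
    return ",".join(f"{t}={_escape_rdn_value(v)}" for t, v in parse_domino_name(name))


def _same_address(a: str | None, b: str | None) -> bool:
    # ASSUMPTION: addresses are compared case-insensitively after trimming.
    return bool(a) and bool(b) and a.strip().lower() == b.strip().lower()


def ltpa_user_name(*, map_names: bool, domino_dn: str, person: dict | None = None,
                   ldap_entry: dict | None = None, sso_attribute: str | None = None) -> str:
    """Pick the name that goes into the Domino-created LTPA token.

    domino_dn      canonical Domino name the user authenticated as
    person         Person document fields, or None if the user has no Domino record
    ldap_entry     attributes of the LDAP record Directory Assistance found, or None
    sso_attribute  attribute named in the DA document's SSO Configuration section
    """
    if not map_names:
        return domino_dn  # default: Domino DN in the token; DA mapping is ignored
    if ldap_entry is not None:
        # Found in LDAP: if a Person record exists too, mail must match InternetAddress.
        if person is not None and not _same_address(
                person.get("InternetAddress"), ldap_entry.get("mail")):
            raise SSONameError("LDAP mail does not match Domino InternetAddress")
        if not sso_attribute:
            raise SSONameError("DA document names no LDAP attribute for the token")
        value = ldap_entry.get(sso_attribute)
        if not value:
            raise SSONameError(f"LDAP record has no {sso_attribute!r} value")
        return value
    # Domino Directory case: the LTPA user name field, entered in Domino format,
    # is emitted in LDAP format. ASSUMPTION: field name and the fallback below.
    configured = (person or {}).get("LTPAUserName")
    if configured:
        return domino_to_ldap_dn(configured)
    return domino_dn


def simulate(**kw) -> tuple[bool, str]:
    """(True, name) when a token could be issued, (False, reason) when SSO would fail."""
    try:
        return True, ltpa_user_name(**kw)
    except (SSONameError, ValueError) as exc:
        return False, str(exc)


# Constructed sample data, not taken from any real directory.
DOMINO_DN = "CN=John P Doe/OU=Sales/O=Renovations"
PERSON = {"InternetAddress": "JDoe@renovations.com", "LTPAUserName": "jdoe/Sales/Renovations"}
LDAP_ENTRY = {"dn": "uid=jdoe,cn=sales,dc=renovations,dc=com",   # entry DN kept under 'dn'
              "mail": "jdoe@renovations.com", "uid": "jdoe"}

if __name__ == "__main__":
    print(simulate(map_names=False, domino_dn=DOMINO_DN, ldap_entry=LDAP_ENTRY, sso_attribute="dn"))
    print(simulate(map_names=True, domino_dn=DOMINO_DN, person=PERSON))
    print(simulate(map_names=True, domino_dn=DOMINO_DN, person=PERSON,
                   ldap_entry=LDAP_ENTRY, sso_attribute="dn"))
    print(simulate(map_names=True, domino_dn=DOMINO_DN, person={"InternetAddress": "jdoe@other.example"},
                   ldap_entry=LDAP_ENTRY, sso_attribute="dn"))
```

Run the script as-is to see the four outcomes in order: the unmapped Domino DN, the Domino-Directory mapping rendered in LDAP format, the LDAP attribute selected through Directory Assistance, and the failure when mail and InternetAddress disagree. Swap in your own Person and LDAP values to check a mapping before setting Map names in LTPA token to Enabled.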

Keep in mind these additional considerations when setting up name mapping:


Related concepts
Setting up directory assistance

Related tasks
Configuring alias dereferencing in a Directory Assistance document for a remote LDAP directory
Multi-server session-based authentication (single sign-on)