SECURITY


Creating a Web SSO configuration document
The Web SSO configuration document is a domain-wide configuration document stored in the Domino Directory. This document, which should be replicated to all servers participating in the single sign-on domain, is encrypted for participating servers and administrators, and contains a shared secret key used by servers for authenticating user credentials.

To create a Web SSO configuration document if you are using Internet Sites

You should have already created a Web Site document, and enabled the use of Internet Site documents in the Server document.

Also be sure that your client location document has the home/mail server set to a server in the same domain as the servers participating in SSO. This ensures that the public keys of all participating servers can be found when the SSO document is encrypted.

1. In the Domino Administrator, click Files, and open the server’s Address Book (NAMES.NSF).

2. Select the Internet Sites view.

3. Click Create Web SSO Configuration.

4. In the document, click Keys.

5. Initialize the Web SSO Configuration with the shared secret key in one of two ways:

6. Complete the rest of the document as follows:
Field: Configuration Name
Action: Enter the name of the SSO configuration.

Note: If the single sign-on configuration includes both Domino 6 and Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x servers only work with this configuration name.

Field: Organization Name (Required)
Action: Enter the name of the organization. This must match the organization name for the corresponding Web site. The SSO document will then appear in the Internet Sites view, along with the Web Site documents.

Field: DNS Domain (Required)
Action: Enter the DNS domain (for example, lotus.com) for which the tokens will be generated. The servers enabled for single sign-on must all belong to the same DNS domain.

Field: Domino Server Names
Action: Enter the names of the servers that will be participating in single sign-on (for example, server1/acme, server2/acme). This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field.

Groups, wildcards, and the names of WebSphere servers are not allowed in this field. Only Domino servers can be listed as participating servers in the Server Names field.

Note: There is a 64K size limit on this field. An error message appears when the limit is reached, such as when the names of several hundred servers are entered. It is recommended that you create more than one Web SSO document if this limit is reached.

Field: Expiration (minutes)
Action: Specify the time period, in minutes, for which the token will be valid. This time period begins at the time the token is issued. The token is valid for only the number of minutes specified; it does not expire based on inactivity. Default is 30 minutes.

7. Save the Web SSO Configuration document. A message on the status bar indicates the number of servers/people for whom the document was encrypted. The document(s) will appear in the Internet Sites view.

To create a Web SSO configuration document if you are using the Web Server Configurations view

Use this procedure to create a Web SSO configuration document if your server is a Release 5.0x server, or if you are using Domino 6 but you do not use Web Site documents to manage your Web sites.

1. In the Domino Administrator, click Files, and open the server’s Address Book (NAMES.NSF).

2. Select the Servers view.

3. Click Create Web SSO Configuration.

4. In the Web SSO Configuration document, click Keys.

5. Initialize the Web SSO Configuration with the shared secret key in one of two ways:

6. Complete the rest of the document as follows:
Field: Configuration Name
Action: Enter the name of the SSO configuration.

Note: If the single sign-on configuration includes both Domino 6 and Release 5.0x servers, the Configuration Name must be LtpaToken, as Release 5.0x servers only work with this configuration name.

Field: Organization Name
Action: Leave this field blank, and this document will appear in the Web Configurations view.

Field: DNS Domain (Required)
Action: Enter the DNS domain (for example, lotus.com) for which the tokens will be generated. The servers enabled for single sign-on must all belong to the same DNS domain.

Field: Domino Server Names
Action: Enter the names of the servers that will be participating in single sign-on (for example, server1/acme, server2/acme). This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Domino Server Names field.

Note: Groups, wildcards, and the names of WebSphere servers are not allowed in this field. Only Domino servers can be listed as participating servers in the Server Names field.

Field: Expiration (minutes)
Action: Specify the time period, in minutes, for which the token will be valid. This time period begins at the time the token is issued. The token is valid for only the number of minutes specified; it does not expire based on inactivity. Default is 30 minutes.

7. Save the Web SSO Configuration document. A message on the status bar indicates the number of servers/people for whom the document was encrypted. The document(s) will appear in the Internet Sites View.
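The field rules above apply to both procedures (Internet Sites view and Web Server Configurations view). The following added example, which is not part of Domino or its documentation, encodes those rules as a pre-flight check for a planned Web SSO configuration: the LtpaToken name requirement when Release 5.0x servers participate, the rejection of wildcards and non-hierarchical names, the 64K limit on the Domino Server Names field (with a helper that splits an oversized list into one document per chunk, as the note recommends), and the fixed expiry window that starts at issue time. All server and domain names in it are constructed.

```python
"""Pre-flight checks for a planned Domino Web SSO configuration document.

Added example, not Domino product code. It checks a planned configuration
against the field rules described on this page before the document is created
in NAMES.NSF. All names used here are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FIELD_LIMIT = 64 * 1024  # 64K limit on the Domino Server Names field


@dataclass
class WebSSOConfig:
    config_name: str
    dns_domain: str
    server_names: list            # hierarchical Notes names such as "server1/acme"
    expiration_minutes: int = 30  # page default: 30 minutes from issue
    has_r5_servers: bool = False  # any Release 5.0x server in the SSO domain


def validate(cfg: WebSSOConfig) -> list:
    """Return human-readable findings; an empty list means the config passes."""
    findings = []
    if cfg.has_r5_servers and cfg.config_name != "LtpaToken":
        findings.append("Configuration Name must be LtpaToken when Release 5.0x servers participate")
    if not cfg.dns_domain or "." not in cfg.dns_domain:
        findings.append("DNS Domain is required and must be a domain such as lotus.com")
    for name in cfg.server_names:
        if "*" in name or "/" not in name:
            findings.append(f"{name!r}: wildcards and non-hierarchical names are not allowed")
    if len("\n".join(cfg.server_names).encode()) > FIELD_LIMIT:
        findings.append("Domino Server Names exceeds 64K; create more than one Web SSO document")
    if cfg.expiration_minutes <= 0:
        findings.append("Expiration (minutes) must be a positive number of minutes")
    return findings


def split_server_names(servers: list, limit: int = FIELD_LIMIT) -> list:
    """Chunk a server list so each chunk fits the field limit (one document per chunk)."""
    chunks, current, size = [], [], 0
    for name in servers:
        extra = len(name.encode()) + 1  # +1 for the newline separator
        if current and size + extra > limit:
            chunks.append(current)
            current, size = [], 0
        current.append(name)
        size += extra
    if current:
        chunks.append(current)
    return chunks


def token_expiry(issued: datetime, expiration_minutes: int) -> datetime:
    """Tokens expire a fixed interval after issue; user activity does not extend them."""
    return issued + timedelta(minutes=expiration_minutes)
```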