IBM Support

How to enable multi-server single sign-on for QuickPlace or Lotus Quickr

Technote (FAQ)


Question

How do you enable single sign-on (SSO) for Lotus® QuickPlace® or Lotus Quickr™ services for Lotus Domino®?

Answer

The steps below are provided to supplement the QuickPlace Administrator's Guide and explain in further detail how to enable Single Sign On (SSO) in a Lotus QuickPlace or Lotus Quickr environment. A multimedia demonstration of these steps is also provided.

Setting up multi-server session-based authentication

1. Add the following settings to the NOTES.INI file:

NoWebFileSystemACLs=1
h_ScopeUrlInQP=1

2. To enable session-based authentication in the Domino Directory:

a. Edit the Server document.

b. Click the Internet Protocols - Domino Web Engine tab.

c. Next to Session authentication, select multi-server.

3. Configure the LTPA token for multi-server session-based authentication:

a. In the Domino Directory, select the Servers view.

b. Select the Web... pull-down menu button.

c. Select Create Web SSO Configuration.

d. In the document, select the Keys... pull-down menu button.

e. Initialize the Web SSO Configuration with the shared server in one of two ways:

  • Domino only (no WebSphere® servers participating in Single Sign-on): select Create Domino SSO Key.
  • Domino and WebSphere (Single Sign-on with WebSphere): select Import WebSphere LTPA Keys, browse and select the WebSphere LTPA export file (see the WebSphere documentation for details), and enter the password (specified when generating the keys in WebSphere). The Web SSO Configuration document will update to reflect the information in the export file.

f. Configure the Token Expiration field. Note that a token does not expire based on inactivity; it is valid for only the number of minutes specified from the time of issue.

g. In the Token Domain field, enter the DNS domain for which the tokens will be generated, for example, lotus.com. The servers enabled for Single Sign-on must all belong to the same DNS domain. This is a required field.

h. In the Server Names field, enter the servers that will be participating in Single Sign-on. This document will be encrypted for the creator of the document, the members of the Owners and Administrators fields, and the servers specified in the Server Names field.

NOTE: Groups and wildcards are not allowed in the fields.

Save the Web SSO Configuration document. It will appear in the Web Configurations view.

4. Configure the Domino Web Server Configuration database in one of the following two ways:

1. Servers without a customized Web Server Configuration database

a. Create a database from the Domino Web Server Configuration template and give it the file name DOMCFG.NSF.

b. Open the new database.

c. Choose Create - Mapping a Login Form.

d. In the “Target Database file name” field, enter <QuickPlaceDirectory>/RESOURCES.NSF, where <QuickPlaceDirectory> is the directory in which you have installed QuickPlace.

For a new installation of Lotus Quickr, set the field to LotusQuickr/resources.nsf

e. In the “Target form name” field, enter QuickPlaceLoginForm.

f. Save the new form.

Note: The DOMCFG.NSF is not case-sensitive. Entries may be in lower case, mixed case, or all caps.

2. To customize an existing Domino Web Server Configuration database that you already use, do the following:

a. From Domino Designer, open <QuickPlaceDirectory>/RESOURCES.NSF, where <QuickPlaceDirectory> is the directory in which you have installed QuickPlace.

b. Open the QuickPlaceLoginForm.

c. Copy the <Computed Value> field from this form to the login form in DOMCFG.NSF.


Notes:

  • URLs issued to servers configured for multi-server session-based authentication must specify the full DNS server name, not the hostname or IP address. See the Domino Release Notes for more information. There is a workaround to this behavior. Refer to the following Technote: "How to avoid using fully qualified DNS name with multi-server SSO" (# 1088953).
  • QuickPlace does not support using Internet Sites documents; you must use the Web Server Configuration instead, as documented above and in the Admin Guide. The Web SSO configuration document for Domino 6 is slightly different from R5. Refer to Technote # 1166931 "Error loading HTTP task: "Error Loading Web SSO configuration. Reverting to single-server session authentication"" for additional information on completing the Web SSO Configuration document.
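
A pre-flight check for the requirements above, added here as an example and not part of the original technote or any IBM tooling: it confirms the two NOTES.INI settings from step 1 and flags URLs that use a short hostname, an IP address, or a host outside the Token Domain. The function names, the sample NOTES.INI text and the sample URLs are constructed for illustration; only the token domain lotus.com is the page's own example.

```python
import ipaddress
from urllib.parse import urlsplit

# The two settings from step 1. Matching names case-insensitively is an
# assumption of this example.
REQUIRED_INI = {"NoWebFileSystemACLs": "1", "h_ScopeUrlInQP": "1"}

def missing_ini_settings(ini_text):
    """Return the required settings that are absent or set to another value."""
    found = {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            found[key.strip().lower()] = value.strip()
    return [k for k, v in REQUIRED_INI.items() if found.get(k.lower()) != v]

def url_problem(url, token_domain):
    """Return why a URL cannot carry the SSO token, or None if it is fine."""
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is lowercased
    domain = token_domain.lower().strip(".")
    try:
        ipaddress.ip_address(host)
        return "IP address instead of the full DNS name"
    except ValueError:
        pass
    if "." not in host:
        return "hostname without a DNS domain"
    if host != domain and not host.endswith("." + domain):
        return "host is outside the token domain"
    return None

def audit(ini_text, urls, token_domain):
    """Collect every finding for one server's settings and the URLs it hands out."""
    findings = ["NOTES.INI: %s=%s missing" % (k, REQUIRED_INI[k])
                for k in missing_ini_settings(ini_text)]
    for url in urls:
        reason = url_problem(url, token_domain)
        if reason:
            findings.append("%s: %s" % (url, reason))
    return findings

# Constructed sample input (hypothetical server names and addresses).
SAMPLE_INI = "[Notes]\nNoWebFileSystemACLs=1\nh_scopeurlinqp=0\n"
SAMPLE_URLS = ["http://qp1.lotus.com/QuickPlace", "http://qp1/QuickPlace",
               "http://192.0.2.10/QuickPlace", "http://qp.notlotus.com/QuickPlace"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_URLS, "lotus.com"):
        print(finding)
```

The suffix test compares against "." plus the domain, so a look-alike such as qp.notlotus.com is reported as outside lotus.com rather than accepted.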

Multimedia presentation

Watch this multimedia presentation to see these steps performed in a Lotus Quickr environment and to reinforce your understanding of the topic discussed in this technote.

Related information

Error loading HTTP task: "Error Loading Web SSO config"

Cross reference information
Segment Product Component Platform Version Edition
Messaging Applications Lotus End of Support Products Lotus Quickr for Domino AIX, i5/OS, Windows 8.1, 8.0

Document information

More support for: Lotus End of Support Products
Lotus QuickPlace

Software version: 6.5.1, 7.0

Operating system(s): AIX, Solaris, Windows

Reference #: 1104931

Modified date: 22 March 2010