Tuesday, February 28, 2012

Integrate IBM Tivoli Access Manager for e-business with Lotus iNotes with LTPA Single Sign-On (SSO)

This post describes the procedure for integrating IBM Tivoli Access Manager for e-business (Tivoli Access Manager) with Lotus iNotes to achieve Single Sign-On (SSO) and Single Sign-Off capability using the LTPA SSO method.
The diagram above shows an integration architecture that supports the following processes:
1. A browser request for Lotus iNotes is submitted through WebSEAL.
2. WebSEAL intercepts the request, authenticates and authorizes the user as required.
3. WebSEAL forwards the request to the Domino server along with a cookie containing the encrypted LTPA token, which holds the unique Distinguished Name (DN) of the user authenticated by WebSEAL.
4. Domino decrypts the LTPA token and authenticates the DN against those in its NAB; if a match is found, access is granted.
5. The requested iNotes content for the authenticated user is sent back to WebSEAL.
6. WebSEAL performs filtering as appropriate for the junction method, then the content is returned to the browser.

This integration scenario is for the following product versions:
Lotus Domino Server 7.0.1, 8.0, 8.5 or 8.5.2
IBM Tivoli Access Manager Base 6.0, 6.1 or 6.1.1
IBM Tivoli Access Manager WebSEAL 6.0, 6.1 or 6.1.1
Note: Lotus iNotes might have additional constraints in the form of supported browsers. Consult the Domino documentation for the supported version numbers before proceeding with this integration.

Before we start: 2 points to keep in mind!

1) Configuring Tivoli Access Manager and the iNotes user registry

- Both Lotus Domino and Tivoli Access Manager use separate user registries.

- For each user in the Domino Address Book that requires iNotes, create a corresponding user in Tivoli Access Manager.

2) Generating the LTPA key file
- The LTPA key file is needed when creating the WebSEAL junction to the Domino server, and also when creating the SSO document on the Domino server.

The LTPA-related options of the WebSEAL junction create command are:

Option                    Description
-A                        Enable LTPA cookies
-F path_to_LTPA_keyfile   Full path name location of the LTPA key file
-Z keyfile_password       Password required to open the key file

Configuration Steps:

1) Tivoli Access Manager WebSEAL configuration

option-1: Copy the existing environment's junction XML files to the new environment. We may need to generate a new LTPA key file here with the help of the WAs; not sure about the existing LTPA key file (have to check on this). If we use the existing key file, make sure we know the password to open the file.

option-2: Create a new junction:
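As an added example (not from the original post or IBM's guide), the script below builds the pdadmin junction create command with the -A, -F and -Z options from the table above, checks that the LTPA key file is not group- or world-readable before it is reused or copied to the Domino server, and feeds the commands to pdadmin on stdin so the key file password does not appear in the process argument list. The WebSEAL instance name, host names, key file path and junction point are assumptions; override them with environment variables.

```shell
#!/bin/sh
# Added example: create a WebSEAL LTPA junction to Domino with pdadmin.
# All defaults below are assumptions for illustration, not values from the post.
set -eu

PDADMIN=${PDADMIN:-pdadmin}
WEBSEAL_INSTANCE=${WEBSEAL_INSTANCE:-default-webseald-webseal.example.com}  # assumed instance name
DOMINO_HOST=${DOMINO_HOST:-domino.example.com}                              # assumed Domino host
DOMINO_PORT=${DOMINO_PORT:-80}
LTPA_KEYFILE=${LTPA_KEYFILE:-/var/pdweb/ltpa/ltpa.keys}                     # assumed key file path
JUNCTION=${JUNCTION:-/inotes}                                               # assumed junction point

# Print the junction create command: -A enables LTPA cookies, -F names the key file,
# -Z is the key file password (taken from $1 so it is never a literal in the script).
junction_create_cmd() {
    printf 'server task %s create -t tcp -h %s -p %s -A -F %s -Z %s %s' \
        "$WEBSEAL_INSTANCE" "$DOMINO_HOST" "$DOMINO_PORT" "$LTPA_KEYFILE" "$1" "$JUNCTION"
}

# Print the command that shows the junction so the LTPA settings can be verified afterwards.
junction_show_cmd() {
    printf 'server task %s show %s' "$WEBSEAL_INSTANCE" "$JUNCTION"
}

# Succeed only if the key file exists and has neither group nor world read permission.
check_keyfile_perms() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -040)" ] || return 1
    [ -z "$(find "$1" -perm -004)" ] || return 1
    return 0
}

# $1 = sec_master password, $2 = LTPA key file password.
# The commands go to pdadmin via stdin, so the key file password is not visible in "ps".
run_junction_setup() {
    check_keyfile_perms "$LTPA_KEYFILE" || { echo "key file missing or too permissive: $LTPA_KEYFILE" >&2; return 1; }
    printf '%s\n%s\n' "$(junction_create_cmd "$2")" "$(junction_show_cmd)" |
        "$PDADMIN" -a sec_master -p "$1"
}

# Only contact WebSEAL when explicitly asked; otherwise just print the command that would run.
if [ "${RUN_PDADMIN:-no}" = yes ]; then
    run_junction_setup "$SEC_MASTER_PW" "$LTPA_KEY_PW"
else
    junction_create_cmd '<ltpa_key_password>'; echo
fi
```

Run with RUN_PDADMIN=yes and the two passwords in SEC_MASTER_PW and LTPA_KEY_PW to apply it; without them the script only prints the command for review.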

2) Lotus Domino configuration

step-1: Obtain the LTPA key file that was previously generated and used when creating the WebSEAL junction. Copy this file from the WebSEAL machine to an appropriate directory on the Domino server.

step-2: Configure the SSO document for the Domino server
- Create the Web SSO Configuration document.

step-3: Configure the Domino server for single sign-on
Ensure that the Domino server is properly configured for Single Sign-On.

step-4: Add the LDAP DN to the Person documents

This step adds the LDAP DN to the User Name field of the Person document. This must be done for each user requiring SSO through WebSEAL to their iNotes database.

step-5: Configure the Domino server for single sign-off
Ensure that the Domino server is properly configured for Single Sign-Off.

For more details, such as post-installation verification, uninstallation and troubleshooting, please refer to the attached PDF from IBM: Integration guide from IBM