To take advantage of support for single signon between WebSphere Application Servers or between WebSphere Application Server - Express and Domino, applications must meet the following prerequisites and conditions:
The URL for every request must contain the same DNS domain. For example, if the DNS domain is specified as mycompany.com, then single signon is effective for http://server1.mycompany.com/fred and http://server2.mycompany.com/bill.
All servers must share the same user registry. This registry can be either a supported LDAP directory server or, if single signon is configured between two WebSphere application servers, a custom user registry. Domino does not support the use of custom registries, but you can use a Domino-supported registry as a custom registry within WebSphere Application Server - Express. For more information, see Custom registries.
You can use a Domino Directory (configured for LDAP access) or other LDAP directory for the user registry. The LDAP directory product must be one that is supported by WebSphere Application Server - Express. Supported products include both Domino and all IBM SecureWay LDAP directory servers. Regardless of the choice to use an LDAP or custom registry, the single signon configuration is the same. The difference is in the configuration of the registry.
All users must be defined in a single LDAP directory. Using LDAP referrals to connect more than one directory together is not supported. Using multiple Domino directory assistance documents to access multiple directories is not supported.
Users must enable their browsers to accept HTTP cookies because the authentication information that is generated by the server is transported to the browser in a cookie. The cookie is then used to propagate the user's authentication information to other servers, exempting the user from entering the authentication information for every request to a different server.
Note: The Domino 6.0 LDAP server is supported as a user registry for WebSphere Application Server - Express version 5.0.2 (or later). Therefore, single signon between a WebSphere application server and a Domino 6.0 server is only supported for WebSphere Application Server - Express version 5.0.2 (or later).
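The DNS domain and cookie prerequisites above can be checked before rollout. The following is an added example, not IBM code: it assumes browsers apply RFC 6265 domain matching to the single signon cookie, and the function names and sample URLs are constructed for illustration. It flags URLs (short host names, IP addresses, look-alike domains) to which the browser would not send a cookie scoped to the configured domain.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def cookie_reaches(url: str, sso_domain: str) -> bool:
    """Return True if a cookie scoped to sso_domain would be sent to url's host.

    Implements RFC 6265 domain matching (assumed browser behaviour).
    """
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    domain = sso_domain.strip().strip(".").lower()
    if not host or not domain:
        return False
    try:
        ip_address(host)
        return False  # IP literals never match a domain-scoped cookie
    except ValueError:
        pass  # not an IP address, continue with name matching
    # Exact match, or suffix match that falls on a label boundary
    return host == domain or host.endswith("." + domain)


def audit_sso_urls(urls, sso_domain):
    """Map each URL to whether single signon can work for it."""
    return {u: cookie_reaches(u, sso_domain) for u in urls}


# Constructed sample input: the first two URLs are the ones used in the text.
SAMPLE_URLS = [
    "http://server1.mycompany.com/fred",
    "http://server2.mycompany.com/bill",
    "http://SERVER2.MyCompany.com:9080/bill",   # case and port do not matter
    "http://server1/fred",                      # short host name, no domain
    "http://192.0.2.10/fred",                   # IP address instead of a name
    "http://server1.notmycompany.com/fred",     # look-alike suffix
]

if __name__ == "__main__":
    for url, ok in audit_sso_urls(SAMPLE_URLS, "mycompany.com").items():
        print(("OK   " if ok else "FAIL ") + url)
```

URLs reported as FAIL force the user to authenticate again, because the browser does not present the cookie to that host.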