To take advantage of support for single signon between WebSphere Application Server - Express servers or between WebSphere Application Server - Express and Domino, applications must meet the following prerequisites and conditions:
The URL for every request must contain the same DNS domain. For example, if the DNS domain is specified as mycompany.com, then single signon is effective for http://server1.mycompany.com/fred and http://server2.mycompany.com/bill.
All servers must share the same user registry. This registry can be either a supported LDAP directory server or, if single signon is configured between two WebSphere application servers, a custom user registry. Domino does not support the use of custom registries, but you can use a Domino-supported registry as a custom registry within WebSphere Application Server - Express. For more information, see Custom registries.
You can use a Domino Directory (configured for LDAP access) or other LDAP directory for the user registry. The LDAP directory product must be one that is supported by WebSphere Application Server - Express. Supported products include both Domino and all IBM SecureWay LDAP directory servers. Regardless of the choice to use an LDAP or custom registry, the single signon configuration is the same. The difference is in the configuration of the registry.
All users must be defined in a single LDAP directory. Using LDAP referrals to connect more than one directory together is not supported. Using multiple Domino directory assistance documents to access multiple directories is not supported.
Users must enable their browsers to accept HTTP cookies because the authentication information that is generated by the server is transported to the browser in a cookie. The cookie is then used to propagate the user's authentication information to other servers, exempting the user from entering the authentication information for every request to a different server.
If you are using single signon between a WebSphere Application Server - Express Version 5 server (either 5.0 or 5.1) and a WebSphere Application Server Version 4 application server, you must specify an LDAP server port number in the administrative console. By default, the LDAP port number for WebSphere Application Server - Express Version 5 is 0, but for WebSphere Application Server Version 4, it is not 0. Set the LDAP port numbers for both servers to the same value. In the Version 5 administrative console, set the LDAP port number on the LDAP settings page: click Security --> User registries --> LDAP.
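The DNS domain and cookie conditions above can be checked before rollout. The following Python sketch is an added example, not IBM code: it flags URLs whose host a browser would not send a domain-scoped cookie to, using the domain-match rule from RFC 6265. It assumes the single signon cookie is scoped to the configured DNS domain; the function names and every sample URL other than the two from the text are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def domain_matches(host: str, sso_domain: str) -> bool:
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = sso_domain.lower().strip(".")
    if not host or not domain:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # an IP-literal host never matches a DNS domain
    except ValueError:
        pass
    # Require a label boundary so "notmycompany.com" does not pass as "mycompany.com".
    return host == domain or host.endswith("." + domain)


def check_sso_urls(urls, sso_domain):
    """Return {url: reason} for each URL that falls outside the SSO DNS domain."""
    problems = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            problems[url] = "no host in URL"
        elif not domain_matches(host, sso_domain):
            problems[url] = f"host {host!r} is outside {sso_domain!r}"
    return problems


# Constructed sample input: the first two URLs are the ones from the text,
# the rest are hypothetical cases that commonly break single signon.
SAMPLE_URLS = [
    "http://server1.mycompany.com/fred",
    "http://server2.mycompany.com/bill",
    "http://server1/fred",               # short host name, no DNS domain
    "http://192.0.2.10/fred",            # IP address instead of a host name
    "http://server3.notmycompany.com/",  # string suffix match, different domain
    "http://SERVER4.MyCompany.COM./x",   # case and trailing dot still match
]

if __name__ == "__main__":
    for url, reason in check_sso_urls(SAMPLE_URLS, "mycompany.com").items():
        print(f"{url}: {reason}")
```

Links and bookmarks that use a short host name or an IP address are the usual reason a user is prompted again even though both servers are configured correctly.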