sso works one way (domino -> portal) but not portal -> domino - Websphere


Thread: sso works one way (domino -> portal) but not portal -> domino

  1. sso works one way (domino -> portal) but not portal -> domino

    Hi,
    My SSO is working if I log into the domino site (domino.company.com) then go to the portal site (portal.company.com), but if I start at portal then go to domino, it prompts me for a login. I get the ltpatoken + jsessionid cookies when I first login to portal.
    Any ideas on why it isn't working?
    I am using Portal 6.1.0.19, federated LDAP to domino 7 server, and I followed the steps in the article http://www.ibm.com/developerworks/we...ortal-domino2/
    thanks, wing

  2. Re: sso works one way (domino -> portal) but not portal -> domino

    It sounds like there is a problem with Domino's configuration. Did you export the LTPA key from the Portal and import it into Domino's Web Doc? Can you show us the LTPA key file? Also check the realm between Portal and Domino.

    -FF

    The postings on this site are my own and do not necessarily represent the positions, strategies or opinions of IBM.

  3. Re: sso works one way (domino -> portal) but not portal -> domino

    Thanks for replying. I figured out that some users in domino don't have a uid (only cn). So when a user logs into the domino site, the LTPAToken has CN=user, etc., and when they go to the portal site, portal maps CN to uid, so the token works. If they go to the portal site first, the LTPAToken has uid=USER, etc., but then some users don't have uid in Domino, so they have to re-login at the domino site.

    I found this link: http://www.ibm.com/support/docview.w...id=swg21205905
    that has an agent that can copy all the cn values to the shortname (uid).

    So I guess all the domino users need to have shortnames? Or, could I have portal authenticate against cn instead of uid? If I did that, for the portal admin user, who's not in the domino directory, I would need to add a cn attribute?

  4. Re: sso works one way (domino -> portal) but not portal -> domino

    In Domino, user DNs are always of the form "cn=user,o=someorg"; they can't be "uid=user,o=someorg". "CN" is required for object classes like dominoPerson, groupOfNames, and groupOfUniqueNames, so CN should always be available.

    LTPA SSO really doesn't care what you used to log in. Since it normally requires the same LDAP on both servers, as long as they are the same DN, the user should be OK.

    I suspect what you described is not the reason for the SSO failure.

    -FF


  5. Re: sso works one way (domino -> portal) but not portal -> domino

    portal) but not the other way. That means the problem is probably with the portal SSO config?
    Thanks for your help.

  6. Re: sso works one way (domino -> portal) but not portal -> domino

    Can you attach the following files?
    - /config/cells/ /security.xml
    - /config/cells//wim/config/wimconfig.xml
    - the LTPA key you imported into Domino
    - the LDIF of your domino user or the screenshot of the Basic tab of the Person Doc in Domino

    -FF


  7. Re: sso works one way (domino -> portal) but not portal -> domino

    attached is security.xml

  8. Re: sso works one way (domino -> portal) but not portal -> domino

    attached is wimconfig.xml, and here's what the ltpa key looks like:

    #IBM WebSphere Application Server key file
    #Wed Jun 24 16:04:27 HST 2009
    com.ibm.websphere.CreationDate=Wed Jun 24 16\:04\:27 HST 2009
    com.ibm.websphere.ltpa.version=1.0
    com.ibm.websphere.ltpa.3DESKey=xxxxxxx
    com.ibm.websphere.CreationHost=BLAHportal01
    com.ibm.websphere.ltpa.PrivateKey=xxxxxxx
    com.ibm.websphere.ltpa.Realm=defaultWIMFileBasedRealm
    com.ibm.websphere.ltpa.PublicKey=xxxxxxxx

  9. Re: sso works one way (domino -> portal) but not portal -> domino

    Not sure where to find the LDIF, and in our directory there's no "Basic" tab.

    OK, it works if in Domino I add the short name "cn=BLAH" for user BLAH. I know the Domino directory we are using has a custom setup. It looks like the DN is just the straight username, not cn=username, etc. So, is there a way to work around it? Or I guess we will have to add cn=username for every user?

  10. Re: sso works one way (domino -> portal) but not portal -> domino

    Domino groups should not have the suffix, by default. In your wimconfig.xml, I see you have set "o=abc" as the base entry and search base for groups. My suggestion is to make them both null, like


    cn
    and

    groupOfNames


    Notice that I also changed the login property from uid to cn, such that you can log in with CN on portal.

    By the way, you should be able to open a Person Document in the Notes client and see the "Basics" tab. This is the panel where we can see CN and UserID/Short Name.
    -FF

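An added example (not code from the thread or from IBM) that models the asymmetry described in post 3 and the fix in post 10: the LTPA token carries the DN built by whichever server authenticated first, and the peer accepts it only if that RDN attribute exists on the user's directory entry. Entries, the login property names (uid, cn) and the base o=abc are constructed from the thread's descriptions.

```python
# Constructed sample of the Domino directory: one user has a short name
# (uid), the other only a CN, which is the situation described in post 3.
DOMINO_ENTRIES = [
    {"cn": "wing", "uid": "wing", "o": "abc"},
    {"cn": "blah", "o": "abc"},  # CN present, no short name (uid)
]

def resolve(dn, entries):
    """Return the entry whose leading RDN (attr=value) matches dn, else None."""
    rdn = dn.split(",", 1)[0]
    attr, _, value = rdn.partition("=")
    attr, value = attr.strip().lower(), value.strip().lower()
    for entry in entries:
        if str(entry.get(attr, "")).lower() == value:
            return entry
    return None

def sso_report(entries, portal_login_attr, base="o=abc"):
    """Per user: does the token issued by one server resolve on the other?

    Domino always puts cn=... in the token (CN is mandatory for dominoPerson,
    post 4). Portal puts its configured login property (uid or cn) in the
    token. A missing attribute is modelled as Domino re-prompting for login.
    """
    report = {}
    for entry in entries:
        domino_token = f"cn={entry['cn']},{base}"
        portal_accepts = resolve(domino_token, entries) is not None
        if portal_login_attr in entry:
            portal_token = f"{portal_login_attr}={entry[portal_login_attr]},{base}"
            domino_accepts = resolve(portal_token, entries) is not None
        else:
            domino_accepts = False
        report[entry["cn"]] = {"domino->portal": portal_accepts,
                               "portal->domino": domino_accepts}
    return report

def users_missing_attr(entries, attr="uid"):
    """Users that would need a short name added (what the agent in post 3 does)."""
    return [e["cn"] for e in entries if attr not in e]

if __name__ == "__main__":
    print(sso_report(DOMINO_ENTRIES, "uid"))  # blah fails portal->domino
    print(sso_report(DOMINO_ENTRIES, "cn"))   # login property cn: both ways work
    print(users_missing_attr(DOMINO_ENTRIES))
```

Running it with the login property set to "uid" reproduces the one-way failure for the user without a short name; switching it to "cn" (post 10's suggestion) or adding the short name (post 9) makes both directions resolve.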
