SECURITY


Configuring user name mapping in the SSO LTPA token
The LTPA token that is created to authenticate users for single sign-on includes the name of the user who has been authenticated. When IBM® Lotus® Domino® creates an LTPA token, it places the Domino distinguished name in the token by default. If a Websphere server obtains the token from a user trying to access the server, the Websphere server must be able to recognize this name format. If it does not, the token is ignored, single sign-on fails, and the user is prompted to log in again.

This situation typically occurs in end-user configurations in which there are multiple directories used by various servers participating in SSO, and consequently a user may have multiple identities. For example, a user may be known in a Websphere LDAP directory as "uid=jdoe,cn=sales,dc=acme, dc=com," but in a Domino directory the same user is "John P Doe/Sales/Acme." If Websphere receives an LTPA token containing a user name like "John P Doe/Sales/Acme," it attempts to find this user in the Websphere directory and when it can't, rejects the token.

Domino administrators can now map the user name that appears in a Domino-created LTPA token to the name expected by WebSphere, to ensure that the name is recognized in a mixed Domino and Websphere environment where Domino and WebSphere do not share the same directory.

Note In a mixed-release Domino environment, user name mapping in the LTPA token only works if the token is generated by a Domino 7.0 or later server. If the user name value that is used in the LTPA token is also added as a secondary value in the fullname field of the Person record in pre-Domino 7.0 servers (for the purposes of aliasing, for example), users will also be able to access databases on Domino 6.02 and higher servers, as well as Websphere servers.

How you specify the user name to be used in the LTPA token depends on the directory configuration used in your single sign-on environment:

As LDAP directory fields and Domino directory fields generally do not have a one-to-one correspondence, the use of Directory Assistance documents for name mapping allows allows LDAP administrators to specify which LDAP field should be used as the equivalent of the LTPA User Name field.

Note Any name mapping configuration in Directory Assistance documents will be ignored if the mapping feature is not enabled in the SSO configuration document.

To configure user name mapping in a Domino Directory environment

In this environment, there are Domino SSO users who have Person records in the Domino directory.

1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the "Map names in LTPA token" option.

2. In the user Person document, click Administration. Under "Client Information," enter the user name DN that is expected by WebSphere in the "LTPA user name" field. Typically, this will be the user's LDAP distinguished name (DN). Be sure to separate the name components with slashes.

Although the name is entered into the LTPA user name field in Domino format, Domino transforms the configured LTPA user name into the appropriate LDAP format expected by Websphere before placing it into the Domino-created LTPA token.
To configure user name mapping in a corporate LDAP directory environment (a mixed Domino and LDAP directory environment)

In this environment, some or all Domino users do not have Person records in the Domino directory. Instead, these Domino users have records in an external LDAP directory that is accessible to Domino through Directory Assistance.

1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the "Map names in LTPA token" option.

2. Open the Directory Assistance document for the LDAP Directory. In the SSO Configuration section, enter an LDAP attribute that should be used as the name in an SSO token created for this user. This attribute will be used in the LTPA token when the LTPA_UserNm field is requested. It is important to ensure that the selected field contains the user name that WebSphere expects. Options for this field include:

If Directory Assistance is configured such that a search on a particular user finds a match in both the Domino Directory and in an LDAP directory, Domino requires consistency between a Domino Person record and an LDAP record. Domino takes extra steps to determine that there are matching values for the Internet email address located in both directories. To accomplish this, DA searches for the user's LDAP "mail" attribute. This value must match the information found in the Domino Person record field "internetaddress."
Attribute in LDAP Directory Attribute in Domino Directory
mail: Jbond@secret.spies.cominternetaddress: Jbond@secret.spies.com
In order for SSO to succeed, you must ensure that the value of the Domino attribute 'Internet address' matches the value of the LDAP attribute 'mail.'

Other considerations

Related topics