SECURITY
This situation typically occurs in end-user configurations in which there are multiple directories used by various servers participating in SSO, and consequently a user may have multiple identities. For example, a user may be known in a Websphere LDAP directory as "uid=jdoe,cn=sales,dc=acme, dc=com," but in a Domino directory the same user is "John P Doe/Sales/Acme." If Websphere receives an LTPA token containing a user name like "John P Doe/Sales/Acme," it attempts to find this user in the Websphere directory and when it can't, rejects the token.
Domino administrators can now map the user name that appears in a Domino-created LTPA token to the name expected by WebSphere, to ensure that the name is recognized in a mixed Domino and Websphere environment where Domino and WebSphere do not share the same directory.
Note In a mixed-release Domino environment, user name mapping in the LTPA token only works if the token is generated by a Domino 7.0 or later server. If the user name value that is used in the LTPA token is also added as a secondary value in the fullname field of the Person record in pre-Domino 7.0 servers (for the purposes of aliasing, for example), users will also be able to access databases on Domino 6.02 and higher servers, as well as Websphere servers.
How you specify the user name to be used in the LTPA token depends on the directory configuration used in your single sign-on environment:
Note Any name mapping configuration in Directory Assistance documents will be ignored if the mapping feature is not enabled in the SSO configuration document.
To configure user name mapping in a Domino Directory environment
In this environment, there are Domino SSO users who have Person records in the Domino directory.
1. Enable name mapping for the LTPA token. In the Web SSO Configuration document that defines your SSO environment, select Enabled for the "Map names in LTPA token" option.
2. In the user Person document, click Administration. Under "Client Information," enter the user name DN that is expected by WebSphere in the "LTPA user name" field. Typically, this will be the user's LDAP distinguished name (DN). Be sure to separate the name components with slashes.
uid=jdoe,cn=sales,dc=acme, dc=com
enter the value as follows:
uid=jdoe/cn=sales/dc=acme/dc=com
In this environment, some or all Domino users do not have Person records in the Domino directory. Instead, these Domino users have records in an external LDAP directory that is accessible to Domino through Directory Assistance.
2. Open the Directory Assistance document for the LDAP Directory. In the SSO Configuration section, enter an LDAP attribute that should be used as the name in an SSO token created for this user. This attribute will be used in the LTPA token when the LTPA_UserNm field is requested. It is important to ensure that the selected field contains the user name that WebSphere expects. Options for this field include:
Other considerations