SECURITY


Configuring user name mapping in a Windows single sign-on for Web clients environment
Web users who participate in Windows® single sign-on for Web clients have accounts in Active Directory. They usually have Person documents in the Lotus® Domino® Directory too. You configure user name mapping to enable a Domino server to reconcile the user names found in both directories.

User name mapping achieves three goals. First, when a Domino server finds a user's LDAP distinguished name in Active Directory as well as the user's Notes distinguished name in the Domino directory, it enables the server to verify that the two names belong to that one user. To link the two names, the server verifies that the value of the user's mail attribute in the Active Directory user account is the same as the value of the Internet Address in the Person document.

Second, name mapping may be needed to determine a user's Lotus Notes distinguished name. In an SSO environment in which some servers do not use the Domino Directory but use Active Directory exclusively, a user's LTPA token contains the user's Active Directory distinguished name. For example, an IBM® WebSphere® server or IBM® Lotus® Quickr™ server might be configured to use Active Directory for the user repository. In this environment, LTPA tokens typically contain Web users' Active Directory distinguished names. Because ACLs on Domino databases usually refer to Web users' Notes distinguished names, you must map the Active Directory distinguished names in the LTPA tokens to the Notes distinguished names so that a Domino server can determine Web user access to its databases. This step is not necessary if LTPA tokens have been configured to contain users' Notes distinguished names (the default when Domino SSO keys are used) rather than SSO keys imported from WebSphere.
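The two mapping goals above (linking an Active Directory account to a Person document through the mail attribute and the Internet Address, and resolving the Active Directory distinguished name carried in an LTPA token to a Notes distinguished name) illustrated as an added example; this is not Domino's own code, the directory records are constructed samples, and the case-insensitive address comparison and the refusal to map when the match is not unique are assumptions of the example.

```python
"""Illustration of the user name mapping rule described above (constructed sample
data; not Domino's implementation)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AdUser:
    dn: str    # Active Directory distinguished name, as carried in an LTPA token
    mail: str  # value of the Active Directory 'mail' attribute


@dataclass(frozen=True)
class PersonDoc:
    notes_dn: str          # Notes distinguished name referenced by database ACLs
    internet_address: str  # Internet Address field of the Person document


# Constructed sample directory contents (not real accounts).
AD_USERS: List[AdUser] = [
    AdUser("CN=Jane Doe,OU=Users,DC=example,DC=com", "jdoe@example.com"),
    AdUser("CN=Sam Roe,OU=Users,DC=example,DC=com", "sroe@example.com"),
    AdUser("CN=Dup One,OU=Users,DC=example,DC=com", "shared@example.com"),
]
PERSONS: List[PersonDoc] = [
    PersonDoc("CN=Jane Doe/O=Example", "JDoe@Example.com"),
    PersonDoc("CN=Dup A/O=Example", "shared@example.com"),
    PersonDoc("CN=Dup B/O=Example", "shared@example.com"),
]


def _norm(addr: str) -> str:
    # Assumption: mail addresses are compared case-insensitively.
    return addr.strip().lower()


def notes_dn_for_ad_dn(ad_dn: str, ad_users=AD_USERS, persons=PERSONS) -> Optional[str]:
    """Map an Active Directory DN to the Notes DN whose Person document's
    Internet Address equals the account's mail attribute.

    Returns None when no unique link exists: unknown account, empty mail
    attribute, no matching Person document, or more than one match. Failing
    closed matters because the returned name is what database ACLs are
    evaluated against (the uniqueness requirement is this example's assumption).
    """
    account = next((u for u in ad_users if u.dn == ad_dn), None)
    if account is None or not account.mail:
        return None
    key = _norm(account.mail)
    matches = [p.notes_dn for p in persons if _norm(p.internet_address) == key]
    return matches[0] if len(matches) == 1 else None
```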

Finally, user name mapping specifies which directory to use to verify user passwords when Windows single sign-on is not available and Web users must initially log on when connecting to a server in the SSO domain. Windows single sign-on is not available to:


Ways to configure name mapping

How you configure user name mapping depends on whether you manage users primarily through Active Directory or the Domino Directory. You should consider which directory is easier for you to modify and maintain. You can also minimize directory modifications if you use a separate IBM® authentication application to authenticate Internet users.
