Single Sign on

hcl-bot · November 26, 2007, 12:23pm

Hi All,

I was wondering if it is possible to create a Single Sign on cookie from a Lotusscript agent. I’m working with a Lotusscript system that has it’s own authentication mechanism, so using Domino authentication (Basic, etc.) is not possible.

Thanks,

Ryan

hcl-bot · November 27, 2007, 10:37am

Subject: Single Sign on

Why would you want to do this? Domino does this very well out of the box, so why would you build new functionality for it?

/Peter

hcl-bot · November 27, 2007, 11:08am

Subject: RE: Single Sign on

I’m not sure of the motivation of the developers when creating a separate authentication mechanism. Even so, if it isn’t too difficult (or impossible), I would like to implement SSO using what is currently available. - Thanks, Ryan

hcl-bot · November 27, 2007, 3:09pm

Subject: RE: Single Sign on

Hmmm… if the developer’s motivation was to avoid using Domino’s built-in authentication in order to try and sneak around IBM’s licensing model for authenticated users, then I’d say you’d be best advised not to follow in their footsteps.

I suppose there could be other motivations, of course, but that’s the potential one that first comes to mind.

hcl-bot · November 27, 2007, 3:52pm

Subject: RE: Single Sign on

Hmmm, I looked up the license to clarify this, here’s what I found…

Q. When do I need a client access license?

A. A client access license (or per user charge if you are using per user licensing) is required for access to Lotus Domino capabilities that require authentication, except for Web browser access to Lotus Domino Utility Server or Lotus Domino Utility Server Express software.

…so I don’t think this would be “sneaking” as you put it. It seems that if a person doesn’t use the Domino authentication capabilities (as in this case), they don’t have to pay for the licensing. Corollary to this statement, administering single sign on would require the license issue be resolved.

Back to the original question, assuming the licensing issue is resolved, is it possible to build a single sign on cookie via a lotusscript agent or is it necessary to use the domino login mechanism?

hcl-bot · November 27, 2007, 4:10pm

Subject: RE: Single Sign on

Based on discussions I have had with IBM product managers, I think that IBM’s interpretion of the CAL requirement has been (in the past, at least) that writing your own code to provide personalization and access control features analogous to what Domino provides via its built-in authentication system is in fact a license issue. Perhaps that has changed, though, as the language you quoted does seem to be pretty specific about using the actual Domino services.

Be that as it may, you are quite right that if you want to issue SSO cookies, then it seems you will have to set up SSO on the Domino server and that does require setting up actual accounts and dealing with the license issue.

As to the actual question, it might be possible, but I believe your LotusScript will have to make some Notes API calls (e.g., SECTokenGenerate()).

-rich