I have my WebSphere Portal server set up for SSO with our Domino LDAP. Everything worked fine until the department controlling the LDAP server started implementing “idle session timeout” for their server. Once they did that, they were unable to import the LTPA token from my WebSphere Application Server because WebSphere doesn’t work with “idle session timeout”. Now our users can log into the portal with their Notes user ID, but they are not logged into their webmail or Sametime. I have opened a PMR with IBM and there is an SPR for this matter, but IBM has closed the SPR thinking it’s not worth fixing because we seem to be the only customers that want this functionality. I’m wondering if this is true. There must be some other customers out there that want users to log into the portal and see their mail, Sametime and other Lotus products along with whatever other applications they have set up for their portal. Please respond to this posting to let me, and more importantly IBM, know that these two products should work together. Their solution is to set up a reverse proxy server. How many servers do they expect us to have just to make their products more collaborative?
Subject: Hi…
Have you tried using ID vault? It will not be a true SSO, but users won’t have to put in the user name and password again.
Another thing: if you log in to the portal and then switch to a database in your Domino (like names.nsf), what happens exactly? Do you get some error message?
And I am assuming that the SPR was declined because you might be the only one using idle time out and SSO, which seems odd. I’ve set up SSO between Portal and Domino several times.
Subject: SSO with Domino & Websphere Portal
I guess I didn’t state my case very well. When a user logs into the portal, they are using their Notes user name and password contained in the Domino LDAP names.nsf. So when they go to a Domino portlet, they are already logged in. The problem is they cannot be logged into Domino webmail or Sametime without the WAS LTPA token key in the Domino server document. We can’t use the vault because we have thousands of users across the country. We need to stay in sync with the Domino LDAP.
Subject: I see.
Then you don’t have the keys in the SSO document.
Now, could you please make the test of logging in to the Portal and then switching to the names.nsf like in my previous post?
If you get a message like “user ABC,DEF cannot login” or something like that, please let me know which is the message.
Thanks
Subject: SSO with Domino & WebSphere Portal
I can log into the Portal with my Notes user name and password. I am authenticating with our Domino LDAP. All of the Domino portlets are available to me except my e-mail portlet. I have to log into that portlet separately. In the past, the department that controls the Domino LDAP server imported the LTPA keys from my WAS server. They won’t do that now because they want to implement “Idle Session Timeout” and the portal ignores that setting. IBM’s fix for that is to set up another server to be used as a reverse proxy instead of making Domino & Portal work together.
Subject: LTPA approach needs uniformity, or a reverse proxy to bridge things together
Single sign-on using LTPA technology depends on a uniform approach across the components.
If the idle session feature is required for some applications, the Domino LTPA format supports that. However, the WebSphere portal does not support the Domino LTPA format, which is the crux of the problem for your environment.
Portal must use WebSphere format LTPA, but unfortunately WebSphere format does not support the idle session timeout feature, due to technical limitations of the WebSphere LTPA format itself. There isn’t an easy way to add idle session timeout if WebSphere LTPA keys are in use. A customization using the LtpaToken2 format could be possible if all components can accept LtpaToken2, which is not always the case. However there isn’t any readily available solution without introducing customization or additional components.
Unless you want to pursue a customized solution for your environment, I agree with the assessment that you need to introduce IBM Tivoli Access Manager WebSEAL reverse proxy, or other additional component to bring your diverse environment together to provide both idle session timeout and SSO across components.
Jane Marcus, IBM
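The reply above turns on one point: an LTPA token is a stateless, signed blob with a fixed expiration time baked into it, so whether a product can offer idle-session timeout depends on whether its token format lets the issuing server re-mint the token with a fresh expiry on each request. The Python below is an added illustration, not code from the thread or from IBM. It follows the publicly documented layout of the Domino-format LTPA token (4-byte version header 0x00010203, creation and expiration times as 8-character hex epoch seconds, the user name, then a SHA-1 of the body plus the shared secret, all base64-encoded) to mint and verify tokens, and then shows a sliding-expiry `touch` step that yields idle-timeout behaviour. The shared secret and user names are constructed; that a real Domino server refreshes tokens in exactly this way is an assumption, not something the thread states.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the shared LTPA secret (in a real deployment this is
# the secret exported from the Web SSO Configuration document; assumption).
SECRET = b"constructed-shared-ltpa-secret-not-a-real-key"
VERSION = b"\x00\x01\x02\x03"      # Domino-format LTPA token header
DIGEST_LEN = 20                     # SHA-1 output length


def mint_domino_token(user: str, created: int, lifetime_s: int,
                      secret: bytes = SECRET) -> str:
    """Build a Domino-format LTPA token: version | created | expires | user | sha1."""
    expires = created + lifetime_s
    body = (VERSION
            + f"{created:08x}".encode("ascii")
            + f"{expires:08x}".encode("ascii")
            + user.encode("utf-8"))
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def parse_domino_token(token: str, secret: bytes = SECRET):
    """Decode and authenticate a token; returns (user, created, expires)."""
    raw = base64.b64decode(token)
    if raw[:4] != VERSION or len(raw) < 4 + 16 + DIGEST_LEN:
        raise ValueError("not a Domino-format LTPA token")
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(expected, digest):
        raise ValueError("LTPA digest mismatch (wrong secret or tampered token)")
    created = int(body[4:12], 16)
    expires = int(body[12:20], 16)
    user = body[20:].decode("utf-8")
    return user, created, expires


def validate(token: str, now: int, secret: bytes = SECRET) -> str:
    """Return the authenticated user if the token is genuine and unexpired."""
    user, _created, expires = parse_domino_token(token, secret)
    if now >= expires:
        raise ValueError("LTPA token expired")
    return user


def is_valid(token: str, now: int, secret: bytes = SECRET) -> bool:
    try:
        validate(token, now, secret)
        return True
    except ValueError:
        return False


def touch(token: str, now: int, idle_timeout_s: int,
          secret: bytes = SECRET) -> str:
    """Sliding expiry: on each authenticated request, re-mint the token so it
    expires idle_timeout_s after *this* request. This is what gives a stateless
    token idle-session-timeout semantics; a consumer that cannot re-issue the
    token can only honour the absolute expiry that was originally embedded."""
    user = validate(token, now, secret)
    return mint_domino_token(user, now, idle_timeout_s, secret)


if __name__ == "__main__":
    t0 = 1_200_000_000                       # constructed "now" (epoch seconds)
    tok = mint_domino_token("CN=Jane Doe/O=Acme", t0, 1800)
    print("token:", tok)
    print("user after 10 min:", validate(tok, t0 + 600))
    tok2 = touch(tok, t0 + 600, 1800)        # activity at +10 min slides expiry
    print("expires after touch:", parse_domino_token(tok2)[2] - t0, "s")
    print("original token still valid at +31 min?", is_valid(tok, t0 + 1860))
    print("touched token still valid at +31 min?", is_valid(tok2, t0 + 1860))
```

Run it as a script to see the original token die at its fixed 30-minute expiry while the re-minted one survives because the user was active at minute 10. The same `touch` step cannot be applied to a token whose format a given server can only consume, not issue, which is the interoperability gap the reply above describes.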