OpenWGA 7.5 - OpenWGA Concepts and Features
Authentication » Special featuresSingle-Signon with Lotus Domino websites
If Websites based on Lotus Domino databases are published via OpenWGA as well as via Dominos own HTTP task they can use the Single-Signon-Feature of Lotus Domino. That way a login that is done on one website will automatically be used on the other one. This is only possible when using authentication type "Domino directory" on the OpenWGA side.
What is to be considered using Single-Singon with Lotus Domino:
A login done on the side of Lotus Domino has a validity time that is not under control of OpenWGA. After this validity time the login is invalid and OpenWGA will not be able to use it, since it never got the real username/password combination but only a session token that is invalid now.
This is why this SSO login is not recommended when doing authoring or other data-modifying tasks on OpenWGA. In that case you should always login on the OpenWGA side first.
A login done on the side of Lotus Domino has a validity time that is not under control of OpenWGA. After this validity time the login is invalid and OpenWGA will not be able to use it, since it never got the real username/password combination but only a session token that is invalid now.
This is why this SSO login is not recommended when doing authoring or other data-modifying tasks on OpenWGA. In that case you should always login on the OpenWGA side first.
Prerequisites
The OpenWGA site and the Lotus Domino site must be reachable on the same DNS name, more precisely on the same second level domain. This is because the SSO functionality is accomplished via a browser cookie holding a session token.
Example: If OpenWGA is reachable on the DNS "wga.mysite.de" you could provide the Lotus Domino site on "domino.mysite.de", but not via "www.myothersite.de"
- The host name of the Lotus Domino server must be configured on the "server document" in the Domino directory database, under tab "Internet protocols" -> sub tab "HTTP" -> Field "Host name(s)"
- The OpenWGA sites must be in a domain using the authentication type "Domino directory", using the Domino server that also hosts the Lotus Domino websites.
- You will need to configure your Lotus Domino server to used session based authentication for the web in the process of enabling SSO. Make sure your Lotus Domino websites on this server - not only the ones that will use SSO - work well with this kind of authentication.
Configuring the Lotus Domino server for SSO
- Open the Domino directory database on the server via Lotus Notes
- Create an SSO configuration document with Action "Create Web..." available when opening the server document. Call the configuration "LtpaToken". Enter the DNS name by which the Domino website will be reachable
- Go to tab "Internet Protocols/Domino Web Engine" on the server documnet and change the field "Session Authentication" to "Multiple Server (SSO)".
- In the now appearing field "Web SSO Configuration" choose the previously created SSO config document "LtpaToken"
Configuring OpenWGA for SSO with Lotus Domino
- Open the OpenWGA Admin client and enable the "Expert mode" with the checkbox to the top right
- On the domain that hosts the OpenWGA domino websites configure the following
- Add option "Single Sign-On with Domino Websites" and enable it
- On the OpenWGA application that should do SSO configure the following
- Add publishing option "SSO Session Cookie" and set it to value "LtpaToken"
- Add publishing option "SSO Session Cookie Domain" and set it to the shared part of OpenWGA and Lotus Domino DNS names, including the point after the third level domain. So if you publish on "wga.mysite.de" and "domino.mysite.de" you should enter ".mysite.de".
- After a restart of Lotus Domino and the OpenWGA server SSO should be up and running