I had a ping earlier today from a co-worker asking about Single Sign On for Lotus Connections with the Windows Desktop. That means that a user logs on to their Windows machine, opens a browser and then goes to Lotus Connections and... VOILÁ! They are automatically logged on!
How can this be done? We use a technology referred to as SPNEGO (Simple and Protected GSS-API Negotiation). In the old WebSphere v5 days, you had to purchase TAM/WebSEAL because it had the add-on that could parse the SPNEGO token (similar to the more commonly known LTPA token) and automatically sign you on.
Well, WebSphere v6.1 already includes this SPNEGO parser/connector/plug-in out-of-the-box, for free! Therefore, all you need to do is configure it and off you go! Here's how it works:
So another tidbit you can use to up the value of Lotus Connections (or any other application that runs on top of WebSphere v6.1) -- free SSO with the Windows Desktop! (though I would still recommend some services to configure this...)
Hi Luis,
Currently I am also diving into the whole SPNEGO concept.
Got it working on Connections, but what is your experience when you want to use LC outside the Domain?
Without any adjustments I will either get a white screen, or a login box without any style elements.
Got it working after a long time with several IHS rewrite rules. (You can specify an escape SPNEGO parameter in the WAS config
com.ibm.ws.security.spnego.SPN1.filter=request-url!=noSPNEGO
)
Don't know if you got a better/easier solution for this one?
Greetz,
Marco Ensing
There were a couple of iFixes that were on the IBM page a while ago. They are no longer there, and I think you have to request them directly from support. If you open a PMR, they'll get you the iFixes. There's one iFix for each module: homepage, profiles, blogs, etc.
Hi Luis,
Thanks for your reply,
Already got my hands on those SPNEGO ifixes. Think I have to raise a PMR for this one, and ask what the possibilities are with Connections and SPNEGO.
(this if you want to use an SPNEGO enabled Connections env. outside the Domain)
Greetings,
Marco
@Marco, Ah... I missed the part about using it outside of the domain. Yes, definitely raise a PMR on that subject. If you can, keep us posted on the resolution.