Single Sign-On Solution for Sametime, Domino and WebSphere
In WebSphere Global Security, for the Domino federated repository:

1.) Set "Distinguished name of a base entry that uniquely identifies this set of entries in the realm" to match the Domino organization, generally o=org.

2.) Set "Distinguished name of a base entry in this repository" to blank (empty).

3.) Edit the deployment manager's wimconfig.xml file under the profile_root/config/cells/cell_name/wim/config directory as follows (this example changes the mapping to "externalName"):

From:
<config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>

To:
<config:uniqueUserIdMapping propertyForInput="externalName" propertyForOutput="externalName"/>

Then synchronize the nodes and restart the nodes and the deployment manager.

Please note: if you later change the Global Security Federated Repository settings through the ISC, step 3 may need to be redone, because saving from the ISC can overwrite the manual edit to wimconfig.xml.

What this does:

Step 1.) Ensures that the user name in the LTPA token created by Domino maps to an existing base entry in the WAS realm. If there is no match, you get the "user not in defined realm" error in the logs.

Step 2.) Ensures that Domino flat groups can be found for security policies.

Step 3.) Ensures that the user name in the LTPA token that WAS generates is resolvable by the Sametime Community Server.

In general, Domino does not validate the user names contained within the LTPA token; it grants the user "default" level access to the database based on the validity of the token itself (that it was issued with the shared LTPA keys and has not expired).
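Because the step 3 edit can silently be lost after an ISC save, it is worth having a repeatable way to check the file and re-apply the change. The script below is an added example, not IBM's code and not the post author's: it reads a wimconfig.xml, reports the current uniqueUserIdMapping, and optionally rewrites both attributes to externalName while keeping the file's own namespace prefixes. It runs offline against a constructed sample whose namespace URIs are assumed; the script matches the element by local name, so it does not depend on those URIs.

```python
"""Check (and optionally apply) the wimconfig.xml uniqueUserIdMapping edit from step 3.

Added example, not IBM's code and not the post author's. It works on the file
text so it can run offline against the constructed sample below; the namespace
URIs in the sample are assumed.
"""
import io
import re
import sys
import xml.etree.ElementTree as ET

TARGET_ELEMENT = "uniqueUserIdMapping"   # the element step 3 edits
WANTED_PROPERTY = "externalName"         # the value step 3 sets
ATTRS = ("propertyForInput", "propertyForOutput")

# Constructed sample resembling the relevant part of a wimconfig.xml in the
# "before" state (assumed namespace URIs, trimmed to the elements of interest).
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<sdo:datagraph xmlns:config="http://www.ibm.com/websphere/wim/config" xmlns:sdo="commonj.sdo">
  <config:configurationProvider>
    <config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
    <config:uniqueGroupIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
  </config:configurationProvider>
</sdo:datagraph>
"""


def _local(tag):
    """Strip the {namespace-uri} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _find_target(root):
    """Return the single uniqueUserIdMapping element, failing loudly otherwise."""
    hits = [e for e in root.iter() if _local(e.tag) == TARGET_ELEMENT]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one {TARGET_ELEMENT}, found {len(hits)}")
    return hits[0]


def read_mapping(xml_text):
    """Return the current propertyForInput/propertyForOutput values as a dict."""
    elem = _find_target(ET.fromstring(xml_text))
    return {a: elem.get(a) for a in ATTRS}


def mapping_is_correct(xml_text, wanted=WANTED_PROPERTY):
    """True when both attributes already point at `wanted` (the post-step-3 state)."""
    return all(v == wanted for v in read_mapping(xml_text).values())


def set_mapping(xml_text, wanted=WANTED_PROPERTY):
    """Return the XML text with uniqueUserIdMapping rewritten to `wanted`.

    The file's own namespace prefixes are re-registered first so the output
    keeps 'config:' rather than ElementTree's generated 'ns0:'.
    """
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(xml_text)
    elem = _find_target(root)
    for a in ATTRS:
        elem.set(a, wanted)
    # ET.tostring drops the XML declaration; carry the original one over.
    decl = re.match(r"\s*<\?xml[^>]*\?>\s*", xml_text)
    head = decl.group(0) if decl else ""
    return head + ET.tostring(root, encoding="unicode") + "\n"


def main(argv):
    """Usage: script.py [path/to/wimconfig.xml] [--fix]; with no path, runs on the sample."""
    path = next((a for a in argv[1:] if not a.startswith("--")), None)
    if path:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_WIMCONFIG
    print("current mapping:", read_mapping(text))
    if mapping_is_correct(text):
        print("OK: mapping already uses", WANTED_PROPERTY)
        return 0
    print("DRIFT: mapping is not", WANTED_PROPERTY, "- step 3 needs (re)doing")
    if "--fix" in argv and path:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(set_mapping(text))
        print("rewrote", path, "- now synchronize the nodes and restart dmgr and nodes")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it without arguments to see the drift report on the sample, or point it at the deployment manager's wimconfig.xml (and add --fix to write). ElementTree re-serializes the whole file, so keep a backup and diff the result before synchronizing; the only intended difference is the two attributes on uniqueUserIdMapping. Rerun the check after every save from the ISC Federated Repositories panel, since that is when the edit gets lost.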
August 30th, 2011
1 Comment
1. Martin Schmidt | 08/03/2012 15:17:50
You saved my life!!
I looked everywhere and did not find the answer.
Many thanks for posting this fix to get SSO and Groups working between Domino and Websphere.
This setting is also useful for IBM Connections.