0
votes

I need to use the .NET token (or FedAuth cookie) to get Domino credentials from Active Directory.

The same need is described in: Lotus Notes and C# SSO.

Internet users are logged in to a SharePoint application and have to open a form in Domino.

My Domino server is configured with Directory Assistance; the users are managed in Active Directory and not in names.nsf. This works well. I can make a POST to automatically log in an AD user.

But SharePoint doesn't have the user's password! Ideally it would be cool to POST the cookie... or run an agent that queries Active Directory in the back end with the cookie to verify it. Is there a way to do this?

My Domino is 8.53, so I can't use SAML (if someone has done this with Domino 9.0 I will be pleased to know :-).

2
Do you need SSO between SharePoint and Domino (server-to-server) or between a Windows user and Domino (client-to-server)? - Michael Ruhnau

Client to server: the client connects to SharePoint using his browser; he isn't in the same Windows domain (Internet user). "A button" in the SharePoint application should redirect him to a specific URL in Domino. This URL requires being logged in to Domino. - Emmanuel Gleizer

2 Answers

0
votes

There is an SSO option using SPNEGO which can be set up on Windows-based Domino servers.

More information about it can be found in the Domino Administration help (the steps are very well documented) and here: Wiki: Deploying Windows single sign-on for Web clients (SPNEGO) in an existing Domino environment

Basically the steps to enable this are (details in the Notes admin help and the linked document):

  1. Set an SPN on your Windows server (to allow this server to pass Kerberos tickets to the AD)
  2. Enable SSO on the Internet Site / Server doc
  3. In the SSO Configuration: add all servers for which you need SSO and enable Windows-based SSO
  4. Add a name mapping to your Person docs (Kerberos Principal Name field) and set the notes.ini entry WIDE_SEARCH_FOR_KERBEROS_NAMES=1 on your Domino server to include this field in the name lookup
  5. Configure the browser: IE: trusted sites (add your host names); Firefox: add the Domino host to network.negotiate-auth.trusted-uris

Hope that helps - Michael

0
votes

You could generate your own Domino LTPA token (cookie) from SharePoint upon login. So long as the domains are set up OK, the browser should pass this to the Domino server and automatically log them in.

Feel free to contact me directly if you need specific help.
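As an added illustration of the approach in this answer (example code, not from the original post or from Domino/SharePoint), the block below builds an SSO token on the issuing side and validates it on the receiving side. It assumes the commonly documented LtpaToken v1 layout (header bytes 00 01 02 03, creation and expiry times as 8 hex characters each, the user name, then a SHA-1 over the body plus the shared secret, all base64 encoded); the secret, user name and timestamps are constructed sample values, and the real shared secret lives in the Domino Web SSO configuration document.

```python
import base64
import hashlib
import hmac

# Assumed LtpaToken v1 layout (not taken from the original post):
# HEADER | created (8 hex) | expires (8 hex) | user name | SHA-1(body + secret)
HEADER = b"\x00\x01\x02\x03"
DIGEST_LEN = 20  # SHA-1 output size


def make_ltpa_token(user: str, secret: bytes, now: int, lifetime: int = 1800) -> str:
    """Issue a token the way a SharePoint-side login handler would (assumed layout)."""
    body = HEADER + f"{now:08X}{now + lifetime:08X}".encode("ascii") + user.encode("utf-8")
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def parse_ltpa_token(token: str, secret: bytes, now: int) -> dict:
    """Validate a received token: header, signature, then validity window.

    Raises ValueError on any defect so a caller never trusts a bad cookie."""
    raw = base64.b64decode(token)
    # 4 header bytes + 16 hex timestamp chars + at least 1 name byte + digest
    if len(raw) < len(HEADER) + 16 + 1 + DIGEST_LEN or raw[: len(HEADER)] != HEADER:
        raise ValueError("bad header or truncated token")
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    # Constant-time comparison so a forged cookie cannot be probed byte by byte
    if not hmac.compare_digest(digest, expected):
        raise ValueError("signature mismatch")
    created = int(body[4:12], 16)
    expires = int(body[12:20], 16)
    if not created <= now < expires:
        raise ValueError("token expired or not yet valid")
    return {"user": body[20:].decode("utf-8"), "created": created, "expires": expires}


if __name__ == "__main__":
    # Constructed sample values; a real deployment uses the decoded SSO document secret
    secret = b"constructed-shared-secret"
    token = make_ltpa_token("CN=Jane Doe/O=Example", secret, now=1700000000)
    print(parse_ltpa_token(token, secret, now=1700000100))
```

Because the signature is a plain SHA-1 over body plus a shared secret, anyone holding that secret can mint a valid session for any user, so the SharePoint side must guard it as carefully as Domino does.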