Saturday, January 20, 2007

SnTT - Setting up Sametime and Notes client SSO

The Problem: Too Many Passwords

A couple of years ago we implemented Sametime and have been using the Limited Use entitlement to get free corporate instant messaging. It works great, but my users have always had to enter their Internet password into the Sametime login box, and that caused a string of problems:

  • When they changed their password in Notes it wasn't reflected on the Sametime server immediately. They would try their new password there, and it wouldn't work.

  • If the password didn't work, some users would delete the user name that was already in there and put in their Windows user name. Don't ask me why, they're users. :-P

  • That wouldn't work either, and by the time they had tried every combination of user name and password they could think of they were frustrated and calling Notes all kinds of names.

  • When the mail and Sametime servers finally did replicate, the passwords were in sync, but then the old password no longer worked and users were even more confused.

  • There was also the odd situation where sometimes the new password wouldn't work for Sametime even after it had replicated! I had to go into names.nsf on the Sametime server and manually update the user's Internet password to get it to work.

The Solution: SSO To The Rescue

The solution is Single Sign-On (SSO) between the Notes client and Sametime: all a user has to do is log into Notes, and they're automatically authenticated to Sametime. I have been trying to get this to work for the past couple of years. I went through the Administrator help, I read forum posts, and every time I eventually ran out of time and had to move on, leaving my SSO configuration broken.

After recently spending the better part of a week on this insanity again, I finally got SSO working with the guidance of an extremely helpful but counter-intuitive post from Scot Haberman in the Sametime forum. The heart of my problem: Sametime doesn't recognize Domino Internet Site documents, but Internet Sites are the only configuration the Administrator help shows you. I'm sure this is documented somewhere, but I never found it until I finally searched the Sametime forum.

Below are Scot's instructions written out step by step with expanded discussion. All the descriptions and labels shown here are from Domino Administrator 7.0.2. Be aware that I use Internet Sites for everything except Sametime, so the screenshots show some of those documents.

I will be up front and tell you that I don't fully understand why this works. If you follow the Domino Administrator help on setting up SSO it's a lot more complicated than what is listed here. I also don't know whether this works for Sametime integration with DWA (Domino Web Access).

Part 1 - Configuring the SSO documents

  1. Open Domino Administrator, click the Configuration tab, expand the Web section, and click the Internet Sites entry.
  2. Delete any documents for your Sametime server and any documents listed as Web SSO Configuration: LtpaToken.
  3. Click the Web Server Configurations entry on the left, in the Web section.
  4. Look for a category labeled * - Web SSO Configurations -. It will be at the top of the view, and you may have to scroll UP to find it.
  5. If there is no such document you will have to create a new one. There are two ways to do this. Either go back to the Internet Sites section and click the Create Web SSO Configuration view action, or open an existing Web Server Configuration document (they're created automatically), click the Create Web action, and select SSO Configuration.
  6. Complete the configuration as follows:

    The Configuration Name must be LtpaToken.
    The Organization must be blank.
    Only list the Sametime server.

  7. When finished, click the Keys action and select Create Domino SSO Key. This generates a fresh LTPA key, so any tokens issued under an earlier key stop validating: browser users who were already logged in through SSO will have to authenticate again.
  8. Save and close the Web SSO Configuration.
  9. From the view, copy the document you just created to the clipboard and paste it back into the same view. You will have two copies of the same document, and because it is a copy both carry the same key.
  10. Edit the pasted document, adding the Organization you used in the Internet Site documents for your other servers (mine is WMBIRD).
  11. The document will disappear from the Web Server Configurations view and be displayed in the Internet Sites view instead. You end up with one LtpaToken document with a blank Organization, which is the one a server that does not use Internet Sites (Sametime) reads, and one with your Organization, which your Internet Sites servers read. Since both hold the same LTPA key, a token issued by your mail server is accepted by Sametime, and that is what lets the Notes client log into Sametime without a password.
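To make concrete why the two LtpaToken documents have to share a key, here is an added example of mine (not code from the original post or from Scot's instructions) that mints and checks a token in the layout commonly described for Domino LTPA version 1 tokens: a 4-byte header, creation and expiry times as 8-character hex strings, the canonical user name, and a SHA-1 over all of that plus the base64-decoded Domino secret. The layout is an assumption for illustration, and the secrets and the name CN=Jane Doe/O=WMBIRD are constructed. The same token is then checked by a server holding the same secret, by one holding a different secret, and after expiry.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo secrets. In Domino the real value is the base64
# LTPA_DominoSecret kept in the Web SSO Configuration document; these
# are placeholders, not real keys.
SAMETIME_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-A").decode("ascii")
OTHER_SECRET_B64 = base64.b64encode(b"constructed-demo-secret-B").decode("ascii")

# Assumed LTPA v1 layout: 4-byte header, 8 hex chars creation time,
# 8 hex chars expiry time, user name, 20-byte SHA-1 over body + secret.
LTPA_HEADER = bytes([0x00, 0x01, 0x02, 0x03])
SIG_LEN = 20


def make_ltpa_token(user, secret_b64, created=None, lifetime=30 * 60):
    """Mint a token for `user` under the given secret (assumed v1 layout)."""
    created = int(time.time()) if created is None else created
    expires = created + lifetime
    body = (LTPA_HEADER
            + f"{created:08x}{expires:08x}".encode("ascii")
            + user.encode("latin-1"))
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode("ascii")


def verify_ltpa_token(token_b64, secret_b64, now=None):
    """Return (user, status); status is 'ok', 'expired', 'bad signature' or 'malformed'."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except (ValueError, TypeError):
        return None, "malformed"
    if len(raw) < len(LTPA_HEADER) + 16 + SIG_LEN or raw[:4] != LTPA_HEADER:
        return None, "malformed"
    body, digest = raw[:-SIG_LEN], raw[-SIG_LEN:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    # Constant-time comparison so the check does not leak how many
    # signature bytes matched. Check the signature before trusting any field.
    if not hmac.compare_digest(digest, expected):
        return None, "bad signature"
    expires = int(body[12:20].decode("ascii"), 16)
    user = body[20:].decode("latin-1")
    now = int(time.time()) if now is None else now
    if now >= expires:
        return user, "expired"
    return user, "ok"


def demo():
    """One token checked with the shared key, with a different key, and after expiry."""
    user = "CN=Jane Doe/O=WMBIRD"   # constructed canonical Notes name
    issued = 1169251200              # fixed clock (20 Jan 2007 00:00 UTC) for repeatability
    token = make_ltpa_token(user, SAMETIME_SECRET_B64, created=issued)
    shared_key = verify_ltpa_token(token, SAMETIME_SECRET_B64, now=issued + 60)
    other_key = verify_ltpa_token(token, OTHER_SECRET_B64, now=issued + 60)
    too_late = verify_ltpa_token(token, SAMETIME_SECRET_B64, now=issued + 3600)
    return shared_key, other_key, too_late


if __name__ == "__main__":
    for label, result in zip(("same key", "other key", "expired"), demo()):
        print(f"{label:10}: {result}")
```

The "other key" case is the failure you get when the Sametime server's LtpaToken document was created separately from the one your mail server uses: the token is well formed and the user exists, but the signature was made with a different secret. Note also that under this layout whoever holds the Domino secret can mint a token for any name, so the Web SSO Configuration document deserves the same protection as a server ID file.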

Part 2 - Using the SSO Configuration

  1. Edit the Server document for your Sametime server and go to the Internet Protocols > Domino Web Engine tab. Change it as follows:

    Change Session authentication to Multiple Servers (SSO).
    Change Web SSO Configuration to LtpaToken.

  2. Stop and reload the HTTP task on the Sametime server (tell http restart at the server console) so it picks up the new configuration.
  3. From your Notes client, click File > Preferences > User Preferences, then select the Instant Messaging section, and check the box for Log into instant messaging using single sign-on (SSO).

Wrapup

That's all there is to it. Now you should be able to log into Sametime from your Notes client without entering a password. A quick way to confirm a client is really using SSO rather than a cached password: uncheck the preference from step 3 of Part 2, and the client should immediately start prompting for the Internet password again.

7 comments:

  1. No commercial spam allowed, especially from anonymous people.

  2. I've just successfully enabled Sametime SSO login in the Notes 7 client without having to create an Internet Site document and without having "Multiple Servers (SSO)" in the "Session Authentication" field. The Sametime/Domino server is 6.5 and has one Web SSO document (named "LTPAToken") without any value in the Organization field. The "Session authentication" field in the server document is set to "Single server".
    I am sure that I am logged in to Sametime through SSO because if I disable Sametime SSO login in the client preferences, I am prompted for a password.
    I guess your company just fell into disfavour with the Sametime gods for running MSN Messenger on 2 workstations :)

  3. Andrei, that's interesting. I'm running Sametime 7.0 Limited Use, so maybe something is different in that version. I think part of the configuration will allow users to log in via DWA, which unfortunately isn't possible using Sametime Limited Use. I could probably delete the Internet Site document and it would work just fine. I honestly didn't try the Single Server session authentication, but thinking about what I'm doing that would probably work, too.

    It looks like there are some tweaks I can do, thanks for sharing. :-)

  4. You know. It's 2 years later. Sametime 8.02 and Sametime 8.5.1 (CLASSIC meetings).

    Same
    damn
    thing.

  5. Craig, do you mean it's incredibly convoluted and nearly impossible for a mere mortal to understand? I haven't installed Sametime in a couple of years so I don't know.

  6. In a word, yes. In two, HELL yes. And that's a relevant word in this context.

    I'm not even going to touch on the full, new, WAS-based Sametime meeting servers. Mr. Tyler has done an excellent job on his blog about that.

    www.iminstant.com

  7. Is it possible to enable SSO on Sametime using OpenAM?
