SSO-enabling Sametime with Netegrity Siteminder

SSO-enabling Sametime with Netegrity Siteminder

Tip submitted by
Raj Balasubramanian
and Stan Logan

Level: Intermediate
Works with: Sametime 2.5
Updated: 03-Mar-2002

If your organization uses Netegrity Siteminder and Sametime, you can configure the two servers to use Siteminder for single sign-on (SSO) authentication. This tip describes one method to do just that. It works for Sametime 2.5 and Netegrity Siteminder 4.51.

Before we begin, here are a few important points to note:

Integration of Sametime 2.5 and Netegrity Siteminder is not supported by IBM Lotus software.
In addition, if you implement SSO-enablement with Siteminder, the files located under the Sametime directory are unprotected. The Admin servlet remains protected by the Admin ID and password.
The following Sametime features were tested following the implementation: Java Connect client, STLink applications, and Meeting Services.
On Domino, the Siteminder Web agent is implemented as a DSAPI filter to provide single sign-on. If Sametime applications—chat, meeting, and STLinks applications—are accessed through the Domino Web server (HTTP), you can leverage Siteminder SSO for authentication.
The Sametime Connect client cannot use Siteminder SSO because there is no HTTP access for authentication or communication. (The program is loaded locally on a client machine and all communications occur on port 1533, by default). To leverage Siteminder SSO, additional development effort—changing Sametime authentication mechanism on server or changing the Connect client code base—is required.

Enabling SSO with Siteminder requires these procedures:

Configuring the Person document in the Domino Directory
Modifying the Siteminder Web agent
Configuring Siteminder Policy Server settings

Configuring the Person document
Follow these steps for configuring the Person document in the Domino Directory. These steps apply to the Sametime Admins and are needed to work the Sametime Admin servlet.

In the Domino Directory, open the Sametime Admin Person document.
In the User Name field, enter the UID that the Sametime Admin needs to log into Siteminder. The UID is same login ID used to log into Siteminder.
If you use a separate LDAP directory for Siteminder, make sure that the password listed in the Person document is the same one listed in the LDAP directory.
Save and close the Person document.
In the Notes client, open the Sametime Configuration database (STCONFIG.NSF).
Choose File - Database - Access Control.
Make sure that the Sametime Admin canonical name appears in the ACL of the database. If not, add the name, then click OK.
Return to the Domino Directory, and open the Server document for which you are configuring SSO.
Select the Internet Protocols - HTTP tab, and in the DSAPI filter file names field, enter the name and full path of the Siteminder Web agent: <Netegrity installation path>\dominowebagent.dll.

Refer to the Netegrity Siteminder Installation Guide and Siteminder Agent Guide for more information on installing the Web agent.

Modifying the Web agent
Using a text editor (such as Notepad) edit the badurlchars parameter in the Webagent.Conf file by removing the '//' character:

badurlchars="./, /., /*, *., ~, \, %00-%1f,%7f-%ff"

Next, add these new parameters to the file:

dominouseheaderforlogin="HTTP_NOTESDN"
forcefqhosts="NO"
forcecookiedomain="YES"
csschecking="NO"

HTTP_NOTESDN is a custom header sent in response by the Policy Server to the Domino server's Web agent. The Web agent uses the header to set the Domino authenticated user.

Configuring the Siteminder Policy Server settings
You want your Siteminder settings, as they apply to Sametime, to do the following:

Protect the entire Sametime server (everything under Domino\Data directory).
Do not protect Sametime file resources (/sametime/) and admin configuration (servlet/auth/scs).
Protect the Admin servlet resource (/servlet/auth/admin) using Basic authentication realm.

All responses to the Web agent on the Sametime server have the NotesDN attribute in the header, which is referenced in the Web agent configuration file, to determine the Domino authenticated user.

Configure these settings in the Siteminder Policy Server settings:

Realm Name: Sametime Server Root
Resource Filter: /
Protection: Protected
Auth Scheme: ABC Dev Auth Scheme
Associated Rule: Sametime Server Root protection rule
Rule Resource: *

Nested Realm under Sametime Server Root
Realm Name: Sametime Files
Resource: sametime/
Protection: Unprotected
Auth Scheme: ABC Dev Auth Scheme

Realm Name: Sametime Admin Config
Resource: servlet/auth/scs
Protection: Unprotected
Auth Scheme: ABC Dev Auth Scheme

Realm Name: Sametime Admin Page
Resource: servlet/auth/admin
Protection: Protected
Auth Scheme: Basic
Associated Rule: Sametime Admin Page Rule
Rule Resource: *

Only the Sametime Admin Page and Sametime Server Root are added to the Policies with set Responses. There are no rules or policies for Sametime Admin Config and Sametime Files realms.

The next time you sign into Domino Web site or application, you'll have access to Sametime servers that are SSO-enabled.

SUBMIT YOUR TIPS!

We encourage you to send us your tips (You can also click the "Would you like to submit a tip?" graphic below.) Your tips can be anything you've discovered about any Lotus product. The most important thing is that your tip be interesting, useful, or handy. And be sure to include complete information about how your tip works. For ideas, take a look at our tip archives. If we publish your tip, we'll send you the IBM Redbooks Lotus Collection on CD.