Wednesday, August 7, 2013

SSO not complete

SSO is only working one way! I log in to Connections, then go to webmail, and SSO takes care of the authentication. But not the opposite: when I first log in to webmail, it does not log me in to Connections automatically.


Several steps I didn't take, according to the Zero To Hero Integration Guide:

  1. Editing wimconfig.xml to use externalName instead of uniqueName for userUniqueIdMapping
  2. Importing the SSL certificate from WebSphere

WIM


By the way, what is WIM? (from "What's new in version 6.1?"):
WebSphere Application Server V6.1 also includes WebSphere Identity Manager (WIM) (also included in WebSphere Portal), which provides basic identity, profile, and user information that can be used by JAAS. Figure 8 illustrates the WIM framework.
So it is linked to authentication.



The wimconfig.xml procedure is explained (because I always have to know why I do what I do!) here, on the Kenio blog:

Here is the paragraph I'm referring to:

Please note: if you make subsequent changes to the Global Security Federated Repository area using the ISC, Step 3 may need to be redone, as changes may be lost.

What this does:

Step 1) Ensures that the username in the LTPA token created by Domino maps to an existing repository in WAS. If there is no match, you get the "user not in defined realm" error in the logs.

Step 2) Ensures that Domino flat groups can be found for policies.

Step 3) Ensures that the username in the LTPA token that WAS generates is resolvable by the Sametime Community Server. In general, Domino does not validate the usernames contained within the LTPA token; it grants the user "default" level access to the database based on the validity of the token.

That seems important! However, according to this source: http://www-01.ibm.com/support/docview.wss?uid=swg1PM33575, it seems that the fix is included in 8.0.0.5, so having either externalName or uniqueName is fine.

Path of wimconfig.xml : C:\IBM\WebSphere\AppServer\profiles\Dmgr01\config\cells\connectionsCell01\wim\config

However


Wiki: Troubleshooting


In the Connections Wiki documentation, they also provide an action to take on the wimconfig file for troubleshooting SSO in the context of using flat groups in Domino LDAP.

I applied it, and that didn't make any change.


SSO D'bugging


From this interesting document about SSO in the ICS world (Sametime, in that case):

D'buggin – It's more an art than science -
● Process of elimination – where is the problem originating?
─ Confirm that basic authentication (username/password) works first
─ Confirm with basic browser based tests before attacking Sametime itself
─ From a browser
– access http://<domino>/names.nsf then go directly to http://<was>/stmeetings
– access http://<was>/stmeetings (login) then go directly to http://<domino>/names.nsf
─ Do both tests – what does this tell you?
– First test – Domino created the LTPA token, Second test WAS created it
– If both tests pass – then continue on to Sametime issues
– If both tests fail – 99% of the time, the LTPA keys are not in synch
– If test(s) fail in one direction only – keys are in synch, but something else is off
– Most common reason for failing from Domino to WAS is “user not in defined realm”

And this also points to the "externalName" and "uniqueName" modification.

Also (Step 3 = modifying wimconfig.xml):
Please note: If you make subsequent changes to the Global Security Federated Repository area using the Integrated Solutions Console (ISC), then Step 3 might need to be redone, as changes may be lost.
This is really unfortunate: having to redo the wimconfig modification each time the federated repositories are changed.

However, I already have externalName, so this must be OK.


Getting information


Another source is this paper. What is good about this one is that, even though it covers WebSphere Portal and not Application Server, it goes in the direction of getting more information. Debugging by checking parameters is fine at the beginning. But once you have checked all the basics, and if you are going in depth for the first time, my opinion is that you have to know how to get information. I cannot go blind for long.

In fact, this paper is part of a series on SSO which can be useful if you are interested in learning more about IBM LTPAToken SSO.



Which LTPA

Specifically, in my environment I have:
- several Domino servers in the same domain, SSO OK.
- Connections, SSO works only one way.
- Sametime System Console with Proxy Server, SSO OK with Domino, and one way with Connections.
So basically, the Connections side is not OK.
However, is it possible that by adding SSO for the Sametime System Console, I erased the LTPA token key for Connections? How is it possible to check which LTPA token key is in place in Domino?

I re-imported the LTPA key from Connections into Domino (restarted the HTTP task) and Sametime, and now SSO works.
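Both the slide's diagnosis above ("if both tests fail, 99% of the time the LTPA keys are not in synch") and the question of which LTPA key Domino is actually using can be answered from a captured LtpaToken cookie. The following Python is an added example, not code from the original post or from IBM: it mints and verifies Domino-style LtpaToken values and reports which of several candidate secrets a token was signed with. It assumes the "Domino only" token layout as documented by open-source LTPA libraries: a fixed 4-byte header, creation and expiry times as 8 hex characters each, the user name, then a SHA-1 over all of that followed by the shared secret, the whole value base64-encoded. The secrets, user name and clock value are constructed for the example. Once WebSphere keys are imported into Domino, the Web SSO Configuration document switches to the interoperable, 3DES-encrypted WebSphere token format, which this code does not parse.

```python
# Added example (not from the original post or from IBM). Mint and verify
# Domino-style LtpaToken cookies and work out which LTPA secret signed one.
# Layout assumed here (Domino-only token format, as documented by open-source
# LTPA libraries): 4-byte header, creation time and expiry as 8 hex chars each,
# user name, then SHA-1(header + times + name + secret), all base64-encoded.
import base64
import hashlib
import hmac
from typing import Optional

LTPA_VERSION = bytes([0x00, 0x01, 0x02, 0x03])   # fixed header of every token
DIGEST_LEN = 20                                   # SHA-1 trailer length

# Constructed sample secrets: stand-ins for the base64-decoded LTPA secret of
# each key export (Connections cell, Sametime System Console). Not real keys.
EXAMPLE_SECRETS = {
    "sametime": b"constructed-secret-from-sametime-export",
    "connections": b"constructed-secret-from-connections-export",
}
EXAMPLE_NOW = 1375833600   # 2013-08-07 00:00:00 UTC, a constructed clock value


def mint_domino_token(username: str, secret: bytes, created: int,
                      lifetime_s: int = 1800) -> str:
    """Build the cookie value a Domino server holding `secret` would issue.

    The digest covers every field plus the shared secret, so a server holding
    a different secret computes a different digest and rejects the token.
    """
    expires = created + lifetime_s
    body = (LTPA_VERSION
            + f"{created:08x}".encode("ascii")
            + f"{expires:08x}".encode("ascii")
            + username.encode("utf-8"))   # Domino uses LMBCS; identical for ASCII names
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def verify_domino_token(token_b64: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the token's fields if it was signed with `secret` and is inside
    its validity window; otherwise None (bad encoding, bad header, wrong key,
    not yet valid, or expired)."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 4 + 8 + 8 + DIGEST_LEN or raw[:4] != LTPA_VERSION:
        return None
    body, sig = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    expected = hashlib.sha1(body + secret).digest()
    if not hmac.compare_digest(sig, expected):   # the "keys not in synch" case
        return None
    try:
        created = int(body[4:12], 16)
        expires = int(body[12:20], 16)
        username = body[20:].decode("utf-8")
    except ValueError:
        return None
    if not created <= now < expires:
        return None
    return {"username": username, "created": created, "expires": expires}


def which_secret(token_b64: str, candidates: dict, now: int) -> Optional[str]:
    """Try each named secret against a captured token; the first one whose
    digest matches is the key the issuing server is actually using."""
    for name, secret in candidates.items():
        if verify_domino_token(token_b64, secret, now) is not None:
            return name
    return None


if __name__ == "__main__":
    # A token minted by a Domino server that holds the Connections key ...
    cookie = mint_domino_token("CN=Jane Doe/O=Example",
                               EXAMPLE_SECRETS["connections"], EXAMPLE_NOW)
    # ... validates against that key only, which tells us which key is in place.
    print("issued with:", which_secret(cookie, EXAMPLE_SECRETS, EXAMPLE_NOW + 60))
    print("checked with sametime key:",
          verify_domino_token(cookie, EXAMPLE_SECRETS["sametime"], EXAMPLE_NOW + 60))
```

To use it for real, copy the LtpaToken cookie from the browser after logging in to Domino, base64-decode the secret from each key export you have ever imported into the Web SSO Configuration document, and pass them to which_secret(): the name that validates is the key Domino is currently signing with. A token that validates against none of them is exactly the "keys are not in synch" case from the slide above, and re-importing the right key (as done for Connections here) is the fix.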

Note: when testing Connections SSO, do not use https://connections.server.com/homepage/login
The "login" at the end puts you on the login page, even though SSO will log you in if you access https://connections.server.com/homepage
