Single Sign-On Solution for Sametime, Domino and WebSphere

In WebSphere Global Security

for the Domino Federated Repository -

1.) Setting - set "Distinguished name of a base entry that uniquely identifies this set of entries in the realm" to match the Domino organization - generally, o=org.

2.) Setting - set "Distinguished name of a base entry in this repository" to blank (empty).

3.) Edit the dmgr's wimconfig.xml file under the profile_root/config/cells/cell_name/wim/config directory as follows (this example changes the mapping to "externalName"):

From:

<config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>

To:

<config:uniqueUserIdMapping propertyForInput="externalName" propertyForOutput="externalName"/>

And then synchronize and restart the nodes and deployment manager.

Please note - if you make subsequent changes to the Global Security Federated Repository area using the ISC, Step 3 may need to be redone, as the manual edit may be lost.
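Because the Step 3 edit can be silently reverted by later ISC changes, it is worth having a small script that both applies the change and verifies it after the fact. The following is an added example, not IBM code and not part of the original note; it uses Python's standard-library XML parser. The namespace URI bound to the "config" prefix, the position of the uniqueUserIdMapping element inside config:realms, and the sample wimconfig.xml fragment (with the placeholder org o=acme) are all assumptions made for the example - check the xmlns:config declaration in your own file before relying on it.

```python
import sys
import shutil
import xml.etree.ElementTree as ET

# Namespace assumed for the "config" prefix in wimconfig.xml (verify against
# the xmlns:config declaration in your own file).
WIM_CONFIG_NS = "http://www.ibm.com/websphere/wim/config"
MAPPING_TAG = "{%s}uniqueUserIdMapping" % WIM_CONFIG_NS

# Constructed sample resembling the realm section of wimconfig.xml; not a real file.
SAMPLE_WIMCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<config:configurationProvider xmlns:config="http://www.ibm.com/websphere/wim/config">
  <config:realmConfiguration defaultRealm="defaultWIMFileBasedRealm">
    <config:realms name="defaultWIMFileBasedRealm" securityUse="active">
      <config:participatingBaseEntries name="o=acme"/>
      <config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
      <config:userSecurityNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
    </config:realms>
  </config:realmConfiguration>
</config:configurationProvider>
"""


def _parse(xml_text):
    # Feed bytes so an XML declaration with an encoding attribute is always accepted.
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    return ET.fromstring(xml_text)


def get_unique_user_id_mapping(xml_text):
    """Return (propertyForInput, propertyForOutput) of the first uniqueUserIdMapping element."""
    elem = _parse(xml_text).find(".//" + MAPPING_TAG)
    if elem is None:
        raise ValueError("no config:uniqueUserIdMapping element found")
    return elem.get("propertyForInput"), elem.get("propertyForOutput")


def mapping_is(xml_text, prop="externalName"):
    """True when both mapping attributes already carry the wanted property name."""
    return get_unique_user_id_mapping(xml_text) == (prop, prop)


def set_unique_user_id_mapping(xml_text, prop="externalName"):
    """Rewrite every uniqueUserIdMapping so both attributes equal `prop`; return the new XML text."""
    # Keep the original "config" prefix on output instead of ElementTree's default ns0.
    ET.register_namespace("config", WIM_CONFIG_NS)
    root = _parse(xml_text)
    found = 0
    for elem in root.iter(MAPPING_TAG):
        elem.set("propertyForInput", prop)
        elem.set("propertyForOutput", prop)
        found += 1
    if found == 0:
        raise ValueError("no config:uniqueUserIdMapping element found")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python edit_wimconfig.py /path/to/wimconfig.xml [--check]
    # --check only reports whether the mapping is externalName; otherwise a .bak
    # copy is written and the file is rewritten with the new mapping.
    path = sys.argv[1]
    with open(path, "rb") as fh:
        current = fh.read()
    if "--check" in sys.argv[2:]:
        print("mapping is externalName:", mapping_is(current))
    else:
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0" encoding="UTF-8"?>\n')
            fh.write(set_unique_user_id_mapping(current))
        print("updated", path, "->", get_unique_user_id_mapping(open(path, "rb").read()))
```

Run the script with --check after any ISC change to the federated repository settings; if it reports False, the edit was lost and the script can be re-run without the flag to restore it. The file is rewritten on the deployment manager only, so the usual node synchronization and restart from the note still apply.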

What this does -

Step 1.) Ensures that the username in the LTPA token created by Domino maps to an existing repository in WAS. If there is no match, you get the "user not in defined realm" error in the logs.

Step 2.) Ensures that Domino flat groups can be found for policies.

Step 3.) Ensures that the username in the LTPA token that WAS generates is resolvable by the Sametime Community Server. In general, Domino does not validate the usernames contained within the LTPA token; it grants the user "default" level access to the database based on the validity of the token.