
SSO from Portal to Lotus - with different attribute than the sap id

Former Member
0 Kudos

Hi,

We have the following setup:

1. Domino server with email ids as user ids e.g. firstname.lastname@company.com

2. Portal with user ids e.g. firstnamel1234

3. Portal user store is an LDAP directory and has the email ids of all users

4. Domino directory doesn't have portal ids

Since the portal sends the portal id in the Logon Ticket, the portal id needs to be added as a user id in the Domino user directory.

We have almost 8,000 users in Domino, so it would be cumbersome to add all their portal ids in Domino. We also do not wish to use the user mapping iView for some reasons.

Is there a way to establish SSO in the current scenario, i.e. without updating portal ids in the Domino directory?

Any help would be greatly appreciated.

Accepted Solutions (0)

Answers (1)

MichaelSambeth
Advisor
0 Kudos

Hello Amey,

A straightforward approach would be to use the email as portal logon id so that the email is written to the SAP logon ticket (which then would be processed by Domino).

From a security point of view, the source system (portal) actually should not write anything to the logon ticket other than what the user has entered. Even though you may implement a custom JAAS login module for the portal (which e.g. does that), it remains a custom solution.

One option that may also fit is that you can use a custom notesview for the user lookup of the SAP Ticketverifier. That view could, e.g., be populated with the AD records (which carry both the email and the portal id).

Does this help?

Regards

Michael

Former Member
0 Kudos

Hello Michael,

I've read a lot of your posts and they've been very helpful for me to understand and implement integration scenarios between Lotus and EP.

Using email ids for portal logon cannot be used, again because there are already 10,000 users using the portal.

If I write a custom JAAS login module, the portal will write the email id to the SAP Logon ticket. However, there are other SAP applications like R/3, CRM, SRM which are already using the ticket to SSO with the portal.

Finally, I feel the third solution would be feasible in this scenario. It would be great if you could throw some light on writing a custom notesview. I also have a Java program ready which can query the AD and retrieve the email id for a given portal user, if that helps.

Thank you,

Amey

MichaelSambeth
Advisor
0 Kudos

Hello Amey,

Please use the parameter "mySAPView" in notes.ini to make the SAP Ticketverifier use a notesview other than the standard view for user lookup (the standard view used is "$Users").

So e.g. assign "mySAPView=($DSAPI)" in notes.ini.

A good point to start is to perform a copy of the $users view and to start modifying it.

The population of the view (in my example $DSAPI) has to be performed separately, e.g. via an agent that pulls the values from AD. You may also think of using the directory assistance feature to make AD accessible from Domino. But I'm not an expert in that question.

Regards

Michael

Former Member
0 Kudos

Hi Michael,

I wrote a Java program that updates the Domino LDAP directory with the portal id of the respective users.

Since the Domino LDAP attribute CN is multivalued, the program adds the portal id in the Domino LDAP for the respective user.

Issue resolved.

Thanks a lot for your help.

Amey

Former Member
0 Kudos

Hi Amey,

we had the same problem.

The solution is: Add the portal-user-ID as alias to the Notes-User.

Best regards

Oliver Prodinger
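
The fix described in the last two posts (adding the portal ID as an extra CN value or alias on the matching Domino entry), as an added example that is not Amey's program or code from the thread: it pairs AD records with Domino entries by e-mail address and emits LDIF change records for review, refusing any portal ID that already names a different entry, since that would let one user's logon ticket resolve to another person. The sample records, the `mail` attribute used for matching, and the DN layout are constructed assumptions.

```python
import re

# Constructed sample data (not from the thread): AD export rows and Domino LDAP entries.
AD_USERS = [
    {"portal_id": "janed1234", "mail": "jane.doe@company.example"},
    {"portal_id": "johns5678", "mail": "john.smith@company.example"},
    {"portal_id": "alexk9012", "mail": "alex.kim@company.example"},
    {"portal_id": "nomatch0001", "mail": "gone@company.example"},
]
DOMINO_ENTRIES = [
    {"dn": "CN=Jane Doe,O=Company", "mail": "Jane.Doe@company.example", "cn": ["Jane Doe"]},
    {"dn": "CN=John Smith,O=Company", "mail": "john.smith@company.example", "cn": ["John Smith", "johns5678"]},
    {"dn": "CN=Alex Kim,O=Company", "mail": "alex.kim@company.example", "cn": ["Alex Kim"]},
    {"dn": "CN=Service Account,O=Company", "mail": "svc@company.example", "cn": ["Service Account", "alexk9012"]},
]
SAFE_ID = re.compile(r"[A-Za-z0-9._-]+")  # used with fullmatch: no newlines, no LDIF injection

def plan_alias_updates(ad_users, domino_entries):
    """Return (ldif_text, skipped) for adding portal ids as extra cn values."""
    by_mail, owner = {}, {}
    for e in domino_entries:
        by_mail.setdefault(e["mail"].lower(), []).append(e)
        for name in e["cn"]:
            owner.setdefault(name.lower(), set()).add(e["dn"])
    ldif, skipped = [], []
    for u in ad_users:
        pid, matches = u["portal_id"], by_mail.get(u["mail"].lower(), [])
        if not SAFE_ID.fullmatch(pid):
            skipped.append((pid, "unsafe characters in portal id"))
        elif len(matches) != 1:
            skipped.append((pid, f"{len(matches)} Domino entries for {u['mail']}"))
        elif owner.get(pid.lower(), set()) - {matches[0]["dn"]}:
            # The id already names someone else: adding it would make the ticket
            # lookup ambiguous or map this user onto another person's entry.
            skipped.append((pid, "portal id already names another entry"))
        elif pid.lower() in owner:
            skipped.append((pid, "already present"))
        else:
            dn = matches[0]["dn"]
            owner[pid.lower()] = {dn}
            ldif.append(f"dn: {dn}\nchangetype: modify\nadd: cn\ncn: {pid}\n-\n")
    return "\n".join(ldif), skipped

if __name__ == "__main__":
    text, skipped = plan_alias_updates(AD_USERS, DOMINO_ENTRIES)
    print(text)
    for pid, reason in skipped:
        print(f"# skipped {pid}: {reason}")
```

The skipped list is the part to review by hand before any change is applied: each collision is a portal ID that would authenticate as an existing Domino identity.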