This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Jun 23, 2015, 8:16 PM
34 Posts

LtpaToken and SAML

  • Category: Domino Server
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator,Developer,End User
  • Tags:
  • Replies: 7

A customer has multiple Domino servers. One server has a website document and is set up to do SAML Session authentication and use a Web SSO Configuration document named LtpaToken.

This is for example mail01.domain.com.

Another server is using a dedicated website document, Session authentication using Multiple Servers (SSO), and is using the same Web Configuration document (LtpaToken).

This is mail02.domain.com.

The LtpaToken document is set up for .domain.com and the Participating Servers are mail01 and mail02.

Users are authenticating on the first server using SAML, so far everything is fine. The mail archive however is located on the second server, and when the users connect to the second server a logon window shows up although the server is in the same domain.

When looking at the LtpaToken cookie, it shows the hostname mail01.domain.com and not .domain.com. When manipulating this cookie, the user can access both servers without a logon window.

On our server (Linux, not using SAML) the LtpaToken is configured the same way, but the hostname in the cookie is .domain.com, that is what we want for our customer.

Can we configure the hostname/domainname used in the LtpaToken somewhere?


Jun 24, 2015, 6:05 AM
15 Posts
LtpaToken and SAML

Hi Marcel,


Do you also have an IdP generated for mail02.domain.com? I would think this is necessary for SAML authentication.

Jun 25, 2015, 9:13 AM
34 Posts
IdP

The second server (mail02) is not using SAML. The server should use the LtpaToken since it's listed in Participating Servers.

Customer has set up the IdP for the second server. But this doesn't work.

Therefore the question is whether the host/domain name for the LtpaToken cookie can be configured.

Jun 25, 2015, 1:23 PM
202 Posts
The ltpa domain is set in the web config or internet site document
It should be set to .Domain.com

Jun 25, 2015, 1:53 PM
34 Posts
Where?

Yes, it should be set to domain.com. And in the Web Configuration document (LtpaToken) it is set to .domain.com.

But the cookie that is set shows host mail01.domain.com; that is what we are trying to change to domain.com.

Jun 25, 2015, 3:07 PM
202 Posts
No, it should have the period in front,
so it should be .domain.com

In the server documents, are they all set to use Multiple Servers (SSO)? Are all the servers listed as participating servers in the Web SSO Config document?

Jun 26, 2015, 8:00 AM
34 Posts
Yes

The answer to both is yes.

SSO is set in the Website configuration documents, and 'Load Internet configurations from Server\Internet Sites documents' is Enabled.


Jun 26, 2015, 7:34 PM
34 Posts
Proxy

Today I was at the customer's site. Domino and the IBM HTTP Reverse Proxy were fine, but they forgot to mention an extra Microsoft Proxy. The MS proxy caused the cookie to be set with the hostname. When connecting without the MS Proxy, with a direct connection to the IBM HTTP server, the cookie was set to the domain and everything worked fine.

Embarrassing....
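A check for the symptom described in this thread, added here as an example and not code from the thread or from Domino: it parses a Set-Cookie header and reports which participating servers a browser would actually send the LtpaToken to, so a cookie rewritten to a single hostname (as the proxy did here) shows up before users hit the second logon window. The two headers are constructed sample values; the host names and the .domain.com SSO domain are taken from the posts.

```python
# Constructed Set-Cookie headers (sample values, not captured traffic): the
# direct path to the Domino HTTP task, and the cookie as seen behind the proxy.
DIRECT_HEADER = "LtpaToken=AAECAZsample; Domain=.domain.com; Path=/; HttpOnly"
PROXIED_HEADER = "LtpaToken=AAECAZsample; Domain=mail01.domain.com; Path=/; HttpOnly"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flags such as HttpOnly map to ""
    return name.strip(), value, attrs


def domain_matches(cookie_domain, host):
    """RFC 6265 domain-match: the host equals the cookie domain or is a subdomain
    of it; the leading dot that the Web SSO document expects is ignored by browsers."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def check_sso_cookie(header, set_by_host, participating_hosts, expected_domain):
    """Report which participating servers would receive the cookie and whether
    its Domain attribute equals the SSO domain configured in the Web SSO document."""
    name, _, attrs = parse_set_cookie(header)
    cookie_domain = attrs.get("domain")
    if cookie_domain is None:
        # No Domain attribute: host-only cookie, sent back only to the setting host.
        reaches = {h: h.lower() == set_by_host.lower() for h in participating_hosts}
    else:
        reaches = {h: domain_matches(cookie_domain, h) for h in participating_hosts}
    scoped_ok = (
        cookie_domain is not None
        and cookie_domain.lstrip(".").lower() == expected_domain.lstrip(".").lower()
    )
    return {
        "name": name,
        "domain": cookie_domain,
        "reaches": reaches,
        "ok": name == "LtpaToken" and scoped_ok and all(reaches.values()),
    }
```

Run it against the Set-Cookie header captured on each network path (direct and through every proxy); the one whose `reaches` entry for mail02.domain.com is False is the hop that rewrote the cookie.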
