Limitations/Problems with SSO

Although SSO between WebSphere and Domino has been available for some time, it is still an evolving effort. Both products keep acquiring new functions (e.g., Lotus Instant Messaging) and are being combined in more complex ways (e.g., WebSphere Portal Server), which sometimes results in problems with the SSO function. In this section we point out some limitations of the current implementations and some known problem areas.

  • SSO Across Domains. As mentioned previously, SSO is not possible among servers that are in different DNS domains. This is not a WebSphere or Domino limitation but a consequence of the cookie-based session sharing implemented by Web browsers: a browser returns a cookie only to hosts within the domain for which it was set, so the LTPA token cookie set by a server in one domain is never presented to a server in another. Providing SSO across domains would require a more sophisticated "front-end security proxy" such as IBM's Tivoli Access Manager product.

  • The Multiple Identities Problem. This problem occurs when the user registry established for SSO consists of both Domino and LDAP directories, and a single user is represented in both directories but under different user names (DNs). Part of the problem is the WAS limitation of not supporting LDAP referrals on user name searches. (An LDAP referral is a response to a search query that points the client to another directory.) Because of this limitation, the WAS user registry must consist of a single LDAP directory. But since Domino requires users to be defined in the Domino directory for mail routing, we are forced to use the Domino directory extended by the LDAP directory, and so to have users defined in both directories. This problem also occurs in WebSphere Portal Server configurations, and we discuss it further in that context in the section on WPS later in this chapter.

  • LTPA Token Issues. Because the LTPA token is the means of passing authenticated credentials between the servers, it must be generated and interpreted in exactly the same way by WebSphere and Domino. Problems arise when the two sides do not use the same character encoding for the user name and other text data in the token; validation then fails, especially when the user names contain non-ASCII characters. The LTPA keys and token expiration times must also be managed carefully: a token that stays valid for too long, or keys that are never changed, widen the window in which a captured token can be reused or replayed. Finally, because expiration is checked against the receiving server's clock, the clocks and time zones of all servers in the SSO domain must be synchronized; otherwise a token issued by one server may appear to the other to have expired too soon.

Because SSO relies on the same mechanisms on every platform, LDAP for the registry and LTPA for the token, there are no major differences in SSO function among the operating systems supported by WebSphere and Domino. There may, however, be quirks arising from operating system differences. For example, different systems may encode text data in different ways, which causes problems when one server interprets an LTPA token generated by another.
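The token failure modes just described (encoding mismatch, unsynchronized clocks, and tampering with a captured token) are easier to see in code. The following is an added example, not code from the book or from either product. It models a simplified LTPA-style token with an assumed layout (version marker, hex creation and expiry times, user name bytes, and a SHA-1 over the body plus a shared secret; the real formats are not reproduced here), and the functions, the shared secret, the user name, and the fixed "now" value are all constructed for the illustration. Each server encodes or decodes the user name with its own configured charset, which is where the encoding problem appears.

```python
import base64
import hashlib
import hmac

# Layout assumed for this illustration (modelled on a Domino-style LTPA token,
# but not a specification of either product's actual format):
#   4-byte version marker | creation time, 8 hex chars (seconds since epoch)
#   | expiry time, 8 hex chars | user name bytes
#   | 20-byte SHA-1 over everything before it plus the shared secret
VERSION = b"\x00\x01\x02\x03"
HEADER_LEN = 4 + 8 + 8
DIGEST_LEN = 20

SECRET = b"constructed-shared-ltpa-secret"   # constructed; in practice exported from one server, imported into the other
USER = "Jürgen Müller/Sales/Acme"             # constructed name containing non-ASCII characters
T0 = 1_060_000_000                            # fixed "now" so the scenarios are deterministic


def make_token(username, secret, created, lifetime, charset="utf-8"):
    """Issue a token as the authenticating server would, encoding the name in its own charset."""
    body = (VERSION
            + f"{created:08x}{created + lifetime:08x}".encode("ascii")
            + username.encode(charset))
    digest = hashlib.sha1(body + secret).digest()
    return base64.b64encode(body + digest).decode("ascii")


def check_token(token, secret, now, charset="utf-8", skew=0):
    """Validate as the consuming server would; returns (status, user name or None).

    `skew` is a tolerance in seconds for clock differences; 0 means the receiving
    server's clock is trusted absolutely.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return ("malformed", None)
    if len(raw) < HEADER_LEN + DIGEST_LEN or raw[:4] != VERSION:
        return ("malformed", None)
    body, digest = raw[:-DIGEST_LEN], raw[-DIGEST_LEN:]
    created = int(body[4:12], 16)
    expires = int(body[12:20], 16)
    try:
        name = body[HEADER_LEN:].decode(charset)
    except UnicodeDecodeError:
        return ("bad_encoding", None)
    # The consumer handles the name as a string and re-encodes it in its own charset
    # before recomputing the hash, so a charset mismatch between the servers shows up here.
    rebuilt = body[:HEADER_LEN] + name.encode(charset)
    expected = hashlib.sha1(rebuilt + secret).digest()
    if not hmac.compare_digest(expected, digest):
        return ("bad_signature", name)
    if now + skew < created:
        return ("not_yet_valid", name)
    if now - skew >= expires:
        return ("expired", name)
    return ("ok", name)


def forge_expiry(token, new_expires):
    """Rewrite the expiry field of a captured token without the secret (a replay/extension attempt)."""
    raw = base64.b64decode(token)
    patched = raw[:12] + f"{new_expires:08x}".encode("ascii") + raw[20:]
    return base64.b64encode(patched).decode("ascii")


def demo():
    """Scenarios from the text; returns {scenario: status}."""
    good = make_token(USER, SECRET, T0, 1800)
    return {
        "same charset, synchronized clocks":
            check_token(good, SECRET, T0 + 60)[0],
        "issuer encodes name as cp1252, consumer expects utf-8":
            check_token(make_token(USER, SECRET, T0, 1800, charset="cp1252"), SECRET, T0 + 60)[0],
        "issuer clock one hour behind consumer":
            check_token(make_token(USER, SECRET, T0 - 3600, 1800), SECRET, T0)[0],
        "issuer clock two minutes ahead, no tolerance":
            check_token(make_token(USER, SECRET, T0 + 120, 1800), SECRET, T0)[0],
        "issuer clock two minutes ahead, five-minute tolerance":
            check_token(make_token(USER, SECRET, T0 + 120, 1800), SECRET, T0, skew=300)[0],
        "captured token with expiry field extended":
            check_token(forge_expiry(good, T0 + 86400), SECRET, T0 + 7200)[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:55} -> {status}")
```

Two points are worth noticing when running it. The encoding mismatch is not always a clean failure: a cp1252 consumer given a UTF-8 token decodes "Jürgen Müller" as "JÃ¼rgen MÃ¼ller", the hash still verifies because the bytes round-trip, and the user is simply not found in the registry, so the symptom is a lookup failure rather than a token error. The `skew` tolerance is shown only to make the clock effect visible; the remedy the text recommends, synchronizing the servers' clocks and time zones, is the right fix, since a large tolerance extends the replay window just as a long expiration time does.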



IBM(R) WebSphere(R) and Lotus: Implementing Collaborative Solutions
ISBN: 0131443305
Year: 2003
Pages: 169
