Tricking SSO With Mixed Domino Servers

Gabriella Davis  11 June 2009 12:28:20
My biggest problem with configuring SSO on Domino is the requirement that all Domino servers involved use the same method for web configuration. That means that they all need to be set to use Internet Site documents, or all set not to (to use pre v6 web configuration). This is exacerbated by the fact that Sametime and Quickr servers often can't use Internet Site documents and those are precisely the servers you want to include in your SSO setup. However, last night I was talking to Paul Mooney on Skype and we were both complaining about it for the umpteenth time when I suggested we test a hack I had been mulling over and hadn't got round to trying yet.

The key is the SSO document, which specifies the "Configuration Name" you use in the Server document or for your Internet Site. The same document is used by both types of server configuration, but depending upon which type you choose, the server appears to look in either the Web Configuration view or the Internet Sites view for the list of SSO configurations it can use. The only thing that makes an SSO document appear in one view vs the other is the presence or absence of an 'organization'. If there's no organization listed, the SSO document appears in the Web Configuration view and is used by Domino servers set to use pre v6 Web Configuration. If there's an organization, then the SSO document appears in the Internet Sites view for use by servers set to use Internet Site documents (see below for what I mean).

Image:Tricking SSO With Mixed Domino Servers

So if you have 10 servers and 2 of them don't use Internet Site documents, do the following:
  1. Create your SSO document for your internet site and domain and enter your Organization. Add all 10 servers to the document and save it.
  2. Now copy and paste that document in names.nsf and edit the new copy to remove the Organization name and save it again with all 10 servers still there.
That's it. Now essentially the same document appears in both views and can be used by both types of servers. Paul tested it last night and confirmed it worked for him. I'm sure there's an unexpected side effect somewhere but as of right now I'm classifying it as 'hack that does the job' :-)
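
Because the result is two separate documents that can later be edited independently, it is worth checking that every server still finds a document in its own view and that both copies carry the same settings. The sketch below is an added example, not part of the original post or any Domino tooling: it models the view lookup as described above, and all field names, server names and values are hypothetical and constructed.

```python
import hashlib

def view_for(doc):
    # Per the post: an organization puts the document in the Internet Sites
    # view; no organization puts it in the Web Configuration view.
    return "internet_sites" if doc.get("organization") else "web_configuration"

def resolve(server, docs):
    """Return the SSO document this server would pick up, or None."""
    wanted = "internet_sites" if server["uses_internet_sites"] else "web_configuration"
    for doc in docs:
        if (view_for(doc) == wanted
                and doc["config_name"] == server["config_name"]
                and server["name"] in doc["servers"]):
            return doc
    return None

def audit(servers, docs):
    """Report servers left without a document and drift between the copies."""
    problems, groups = [], {}
    for srv in servers:
        doc = resolve(srv, docs)
        if doc is None:
            problems.append(f"{srv['name']}: no SSO document in its view")
            continue
        # Fingerprint the settings every participating server must share.
        fp = (doc["token_domain"], hashlib.sha256(doc["secret"]).hexdigest())
        groups.setdefault(fp, []).append(srv["name"])
    if len(groups) > 1:
        problems.append("copies have drifted: " + " | ".join(
            ",".join(names) for names in groups.values()))
    return problems

# Constructed sample data: field names and values are hypothetical.
ALL = ["mail1", "mail2", "sametime1", "quickr1"]
SITE_DOC = {"config_name": "LtpaToken", "organization": "Acme",
            "token_domain": ".example.com", "secret": b"constructed-key",
            "servers": ALL}
COPY_DOC = {**SITE_DOC, "organization": ""}   # step 2: same doc, org removed
DOCS = [SITE_DOC, COPY_DOC]
SERVERS = [{"name": n, "config_name": "LtpaToken",
            "uses_internet_sites": n.startswith("mail")} for n in ALL]

if __name__ == "__main__":
    for line in audit(SERVERS, DOCS) or ["all servers resolve to matching documents"]:
        print(line)
```
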

Niiiiiiiiice! Righteous hack!

Good Call Gab! Well done to you and Paul!

Very Nice.

We have been running with this setup for a couple of years now and it works perfectly.

You actually only need to list the servers that match the type of SSO document. In your example that would be 2 servers on the non-internet site web SSO configuration and 8 on the internet site web SSO configuration.

It hadn't occurred to me to simply copy over the SSO doc and remove the org! Good thinking Gab!