If your customer is using the Windows client, there's not much you can do other than use the Windows synch stuff. If your customer is using iNotes Access for Web, there is another option that's not too bad. While there are several ways to spin this based on customer requirements, it basically involves building a DSAPI filter for the Domino server. You can build it to either accept the Windows ID/pwd for authentication or add a SPNEGO (i.e. Kerberos) handshake (or LDAP, or iSeries user profile/pwd...), and then in the DSAPI filter use EIM to map from the Windows ID provided or contained in the Kerberos ticket, to the Domino ID associated with the same person. The IBM Rochester CTC has worked on similar solutions for a few customers...

Warning: Philosophy follows...

Many times the customer's underlying and unstated objective is to reduce the overall IT costs associated with managing the people that use IT resources. They assume that SSO does this by improving end-user productivity and then consider SSO the objective. This assumption causes customers to further assume that they won't get enough payback if they don't SSO enable everything for everyone. These assumptions are invalid, however, if the objective is to reduce the costs of managing the people that use IT resources.

What makes the iSeries SSO enablement much more valuable is NOT the SSO function -- SSO in and of itself just improves end-user productivity. What makes it much more valuable is the ability to eliminate passwords if you choose. Eliminating the password for even one userID significantly reduces the cost of managing that userID.

"What's the point?" you might ask. Customers will realize significant savings in IT administrative overhead even if they can't SSO enable everything!

If you can enable the standard Windows-to-iSeries interfaces for SSO AND by doing so be able to set at least some users' passwords to *NONE -- even if they still have a Domino ID and must still sign in to Notes -- the cost of managing the iSeries user profile will shrink to something fairly close to $0 (see rationale below).

Rationale: cost to manage a userID = (cost to create) + (cost to delete) + (cost to change). Of this, cost to change is the largest cost over the lifetime, and the attribute that changes more often than any other is the password. Eliminate the password and you eliminate most of the cost of managing the userID.

Also note that if the underlying goal for SSO in the first place is to reduce overall IT costs (not just to increase end-user productivity), then using SSO -- and eliminating the user profile password (i.e. password *NONE) -- for all direct accesses between Windows and iSeries, while leaving the Domino ID/pwd to manage, will still result in a significant decrease in the cost of managing those users.

Patrick Botz
Senior Technical Staff Member
Rochester CTC, eServer Security Architecture & Consulting
iSeries Security Architect
(507) 253-0917, T/L 553-0917
CTC Fax # 507-253-2070
email: botz@xxxxxxxxxx

For more information on CTC, visit our website at http://www.ibm.com/eserver/services
http://www.ibm.com/servers/eserver/services

midrange-l-bounces@xxxxxxxxxxxx wrote on 10/12/2005 08:14:01 AM:

> Chad,
>
> Thanks for the information. They don't currently use Citrix or any other
> Terminal Services so this should not be an issue. I'll check this out.
>
> Mark
>
> Mark Walter
> Senior Programmer/Analyst
> Hainey Business Systems
> (717) 718-9601 x7148
> mwalter@xxxxxxxxxxx
> http://www.hbs-inc.com
>
> ChadB@xxxxxxxxxxxxxxxxxxxx
> Sent: Wednesday, October 12, 2005 9:03 AM
> To: Midrange Systems Technical Discussion
>
> As I understand it, the Domino/Notes piece would currently be achieved
> via the Notes/Windows password synchronization feature within the Notes
> Client.
> The problem that we had with it (which was serious enough that we
> scrapped the proposition of SSO at the current time...) was that the
> Notes/Windows password synch isn't functional in a Citrix environment at
> the current time. This is a requested fix according to a source at IBM
> and an accomplished Domino consultant, but has no deadline or
> implementation date.
>
> Hello all,
>
> I have a client that wants to implement a Single Sign On solution for
> their enterprise. Their environment consists of a couple of iSeries boxes,
> Windows Domains and Lotus Notes/Domino (Version 6.x) for email. The
> iSeries/Windows parts look fairly straightforward via EIM, but not
> sure about the Domino/Notes part. Any ideas?
>
> Thanks,
>
> Mark
>
> Mark Walter
> Senior Programmer/Analyst
> Hainey Business Systems
> (717) 718-9601 x7148
> mwalter@xxxxxxxxxxx
> http://www.hbs-inc.com
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].