Usability considerations lead to the requirement of easier login processes. Where multiple servers are in use, this leads to single sign-on (SSO) techniques. Today's IT environments are increasingly heterogeneous. To implement SSO in such environments, a central authentication instance backed by a user directory is required. In the best case, users log on to this one central instance once and are thereafter authenticated to all individual systems of the IT landscape. The Lotus Domino Directory is, however, not well suited to running the central authentication of such landscapes. Nowadays central authentication systems use Microsoft's Active Directory or other LDAP directories. To ensure smooth interaction within heterogeneous IT environments, further technologies such as Apache Central Authentication Service (CAS) and a reverse proxy server are often used as well. In such a setup, the reverse proxy is connected to the corporate Active Directory and authenticates users against the information stored in the MSAD.

Single Sign On with IBM Domino Directory?

This is where the RPAuth extension for the Lotus Domino Server comes into play. With RPAuth, the HTTP authentication of a Domino server can be delegated to a trusted instance: Domino becomes able to process the additional user data that such reverse proxies add to the HTTP requests, and the requests are then processed in the context of an authenticated Domino user. No further user authentication is necessary; authentication is performed only once, at a central point. User help desk effort is concentrated at a single place, which simplifies root-cause analysis and ultimately reduces total cost.

IBM Domino and CAS?

HTTP requests are forwarded by the central server to individual applications on other systems after being enriched with additional user information. The web server receiving such a request can then use this information to execute the HTTP request in the context of the given user. Such a construct lets the user perceive the entire complex and heterogeneous IT landscape as a single system. Lotus Domino, however, has neither an interface to the Apache CAS technology nor the ability to handle the additional user identity information of a reverse proxy by default. Users who want to access their Domino mail file (iNotes) through such a corporate access point are challenged for username and password a second time. Such an additional authentication is not only annoying for the individual user; a differing username and/or password can confuse the user and easily leads to mistakes. The result is lost time and ultimately effort at the User Help Desk with correspondingly measurable costs. Even if user names and passwords are identical, the second prompt normally causes system acceptance issues, and the resulting costs are difficult to measure.

RPAuth offers a solution

RPAuth

RPAuth relies on the Domino Web server API (DSAPI). Incoming HTTP(S) requests are first checked for their origin. If the incoming request comes from a trusted source, it is checked for user data from an existing authentication. If such data is included in the request, it is used to identify the corresponding Domino user. If a unique Domino user is found in the Domino Directory, the request is first set into the context of that user and then handed over to Domino for further processing. Domino then sends an authentication cookie with its response to the user. Because this cookie is sent to the Domino server with subsequent requests, no further examination of this user's HTTP traffic is required and RPAuth does not need to take action anymore.

The lookup of users is done using the information stored in the Domino Directory. Depending on the security settings of the server, either all name variants or exactly the specified name combinations are used for matching. In this way, RPAuth can be flexibly adapted to the security and configuration needs of a company. If a user still cannot be found, functionality reverts to the usual username/password challenge. RPAuth can easily be used in a mixed mode: HTTP requests not originating from a trusted proxy host are handled as usual, and if a request comes from a trusted host but is enriched with insufficient user information, the usual authentication mechanisms apply as well.
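The decision sequence described in the two preceding paragraphs (origin check, presence of proxy-supplied user data, unique directory match, otherwise fall back to the normal challenge) can be modelled compactly. The following is an added illustration and not RPAuth's own code; the header name `X-Remote-User`, the trusted proxy addresses, the constructed directory entries and the `authenticate` function are all assumptions made for the example.

```python
"""Model of the per-request trust decision of a reverse-proxy authentication
filter such as RPAuth. Illustration only, not RPAuth's code: header name,
trusted-proxy list and directory entries are constructed assumptions."""

from ipaddress import ip_address, ip_network

# Assumption: the reverse proxy announces the authenticated user in this header.
IDENTITY_HEADER = "x-remote-user"

# Assumption: only requests from these proxy addresses may carry that header.
TRUSTED_PROXIES = [ip_network("10.0.1.10/32"), ip_network("10.0.1.11/32")]

# Constructed stand-in for Person documents in the Domino Directory.
# The two "Bob Example" entries share a ShortName on purpose (ambiguity case).
DIRECTORY = [
    {"FullName": "CN=Ann Example/O=Acme", "ShortName": "aexample",
     "InternetAddress": "ann@acme.example"},
    {"FullName": "CN=Bob Example/O=Acme", "ShortName": "bexample",
     "InternetAddress": "bob@acme.example"},
    {"FullName": "CN=Bob Example/O=Partner", "ShortName": "bexample",
     "InternetAddress": "bob@partner.example"},
]

ALL_NAME_FIELDS = ("FullName", "ShortName", "InternetAddress")


def is_trusted_source(remote_addr: str) -> bool:
    """True only when the TCP peer is one of the configured proxies."""
    try:
        addr = ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def lookup_user(name: str, fields) -> list:
    """Return every directory entry whose configured name fields equal `name`.

    `fields` plays the role of the server's security setting: all name
    variants, or exactly the specified combination of name fields.
    """
    wanted = name.strip().lower()
    return [e for e in DIRECTORY if any(e[f].lower() == wanted for f in fields)]


def authenticate(remote_addr: str, headers: dict, fields=ALL_NAME_FIELDS):
    """Decide how the filter handles one request.

    Returns ("user", <FullName>) when the request is set into that Domino
    user's context, or ("challenge", <reason>) when the request is handed to
    Domino untouched so the usual username/password challenge applies.
    """
    # 1. Origin check: the identity header means nothing from other sources,
    #    because any client could add it to its own request.
    if not is_trusted_source(remote_addr):
        return ("challenge", "untrusted source")

    # 2. The trusted proxy must actually have supplied user data (mixed mode).
    lowered = {k.lower(): v for k, v in headers.items()}
    name = lowered.get(IDENTITY_HEADER, "").strip()
    if not name:
        return ("challenge", "no identity supplied")

    # 3. The directory lookup must yield exactly one person; an ambiguous
    #    name is treated like an unknown one rather than guessed.
    matches = lookup_user(name, fields)
    if len(matches) != 1:
        return ("challenge", "user not found" if not matches else "ambiguous user")

    return ("user", matches[0]["FullName"])


if __name__ == "__main__":
    print(authenticate("10.0.1.10", {"X-Remote-User": "aexample"}))
    print(authenticate("203.0.113.5", {"X-Remote-User": "aexample"}))
    print(authenticate("10.0.1.11", {"X-Remote-User": "bexample"}))
```

The three "challenge" branches are the mixed mode the text describes: the request simply continues to Domino's normal authentication. The model also shows why the origin check comes first: an identity header is only evidence of authentication when it was written by the proxy, so the proxy deployment must be the sole path to the Domino HTTP port and must overwrite any copy of that header a client sends.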

Installation

The installation of RPAuth is quite simple. It takes only three steps, which can be carried out in a few minutes, and no change to the Domino Directory is required. Administrators can leverage the comprehensive and configurable log output, whose amount can be varied across several levels. The individual sub-functions are configured through the Domino configuration file, so maintaining and configuring the RPAuth filter is easily manageable for a Domino administrator. RPAuth is written in C, and special attention was paid to performance during development: RPAuth integrates seamlessly into the configuration options of the Domino server and causes no measurable loss of performance. We also paid attention to cross-platform compatibility, so RPAuth is easily portable to the different platforms Lotus Domino runs on. RPAuth is currently available for Windows, 32 and 64 bit. Versions for other operating systems can be created on request.