290 Enterprise Business Portals with IBM Tivoli Access Manager
Since there is not a comparable plug-in available for Domino as there is for
WebSphere Application Server and Access Manager, the access control
database in Domino is left in place. Access Manager handles the coarse-grained
decisions on the "Is this user allowed to contact the Domino server?" level.
In other respects, this solution fully utilizes the existing security architecture. No
additional components or services need to be installed.
11.5 Implementation architecture
As all employee mail is located on Domino servers, the Lotus Domino Mail
Server is the logical way to allow Web-based access to e-mail for employees.
The Access Manager base architecture, created for the WebSphere Application
Server integration, can handle the business needs and security implications of
opening Lotus Domino for Web-based access without the need for further
customization. For Lotus Domino integration, the following things need to be
addressed:
Providing single sign-on
There are two different approaches to provide a single sign-on solution, which
are discussed in 11.5.1, “Global sign-on (GSO) approach” on page 290, and
11.5.2, “Dummy password approach” on page 294. For this project, the
dummy password method was selected, because it is easier to maintain and
has better performance implications.
Delegating access control
As stated in the requirements, Lotus Domino has its own access control lists
already in place and there remains the need to manage them for Notes
client-based access. Therefore, Access Manager should be configured to
only pass on requests from users allowed to access Domino, with more
fine-grained control residing on the Domino server.
11.5.1 Global sign-on (GSO) approach
This approach uses the global sign-on feature of Access Manager to allow a
mapping of user names and passwords between Access Manager WebSEAL
and back-end servers.
In this section we discuss the implications of the GSO method particular to this
scenario. To get a broader and more detailed understanding of the GSO
method, see the IBM Tivoli Access Manager for e-Business WebSEAL
Administration Guide Version 3.9, GC23-4682, and Chapter 5, “Authentication
and delegation with Access Manager” on page 97.
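The following Python model is an added example, not code from this Redbook or from the Access Manager product. It illustrates the two layers described under "Delegating access control" together with the GSO mapping introduced above: WebSEAL first decides, from ACLs in the protected object space, whether the user may reach the Domino junction at all (traverse on every ancestor, then the requested permission on the object); a GSO resource credential then maps the Access Manager user to the identity Domino expects; finally Domino's own ACL decides the access level inside the database. All users, groups, object names, GSO credentials and ACL entries are constructed sample data, and the ACL evaluation is a simplified version of Access Manager's rules (explicit user entry, else the union of matching group entries, else any-other).

```python
"""Constructed model of WebSEAL coarse-grained access -> GSO credential lookup
-> Domino fine-grained ACL.  Every name and value below is sample data."""

# Constructed Access Manager group membership.
GROUPS = {
    "alice": {"employees", "domino-users"},
    "bob": {"employees"},                    # employee, but not cleared for Domino
    "carol": {"employees", "domino-users"},
    "dave": {"employees", "domino-users"},   # cleared, but has no GSO credential
}

# Constructed ACLs attached to nodes of the protected object space.  An ACL
# governs its node and every descendant without an ACL of its own.
# Permission letters: T = traverse, r = read.
ACLS = {
    "/WebSEAL": {"any-other": "T"},
    "/WebSEAL/portal": {"any-other": "", "group employees": "Tr"},
    "/WebSEAL/portal/domino": {"any-other": "", "group domino-users": "Tr"},
}

# Constructed GSO resource credentials: (AM user, GSO resource) -> Domino credential.
GSO_CREDS = {
    ("alice", "domino-mail"): ("Alice Example/Example", "example-password-1"),
    ("carol", "domino-mail"): ("Carol Example/Example", "example-password-2"),
}

# Constructed Domino database ACLs (Domino access levels, -Default- fallback).
DOMINO_ACLS = {
    "mail/alice.nsf": {"Alice Example/Example": "Manager", "-Default-": "No Access"},
    "mail/carol.nsf": {"Carol Example/Example": "Manager", "-Default-": "No Access"},
}


def effective_acl(obj):
    """Closest ACL on the object itself or one of its ancestors."""
    node = obj
    while node:
        if node in ACLS:
            return ACLS[node]
        node = node.rsplit("/", 1)[0]
    return {}


def permissions_for(user, acl):
    """Simplified entry matching: user entry, else union of group entries, else any-other."""
    if f"user {user}" in acl:
        return set(acl[f"user {user}"])
    perms = set()
    for group in GROUPS.get(user, ()):
        perms |= set(acl.get(f"group {group}", ""))
    if perms:
        return perms
    return set(acl.get("any-other", ""))


def webseal_allows(user, obj, perm="r"):
    """Traverse is required on every ancestor; perm on the object itself."""
    parts = obj.strip("/").split("/")
    for i in range(1, len(parts)):
        ancestor = "/" + "/".join(parts[:i])
        if "T" not in permissions_for(user, effective_acl(ancestor)):
            return False
    return perm in permissions_for(user, effective_acl(obj))


def gso_lookup(user, resource):
    """Credential WebSEAL would present to the back end, or None if none is stored."""
    return GSO_CREDS.get((user, resource))


def domino_level(domino_user, database):
    """Domino's own, fine-grained decision for a database."""
    acl = DOMINO_ACLS.get(database, {})
    return acl.get(domino_user, acl.get("-Default-", "No Access"))


def request(user, database):
    """End-to-end outcome for a Web request to a Domino database through WebSEAL."""
    obj = f"/WebSEAL/portal/domino/{database}"
    if not webseal_allows(user, obj):
        return "denied by WebSEAL"          # request never reaches Domino
    cred = gso_lookup(user, "domino-mail")
    if cred is None:
        return "no GSO credential"          # passed WebSEAL, cannot log in to Domino
    return domino_level(cred[0], database)  # Domino applies its own ACL


if __name__ == "__main__":
    for who, db in [("alice", "mail/alice.nsf"), ("bob", "mail/alice.nsf"),
                    ("carol", "mail/alice.nsf"), ("dave", "mail/alice.nsf")]:
        print(f"{who:6} -> {db}: {request(who, db)}")
```

Two points the model makes visible: a user outside the `domino-users` group is stopped at the junction and Domino never sees the request (the coarse-grained layer), while a user who is allowed through still gets only what Domino's ACL grants (carol reaches alice's mail file but lands on `-Default-`). The `dave` case shows the GSO maintenance cost mentioned in the text: WebSEAL lets the request through, but without a stored resource credential the back-end login cannot succeed.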