Community article: Authorizing Notes Client User to Web Applications via Ltpa Tokens
Added by ~Ben Kifanamaroni | Edited by ~Ben Kifanamaroni on June 9, 2011 | Version 6

Abstract
Normally, if you are using a hybrid application scheme (that is, your users access both Notes apps and web apps), they need to log in to the Domino web server each time they try to access a web application. Some companies have problems with password synchronization between the Notes password and the Internet password, and this results in a serious headache! This article is based on my blog entry about a simple solution.
Tags: XPages, Authentication, LtpaToken, SSO, Notes Client, Web Applications
Table of Contents
  • 1 The Problem
  • 2 The Purpose
  • 3 Method
    • 3.1 Architecture
    • 3.2 Redirector Agent
    • 3.3 Token Generation
    • 3.4 Launch a web app by Lotusscript
  • 4 Warnings, Compatibility and Bugs
  • 5 Security
  • 6 Credits
  

The Problem

Normally, if you are using a hybrid application scheme (that is, your users access both Notes apps and web apps), they need to log in to the Domino web server each time they try to access a web application. Considering that some companies have problems with password synchronization between the Notes password and the Internet password, this results in a serious headache!

As of version 8.5.x, we have SSO with Active Directory (SPNEGO). This is one solution, but it has problems: you need to upgrade your server and configure SPNEGO, and only Internet Explorer and certain Firefox versions will be able to use SPNEGO. In addition, some companies have multiple AD domains, which makes a SPNEGO implementation very difficult.
 

The Purpose

 

What may be the purpose of such a tool? One use may be a home page for Lotus Notes users. You may have a portal-like application listing the different applications a user may access, and some of the applications listed there may be web applications. You may also have additional interfaces built with XPages for your Notes applications (e.g. reporting), and so on.

Method

 
First, I strongly suggest reading these articles to understand LtpaToken-based SSO:

  • Domino Authentication Options
  • Session-based Authentication

Architecture

[Figure: Implementation architecture (arch.png)]

Redirector Agent

 
We first develop a general-purpose redirector. We could use a LotusScript web agent for this; I used an XPage for simplicity. It basically takes two parameters: the 'token' parameter carries the hashed LtpaToken string and the 'url' parameter is the target URL. Let's see what it does:

<?xml version="1.0" encoding="UTF-8"?>
<xp:view xmlns:xp="http://www.ibm.com/xsp/core">
    <xp:this.beforePageLoad><![CDATA[#{javascript:try {
    // Runs before the page renders: read the two query parameters,
    // hand the token to the browser as the LtpaToken cookie and redirect.
    var response = facesContext.getExternalContext().getResponse();
    var token = paramValues.get("token").toString();
    var rUrl = paramValues.get("url").toString();

    // The cookie domain must match the DNS domain of your Web SSO configuration,
    // otherwise the browser will not present the cookie to the target server.
    response.setHeader("Set-Cookie", "LtpaToken=" + token + "; domain=.somedomain.com; path=/");
    facesContext.getExternalContext().redirect(rUrl);
} catch(e) {
    _dump(e);
}
}]]></xp:this.beforePageLoad>
</xp:view>

Here, be careful with the domain parameter in the cookie setting. We could look it up from the server configuration, but there is no need to pay the cost of a lookup on every request, so type it in manually...
 

Token Generation

 
 
Now, suppose we have a Notes-based application and we need to send the user to a web application on the same server without a login. We need a token to accomplish authentication, so I developed an agent to generate a valid token.

We need to create a session token for this implementation. We will use the "session.getSessionToken()" method. Unfortunately it is not provided in the LotusScript classes, so we will use a Java agent. The code is here:


import lotus.domino.*;

public class JavaAgent extends AgentBase {

    public void NotesMain() {
        try {
            Session session = getSession();
            AgentContext agentContext = session.getAgentContext();
            Database db = session.getCurrentDatabase();

            // The caller passes an in-memory document; the result is written into it.
            Document doc = agentContext.getDocumentContext();

            try {
                // Session token for the user running the agent, valid for this server's SSO domain
                String token = session.getSessionToken(db.getServer());
                doc.replaceItemValue("token", token);
            } catch (Exception e) {
                e.printStackTrace();
                doc.replaceItemValue("ErrorLog", e.toString());
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

We need to pass the token we created back to the caller. So we are using a NotesDocument here. If anything goes wrong, we will return an error message back. 
 

Launch a web app by Lotusscript

 
Now let's look at how we use it from LotusScript:


    Dim session As New NotesSession
    Dim ws As New NotesUIWorkspace
    Dim dbcurrent As NotesDatabase
    Dim agent As NotesAgent
    Dim doc As NotesDocument
    Dim webServer As String, redirector As String, target As String, targetUrl As String

    Set dbcurrent = session.CurrentDatabase
    Set agent = dbcurrent.GetAgent("TestAuth")
    ' In-memory document used to exchange the token (or an error) with the Java agent
    Set doc = New NotesDocument(dbcurrent)

    Call agent.RunWithDocumentContext(doc)

    webServer = "https://server.somedomain.com"
    redirector = "/test/redirect.nsf/redirect.xsp"
    target = "/names.nsf"

    ' Encode both values: a raw "+" in the token would arrive at the redirector as a space
    targetUrl = webServer + redirector + "?token=" + URLEncode(doc.token(0)) + "&url=" + URLEncode(target)

    If doc.ErrorLog(0) = "" Then
        Call ws.URLOpen(targetUrl)
    Else
        Msgbox doc.ErrorLog(0)
    End If

Here '/test/redirect.nsf/redirect.xsp' is the URI of the XPage we created before, and 'TestAuth' is the name of the Java agent. We use the URLEncode function to submit the token properly; otherwise, when the token contains a "+" sign, it will be converted to a space in the redirector.
 

Function URLEncode(url As String) As String
	Dim result As Variant
	Dim tUrl As String

	' Encode the double quote first: left as-is it would terminate the formula string below
	result = Evaluate({@URLEncode("Domino"; "\"")})
	tUrl = Replace(url, {"}, result(0))

	' Let the formula engine encode the remaining characters in Domino style
	result = Evaluate({@URLEncode("Domino"; "} + tUrl + {")})

	URLEncode = result(0)
End Function
 
 
This code can be placed inside a form for testing. You can modify it to use it anywhere; for example, a common method can be created inside a script library.
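The encoding problem described above, together with the redirector's cookie-and-redirect step, as an added example in plain Node.js (this is not the article's XPage or LotusScript code): buildRedirectUrl stands in for the LotusScript caller, parseQuery models Domino's form-style decoding of query parameters (a literal '+' becomes a space), and redirect models the XPage. The host, paths and token value are constructed; the isSafeTarget check and the Secure/HttpOnly cookie flags are additions beyond what the article's redirector does.

```javascript
// Added example, not the article's own code. Models the LotusScript caller
// and the redirector XPage in Node.js so the encoding and cookie logic can be
// run offline. Host, paths and token below are constructed values.
const COOKIE_DOMAIN = '.somedomain.com'; // as hard-coded in the article's XPage

// Caller side: equivalent of the LotusScript string concatenation + URLEncode.
function buildRedirectUrl(webServer, redirector, token, target) {
  return webServer + redirector +
    '?token=' + encodeURIComponent(token) +
    '&url=' + encodeURIComponent(target);
}

// Server side: query parameters are decoded with form rules, so a literal '+'
// turns into a space before percent-decoding. A raw token therefore breaks.
function parseQuery(url) {
  const params = {};
  const q = url.indexOf('?');
  if (q < 0) return params;
  for (const pair of url.slice(q + 1).split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

// Added check: only same-site relative paths are accepted as targets, so the
// redirector cannot be used to send a user (carrying a fresh cookie) elsewhere.
function isSafeTarget(target) {
  return typeof target === 'string' &&
    target.startsWith('/') &&
    !target.startsWith('//') &&
    !target.includes('\\');
}

// The redirector itself: returns the HTTP status and headers it would emit.
function redirect(requestUrl) {
  const params = parseQuery(requestUrl);
  const token = params.token;
  const target = params.url;
  if (!token || !isSafeTarget(target)) {
    return { status: 400, headers: {} };
  }
  return {
    status: 302,
    headers: {
      // Secure and HttpOnly are additions: keep the token off plain HTTP and away from scripts
      'Set-Cookie': 'LtpaToken=' + token + '; domain=' + COOKIE_DOMAIN +
        '; path=/; Secure; HttpOnly',
      'Location': target
    }
  };
}

// Constructed token containing '+', '/' and '=' (typical of base64 tokens).
const SAMPLE_TOKEN = 'AAECAzRhYjk+/abc==';
const WEB_SERVER = 'https://server.somedomain.com';
const REDIRECTOR = '/test/redirect.nsf/redirect.xsp';

// Compare a properly encoded request with a raw one, as the article warns.
function demo() {
  const encoded = buildRedirectUrl(WEB_SERVER, REDIRECTOR, SAMPLE_TOKEN, '/names.nsf');
  const raw = WEB_SERVER + REDIRECTOR + '?token=' + SAMPLE_TOKEN + '&url=/names.nsf';
  return {
    encodedToken: parseQuery(encoded).token,   // arrives intact
    rawToken: parseQuery(raw).token,           // the '+' has become a space
    response: redirect(encoded)
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The raw request shows exactly the failure the article warns about: the token that reaches the cookie is no longer the token the Java agent produced, so the target server rejects it. The target check matters because the redirector is the one place where a valid token is attached to the browser; restricting it to same-site paths keeps that step from being pointed at another host.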
 

Warnings, Compatibility and Bugs

 
Now, before finishing: this code will not run properly out of the box :) We should include some warnings...
  
First of all, it goes without saying that you have to be using multi-server SSO and your configuration must already be working properly. This will work in 8.5.2. If you are using 8.5.1, the 'RunWithDocumentContext' method does not exist; instead, use a real (saved) document rather than an in-memory one and pass its NoteID to the agent. Remember to delete the temporary document after you're done.

Another warning concerns bugs. There are important bugs in the 'getSessionToken' method.

1. If you are using Internet Site documents, getSessionToken does not look them up. I have a workaround: duplicate your 'Web SSO Configuration' document and clear the 'Organization' field on the copy. It seems crazy, but it works! It is important to duplicate it; creating a second one from scratch will not work, because it must contain the same keys...

2. This one is funnier. Your Web SSO Configuration document must be named LtpaToken... Yes, you heard it. Using any other name will fail, because the method looks it up by this name :)

If you ignore these two bugs, you will end up with the error message "Single Sign-On configuration is invalid" from the Java agent.

One word about performance. This Java agent is expensive for the Notes client, so if you intend to call it multiple times in a short period, you may want to cache the token.
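One way to do the caching just mentioned, as an added example that is not part of the article: a small cache that reuses a token per user and server until it is about to expire, so the stand-in for the Java agent (the injected generate function) runs only when needed. The TTL value, the clock function and the token strings are assumptions; in a real deployment the TTL must stay below the token expiration set in the Web SSO Configuration document, otherwise the cache would hand out tokens the web server no longer accepts.

```javascript
// Added example, not from the article: TTL cache in front of an expensive
// token generator. 'generate' stands in for running the Java agent.
class TokenCache {
  // generate: (user, server) -> token string
  // ttlMs: how long a cached token is reused; keep it shorter than the SSO expiration
  // now: clock function, injectable so the behaviour can be tested offline
  constructor(generate, ttlMs, now = () => Date.now()) {
    this.generate = generate;
    this.ttlMs = ttlMs;
    this.now = now;
    this.entries = new Map();
    this.generations = 0; // how often the generator actually ran
  }

  key(user, server) {
    return user + '@' + server;
  }

  // Return a cached token if it is still inside the TTL, otherwise generate a new one.
  getToken(user, server) {
    const k = this.key(user, server);
    const hit = this.entries.get(k);
    if (hit && hit.expires > this.now()) return hit.token;
    const token = this.generate(user, server);
    this.generations++;
    this.entries.set(k, { token: token, expires: this.now() + this.ttlMs });
    return token;
  }

  // Drop a user's token, e.g. on logout or after the web server reported it invalid.
  invalidate(user, server) {
    this.entries.delete(this.key(user, server));
  }
}

// Constructed scenario: a fake clock advances past the TTL between calls.
function demoCache() {
  let clock = 0;
  let calls = 0;
  const cache = new TokenCache(
    (user) => { calls++; return 'tok-' + user + '-' + calls; }, // constructed token values
    5 * 60 * 1000,                                             // assumed 5 minute TTL
    () => clock
  );
  const a = cache.getToken('Ben', 'server');
  clock += 60 * 1000;
  const b = cache.getToken('Ben', 'server'); // one minute later: reused
  clock += 5 * 60 * 1000;
  const c = cache.getToken('Ben', 'server'); // past the TTL: regenerated
  return { a: a, b: b, c: c, calls: calls };
}

console.log(demoCache());
```

The TTL is deliberately independent of the token's own expiration: the cache only decides when to run the agent again, and a token can still be rejected earlier by the web server (for example after the Web SSO configuration changes), which is what invalidate is for.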
 

Security

 
 
The getSessionToken() method provides a valid session token for the user who executes the agent, so the authenticated web user will be the user who signed into the Notes client.

This method has a security problem with sniffers. The token is loaded into the browser's session cookies. Normally session cookies are safe over SSL connections. However, we are submitting the token to the redirector in a GET request, which exposes it even over SSL connections. We have two alternatives:

- The token should be sent to the redirector with a POST request over an SSL connection. I couldn't find a method for this in LotusScript.
- The second alternative may be to encrypt the token with a temporary key created by the sending user.
 

Credits

 
I blogged about this method on LotusNotus (also available in Turkish). I adapted the method from Tim Tripcony.
