How to create your own LTPA session cookie

Lotus Domino uses LTPA as the authentication technology for single sign-on. LTPA involves creating a session cookie that can be used to achieve single sign-on across several servers.

LTPA can also be used together with a reverse proxy: the proxy authenticates the user and then forwards the request to the backend Lotus Domino servers, sending an LTPA session cookie along with the HTTP request so that Domino accepts the user as already authenticated. The Tivoli Access Manager WebSEAL reverse proxy can do just that and supports LTPA.

However, if you use a product that does not support LTPA, then you have to create the LTPA cookie yourself. Daniel Lehtihet has provided the details on how to create an LTPA session cookie in the Domino Experts forum – and Miha Vitorovič from NIL Data Communications has extended this to create a Java library with all the necessary code. In short, an LTPA session cookie consists of the following (with some SHA-1 and Base64 magic on top):

  • LTPA token version
  • Creation time
  • Expiration time
  • User name
  • Domino server secret
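As an added example (not code from the post or from the Java library mentioned above), here is a Python reimplementation that both builds and verifies such a token, so you can see what the "SHA-1 and Base64 magic" protects and what it does not. The byte layout is assumed from the publicly described Domino LTPA format: a four-byte version header, creation and expiration times as eight uppercase hex characters each, the user name, then a SHA-1 digest over those fields plus the base64-decoded server secret, the whole thing base64-encoded; the secret below is a constructed sample, not a real LTPA_DominoSecret.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret; a real deployment uses the base64 LTPA_DominoSecret
# from the Domino SSO configuration document. Anyone holding it can mint tokens.
SAMPLE_SECRET_B64 = "c2FtcGxlLWRvbWluby1zZWNyZXQ="  # base64("sample-domino-secret")

LTPA_VERSION = b"\x00\x01\x02\x03"  # assumed Domino LTPA v1 version header


def make_ltpa_token(user, secret_b64, created=None, lifetime=1800):
    """Build an LtpaToken value: base64(version | created | expires | user | sha1)."""
    created = int(time.time()) if created is None else created
    expires = created + lifetime
    body = (LTPA_VERSION
            + f"{created:08X}".encode("ascii")   # seconds since epoch, 8 hex chars
            + f"{expires:08X}".encode("ascii")
            + user.encode("utf-8"))
    # The digest covers the visible fields plus the secret; nothing is encrypted,
    # so the user name and timestamps are readable by anyone who holds the cookie.
    digest = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    return base64.b64encode(body + digest).decode("ascii")


def verify_ltpa_token(token, secret_b64, now=None):
    """Return the user name if the token is well-formed, unexpired and authentic, else None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 4 + 8 + 8 + 1 + 20 or raw[:4] != LTPA_VERSION:
        return None
    body, digest = raw[:-20], raw[-20:]
    expected = hashlib.sha1(body + base64.b64decode(secret_b64)).digest()
    if not hmac.compare_digest(digest, expected):  # constant-time comparison
        return None
    try:
        created, expires = int(body[4:12], 16), int(body[12:20], 16)
    except ValueError:
        return None
    if not (created <= now < expires):  # reject expired or not-yet-valid tokens
        return None
    return body[20:].decode("utf-8")
```

The verifier rejects a token whose digest was computed with a different secret, whose fields were altered after signing, or whose expiration time has passed; the version header and time fields are checked before the user name is trusted.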

I am currently on a project where we plan to use an F5 BIG-IP application delivery controller to (among many other things) authenticate and load balance HTTP requests against backend Lotus Domino servers. The solution will involve forwarding an authenticated user to the Lotus Domino server, and this is where creating your own LTPA session cookie comes into play. I plan to use the F5 iRules control language to create an LTPA session cookie once a user has been authenticated and then send this LTPA session cookie along with the HTTP requests to the Lotus Domino server.