
Trap a call to URL; pass log-in ID to Domino

We have a Windows 2000 box, running IIS 5x in the DMZ. Users sign in with a user ID and password that is defined as a local Windows user to a Web site -- https://xxxxx.xxxx.com. We want to take that ID (that belongs to a particular Windows group) and send it to a Domino backend application server -- using a different ID. It can be a Windows ID and/or a Domino ID.

We think we know how to trap a call to a particular URL and pass a logged in ID to Domino by using a plug-in that IBM provides that is loaded on the IIS server (WebSphere Application Server plug-in for Domino). The question is, can we change the login on the IIS box after the user logs in to another ID and passes to the Domino HTTP server? The proxy/single sign-on (SSO) method that we think we can use is the one I mentioned above (IBM plug-in).

There may also be a method defined by IBM/Lotus called DSAPI (Domino Web Server API). We believe the DSAPI allows us to change the user like we want, but we don't have a lot of C expertise.

I found most of what I know regarding proxy, SSO, etc., in the Lotus Security Handbook. I have searched the IBM, Microsoft and Domino third-party Web sites for information and haven't found anything yet.

Can you offer any advice?

That's correct, you can trap a call to a particular URL and pass a logged in ID to Domino. The WebSphere plug-in for Domino is written as a Domino Server API (DSAPI) plug-in, which is a documented interface for intercepting URL requests. IIS has a similar plug-in concept called ISAPI which can be used similarly to intercept URLs.

Regarding changing the login on the IIS box after the user logs in to another ID and passes to the Domino HTTP server -- this seems like a question that is best suited for a Microsoft-oriented message board. It has to be possible, but I'm not sure about what the overall negative consequences of doing so might be.

I am assuming that you're referring to the Lightweight Third-Party Authentication (LTPA) mechanism that IBM provides for SSO. You can indeed implement your own LTPA mechanism but this may result in an unsupported configuration from both IBM and Microsoft -- not a good place to be in.

I suggest running a Web search on "Writing DSAPI Filters"; I found a number of resources that provide further information about how DSAPI works and how to create DSAPI filters.
