
Secure and seamless integration of iNotes, Sametime and Quickr

Use these instructions to set up a seamless and secure integration of iNotes, Quickr and Sametime. Doing so allows users to sign on to any of the three servers and navigate to the others without logging in again.

This tip will outline how to configure SSL and SSO on a Domino server so that when a user logs into their iNotes client, they're also automatically and securely logged into Sametime and Quickr. I highly recommend reviewing how to configure SSL in your Notes/Domino environment with a separate CA first, as this article will examine how to use a working SSL certificate and SSO to perform the aforementioned process.

Get SSL working first

Once you have your SSL certificate and get it merged correctly, use the following steps to configure your server to use the certificate for secure HTTP/HTTPS communication.

Note: These steps assume that this is for a single site and that you're not using Internet Site documents. It also assumes that either an unlimited subdomain was acquired for all servers or that individual SSL certificates were purchased for each server involved in this setup.

  1. Copy the KYR and STH files for the SSL certificate to the DATA directory on the server.
  2. Open the server document for the server that SSL will be enabled on and edit the document.
  3. Go to the Ports tab, then the Internet Ports sub-tab.
  4. In the SSL key file name field at the top, specify the full name (not the full path) of the KYR file you copied to the Domino server.
  5. Specify any other SSL settings you want for this SSL configuration, then click Save & Close.

For the new SSL configuration to work, you must restart the HTTP task on your server. Once you've restarted the HTTP task, test it by connecting to a database using an HTTPS URL.

Configure SSO for this and other servers in your domain

There are three main steps to configuring SSO on a server:

  1. Configure server(s) to manage HTTP from Internet Site documents

    Configuring a server to use Internet Site documents is as easy as editing the Server document. On the Basics tab there is a field called Load Internet configuration from Server\Internet Site documents. Set that field to Enabled.

    Note: When configuring your server, there are a few things you should be aware of. After you make this change, go to Ports > Internet Ports and look at the Web sub tab. Many of the settings are now hidden, as they're no longer driven off of the Server document; an Internet Site document must be configured to handle them. Also, go to Internet Protocols > HTTP; you'll notice something similar: missing options. The Internet Protocols > Domino Web Engine tab also now has hidden fields.

    To summarize, making this change will impact the server's HTTP configuration where the change is made. That's where the Internet Site documents come in.

  2. Establish an SSO Site Document for your Domino domain

    First you need to configure a special Internet Site document for the SSO configuration, as it will be used by each of the other Internet Site documents for SSO. In order to create this document, use the Create Web SSO Configuration action button in the Internet Sites view of your Domino Directory. There's only one page that needs to be filled out on this document for it to work.

    The following recommendations are based on the idea that you'll be using Domino as the Authentication Authority:

    Domino Organization Unit of names

    DNS Domain

    Null (will change after org is entered

    Proper DNS Domain (

    Map names in LTPA Tokens

    • Require SSL Protected communication (HTTPS): If everything is secured, choose Enabled.
    • Restrict use of the SSO Token to HTTP/HTTPS: If all communications to this server that require authentication require HTTP/HTTPS, choose Enabled.
    • Domino server names: Select every server that uses the SSO feature; in this example, that is the three servers: your iNotes, Sametime and Quickr servers.
    • Windows single-sign on integration (if available)
    • Expiration (minutes): This is the lifetime of the token, not an inactivity limit. Set it to about as long as a user is likely to work in a day (600 minutes or so), then use the next two settings to control inactivity.
    • Idle session timeout: Check Enabled. That way, if a user is inactive for the number of minutes given in the next setting while the token is still valid, the token ends and the user has to log in again.
    • Minimum Timeout (minutes) (only shown if Idle session timeout is checked as Enabled): Whatever idle timeout you want. A common setting seems to be 60 minutes.

  3. Create Internet Site documents for the servers and configure them to use SSO for authentication

    Thus far we've configured all the involved servers to use Internet Site documents for their configuration. We've also created our SSO configuration document for this domain, so that these servers can share log-in credentials. This final step is the most critical. We need to ensure that each of the Internet Site documents is configured for SSO.

    First, create Web Site Internet Site document(s) for the iNotes, Sametime and Quickr servers. Add them from the Web navigator/outline in the Domino Directory, then select the Internet Sites sub navigator/outline.

    Configure the following HTTP/HTTPS communications-related items with your Domino server:

    • Mapping rules
    • File system compression settings
    • Domino Web Engine settings removed from the server document
    • HTTP/HTTPS security settings that were removed from the server document

    These documents need to be created for each server involved in SSO. You may need one for the iNotes server, one for the Sametime server and one for the Quickr server.

Basics tab

• Descriptive name for this site: Whatever you want to identify it. I used IM Server, iNotes Server and Quickr Server.
• The same organization name you put for the SSO document in the previous step.
• Use this website to handle requests: Leave as No unless this is the "default" Site document for your entire Domino environment.
• Host names or addresses mapped to this site: Use the FQDN and/or the IP Address(es) for this server.
• Domino servers that host this site: You can set a limited list of servers or leave * for all Domino servers in your domain.

Configuration tab

Make sure the settings are appropriate for the server you're configuring the Internet Site document for. These fields are normally on the Server document, under the Internet Protocols tab, on the HTTP sub tab. Remember that the areas become hidden once you configure a server to use the Internet Site documents.

Domino Web Engine tab

The settings on this tab were originally found on the Server document under the Internet Protocols tab and the Domino Web Engine sub tab. For the sake of this discussion, only the top four fields are important. This is where we tell the server using this Internet Site document to use SSO for cross-server authentication.

• Session Authentication: Multiple Servers (SSO)
• Web SSO Configuration: LtpaToken (unless you named it something else in an earlier step, then whatever you named the token)
• Force Login on SSL: Depends on your needs. If you host Anonymous as well as Authenticated apps, it is probably best to leave this as No. If all apps are Authenticated and SSL is configured, Yes might be the best choice, as it would force all SSL communications to require a login.
• When overriding session authentication, generate session cookie: Leave as Yes.

Security tab

These settings were originally found on the Server document under the Ports tab, then the Internet Ports sub tab. For the sake of this discussion, the settings that matter here are the ones pertaining to SSL. Make certain that the Key file name field under the SSL Options section points to the appropriate SSL key file. In the SSL Authentication section, above SSL Options, also make sure that the appropriate settings for SSL authentication have been set.
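To check the result of the steps above, the following added example (not part of the original article) audits the Set-Cookie header a server returns after login: the cookie's domain must cover all three servers, and the token should be limited to HTTPS and hidden from page scripts. The host names, sample headers and function names are constructed for illustration, and it assumes that Require SSL Protected communication (HTTPS) and Restrict use of the SSO Token to HTTP/HTTPS appear on the cookie as the Secure and HttpOnly attributes.

```python
from http.cookies import SimpleCookie

# Constructed sample data: placeholder host names and token values.
SSO_HOSTS = ["inotes.example.com", "sametime.example.com", "quickr.example.com"]
GOOD = "LtpaToken=CONSTRUCTEDVALUE; domain=.example.com; path=/; secure; HttpOnly"
WEAK = "LtpaToken=CONSTRUCTEDVALUE; domain=inotes.example.com; path=/"


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the domain or is a subdomain of it."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def audit_sso_cookie(set_cookie, hosts, name="LtpaToken"):
    """Return a list of findings; an empty list means no problem was found."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"no {name} cookie in the response"]
    morsel = jar[name]
    findings = []
    domain = morsel["domain"]
    if not domain:
        # Host-only cookie: the browser returns it only to the issuing server.
        findings.append("no Domain attribute, token is not shared across servers")
    else:
        for host in hosts:
            if not domain_matches(host, domain):
                findings.append(f"{host} is outside cookie domain {domain}")
    if not morsel["secure"]:
        findings.append("Secure missing, token may travel over plain HTTP")
    if not morsel["httponly"]:
        findings.append("HttpOnly missing, token is readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, header in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_sso_cookie(header, SSO_HOSTS) or "OK")
```

Paste the Set-Cookie value from a real login response (browser developer tools show it) in place of the constructed samples, and list your own three server names in SSO_HOSTS.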

About the author: Michael "Mike" Kinder is a senior application developer and administrator with 15+ years of experience in the Lotus Notes/Domino environment, including work with BlackBerry, Barracuda, Sametime, Quickr, and integration with other systems. He is hard at work on the e-Mail Assistant. Mike can be reached at [email protected].
