Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Help me set the price for a new NCT Product -- NCT Auto Login for Domino will debut later this month

By Andrew Pollack on 07/14/2005 at 06:26 PM EDT

Your parent company has a website with a secure area for your customers and distributors. It's run by the parent company I.T. center in B.F.E. You've put together a private site in Domino that is specific to the products made by your division in Cool City. The parent company's IT guy reluctantly gives his blessing to the site, mostly because it would cost him hundreds of thousands of dollars to do what you did in Domino in three days, but requires you to accept login information from them -- not prompt for another username.

This is something I've needed any number of times when dealing with complex web sites. The problem with most "Single Sign On" solutions is that they require you to fully participate in them on both sides, often to the exclusion of any other single sign on solutions. Sure, it works fine for internal sites with compatible servers -- like you maybe have some Websphere and some Domino, or if you're willing to play with the stack -- like running Domino with an IIS front end. The other problem with them is that they crash. A lot.

NCT Auto Login for Domino will be the answer to those questions, and does not require a DSAPI filter. All you need is a single library added to the Domino program directory and a LotusScript library placed in any database, which can then be used to generate Domino LTPA tokens matching the session-based login schema you've defined for that server. You make a simple call within your LotusScript agent and get the token in whatever name you need.

In the case of the example above, the parent company creates a page, or a Perl script, or whatever -- that generates a URL to your side which includes a 'token' on the URL. That URL points to an agent on your server which creates an LtpaToken, sets it in a cookie on the user's browser, and redirects the user to whatever page you want on your side -- where he will already be logged in. You could even have the agent be a generic redirector, including two parameters -- one for the user's name, and the other with the actual target URL to point the user to once he's logged in to Domino.

Ready to integrate with other systems, out of the box

The product includes code and a fully documented schema for passing user information to and from remote sites in a secure manner. This is a schema similar to one that I have had in continuous use at customer sites for several years. It is tried and true, and has proven compatible with sites built on IIS, Apache, Websphere, BEA, and whatever Oracle's product is. You don't have to use this schema, but you'll want to. It defines the creation of a token which contains the user name and a timestamp in a packet encrypted with Blowfish -- an industry-standard encryption algorithm. The product includes a well-tested Blowfish implementation for LotusScript, and documented compatible examples for Java and Perl which can be given to your partner sites for their end. The schema clearly spells out how to include a timestamp so that the encrypted packet cannot be bookmarked or shared with others, as it will become useless after a few minutes.
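The receiving-side checks for a timestamped login token and the generic redirector described above, as an added example that is not NCT's code or schema. The product encrypts its packet with Blowfish and the page does not give the packet layout, so this example swaps in an HMAC-SHA256-authenticated packet from Python's standard library; the key, field layout, five-minute window and all function names are assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlsplit

SHARED_KEY = b"constructed-demo-key"   # constructed; agreed out of band in practice
MAX_AGE = 300                          # assumed reading of "a few minutes"
MAX_SKEW = 30                          # assumed tolerance for clock drift

def _enc(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(payload):
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()

def issue_token(user, target, now=None):
    """Sending site: bind user name, issue time and target under one MAC."""
    if "\n" in user or "\n" in target:
        raise ValueError("newline not allowed in fields")
    issued = int(time.time() if now is None else now)
    payload = f"{user}\n{issued}\n{target}".encode()
    return _enc(payload) + "." + _enc(_mac(payload))

def safe_target(target):
    """Allow only same-site absolute paths, so the redirector cannot be
    pointed at another host."""
    if not target.startswith("/") or target.startswith("//") or "\\" in target:
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc

def accept_token(token, now=None):
    """Receiving agent: return (user, target) or raise ValueError."""
    now = time.time() if now is None else now
    body, _, tag = token.partition(".")
    payload = _dec(body)
    if not hmac.compare_digest(_dec(tag), _mac(payload)):
        raise ValueError("bad signature")
    user, issued, target = payload.decode().split("\n")
    age = now - int(issued)
    if age > MAX_AGE or age < -MAX_SKEW:
        raise ValueError("token expired or not yet valid")
    if not safe_target(target):
        raise ValueError("redirect target not allowed")
    return user, target
```

A token stays replayable until the window closes; the example does not track tokens it has already accepted.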

Simple and Stable -- No DSAPI Filter Needed

DSAPI filters are powerful things indeed. They are also very difficult to write (well) and maintain. Instead of a DSAPI filter, NCT Auto Login for Domino uses a simple LotusScript call when needed to the external library. This has a major advantage over the use of a DSAPI filter. Those filters are running all the time. They are active during every single page or image request, thousands of times during the session of a single user. NCT Auto Login is called only one time per session when it's needed, then goes away. This is an advantage in stability and performance.

So how much should I sell it for?

A single license will cover operation on one server, which really means that Domino server and all the Domino and Websphere servers using the same LtpaToken. I wouldn't expect to sell more than one copy to most companies. The package includes the library and the script to call it, a full-blown implementation ready to use out of the box, a full set of documentation ready to hand over to the other site administrators -- including samples in other languages, and a fully tested Blowfish implementation.

I'm thinking of selling it for $3500. What do you think?



My own thoughts on this are... By Richard Schwartz on 07/14/2005 at 08:41 PM EDT
Is that per server? Per processor? Per cluster? Per organization?

By nature, it's per shared login environment -- By Andrew Pollack on 07/14/2005 at 08:50 PM EDT
You only need one running on a single server to cover all the Domino and/or
Websphere servers that are using the same LtpaToken configuration.

I also never charge a second license for a failover server for any of my
products, so if you have two machines acting as failover for one another, you
still only need one copy of the product.

My own thoughts on this are... By Richard Schwartz on 07/14/2005 at 11:09 PM EDT
Then that's a very reasonable cost. Very reasonable. I can provide you a case
study on a custom DSAPI solution for one customer that cost far more.

-rich

Demo? By Greg Walrath on 07/26/2005 at 01:03 PM EDT
Will there be a demo version of this available? I've got dotNSF's solution, but
that's an IIS-side solution, and requires quite a bit of fiddling. Aside from a
custom DSAPI solution, it's all I could find.

Also, will this product work on Linux and/or zLinux?

Hi Greg, yes. Demo soon -- initially win32 only. By Andrew Pollack on 07/26/2005 at 01:09 PM EDT
I'll probably have a demo online within the week. Initially, it will be win32
only, though I'll consider a linux version as well depending on the number of
requests.

Keep in mind that a single win32 server could do the job and once the token is
created all the domino servers with the same sso configuration will accept it.

Thanks. By Greg Walrath on 07/26/2005 at 01:21 PM EDT
"Keep in mind that a single win32 server could do the job and once the token is
created all the domino servers with the same sso configuration will accept it."

Yeah, but I may end up with all my public access servers on Linux, so that may
not help.

Thanks.

The cool thing is you may not need to expose the box. By Andrew Pollack on 07/26/2005 at 01:35 PM EDT
The un-hidden part of the code will be where you take the token string and
assign it to the cookie on the browser. You could pre-create tokens, you could
call out with java or lotusscript to another server to get a token, and lots of
other options.

Quick Question. By Ben Rose on 07/29/2005 at 03:01 AM EDT
I'm not a web developer and never pretended to be so I'm going to ask a basic
question for the sake of the audience :O)

Am I right in thinking that this product would enable our Windows authenticated
IIS based intranet to have an iNotes webmail link that didn't require people to
authenticate with the Domino server after the redirection?

So, effectively, all Domino web applications accessed via the intranet would be
SSO?

Cheers,

Ben

