Your parent company has a website with a secure area for your customers and distributors. It's run by the parent company's I.T. center in B.F.E. You've put together a private site in Domino that is specific to the products made by your division in Cool City. The parent company's IT guy reluctantly gives his blessing to the site mostly because it would cost him hundreds of thousands of dollars to do what you did in Domino in three days, but requires you to accept login information from them -- not prompt for another username.
This is something I've needed any number of times when dealing with complex web sites. The problem with most "Single Sign On" solutions is that they require you to fully participate in them on both sides, often to the exclusion of any other single sign on solutions. Sure, it works fine for internal sites with compatible servers -- like you maybe have some Websphere and some Domino, or if you're willing to play with the stack -- like running Domino with an IIS front end. The other problem with them is they crash. A lot.
NCT Auto Login for Domino will be the answer to those questions, and does not require a DSAPI filter. All you need is a single library added to the Domino program directory and a LotusScript library placed in any database, which can be used to generate Domino LTPA Tokens matching the session-based login schema you've defined for that server. You make a simple call within your LotusScript agent and get the token in whatever name you need.
In the case of the example above, the parent company creates a page, or a Perl script, or whatever -- that generates a URL to your side which includes a 'token' on the URL. That URL points to an agent on your server which creates an LtpaToken, sets it in a cookie on the user's browser, and redirects the user to whatever page you want on your side -- where he will already be logged in. You could even have the agent be a generic redirector, including two parameters -- one for the user's name, and the other with the actual target URL to point the user to once he's logged in to Domino.
Ready to integrate with other systems, out of the box
The product includes code and a fully documented schema for passing user information to and from remote sites in a secure manner. This is a schema similar to one that I have had in continuous use at customer sites for several years. It is tried and true, and has proven compatible with sites built on IIS, Apache, Websphere, BEA, and whatever Oracle's product is. You don't have to use this schema, but you'll want to. It defines the creation of a token which contains the user name and a timestamp in a packet encrypted with Blowfish -- an industry standard encryption algorithm. The product includes a well tested Blowfish implementation for LotusScript, and documented compatible examples for Java and Perl which can be given to your partner sites for their end. The schema clearly spells out how to include a timestamp so that the encrypted packet cannot be bookmarked or shared with others as it will become useless after a few minutes.
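The checks a receiving agent needs for a token like this, and for the generic redirector's target URL described earlier, sketched as an added example that is not NCT's code or schema. The product's Blowfish packet format is not reproduced on this page, so HMAC-SHA256 from the Python standard library stands in for it (the token is authenticated but the user name is not hidden); the key, host name, 300-second window and function names are all assumptions.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlsplit

SHARED_KEY = b"constructed-demo-key"    # constructed; a real key is agreed out of band
MAX_AGE_SECONDS = 300                   # "a few minutes"; the exact window is an assumption
ALLOWED_SKEW = 30                       # tolerated clock drift between the two sites
ALLOWED_HOST = "division.example.com"   # hypothetical name of the Domino site

def make_token(user, now=None, key=SHARED_KEY):
    """Partner side: pack user name and timestamp, then authenticate the packet."""
    ts = int(time.time() if now is None else now)
    payload = f"{user}|{ts}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(tag + payload).decode()

def check_token(token, now=None, key=SHARED_KEY):
    """Receiving agent: return the user name, or None if forged, malformed or stale."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    tag, payload = raw[:32], raw[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        user, ts_text = payload.decode().rsplit("|", 1)
        ts = int(ts_text)
    except ValueError:
        return None
    age = (time.time() if now is None else now) - ts
    if age > MAX_AGE_SECONDS or age < -ALLOWED_SKEW:
        return None                              # bookmarked, shared or future-dated link
    return user

def safe_target(url):
    """Redirect only to a local path or our own https host; otherwise the home page."""
    if "\\" in url:                              # browsers read backslash as a slash
        return "/"
    parts = urlsplit(url)
    if url.startswith("/") and not url.startswith("//") and not parts.netloc:
        return url
    if parts.scheme == "https" and parts.hostname == ALLOWED_HOST:
        return url
    return "/"
```

The agent would issue the LtpaToken and redirect to `safe_target(...)` only when `check_token` returns a user name.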
Simple and Stable -- No DSAPI Filter Needed
DSAPI filters are powerful things indeed. They are also very difficult to write (well) and maintain. Instead of a DSAPI filter, NCT Auto Login for Domino uses a simple LotusScript call when needed to the external library. This has a major advantage over the use of a DSAPI filter. Those filters are running all the time. They are active during every single page or image request, thousands of times during the session of a single user. NCT Auto Login is called only one time per session when it's needed, then goes away. This is an advantage in stability and performance.
So how much should I sell it for?
A single license will cover operation on one server, which really means that Domino server and all the Domino and Websphere servers using the same LtpaToken. I wouldn't expect to sell more than one copy to most companies. The package includes the library and the script to call it, a full blown implementation ready to use out of the box, a full set of documentation ready to hand over to the other site administrators -- including samples in other languages, and a fully tested Blowfish implementation.
I'm thinking of selling it for $3500. What do you think?