1. CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS
Gabriella Davis
gabriella@turtlepartnership.com
The Turtle Partnership
2. BACKGROUND
Hopefully you saw my presentation yesterday, where we talked about the difference between Single Sign On options.
Today we are going to look at the technical components to get your Notes, iNotes and Traveler clients logging in with minimal fuss.
3. WHO AM I?
Gab Davis
Administrator, Problem Solver, Stubborn Fixer of Things
Working with IBM technologies and all the things surrounding and integrating with those
Based in London, about half the time
4. SOME HOWTOS… (FROM EASY TO HARD)
Notes Shared Logon
Configure LDAP Authentication
Configure Kerberos / SPNEGO / IWA for single sign on
Configure SAML
6. WHAT DOES IT DO?
Removes the password from your Notes ID
No password - no problem
Isn’t that a huge security problem?
7. NOTES SHARED LOGON EXAMPLE
Steps:
Step 1: User logs into Windows
Step 2: User launches Notes and is prompted for the vaulted ID password
Step 3: Notes downloads the vaulted ID to the file system
Step 4: Notes removes the ID’s password and encrypts the ID with the user’s Windows credentials
Step 5: Every time the user logs into Notes from that machine, the ID with no password is decrypted for use
8. WHAT DOES IT NEED?
IDVault
Simple authentication only: no smartcards, dual passwords, retina scans etc.
Windows OS
9. HOW DO I SET IT UP?
Start with an IDVault (you know how to do that, right?)
There’s no client side configuration at all
Use the security policy to enable Notes Shared Logon
11. MACHINE SPECIFIC FORMULA
@GetMachineInfo([Keyword]; "text string where required")
IsLaptop: boolean, returns True if the machine is a laptop, otherwise False
IsDesktop: boolean, returns True if the machine is NOT a laptop, otherwise False
IsMultiUser: boolean, returns True if the machine has the Notes client installed as Multi-User, otherwise False
HasDesigner: boolean, returns True if the machine has the Designer client installed, otherwise False
HasAdmin: boolean, returns True if the machine has the Admin client installed, otherwise False
IsStandard: boolean, returns True if the machine is running the Standard Notes client, otherwise False
http://www-01.ibm.com/support/docview.wss?uid=swg21501673
12. WHAT DOESN’T IT DO
No password sync from Notes to Domino HTTP
No Citrix
No USB data
No Roaming profiles (well you can roam if you don’t roam)
More: http://bit.ly/1t50Adx
14. WHAT DOES IT DO?
It’s not SSO but it can be single password
No password synchronisation
Login to any HTTP service, including Traveler, using an LDAP password (such as AD)
Remove Domino HTTP Password entirely if you want
Works from anywhere, any device
15. LDAP AUTHENTICATION EXAMPLE
Steps:
Step 1: User tries to log into iNotes using their LDAP (AD) password
Step 2: Domino checks if the password matches the HTTP password in the person document
Step 3: On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance
Step 4: The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated
Step 5: Domino uses the credentials it was sent to grant the user access to the service / application
16. WHAT DOES IT NEED?
An LDAP server
A Directory Assistance document wherever you want to authenticate (for Traveler this would just be on the Traveler server)
MSSO
An attribute in LDAP that contains the user’s hierarchical name
Keeping the attribute in sync… (TDI will do that easily)
17. HOW DO I SET IT UP?
LDAP
attribute containing
Notes DN
Filter
LDAP search to
restrict
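An added example, not from the presentation: an audit of the AD attribute that Directory Assistance maps to the Notes hierarchical name, so that empty, malformed or duplicated values are found before users hit a failed or ambiguous login. The attribute name, search base and Notes organisation are assumptions.

```powershell
# Added example (not from the presentation): audit the AD attribute that Directory
# Assistance maps to the Notes hierarchical name. Attribute name, OU and Notes
# organisation are placeholders; adjust to whatever TDI keeps in sync.
Import-Module ActiveDirectory
$NotesDnAttribute = 'extensionAttribute1'
$SearchBase       = 'OU=Staff,DC=corp,DC=example,DC=com'
$NotesOrg         = 'Turtle'   # expected /O= component of every Notes DN
# Abbreviated Notes hierarchical name: CN=First Last/OU=Site/O=Org (no spaces around the slashes)
$NotesDnPattern   = "^CN=[^/=]+(/OU=[^/=]+)*/O=$([regex]::Escape($NotesOrg))$"

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $NotesDnAttribute
$problems = @(foreach ($u in $users) {
    $dn = $u.$NotesDnAttribute
    if ([string]::IsNullOrWhiteSpace($dn)) {
        # No value means Domino cannot map the LDAP login to a person document
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'attribute empty'; Value = '' }
    } elseif ($dn -notmatch $NotesDnPattern) {
        [pscustomobject]@{ User = $u.SamAccountName; Issue = 'not a Notes hierarchical name'; Value = $dn }
    }
})
# Two AD accounts carrying the same Notes DN would both be granted that one Domino identity.
$groups = $users | Where-Object { $_.$NotesDnAttribute } |
          Group-Object -Property $NotesDnAttribute | Where-Object Count -gt 1
foreach ($g in $groups) {
    $problems += [pscustomobject]@{ User = ($g.Group.SamAccountName -join ', '); Issue = 'same Notes DN on several accounts'; Value = $g.Name }
}
if ($problems.Count -eq 0) { Write-Host "All $($users.Count) users have a unique, well-formed Notes DN" }
else { $problems | Format-Table -AutoSize }
```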
19. WHAT DOES IT DO?
Uses the token generated by Active Directory to authenticate Domino access
Using MSSO, Domino generates its own token for onward authentication on other platforms
20. SPNEGO EXAMPLE FOR DOMINO
Steps:
Step 1: User logs into Windows
Step 2: Active Directory generates SPNEGO token
Step 3: User tries to access Domino website
Step 4: Browser sends SPNEGO token to Domino along with user name
Step 5: Domino contacts Active Directory to validate token and retrieve the user’s name
21. WHAT DOES IT NEED?
An Active Directory domain for the user to log in to
SSO or MSSO
A Kerberos name mapped in the Domino person document
A Windows client (3rd party support for other OSes)
An IE browser (3rd party support for other browsers)
22. HOW DO I SET IT UP?
• Ensure the clocks on the AD and Domino servers are in sync (use the same time server)
• Run Domino using a specific service account, not Local System
• Enable Active Directory in Directory Assistance (the AD domain entered here must match the LDAP tab)
23. HOW DO I SET IT UP?
OR, if you don’t want to use Directory Assistance:
Set notes.ini on the Domino server: WIDE_SEARCH_FOR_KERBEROS_NAMES=1
Then manually set the Kerberos name in each person document: on the Administration tab of each person document add the user’s Kerberos name in the format name (case sensitive) + domain (must be in caps)
24. HOW DO I SET IT UP?
Create an SPN (service principal name) in Active Directory representing every Domino hostname your users will access
The SPN authorisation account should match the account running Domino
To get the SPN command, run the program “domspnego” and give the output to your AD administrator
setspn -a HTTP/[hostname] [account]
Create multiple SPNs for multiple servers or hostnames
25. IN SUMMARY
Enable SSO in Domino
Enable AD Directory Assistance with single sign on for Windows (IWA - Integrated Windows Authentication)
Full Text Index Domino directory
Run domspnego to generate setspn output
Run setspn on Active Directory domain controller
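An added pre-flight check, not from the presentation, for the SPNEGO steps above: it confirms the Domino service runs as the SPN account, that an HTTP/hostname SPN exists on that account for every hostname, that no duplicate SPN exists, and that clock skew against the domain controller is inside the Kerberos window. Account, hostnames, domain controller and the Domino service name pattern are assumptions.

```powershell
# Added pre-flight check (not from the presentation) for the SPNEGO setup above.
# Run it on the Domino server as a domain admin. All names below are placeholders.
$DominoAccount    = 'svc-domino'                                   # sAMAccountName of the account running Domino
$DominoHosts      = @('mail1.example.com', 'traveler.example.com') # hostnames users will browse to
$DomainController = 'dc1.example.com'
$MaxSkewSeconds   = 300                                            # Kerberos tolerates 5 minutes by default

# 1. The Domino service must run as the SPN account, not Local System.
$svc = Get-CimInstance Win32_Service | Where-Object { $_.Name -like '*Domino*' }  # service name pattern is an assumption
foreach ($s in $svc) {
    if ($s.StartName -like "*\$DominoAccount" -or $s.StartName -like "$DominoAccount@*") {
        Write-Host "OK        $($s.Name) runs as $($s.StartName)"
    } else {
        Write-Warning "ACCOUNT   $($s.Name) runs as '$($s.StartName)', expected $DominoAccount"
    }
}

# 2. Every HTTP/<hostname> SPN must be registered on that account (setspn -L lists them).
$registered = setspn -L $DominoAccount | ForEach-Object { $_.Trim() }
foreach ($h in $DominoHosts) {
    $spn = "HTTP/$h"
    if ($registered -contains $spn) {
        Write-Host "OK        $spn registered on $DominoAccount"
    } else {
        Write-Warning "MISSING   $spn; ask the AD admin to run: setspn -A $spn $DominoAccount"
    }
}

# 3. A duplicate SPN (same HTTP/host on two accounts) breaks Kerberos for that host,
#    because the KDC cannot pick a single key; setspn -X -F scans the whole forest.
$dupes = setspn -X -F 2>&1
if ($dupes -match 'found 0 group') { Write-Host "OK        no duplicate SPNs in the forest" }
else { Write-Warning ("DUPLICATE SPNs reported:`n" + ($dupes -join "`n")) }

# 4. Clock skew between this host and the domain controller must stay inside the Kerberos window.
$sample = w32tm /stripchart /computer:$DomainController /samples:1 /dataonly |
          Select-String -Pattern '([+-]\d+\.\d+)s' | Select-Object -Last 1
if ($sample) {
    $offset = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
    if ($offset -lt $MaxSkewSeconds) { Write-Host ("OK        clock offset {0:N3}s from $DomainController" -f $offset) }
    else { Write-Warning ("SKEW      clock offset {0:N3}s exceeds {1}s; fix time sync first" -f $offset, $MaxSkewSeconds) }
} else {
    Write-Warning "SKEW      could not sample $DomainController with w32tm"
}
```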
27. WHAT DOES IT DO?
One single authentication challenge for access to multiple systems
Including a vaulted Notes ID
Identity Provider initial authentication can use many methods, from passwords, multiple passwords, custom forms, smart cards and more
Supports multiple client and server operating systems
No passwords to compromise or intercept
28. SAML EXAMPLE
Steps:
Step 1: User attempts to log in to a website
Step 2: User is redirected to the Identity Provider
Step 3: Identity Provider requests authentication or (if the user is logged in) returns credentials
Step 4: User is redirected back to the original site with the SAML assertion attached
Step 5: Original site uses its SAML Service Provider to confirm the SAML assertion and grant access
29. DEFINITIONS
IdP - Identity Provider (SSO)
ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012): SAML 2.0 only; can be combined with SPNEGO; enhances Integrated Windows Authentication (IWA)
TFIM (Tivoli Federated Identity Manager): SAML 1.1 and 2.0
30. DEFINITIONS
SP - Service Provider
IBM Domino (web federated login)
IBM WebSphere
IBM Notes (requires IDVault) (notes federated login)
31. MORE DEFINITIONS
IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions
Assertions have three roles: authentication, authorisation and retrieving attributes
32. WHAT DOES IT NEED?
An Identity Provider - currently IBM supports ADFS and TFIM
Other IdPs may work but aren’t officially supported, so check with IBM first
IDVault configured for federated logins
A partnership between the IDVault server and the Identity Provider
An SSL certificate generated by a well known authority
33. WHAT DOES IT NEED?
An attribute in your Identity Provider that matches a unique user identity in Domino
An IdP Catalog in Domino (idpcat.nsf)
At least one IdP configuration document to be used by your Domino server(s)
A security policy that can be applied to your federating users
34. WHERE DO WE START?
You’ll need to install ADFS 2.0 if using Active Directory
You’ll need to have an IIS server with an SSL certificate
You’ll need an IDVault
You’ll need a security policy in Domino
You’ll need an idpcat database based on the template idpcat.ntf
39. DOMINO TO ADFS
Creating a certificate to give to ADFS containing information about your Domino server
Multiple servers / URLs mean multiple documents
40. DOMINO TO ADFS CERTIFICATE
When the “create certificate” button is clicked a new certificate is saved in the document and an idp.xml file for ADFS is created
52. MORE…
The browser has to recognise the certificate being used by ADFS
ADFS has to recognise the certificate used by Domino
Domino has to recognise the certificate used by ADFS
Basically everything needs to be able to talk to everything else and be satisfied that there is no man-in-the-middle intrusion
53. SUMMARY
If you’re not using SPNEGO then you should, it’s very simple to set up
SAML is where single sign on needs to be
There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines, for instance)
Don’t just think about Domino and its services, think about everything your business uses and will be using
IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc), so if in doubt, start with a PMR
54. HOW TO FIND ME
Twitter, blogs, Instagram, Facebook and more
gabriella@turtlepartnership.com
GabriellaDavis (skype)
http://turtleblog.info
gabturtle on twitter and elsewhere