A Technical Guide To Deploying Single Sign On
CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS
Gabriella Davis	

gabriella@turtlepartnership.com	

The Turtle Partnership
BACKGROUND
Hopefully you saw my presentation yesterday?

We talked about the differences between the Single Sign On options.

Today we are going to look at the technical components needed to get your Notes, iNotes and Traveler clients logging in with minimal fuss.
WHO AM I?
Gab Davis	

Administrator, Problem Solver, Stubborn Fixer of Things	

Working with IBM technologies and all the things surrounding
and integrating with those 	

Based in London, about half the time
SOME HOWTO'S (FROM EASY TO HARD)

Notes Shared Logon

Configure LDAP authentication

Configure Kerberos / SPNEGO / IWA for single sign on

Configure SAML
NOTES SHARED LOGON
WHAT DOES IT DO?
Removes the password from your Notes ID.

No password, no problem!

Isn't that a huge security problem? Not if the Windows login is trustworthy: the passwordless ID is encrypted with the user's Windows credentials, so getting at it means getting at that Windows account on that machine.
NOTES SHARED LOGON EXAMPLE

Steps:

1. The user logs into Windows.
2. The user launches Notes and is prompted for the vaulted ID's password.
3. Notes downloads the vaulted ID to the file system.
4. Notes removes the ID's password and encrypts the ID with the user's Windows credentials.
5. Every time the user logs into Notes from that machine, the ID with no password is decrypted for use.
WHAT DOES IT NEED?
An ID Vault

Simple password authentication only: no smartcards, dual passwords, retina scans etc.

A Windows OS on the client
HOW DO I SET IT UP?
Start with an ID Vault (you know how to do that, right?)

There's no client-side configuration at all

Use the security policy to enable Notes Shared Logon

Optionally add a machine-specific formula to the policy to restrict NSL to secured machines
MACHINE SPECIFIC FORMULA
@GetMachineInfo([Keyword]; "text string where required")

IsLaptop: returns True if the machine is a laptop, otherwise False

IsDesktop: returns True if the machine is NOT a laptop, otherwise False

IsMultiUser: returns True if the Notes client is installed as Multi-User, otherwise False

HasDesigner: returns True if the Designer client is installed, otherwise False

HasAdmin: returns True if the Admin client is installed, otherwise False

IsStandard: returns True if the machine is running the Standard Notes client, otherwise False

http://www-01.ibm.com/support/docview.wss?uid=swg21501673
WHAT DOESN'T IT DO?
No password sync from the Notes ID to the Domino HTTP password

No Citrix

No Notes data on a USB device

No Windows roaming profiles (Notes roaming users are fine, as long as the Windows profile itself doesn't roam)

More: http://bit.ly/1t50Adx
LDAP AUTHENTICATION
WHAT DOES IT DO?
It's not SSO, but it can give users a single password

No password synchronisation needed

Log in to any Domino HTTP service, including Traveler, using an LDAP password (such as the user's AD password)

Remove the Domino HTTP password entirely if you want

Works from anywhere, on any device

Caveat: the user's LDAP password is typed into the Domino login form and then forwarded by Domino to the LDAP server, so both legs need TLS (HTTPS on the Domino server, SSL/TLS on the Directory Assistance LDAP connection); otherwise the AD password is exposed twice.
LDAP AUTHENTICATION EXAMPLE

Steps:

1. The user tries to log into iNotes using their LDAP (AD) password.
2. Domino checks whether the password matches the HTTP password in the person document.
3. If it doesn't match, Domino forwards the credentials to the LDAP server specified in Directory Assistance.
4. The LDAP server verifies the credentials and passes back to Domino the unique user ID it validated.
5. Domino uses the identity it was sent back to grant the user access to the service / application.
WHAT DOES IT NEED?
An LDAP server

A Directory Assistance document on every server where you want to authenticate (for Traveler this would just be the Traveler server)

MSSO (multi-server single sign on) so the session token works across servers

An attribute in LDAP that contains the user's hierarchical Notes name

Keeping that attribute in sync (TDI will do that easily)
HOW DO I SET IT UP?
In the Directory Assistance document:

The LDAP attribute containing the Notes DN (the hierarchical name Domino will authorise the user as)

A filter to restrict the LDAP search
KERBEROS / SPNEGO / IWA
WHAT DOES IT DO?
Uses the Kerberos token generated by Active Directory to authenticate access to Domino

With MSSO, Domino then generates its own session token for onward authentication to other servers and platforms
SPNEGO EXAMPLE FOR DOMINO

Steps:

1. The user logs into Windows.
2. The user tries to access a Domino website.
3. Active Directory issues the Kerberos service ticket for the site, which the browser wraps in a SPNEGO token.
4. The browser sends the SPNEGO token to Domino along with the user name.
5. Domino contacts Active Directory to validate the token and retrieve the user's name.
WHAT DOES IT NEED?
An Active Directory domain for the user to log in to

SSO or MSSO enabled

A Kerberos name mapped in the Domino person document

A Windows client (third-party support for other OSes)

An Internet Explorer browser (third-party support for other browsers)
HOW DO I SET IT UP?
• Ensure the clocks on the AD and Domino servers are in sync (use the same time server; Kerberos rejects tickets once the skew exceeds five minutes by default)

• Run Domino under a specific service account, not Local System

• Enable Active Directory in Directory Assistance: the AD domain entered there must match the domain on the LDAP tab
HOW DO I SET IT UP?
OR, if you don't want to use Directory Assistance:

Set this in notes.ini on the Domino server:

WIDE_SEARCH_FOR_KERBEROS_NAMES=1

and manually set the Kerberos name in each person document.

On the Administration tab of each person document add the user's Kerberos name in the format username@REALM, where the username is case sensitive and the realm (the AD domain) must be in capitals.
HOW DO I SET IT UP?
Create an SPN (service principal name) in Active Directory for every Domino hostname your users will access, in the form HTTP/<hostname> (service class and host, not a URL)

The account the SPN is registered to must be the service account Domino runs as

To get the SPN commands, run the program "domspnego" on the Domino server and give the output to your AD administrator

setspn -A HTTP/<hostname> <domain>\<domino service account>

Create multiple SPNs for multiple servers or hostnames (including aliases and fully qualified names), and make sure each SPN is registered to only one account: a duplicate SPN breaks Kerberos for both (setspn -S checks for duplicates before adding)
IN SUMMARY
Enable SSO in Domino

Enable AD Directory Assistance with single sign on for Windows (IWA - Integrated Windows Authentication)

Full text index the Domino Directory

Run domspnego to generate the setspn output

Run setspn on an Active Directory domain controller
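When SPNEGO is not working, the quickest check is to look at what the browser actually sent in the Authorization: Negotiate header (the browser's developer tools show it on the request that follows the 401). The following is an added example, not part of the original deck or of IBM's tooling: it decodes that header far enough to tell a SPNEGO token that offers Kerberos first from one that offers only NTLM, or from a raw NTLM message. Domino's SPNEGO support needs a Kerberos ticket, so the NTLM cases mean the browser could not get one, which in practice points at a missing or duplicate SPN, a hostname outside the intranet zone, or clock skew. Standard library only; the sample tokens at the bottom are constructed here, not captured from a real client.

```python
"""Classify the token a browser sends in an ``Authorization: Negotiate`` header.

Tells apart a SPNEGO NegTokenInit that prefers Kerberos (what a working setup
sends), a NegTokenInit that lists NTLM first, and a raw NTLM message.
Standard library only; the sample tokens at the bottom are constructed here.
"""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"          # legacy Microsoft Kerberos OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "MS-Kerberos", OID_NTLMSSP: "NTLM"}
KERBEROS = ("Kerberos", "MS-Kerberos")


def _read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the size of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """Dotted string from DER OID content bytes (base-128, high bit = continue)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_negotiate_token(header_value: str) -> dict:
    """Return {'mech', 'mech_types', 'ok', 'reason'} for a Negotiate header or bare base64."""
    parts = header_value.split(None, 1)
    b64 = parts[1] if len(parts) == 2 and parts[0].lower() == "negotiate" else header_value
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):
        return {"mech": "NTLM", "mech_types": [], "ok": False,
                "reason": "raw NTLM message: the browser could not get a Kerberos ticket"}
    if not token or token[0] != 0x60:          # GSS-API InitialContextToken = [APPLICATION 0]
        return {"mech": "unknown", "mech_types": [], "ok": False, "reason": "not a GSS-API token"}
    _, body, _ = _read_tlv(token)
    tag, oid_bytes, pos = _read_tlv(body)
    if tag != 0x06:
        return {"mech": "unknown", "mech_types": [], "ok": False, "reason": "missing mechanism OID"}
    outer = _decode_oid(oid_bytes)
    if outer in (OID_KRB5, OID_MS_KRB5):
        return {"mech": "Kerberos", "mech_types": [MECH_NAMES[outer]], "ok": True,
                "reason": "raw Kerberos AP-REQ"}
    if outer != OID_SPNEGO:
        return {"mech": "unknown", "mech_types": [outer], "ok": False, "reason": "unexpected mechanism"}
    # SPNEGO: [0] NegTokenInit ::= SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }
    _, neg_init, _ = _read_tlv(body, pos)       # [0] CHOICE arm (tag a0)
    _, seq, _ = _read_tlv(neg_init)             # SEQUENCE
    _, mech_list, _ = _read_tlv(seq)            # [0] mechTypes
    _, oids, _ = _read_tlv(mech_list)           # SEQUENCE OF OID
    mech_types, p = [], 0
    while p < len(oids):
        _, ob, p = _read_tlv(oids, p)
        mech_types.append(MECH_NAMES.get(_decode_oid(ob), _decode_oid(ob)))
    if mech_types and mech_types[0] in KERBEROS:
        return {"mech": "SPNEGO", "mech_types": mech_types, "ok": True,
                "reason": "Kerberos is the preferred mechanism"}
    return {"mech": "SPNEGO", "mech_types": mech_types, "ok": False,
            "reason": "Kerberos not offered first: check the SPN, the browser zone and clock skew"}


# --- constructed sample tokens (encoded here, not captured from a real client) ---
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def build_spnego_init(mechs) -> str:
    """Base64 NegTokenInit offering the given mechanism OIDs in order (test data only)."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_oid(m) for m in mechs)))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_types))
    return base64.b64encode(_tlv(0x60, _oid(OID_SPNEGO) + neg_init)).decode()


# Minimal NTLM NEGOTIATE_MESSAGE (type 1): signature, message type, flags.
NTLM_TYPE1 = base64.b64encode(b"NTLMSSP\x00" + (1).to_bytes(4, "little") + b"\x07\x82\x08\xa2").decode()
```

A real header starts with "YII" when it is a GSS-API token and with "TlRMTVNT" when it is raw NTLM, so the first three characters already say a lot; the parser above adds the mechanism list, which is what tells you whether the browser even tried Kerberos. Nothing here talks to Domino or AD, so it is safe to run on a captured header from any environment.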
SAML & NOTES
WHAT DOES IT DO?
One single authentication challenge for access to multiple systems

Including a vaulted Notes ID

The Identity Provider's initial authentication can use many methods, from passwords, multiple passwords and custom forms to smart cards and more

Supports multiple client and server operating systems

No passwords reach Domino or Notes to be compromised or intercepted; only the Identity Provider ever sees them
SAML EXAMPLE

Steps:

1. The user attempts to log in to a website.
2. The user is redirected to the Identity Provider.
3. The Identity Provider requests authentication or, if the user is already logged in, returns credentials.
4. The user is redirected back to the original site with a SAML assertion attached.
5. The original site uses its SAML Service Provider to confirm the SAML assertion and grant access.
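Step 5 is where the security of the whole scheme sits, so it is worth seeing what "confirm the SAML assertion" involves. The following is an added example, not code from the deck or from IBM's SAML implementation. It performs the checks a service provider makes after the XML signature has been verified (that step needs an XML-DSig library and is assumed to have happened already): the issuer is the configured IdP, the assertion is inside its validity window, its audience is this service provider, it was delivered to this consumer URL in answer to a request we actually issued (no replay, no unsolicited login), and it carries exactly one NameID to map onto a Domino user. The entity IDs, the consumer URL and the assertion itself are constructed for the example.

```python
"""The checks a SAML service provider makes on an assertion before granting access.

Run after the XML signature has been verified (that needs an XML-DSig library
and is assumed done). Issuer, audience, validity window, recipient, InResponseTo
and a single NameID to map to a Domino user are checked here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed identifiers for the example; take the real ones from the IdP and Domino configuration.
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://mail.example.com"
ACS_URL = "https://mail.example.com/acs"


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, *, expected_issuer: str, audience: str, recipient: str,
                    outstanding_request_ids: set, now: datetime,
                    skew: timedelta = timedelta(minutes=3)) -> dict:
    """Return {'ok': bool, 'errors': [...], 'name_id': str | None}."""
    errors, a = [], ET.fromstring(xml_text)
    if a.tag != f"{{{NS['saml']}}}Assertion":
        return {"ok": False, "errors": ["root element is not a saml:Assertion"], "name_id": None}
    # 1. Signed, and by the IdP we configured (the signature itself was verified before we got here).
    if a.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")
    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        errors.append(f"issuer {issuer!r} is not the configured IdP")
    # 2. Validity window with a little clock-skew tolerance, and 3. meant for this SP.
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        errors.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            errors.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            errors.append("assertion expired")
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            errors.append(f"audience {audiences} does not include {audience!r}")
    # 4. Delivered to our consumer URL in answer to a request we made (no replay, no unsolicited login).
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        errors.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != recipient:
            errors.append("Recipient is not our assertion consumer URL")
        if scd.get("InResponseTo") not in outstanding_request_ids:
            errors.append("InResponseTo matches no outstanding AuthnRequest (replay or unsolicited)")
        if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
            errors.append("SubjectConfirmationData expired")
    # 5. Exactly one identifier to map onto a Domino person (the mapping must be unique).
    name_ids = a.findall("saml:Subject/saml:NameID", NS)
    if len(name_ids) != 1 or not (name_ids[0].text or "").strip():
        errors.append("need exactly one NameID to map to a Domino user")
    name_id = name_ids[0].text.strip() if len(name_ids) == 1 and name_ids[0].text else None
    return {"ok": not errors, "errors": errors, "name_id": name_id}


# Constructed sample; a real ADFS assertion carries a full ds:Signature block and attribute statements.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>(omitted)</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID>jdoe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="_req42"
          NotOnOrAfter="2024-05-01T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def demo() -> dict:
    """Run the sample through the checks at a fixed 'now' (constructed) and in three failure modes."""
    now = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
    base = dict(expected_issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, recipient=ACS_URL,
                outstanding_request_ids={"_req42"}, now=now)
    return {
        "valid": check_assertion(SAMPLE_ASSERTION, **base),
        "replayed": check_assertion(SAMPLE_ASSERTION, **{**base, "outstanding_request_ids": set()}),
        "expired": check_assertion(SAMPLE_ASSERTION, **{**base, "now": now + timedelta(hours=1)}),
        "wrong_audience": check_assertion(SAMPLE_ASSERTION, **{**base, "audience": "https://other.example.com"}),
    }
```

The three failure cases in demo() are the ones that matter most: an assertion presented twice (InResponseTo no longer outstanding), an old assertion, and an assertion minted for some other relying party that trusts the same ADFS. The NameID requirement is the same "mapping must be unique" rule the ADFS-to-Domino name mapping slides insist on.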
DEFINITIONS
IdP - Identity Provider (SSO)

ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
  SAML 2.0 only
  can be combined with SPNEGO
  enhances Integrated Windows Authentication (IWA)

TFIM (Tivoli Federated Identity Manager)
  SAML 1.1 and 2.0
DEFINITIONS
SP - Service Provider

IBM Domino (web federated login)

IBM WebSphere

IBM Notes (notes federated login, requires an ID Vault)
MORE DEFINITIONS
IdPs (Identity Providers) communicate with SPs (Service Providers) over HTTP or SOAP using XML-based assertions

An assertion can carry three kinds of statement:

Authentication (who logged in, when and how)

Authorisation decisions

Attributes (retrieving user attributes, such as the identifier used to map to a Domino user)
WHAT DOES IT NEED?
An Identity Provider - currently IBM support ADFS and TFIM

Other IdPs may work but aren't officially supported, so check with IBM first

An ID Vault configured for federated logins

A partnership between the ID Vault server and the Identity Provider

An SSL certificate for the Identity Provider issued by a well-known certificate authority (the browsers and Domino have to trust it)
WHAT DOES IT NEED?
An attribute in your Identity Provider that matches a unique user
identity in Domino 	

An IdP Catalog in Domino (idpcat.nsf)	

At least one IdP configuration document to be used by your
Domino server(s)	

A security policy that can be applied to your federating users
WHERE DO WE START?
You'll need to install ADFS 2.0 if using Active Directory

You'll need to have an IIS server with an SSL certificate

You'll need an ID Vault

You'll need a security policy in Domino

You'll need an idpcat database based on the template idpcat.ntf

SIMPLE, RIGHT?

……YOU'LL NEED TIME AND PATIENCE
FROM ADFS TO DOMINO
Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
DOMINO IDP CONFIGURATION
Create the configuration document in your idpcat.nsf database

Import the XML file you just saved from ADFS
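Before importing the metadata it pays to look at what is in it, because the IdP configuration document is built from three things in that file: the IdP's entity ID, its SAML 2.0 single sign-on endpoint, and the certificate ADFS signs assertions with. The following is an added example, not code from the deck or from IBM: it pulls those three out of a FederationMetadata.xml, fingerprints the signing certificate so you can compare it with the one ADFS presents later, and flags the things that break federation quietly (no signing key, an SSO endpoint that is not HTTPS, an entity ID that does not belong to the ADFS host you expected). Standard library only. The metadata document at the bottom is a constructed, cut-down version of what ADFS serves, and the certificate bytes inside it are placeholder data, not a real certificate.

```python
"""Extract what the Domino IdP configuration needs from ADFS FederationMetadata.xml.

Entity ID, single sign-on endpoints and signing certificate fingerprints, plus a
few sanity checks. Standard library only; the sample document is constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entity ID, SSO endpoints by binding and SHA-256 fingerprints of the IdP's certificates."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: this is not an identity provider")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "both")            # no 'use' attribute means signing and encryption
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))   # DER bytes, as the browser would see them
            certs.append({"use": use, "sha256": hashlib.sha256(der).hexdigest()})
    return {"entity_id": root.get("entityID", ""), "sso": sso, "certs": certs,
            "want_signed": idp.get("WantAuthnRequestsSigned") == "true"}


def check_idp_metadata(info: dict, expected_host: str) -> list:
    """Return a list of problems; an empty list means the metadata is usable as-is."""
    problems = []
    if expected_host not in info["entity_id"]:
        problems.append(f"entityID {info['entity_id']!r} does not mention {expected_host}")
    if not any(c["use"] in ("signing", "both") for c in info["certs"]):
        problems.append("no signing certificate: assertions could not be verified")
    if not (info["sso"].get(REDIRECT) or info["sso"].get(POST)):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    for binding, url in info["sso"].items():
        if not (url or "").startswith("https://"):
            problems.append(f"{binding.rsplit(':', 1)[-1]} endpoint is not HTTPS: {url}")
    return problems


# Constructed sample: the shape of ADFS metadata with everything but the parts we read removed.
# The certificate content is placeholder bytes, not an X.509 certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(cert=base64.b64encode(b"placeholder-not-a-real-certificate").decode())

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info)
    print(check_idp_metadata(info, "adfs.example.com") or "metadata looks usable")
```

Run it against the real file you saved (read it into parse_idp_metadata) and keep the signing fingerprint with your change record: when ADFS rolls its token-signing certificate, which it does automatically by default, this is the value that changes and the reason federated logins suddenly stop working until the metadata is re-imported.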
ENABLE CLIENT SETTINGS
The FederationMetadata.xml from your previous step is attached to the configuration document

DOMINO TO ADFS
Create a certificate to give to ADFS containing information about your Domino server

Multiple servers / URLs mean multiple documents

DOMINO TO ADFS CERTIFICATE
When the "create certificate" button is clicked, a new certificate is saved in the document and an idp.xml file for ADFS is created
ADFS TRUSTING DOMINO
ADFS needs to know about each Domino server / URL, and you use the idp.xml for that

ADD RELYING PARTY TRUST
Browse to the idp.xml when adding the relying party

MAPPING ADFS NAMES TO DOMINO
The mapping must be unique: each name ADFS sends has to identify exactly one Domino user

DOMINO SECURITY POLICY
Enable Federated Login under Password Management

CONFIGURE THE ID VAULT
MORE…
The browser has to recognise the certificate being used by ADFS

ADFS has to recognise the certificate used by Domino

Domino has to recognise the certificate used by ADFS

Basically everything needs to talk to each other and be happy there's no man-in-the-middle intrusion
SUMMARY
If you're not using SPNEGO then you should; it's very simple to set up

SAML is where single sign on needs to be

There are plenty of third-party tools and services that will help with any "uniqueness" in your environment (want SPNEGO but have Linux or Mac machines, for instance)

Don't just think about Domino and its services; think about everything your business uses and will be using

IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc.), so if in doubt, start with a PMR
HOWTO FIND ME
Twitter, blogs, Instagram, Facebook and more
gabriella@turtlepartnership.com	

GabriellaDavis (skype)	

http://turtleblog.info	

gabturtle on twitter and elsewhere

A Technical Guide To Deploying Single Sign On

  • 1. CONFIGURING A SINGLE SIGN ON EXPERIENCE FORYOUR NOTES CLIENTS Gabriella Davis gabriella@turtlepartnership.com The Turtle Partnership
  • 2. BACKGROUND Hopefully you saw my presentation yesterday ? we talked about the difference between Single Sign On options Today we are going to look at the technical components to get your Notes, iNotes and Traveler clients logging with minimal fuss
  • 3. WHO AM I? Gab Davis Administrator, Problem Solver, Stubborn Fixer of Things Working with IBM technologies and all the things surrounding and integrating with those Based in London, about half the time
  • 4. SOME HOWTO’S…. (FROM EASY TO HARD) Notes Shared Logon Configure LDAP Authentication Configure Kerberos / SPNEGO / IWA for single sign on Configure SAML
  • 6. WHAT DOES IT DO? Removes the password from your Notes ID No password - no problem ! Isn’t that a huge security problem?
  • 7. NOTES SHARED LOGON EXAMPLE 1 2 3 4 5 USER LAUNCHES NOTES & IS PROMPTED FOR THE VAULTED ID PASSWORD NOTES DOWNLOADS THE VAULTED ID TO THE FILE SYSTEM EVERY TIME THE USER LOGS INTO NOTES FROM THAT MACHINE, THE ID WITH NO PASSWORD IS DECRYPTED FOR USE NOTES REMOVES THE ID’S PASSWORD & ENCRYPTS THE ID WITH THE USER’S WINDOWS CREDENTIALS STEPS USER LOGS INTO WINDOWS
  • 8. WHAT DOES IT NEED? IDVault Simple authentication, no smartcards, dual passwords, retina scans etc Windows OS
  • 9. HOW DO I SET IT UP? Start with an IDVault (you know how to do that right?) There’s no client side configuration at all Use the security policy to enable Notes Shared Logon
  • 10. Machine formula to restrict NSL to secured machines
  • 11. MACHINE SPECIFIC FORMULA @GetMachineInfo([Keyword];”text string where required”) IsLaptop boolean return True if machine is a laptop, otherwise false IsDesktop boolean return True if machine is NOT a laptop, otherwise false
 IsMultiUser boolean return True if machine has Notes client installed as Multi-User, otherwise false HasDesigner boolean return True if machine has Designer client installed, otherwise false HasAdmin boolean return True if machine has Admin client installed, otherwise false IsStandard boolean return True if machine is running Standard Notes client, otherwise false
 
 http://www-01.ibm.com/support/docview.wss?uid=swg21501673
  • 12. WHAT DOESN’T IT DO No password sync from Notes to Domino HTTP No Citrix No USB data No Roaming profiles (well you can roam if you don’t roam) more. http://bit.ly/1t50Adx
• 14. WHAT DOES IT DO?
  - It’s not SSO but it can be single password
  - No password synchronisation
  - Log in to any HTTP service, including Traveler, using an LDAP password (such as AD)
  - Remove the Domino HTTP password entirely if you want
  - Works from anywhere, any device
• 15. LDAP AUTHENTICATION EXAMPLE
  Steps:
  1. User tries to log into iNotes using their LDAP (AD) password
  2. Domino checks if the password matches the HTTP password in the person document
  3. On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance
  4. The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated
  5. Domino uses the credentials it was sent to grant the user access to the service / application
• 16. WHAT DOES IT NEED?
  - An LDAP server
  - A directory assistance document wherever you want to authenticate (for Traveler this would just be on the Traveler server)
  - MSSO
  - An attribute in LDAP that contains the user’s hierarchical name
  - Keeping the attribute in sync… (TDI will do that easily)
• 17. HOW DO I SET IT UP?
  - LDAP attribute containing the Notes DN
  - Filter the LDAP search to restrict
• 19. WHAT DOES IT DO?
  - Uses the token generated by Active Directory to authenticate Domino access
  - Using MSSO, Domino generates its own token for onward authentication on other platforms
• 20. SPNEGO EXAMPLE FOR DOMINO
  Steps:
  1. User logs into Windows
  2. Active Directory generates a SPNEGO token
  3. User tries to access a Domino website
  4. Browser sends the SPNEGO token to Domino along with the user name
  5. Domino contacts Active Directory to validate the token and retrieve the user’s name
• 21. WHAT DOES IT NEED?
  - An Active Directory domain for the user to log in to
  - SSO or MSSO
  - A Kerberos name mapped in the Domino person document
  - A Windows client (3rd party support for other OS)
  - An IE browser (3rd party support for other browsers)
• 22. HOW DO I SET IT UP?
  - Ensure the clocks on the AD and Domino servers are in sync (use the same time server)
  - Run Domino using a specific service account, not Local System
  - Enable Active Directory in Directory Assistance (the AD domain must match the LDAP tab)
• 23. HOW DO I SET IT UP?
  OR, if you don’t want to use Directory Assistance:
  - Set notes.ini on the Domino server: WIDE_SEARCH_FOR_KERBEROS_NAMES=1
  - Manually set the name in each person document: on the Administration tab of each person document add the user’s Kerberos name in the format name (case sensitive) + domain (must be in caps)
• 24. HOW DO I SET IT UP?
  - Create a SPN (service principal name) in Active Directory representing every Domino hostname your users will access
  - The SPN authorisation account should match the account running Domino
  - To get a SPN command, run the program “domspnego” and give the output to your AD administrator: setspn -a http://[hostname] [account]
  - Create multiple SPNs for multiple servers or hostnames
• 25. IN SUMMARY
  - Enable SSO in Domino
  - Enable AD Directory Assistance with single sign on for Windows (IWA - Integrated Windows Authentication)
  - Full text index the Domino directory
  - Run domspnego to generate the setspn output
  - Run setspn on an Active Directory domain controller
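Added example, not from the presentation or from IBM’s tooling: a Python helper that decodes the “Authorization: Negotiate” header the browser sends in step 4 of the SPNEGO flow above and reports whether it actually offers a Kerberos mechanism, or only NTLM (not the Kerberos token this flow depends on, and the usual symptom when the SPN, clock sync or realm mapping from the setup slides is wrong). All OIDs are the standard ones; the sample header values are constructed inline and are not captured from any real browser or server.

```python
import base64
import binascii

# DER-encoded OIDs (tag 0x06, length, value) exactly as they appear inside a token.
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                  # 1.3.6.1.5.5.2
KRB5_OIDS = (b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",      # 1.2.840.113554.1.2.2
             b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02")      # 1.2.840.48018.1.2.2 (MS)
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"  # 1.3.6.1.4.1.311.2.2.10

def der(tag, content):
    """Wrap content in a DER TLV; short-form length is enough for these sizes."""
    if len(content) >= 0x80:
        raise ValueError("long-form DER length not implemented in this sample")
    return bytes([tag, len(content)]) + content

def build_spnego_init(mech_oids):
    """Constructed InitialContextToken carrying a NegTokenInit that offers mech_oids.
    The mechToken is omitted, so this is triage sample data, not a token a KDC issued."""
    mech_types = der(0xA0, der(0x30, b"".join(mech_oids)))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, mech_types)))

def classify_negotiate(header_value):
    """Classify the value of an 'Authorization: Negotiate <base64>' request header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "undecodable"
    if raw.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"                 # NTLM message without any SPNEGO framing
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        if any(oid in raw for oid in KRB5_OIDS):
            return "spnego-kerberos"      # the token Domino validates against AD
        if NTLMSSP_OID in raw:
            return "spnego-ntlm-only"     # Kerberos not offered: check SPN, clock skew, realm
        return "spnego-unknown-mech"
    return "unknown"

# Constructed sample header values (not captured from any real browser or server).
KERBEROS_HEADER = "Negotiate " + base64.b64encode(build_spnego_init(KRB5_OIDS + (NTLMSSP_OID,))).decode()
NTLM_ONLY_HEADER = "Negotiate " + base64.b64encode(build_spnego_init([NTLMSSP_OID])).decode()
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01" + b"\x00" * 23).decode()
```

Feed classify_negotiate the header value from a browser HTTP trace; anything other than "spnego-kerberos" means the client never obtained a Kerberos ticket for the Domino hostname.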
• 27. WHAT DOES IT DO?
  - One single authentication challenge for access to multiple systems, including a vaulted Notes ID
  - Identity Provider initial authentication can use many methods: passwords, multiple passwords, custom forms, smart cards and more
  - Supports multiple client and server operating systems
  - No passwords to compromise or intercept
• 28. SAML EXAMPLE
  Steps:
  1. User attempts to log in to a website
  2. User is redirected to the Identity Provider
  3. Identity Provider requests authentication or (if the user is logged in) returns credentials
  4. User is redirected back to the original site with the SAML assertion attached
  5. Original site uses its SAML Service Provider to confirm the SAML assertion and grant access
• 29. DEFINITIONS
  IdP - Identity Provider (SSO)
  - ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012): SAML 2.0 only; can be combined with SPNEGO; enhances Integrated Windows Authentication (IWA)
  - TFIM (Tivoli Federated Identity Manager): SAML 1.1 and 2.0
• 30. DEFINITIONS
  SP - Service Provider
  - IBM Domino (web federated login)
  - IBM WebSphere
  - IBM Notes (requires IDVault) (notes federated login)
• 31. MORE DEFINITIONS
  - IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML based assertions
  - Assertions have three roles: Authentication, Authorisation, Retrieving Attributes
• 32. WHAT DOES IT NEED?
  - An Identity Provider - currently IBM supports ADFS and TFIM
  - Other IdPs may work but aren’t officially supported, so check with IBM first
  - IDVault configured for federated logins
  - A partnership between the IDVault server and the Identity Provider
  - An SSL certificate generated by a well known authority
• 33. WHAT DOES IT NEED?
  - An attribute in your Identity Provider that matches a unique user identity in Domino
  - An IdP Catalog in Domino (idpcat.nsf)
  - At least one IdP configuration document to be used by your Domino server(s)
  - A security policy that can be applied to your federating users
• 34. WHERE DO WE START?
  - You’ll need to install ADFS 2.0 if using Active Directory
  - You’ll need to have an IIS server with a SSL certificate
  - You’ll need an IDVault
  - You’ll need a security policy in Domino
  - You’ll need an idpcat database based on the template idpcat.ntf
• 36. FROM ADFS TO DOMINO
  - Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
• 37. DOMINO IDP CONFIGURATION
  - Create the configuration document in your idpcat.nsf database
  - Import the XML file you just saved from ADFS
• 38. ENABLE CLIENT SETTINGS
  - The FederationMetadata.xml is attached from your previous step
• 39. DOMINO TO ADFS
  - Creating a certificate to give to ADFS containing information about your Domino server
  - Multiple servers / URLs mean multiple documents
• 40. DOMINO TO ADFS CERTIFICATE
  - When the “create certificate” button is clicked, a new certificate is saved in the document and an idp.xml file for ADFS is created
• 41. ADFS TRUSTING DOMINO
  - ADFS needs to know about each Domino server / URL, and you use the idp.xml for that
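Added example, not the presentation’s or IBM’s code: a Python check to run over the FederationMetadata.xml saved in the ADFS step above before it is imported into idpcat.nsf. It pulls out the entityID, the SingleSignOnService endpoints and the SHA-256 fingerprint of the IdP signing certificate (so it can be compared against what ADFS actually presents), and flags metadata that lacks an IDPSSODescriptor, a signing key, an HTTP-POST binding or https endpoints. The metadata below is a constructed stand-in with an example.invalid hostname and a placeholder certificate body, so its fingerprint is meaningless.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the IdP part of an ADFS FederationMetadata.xml.
# The hostname and certificate body are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://adfs.example.invalid/adfs/services/trust">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{cert}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.invalid/adfs/ls/"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://adfs.example.invalid/adfs/ls/"/>
 </IDPSSODescriptor>
</EntityDescriptor>""".format(cert=base64.b64encode(b"placeholder-not-a-real-certificate").decode())

def summarize_idp_metadata(xml_text):
    """Pull out what an admin checks before importing the metadata into idpcat.nsf."""
    root = ET.fromstring(xml_text)
    out = {"entity_id": root.get("entityID"), "sso": {}, "signing_sha256": [], "warnings": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        out["warnings"].append("no IDPSSODescriptor: this is not IdP metadata")
        return out
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
        out["sso"][binding] = svc.get("Location")
        if not (svc.get("Location") or "").startswith("https://"):
            out["warnings"].append("SSO endpoint for %s is not https" % binding)
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    for cert in idp.findall(cert_path, NS):
        der = base64.b64decode("".join(cert.text.split()))   # drop PEM-style line wrapping
        out["signing_sha256"].append(hashlib.sha256(der).hexdigest())
    if not out["signing_sha256"]:
        out["warnings"].append("no signing certificate: assertions could not be verified")
    if "HTTP-POST" not in out["sso"]:
        out["warnings"].append("no HTTP-POST SingleSignOnService binding")
    return out
```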
  • 49. MAPPING MUST BE UNIQUE
• 50. DOMINO SECURITY POLICY
  - Enable Federated Login under Password Management
• 52. MORE…
  - The browser has to recognise the certificate being used by ADFS
  - ADFS has to recognise the certificate used by Domino
  - Domino has to recognise the certificate used by ADFS
  - Basically everything needs to talk to each other and be happy there’s no man-in-the-middle intrusion
• 53. SUMMARY
  - If you’re not using SPNEGO then you should, it’s very simple to set up
  - SAML is where single sign on needs to be
  - There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines, for instance)
  - Don’t just think about Domino and its services, think about everything your business uses and will be using
  - IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc), so if in doubt, start with a PMR
• 54. HOW TO FIND ME
  - Twitter, blogs, Instagram, Facebook and more
  - gabriella@turtlepartnership.com
  - GabriellaDavis (skype)
  - http://turtleblog.info
  - gabturtle on twitter and elsewhere