ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!
1. ID304 Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know! Speakers: Jay Boyd, Lotus Connections Team Lead, IBM; Luis Benitez, Social Software Product Manager, IBM
65. Test with a browser: feeds that require authentication should prompt for Basic Auth, never TAM Form Authentication. ** Double-check your configuration settings against the Connections 3 documentation. **
79. On the 1st request the browser gets back a 401 whose headers indicate “Authorization: Negotiate”.
80. If both are capable, client and server agree on a protocol, and on every subsequent request the client infrastructure generates a new security token that is included in the header.
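The two checks the deck asks for (feeds must answer with a Basic challenge, browsers may be offered Negotiate) come down to reading the status code and the WWW-Authenticate header of the first, unauthenticated response. The following is an added example written for this page, not code from the deck or from Lotus Connections: it parses a WWW-Authenticate value into its challenges (several can share one header), classifies a response as Basic, Negotiate, a form login, or open, and audits a set of responses constructed inline to stand in for what a feed reader would receive. The endpoint names, header values and URLs are constructed sample data.

```python
"""Classify how an endpoint challenges an unauthenticated request.

Added example for this page; not code from the deck or from IBM Lotus
Connections. No network access is made: the responses are constructed.
"""
import re


def _split_outside_quotes(value, sep=","):
    """Split on sep while ignoring separators inside double-quoted strings."""
    parts, buf, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == sep and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_www_authenticate(value):
    """Return [(scheme, params)] for one WWW-Authenticate header value."""
    challenges = []
    for segment in _split_outside_quotes(value):
        # A bare "key=value" segment continues the previous challenge's params
        if re.match(r"^[\w-]+\s*=", segment) and challenges:
            key, val = segment.split("=", 1)
            challenges[-1][1][key.strip().lower()] = val.strip().strip('"')
            continue
        match = re.match(r"^([A-Za-z][\w-]*)(?:\s+(.*))?$", segment)
        if not match:
            continue
        scheme, rest = match.group(1).lower(), match.group(2) or ""
        params = {}
        if rest and re.fullmatch(r"[A-Za-z0-9._~+/-]+=*", rest):
            params["token68"] = rest          # e.g. a SPNEGO blob after "Negotiate"
        else:
            for kv in _split_outside_quotes(rest):
                if "=" in kv:
                    key, val = kv.split("=", 1)
                    params[key.strip().lower()] = val.strip().strip('"')
        challenges.append((scheme, params))
    return challenges


# A login form is recognised by a password input in a 200 response
PASSWORD_FIELD = re.compile(r"<input[^>]*type\s*=\s*[\"']?password", re.IGNORECASE)


def classify_challenge(status, headers, body=""):
    """One of: basic, negotiate, 401-no-challenge, redirect, form-login, open, other."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in h:
        return "redirect"                 # bounced elsewhere, typically to a login page
    if status == 401:
        schemes = [s for s, _ in parse_www_authenticate(h.get("www-authenticate", ""))]
        if "negotiate" in schemes:
            return "negotiate"
        if "basic" in schemes:
            return "basic"
        return "401-no-challenge"
    if status == 200 and PASSWORD_FIELD.search(body):
        return "form-login"               # a reverse proxy served its login form with 200
    if status == 200:
        return "open"
    return "other"


# Constructed responses (status, headers, body) standing in for feed requests
SAMPLE_FEED_RESPONSES = {
    "activities feed": (401, {"WWW-Authenticate": 'Basic realm="Lotus Connections"'}, ""),
    "profiles feed": (200, {"Content-Type": "text/html"},
                      '<form action="/login"><input type="password" name="pw"></form>'),
    "blogs feed": (302, {"Location": "https://sso.example.com/login"}, ""),
}


def audit_feeds(responses):
    """Verdict per feed; a feed passes only when it prompts for Basic auth."""
    result = {}
    for name, (status, headers, body) in responses.items():
        verdict = classify_challenge(status, headers, body)
        result[name] = (verdict, verdict == "basic")
    return result


if __name__ == "__main__":
    for name, (verdict, ok) in audit_feeds(SAMPLE_FEED_RESPONSES).items():
        print(f"{name:16s} {verdict:16s} {'OK' if ok else 'FIX CONFIG'}")
```

To use it against a real deployment, replace the constructed dictionary with the status, headers and body captured from each feed URL while not logged in; any verdict other than basic on a feed means the form-authentication configuration is leaking onto feed paths.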
119. [2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID , application id LC_ID ] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID . The member was not updated since this action was disabled by the command.
120. Review the information from HR systems about the user identified by external id NEW_LDAP_ID and determine if this entry matches Benjamin Button or if the person has left the company.
141. V3 Single Sign On: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_single_signon_lc3
142. All about security in v3: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Security_lc3
143. Configuring SiteMinder with Lotus Connections 3.0: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Scenario_3_Setting_up_SiteMinder_Single_Sign-On_(SSO)_with_Lotus_Connections_3.0
145. Configuring IBM TAM with Lotus Connections 2.5: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_IBM_Tivoli_Access_Manager_SSO_for_IBM_Lotus_Connections_2.5
Lotus Connections supports the Internet Content Adaptation Protocol (ICAP), and its applications use this protocol to communicate with virus detection products. Ensure that the virus detection product used in your enterprise supports the ICAP 1.0 protocol. Lotus Connections is certified to work with Symantec AntiVirus Scan Engine 5.1 and McAfee Web Security Appliance (3400) and (3300).

Lotus® Connections provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them.

Any software that displays user-authored content can be vulnerable to cross-site scripting (XSS) attacks. Attackers can introduce JavaScript™ into their content that can, among other things, steal a user's session. Session stealing in a single sign-on (SSO) environment poses particular challenges because any vulnerability to XSS attacks can render the entire single sign-on domain vulnerable.
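An active content filter of the kind the notes refer to is an allow-list HTML rewriter: it keeps a small set of formatting tags, drops script-bearing elements together with their contents, removes event-handler attributes, and only keeps link and image URLs whose scheme is known to be safe. The block below is an added example written for this page, not the product's own filter; the allowed tag and attribute sets are assumptions chosen for illustration, and the sample inputs in the test are constructed.

```python
"""Allow-list active content filter for user-authored HTML.

Added example for this page; not the Lotus Connections implementation.
The tag and attribute allow-lists are assumptions for illustration.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
VOID_TAGS = {"br", "img"}                     # no closing tag emitted
DROPPED_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class ActiveContentFilter(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes entities, so an encoded "javascript:"
        # in an attribute is seen in clear and can be rejected
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0                 # >0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return                           # unknown tags vanish, their text stays
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            if name.startswith("on") or name == "style":
                continue                     # event handlers and inline CSS
            if name in URL_ATTRS and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue                     # javascript:, data:, vbscript: ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))   # re-escape decoded text


def filter_active_content(html):
    """Return the allow-listed rewrite of one user-authored HTML fragment."""
    f = ActiveContentFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)


if __name__ == "__main__":
    # constructed sample input
    sample = '<p onclick="x()">hi <script>steal()</script>there <a href="javascript:alert(1)">link</a></p>'
    print(filter_active_content(sample))
```

Because the parser rebuilds the output from the allow-list rather than deleting known-bad patterns, anything it does not recognise (a new tag, an attribute with an odd spelling, an entity-encoded scheme) is dropped by default, which is the property that matters in an SSO domain where one stored script runs with every user's session.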
SPNEGO = Simple and Protected Negotiation.
Portlets don't support SSO via TAM/SiteMinder/SPNEGO; they require LTPA.
Import the LTPA key and password from TAM into WebSphere and set the SSO domain name.
Do not use TAM components as a caching proxy; the configuration complexity is very high.
Lotus Connections only supports the WebSEAL Transparent Junction configuration.
Configure TAM for URL rewriting in XML and JavaScript content.
The TAM configuration setting 'use-same-session = yes' is required.
A TDI assembly line is made up of components (connectors, flow controls, loops, branches) that collect data from your source repositories and reformat it into the Profiles database.
Supports two-way synchronization of LDAP attributes.
Assembly line hooks are available for scripting and customization.
TDI should be used to initially populate Profiles and then run frequently to keep it in sync.
Connections release 3 allows you to mark a person as “inactive” when they aren't found in LDAP.
SyncAllMembersByExtId() takes several parameters that control how a mismatch is resolved: by a matching email address, by a matching login id, or left for later manual resolution.
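The CLFWY0242W message on slide 119, the "mark as inactive" option on the TDI slide and the SyncAllMembersByExtId() parameters describe one decision procedure per member: the stored external id is still in LDAP (nothing to do); it is gone but login or email identifies a new entry (update only if that resolution was enabled, otherwise report it for manual review); or nothing matches (mark inactive if enabled). The block below is an added example modelling that procedure, written for this page; it is not IBM's TDI or Connections code, its data classes, parameter names and all records are constructed, and it uses the deck's own identifiers (LC_ID, LDAP_ID, NEW_LDAP_ID) only as illustrative values.

```python
"""Model of the per-member decision made by SyncAllMembersByExtId.

Added example for this page; not IBM's TDI assembly line or Connections
code. Data classes, parameter names and records are constructed.
"""
from dataclasses import dataclass


@dataclass
class Member:
    app_id: str          # Connections-internal id (the LC_ID in CLFWY0242W)
    external_id: str     # LDAP external id as last synced (the LDAP_ID)
    login: str
    email: str
    name: str
    active: bool = True


@dataclass(frozen=True)
class LdapEntry:
    external_id: str
    login: str
    email: str


def sync_all_members_by_ext_id(members, ldap_entries, *, update_by_login=False,
                               update_by_email=False, mark_inactive=False):
    """Return [(app_id, action, detail)]; members are updated in place."""
    by_ext = {e.external_id: e for e in ldap_entries}
    by_login = {e.login.lower(): e for e in ldap_entries}
    by_email = {e.email.lower(): e for e in ldap_entries}
    report = []
    for m in members:
        if m.external_id in by_ext:
            report.append((m.app_id, "matched", m.external_id))
            continue
        # External id disappeared from LDAP: try the secondary keys, login first
        via, candidate = None, by_login.get(m.login.lower())
        if candidate is not None:
            via = "login"
        else:
            candidate = by_email.get(m.email.lower())
            if candidate is not None:
                via = "email"
        if candidate is None:
            if mark_inactive:            # release 3 behaviour when not found in LDAP
                m.active = False
                report.append((m.app_id, "marked-inactive", m.external_id))
            else:
                report.append((m.app_id, "not-found", m.external_id))
            continue
        enabled = (via == "login" and update_by_login) or (via == "email" and update_by_email)
        if enabled:
            old = m.external_id
            m.external_id = candidate.external_id
            report.append((m.app_id, "updated-via-" + via, f"{old}->{candidate.external_id}"))
        else:
            # The CLFWY0242W case: a match exists but updating was disabled,
            # so HR data for the new external id must be reviewed by hand
            report.append((m.app_id, "needs-review", f"{via}:{candidate.external_id}"))
    return report


def sample_members():
    """Constructed Profiles rows; LDAP_ID / NEW_LDAP_ID follow the deck's message."""
    return [
        Member("LC_ID", "LDAP_ID", "bbutton", "bbutton@example.com", "Benjamin Button"),
        Member("LC_2", "LDAP_1002", "dfuller", "dfuller@example.com", "Daisy Fuller"),
        Member("LC_3", "LDAP_1003", "gone", "gone@example.com", "Left The Company"),
    ]


# Constructed LDAP snapshot: Benjamin's entry was re-created with a new external id
SAMPLE_LDAP = [
    LdapEntry("NEW_LDAP_ID", "bbutton", "bbutton@example.com"),
    LdapEntry("LDAP_1002", "dfuller", "dfuller@example.com"),
]


if __name__ == "__main__":
    for row in sync_all_members_by_ext_id(sample_members(), SAMPLE_LDAP):
        print(*row)
```

The report is the artefact a batch job would consume: because external ids are consistent across all Connections applications, one needs-review line resolved once can drive the same update in every application, which is the point of the batch-command advice that follows.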
Use batch commands: external ids are consistent across all applications. Investigate once, then create a batch script to update across all apps.
Returning users can be re-linked with their old data: ProfilesService.swapUserAccessByUserId("oldUserId","newUserId")