JMP105 JumpStart: Single Sign-on (SAML) Administration Basics


Slide 1: JMP105 JumpStart: Single Sign-on (SAML) Administration Basics
Jane Marcus, Senior software engineer, IBM
2014 IBM Corporation

Slide 2: Agenda
- Single sign-on introduction
- SAML concepts
- Domino 9.x web server authentication using SAML
  - Troubleshooting
- Web federated login
  - Troubleshooting
- Notes Federated Login
  - Troubleshooting
- Q&A

Slide 3: Single sign-on (SSO) environment
(Diagram: Browser, IBM Notes, IBM Sametime, IBM SmartCloud, IBM Connections, IBM iNotes mail, facebook)
- Services on-premises, cloud services, third party services.
- User doesn't want multiple password prompts.

Slide 4: Fewer password prompts. Fewer passwords in general.
We need single sign-on (SSO) because:
- High administrative cost for managing passwords.
- Users can't remember a lot of passwords.
- Password prompts are annoying.
- Many different passwords lead to lower security.
If we use cryptographic mechanisms instead of passwords, we can improve security and minimize cost.

Slide 5: Security Assertion Markup Language (SAML)
- SSO public standard from OASIS.
- One SSO approach for countless different products!
- Many implementations available from IBM and third party providers, including open source implementations.
- Many organizations currently use SAML for web SSO.

Slide 6: How is SSO possible across third party applications?
- User's identity is represented in a signed XML assertion.
  - Public standard provides the specification for the assertion format.
  - User may be known to applications across domains and across corporations.
  - Usually the SAML assertion contains the user's address.
- A service receives the user's identity assertion.
  - The assertion must pass cryptographic verification.
  - The service doesn't need the user's password to know who the user is.
- (Optional, but recommended) the SAML assertion is encrypted.
  - Private unique identity information could be included in a SAML assertion.

Slide 7: Eliminate or minimize password prompting with Notes/Domino 9.x SAML features
- Web user SAML authentication when accessing Domino 9.x web URLs.
- SAML authentication for accessing iNotes 9.x secure mail.
  - Feature name: Web federated login
- Notes 9.x user SAML authentication at Notes startup.
  - Feature name: Notes federated login
- Notes plugins and accounts using SAML for accessing web URLs, including IBM SmartCloud.

Slide 8: Agenda (same items as slide 2)

Slide 9: SAML Federated Identity architecture
- SAML Identity Provider (IdP): the server creating the SAML assertion, backed by a Directory.
- Service Provider (SP), for example Domino 9.x: the server processing the SAML assertion.
- Clients used for accessing services: Browser; Notes 9.x (standard) with embedded browser.

Slide 10: SAML Identity Provider (IdP)
Authenticates the user and creates the user's SAML assertion.
(Diagram: IdP, Directory)
- Knows about user names, passwords.
- Might be able to authenticate the user via Integrated Windows Authentication (SPNEGO/Kerberos), or an alternate non-password method.
- Prepares credentials (SAML identity assertion) for the user: "IdP authenticated user x at time y".
- Notes/Domino 9.x is integrated with these IdPs:
  - Microsoft ADFS 2.0 integrated with Active Directory
  - IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)
  - Other IdPs are not supported, but might work.

Slide 11: Federated identity using SAML assertions
Why is it a good thing for security?
- Minimized use of password (only handled by the IdP, if required).
- Authenticate once to the IdP. The IdP may remember the user.
- SSO is achieved if applications use the same IdP, or...
- SSO is achieved if authentication at the IdP is transparent to the user.
- Customers can use/control their own on-premises IdP.
- Less user data redundancy.
- Goal: password info is unavailable to crackers wanting to launch an offline password guessing attack.
(Diagram: Directory, Browser)

Slide 12: SAML Assertion Security Overview
- User's identity is represented in a signed XML assertion.
- Standards-based Internet certificates and keys are used.
- Where did this assertion come from? Has it been tampered with? PKI-based signature:
  - Server creating the assertion has a certificate with a private key, public key pair:
    - Server creating the assertion signs it using its private key.
    - Server processing the assertion validates the signature using the trusted signer's public key.
- Information privacy: PKI-based encryption.
  - Server processing the assertion has a certificate with a private key, public key pair:
    - Server creating the assertion encrypts with the processing server's public key.
    - Processing server decrypts the assertion using its private key.

Slide 13: Agenda (same items as slide 2)

Slide 14: Domino 8.5x web server authentication
- In Domino 8.5x, the user browses to a Domino URL.
- User is challenged for user name and password.
- Domino handles password verification.

Slide 15: Domino 8.5x Windows single sign-on for Web clients
- User browses to a Domino URL, and is not challenged for username and password.
- For Intranet access only.
- Domino server is required to be on the Windows platform only.

Slide 16: Domino 9.x web server SAML authentication
- Domino server can be on any supported platform.
- SSO options for the Internet and Intranet.
- The SAML IdP takes responsibility to authenticate the user.
- Best SSO interoperability with third party applications.

Slide 17: Domino 9.x web server SAML authentication: no password
- The SAML IdP may be able to authenticate the user with a non-password method: Integrated Windows Authentication (SPNEGO/Kerberos) for the Intranet.
- The user starts browsing the Domino URL without any prompting.
- The user does not need any Domino HTTP password.

Slide 18: Domino 9.x web server SAML authentication: password at IdP
The user browses to a Domino URL:
- The user does not need any Domino HTTP password.
- The SAML IdP takes responsibility to authenticate the user.
  - SAML IdP's login web page prompts for the password.
  - The SAML IdP verifies the user's password.
  - IdP remembers the user so that additional prompts are not needed.

Slide 19: Domino web server authentication using SAML
(Diagram participants: Web Browser, SAML IdP, Domino)

Slide 20: Domino web server authentication using SAML
(Diagram participants: Web Browser, SAML IdP, Domino)
1. User browses to URL at Service Provider (SP)
2. SP redirects browser to SAML Identity Provider (IdP)

Slide 21: Domino web server authentication using SAML
(Diagram participants: Web Browser, SAML IdP, Domino)
1. User browses to URL at Service Provider (SP)
2. SP redirects browser to SAML Identity Provider (IdP)
3. User authenticates to IdP
4. IdP returns SAML assertion

Slide 22: Domino web server authentication using SAML
(Diagram participants: Web Browser, SAML IdP, Domino)
1. User browses to URL at Service Provider (SP)
2. SP redirects browser to SAML Identity Provider (IdP)
3. User authenticates to IdP
4. IdP returns SAML assertion
5. POST containing the SAML assertion to the SP
6. SP returns a session cookie to the client

Slide 23: Domino web server authentication using SAML
(Diagram participants: Web Browser, SAML IdP, Domino)
1. User browses to URL at Service Provider (SP)
2. SP redirects browser to SAML Identity Provider (IdP)
3. User authenticates to IdP
4. IdP returns SAML assertion
5. POST containing the SAML assertion to the SP
6. SP returns a session cookie to the client
7. Browser sends session cookie with user request for URL

Slide 24: Web client: Third party browser application
(Diagram participants: Web Browser, SAML IdP, Domino, facebook)
- If a third party application is configured to trust the same SAML IdP, the authenticated user achieves SSO.

Slide 25: SAML deployment overview
- Deploy a SAML IdP on-premises (we have cookbooks to assist you).
  - Customers desiring an all-IBM solution will use IBM TFIM.
  - For customers with a large Windows deployment, Microsoft ADFS with Active Directory may be a common choice.

Slide 26: SAML deployment overview
- Deploy a SAML IdP on-premises.
  - Customers desiring an all-IBM solution will use IBM TFIM.
  - For customers with a large Windows deployment, we expect Microsoft ADFS with Active Directory may be a common choice.
- Configure Domino idpcat.nsf.

Slide 27: Domino IdP catalog (idpcat.nsf)
- Use the idpcat.ntf template.
- Database must be called idpcat.nsf.
- Special database containing trusted identity providers and their certificates.

Slide 28: SAML deployment overview
- Deploy a SAML IdP on-premises.
  - Customers desiring an all-IBM solution will use IBM TFIM.
  - For customers with a large Windows deployment, we expect Microsoft ADFS with Active Directory may be a common choice.
- Configure Domino idpcat.nsf.
  - Import IdP information into the idpcat.nsf, so that Domino trusts the IdP. Idpcat contains the IdP's login URL and the IdP's certificate.
  - Export Domino information to bring to the IdP.

Slide 29: SAML deployment overview
- Deploy a SAML IdP on-premises.
  - Customers desiring an all-IBM solution will use IBM TFIM.
  - For customers with a large Windows deployment, we expect Microsoft ADFS with Active Directory may be a common choice.
- Configure Domino idpcat.nsf.
  - Import IdP information into the idpcat.nsf, so that Domino trusts the IdP. Idpcat contains the IdP's login URL and the IdP's certificate.
  - Export Domino information to bring to the IdP.
- Configure the IdP to know about Domino.
  - Configure a partnership between the IdP and Domino, including the Domino URL to send the SAML assertion to.

Slide 30: SAML deployment overview
- Deploy a SAML IdP on-premises.
  - Customers desiring an all-IBM solution will use IBM TFIM.
  - For customers with a large Windows deployment, we expect Microsoft ADFS with Active Directory may be a common choice.
- Configure Domino idpcat.nsf.
  - Import IdP information into the idpcat.nsf, so that Domino trusts the IdP. Idpcat contains the IdP's login URL and the IdP's certificate.
  - Export Domino information to bring to the IdP.
- Configure the IdP to know about Domino.
  - Configure a partnership between the IdP and Domino, including the Domino URL to send the SAML assertion to.
- Enable SAML authentication in the Domino web server.

Slide 31: Domino web server configured for SAML authentication
- Internet site document or server document specifies SAML.
- Also specify the type of session cookie to be used:
  - Single server session cookie (default, see below)
  - Web SSO Configuration: LTPA session cookie, if needed to facilitate SSO with other IBM applications

Slide 32: IdP administrator decisions
IdP administrator:
- Manages the SAML federation (at ADFS or TFIM IdP).

Slide 33: SAML 2.0 vs SAML 1.1 federation
- SAML 2.0 and 1.1 assertions have different formats.
- New SAML deployments typically use SAML 2.0.
- SAML 2.0 supports encrypted assertions.
- Consider the applications for which SSO is needed.
  - Domino supports SAML 2.0 and SAML 1.1
  - IBM SmartCloud supports SAML 2.0 and SAML

Slide 34: Configure SSL for the IdP
- IdP operations require an SSL connection.
- IdP can use either a CA-signed or a self-signed SSL certificate.
  - A self-signed certificate requires a specific keyusage setting, including "keycertsign" and "crlsign".
  - Creating a self-signed certificate for an ADFS IdP has a special procedure documented in IBM technote #

Slide 35: Configure SSL for the IdP
- IdP operations require an SSL connection.
- IdP can use either a CA-signed or a self-signed SSL certificate.
  - A self-signed certificate requires a specific keyusage setting, including "keycertsign" and "crlsign".
  - Creating a self-signed certificate for an ADFS IdP has a special procedure documented in IBM technote #
- Trust setup for Domino, if participating in an SSL connection to the IdP:
  - Export a copy of the Internet SSL certificate from your IdP federation (ADFS or TFIM).
  - Import the SSL certificate into the Domino Directory.
  - Cross-certify the SSL certificate.

Slide 36: Review: authentication using SAML (part one)
(Diagram participants: Web Browser, SAML IdP, Domino)
1. User browses to URL at Service Provider (SP)
2. SP redirects browser to SAML Identity Provider (IdP)
3. User authenticates to IdP
4. IdP returns SAML assertion

Slide 37: IdP login setup
IdP administrator:
- Manages the SAML federation (at ADFS or TFIM IdP).
- Decides how users will authenticate to the IdP:
  - IWA (Kerberos) for Intranet transparent login.
  - Password for Internet.
  - Possible to configure a non-password authentication method.

Slide 38: IdP directory user records
IdP administrator:
- Manages the SAML federation (at ADFS or TFIM IdP).
- Decides how users will authenticate to the IdP.
- Manages (or works with the manager of) the IdP's directory user records.
  - The IdP's directory is an LDAP directory.
  - All SAML users must have an assigned address.
  - SAML assertion contains the user's address.

Slide 39: IdP partnership (relying party) configuration specifies how to find the user's address

Slide 40: IdP partnership with Domino
IdP administrator:
- Manages the SAML federation (at ADFS or TFIM IdP).
- Decides how users will authenticate to the IdP.
- Manages (or works with the manager of) the IdP's directory user records.
- Manages IdP partnerships with SAML service providers (Domino server).

Slide 41: Review: authentication using SAML (part two)
(Diagram participants: Web Browser, SAML IdP, Domino)
1. User browses to URL at Service Provider (SP)
2. SP redirects browser to SAML Identity Provider (IdP)
3. User authenticates to IdP
4. IdP returns SAML assertion
5. POST containing the SAML assertion to the SP

Slide 42: SAML IdP is configured to know about Domino
- Domino URL to redirect to, with the user's SAML assertion:
  - Domino Web server command: SAMLLogin
  - When receiving this command, Domino knows that SAML is in progress.

Slide 43: IdP administrator sets up partnership with Domino
IdP administrator:
- Manages the SAML federation (at ADFS or TFIM IdP).
- Decides how users will authenticate to the IdP.
- Manages (or works with the manager of) the IdP's directory user records.
- Manages IdP partnerships with SAML service providers (Domino server).
- Decides with the Domino administrator whether SAML assertions must be encrypted.
  - Encrypted assertions require a Domino certificate.
  - Additional steps at the IdP to configure use of encryption.

Slide 44: IdP metadata
IdP administrator:
- Manages the SAML federation (at ADFS or TFIM IdP).
- Decides how users will authenticate to the IdP.
- Manages (or works with the manager of) the IdP's directory user records.
- Manages IdP partnerships with SAML service providers (Domino server).
- Decides with the Domino administrator whether SAML assertions must be encrypted.
  - Encrypted assertions require a Domino certificate.
  - Additional steps at the IdP to configure use of encryption.
- Provides the Domino administrator with the IdP metadata file for the federation.

Slide 45: Cooperating administrators: Domino setup to trust the IdP
IdP administrator: (as above)
Domino administrator:
- Creates and deploys the idpcat.nsf.
- Decides whether to replicate the idpcat.nsf between Domino servers that share the same Domino directory.
  - Separate idpcat.nsf on each Domino SAML server, or
  - Shared, replicated idpcat.nsf

Slide 46: Domino IdP catalog (idpcat.nsf)
- Prevent attacks by deploying a very restrictive ACL on idpcat. That's why this highly sensitive configuration isn't in the directory!
- If the idpcat.nsf with intact configuration is present on the server: the server enforces the SAML authentication configured in idpcat.nsf, even if the Domino directory configuration does not specify use of SAML.

Slide 47: Domino Internet site for SAML
Domino administrator:
- Creates and deploys the idpcat.nsf.
- Decides the security configuration per deployed Internet site. Example deployment:
  - Internet Site for users who should not be authenticated by SAML. » URL
  - Internet Site for users in Active Directory who should be authenticated by the ADFS IdP. » URL

Slide 48: Cooperating administrators: Domino administrator and multiple IdP administrators?
Domino administrator:
- Creates and deploys the idpcat.nsf.
- Decides the security configuration per deployed Internet site. Example deployment:
  - Internet Site for users who should not be authenticated by SAML.
  - Internet Site for users in Active Directory who should be authenticated by the ADFS IdP.
- May want some servers/URLs serviced by one IdP, and other servers/URLs serviced by an alternate IdP.

Slide 49: Which IdP will authenticate Domino Web users?
- A Domino URL corresponds to a particular Internet site (or server config).
- Idpcat.nsf has a document for each Internet site (or server config) supporting SAML authentication.

Slide 50: Create SAML partnership between Domino and trusted IdP in an idpcat.nsf document
- Import the IdP's information using the metadata file supplied by the IdP administrator.

Slide 51: Create SAML partnership between Domino and trusted IdP in an idpcat.nsf document
- Import the IdP's information using the metadata file supplied by the IdP administrator.
- Domino Internet certificate required for SAML 2.0.
  - You can use an existing certificate for Domino with SAML. Use the Domino server console certmgmt command for SAML operations.
  - Or you can create a new certificate.

Slide 52: Create SAML partnership between Domino and trusted IdP in an idpcat.nsf document
- Import the IdP's information using the metadata file supplied by the IdP administrator.
- Domino Internet certificate required for SAML 2.0.
  - You can use an existing certificate for Domino with SAML. Use the Domino server console certmgmt command for SAML operations.
  - Or you can create a new certificate.
- Domino Internet certificate required for encrypted assertions.
  - You can use Domino's certificate for the SAML 2.0 partnership to also be used with SAML assertion encryption.

Slide 53: Creating SAML certificates with idpcat or Domino server console command
- Create a new Domino certificate using the idpcat Certificate Management tab.
  - Prerequisites for running the idpcat agents on the Domino server: the administrator is listed (or belongs to a group) in:
    - Full Access administrators in the server document in the Domino directory,
    - Administrators in the server document,
    - Sign or run unrestricted methods and operations in the server document.

Slide 54: Creating SAML certificates with idpcat or Domino server console command
- Create a new Domino certificate using the idpcat Certificate Management tab.
  - Prerequisites for running the idpcat agents on the Domino server: the administrator is listed (or belongs to a group) in:
    - Full Access administrators in the server document in the Domino directory,
    - Administrators in the server document,
    - Sign or run unrestricted methods and operations in the server document.
- Or create a new Domino certificate using the certmgmt console command.
  - Required if the server id file is password protected.

Slide 55: Creating SAML certificate
- Visit the idpcat document, Certificate Management tab.
- Create a self-signed certificate, added to the Domino server id file.
- Once the cert is created, you will see its hash reported in the UI.

Slide 56: Typical errors creating a SAML certificate in idpcat.nsf
The idpcat document property "NotesError" is helpful to diagnose the most recent error:
- "You are not authorized to perform that function"
  - Action: Check permissions in the server document Security tab.
- "Cannot accept internet certificate because the certificate is already in the ID file."
  - Action: Use a different certifier name (company name).

Slide 57: Updating SAML certificate
- If you want to use a different certificate later, you must update the certificate public hash value:
  - Server console "certmgmt show all" to research hash values.
- Export to XML file, for configuring the partnership at the IdP.

Slide 58: Export XML: Export metadata to give to the IdP administrator
- SAML 2.0 partnerships at the IdP may require a Domino metadata file.
- Prerequisites for successful metadata file export:
  - Create (or re-use an existing) certificate, and Company name.
  - Enter a Single logout URL (even if your IdP doesn't support one).
  - Enter a valid (partial) Domino URL for the Domino web server. Specify https if Domino is configured for SSL.

Slide 59: Must the Domino deployment include SSL (HTTPS)?
- At the IdP, SSL is required. Used to protect any password challenge to the user during login.
- At a Domino SAML-enabled server, SSL is optional.
  - TFIM IdP can either be configured to expect SSL at Domino URLs, or not.
  - Microsoft ADFS IdP requires that the Domino server be configured for SSL.

Slide 60: SSL at Domino is always recommended for security
- The user's SAML assertion is sent by HTTP protocols. HTTPS is always recommended.
- If SSL is not used to encrypt the channels to Domino:
  - Eavesdropper steals the identity assertion. Good for a short period of time.
  - Eavesdropper steals the session cookie. Good for an administrator-configured period of time.

Slide 61: SSL deployment at Domino
Domino administrator:
- Creates and deploys the idpcat.nsf.
- Decides the security configuration per deployed Internet site.
- May cooperate with multiple IdPs.
- Determines SSL deployment per Internet site.
  - If multiple SSL-protected Internet sites are serviced on one Domino server:
    - Each site needs its own https URL.
    - Each site needs its own SSL keyring file.
    - Each site needs its own IP address.

Slide 62: Agenda (same items as slide 2)

Slide 63: Debug prerequisite
Before turning on SAML authentication:
- Make sure SSL is deployed properly (if required).
- Make sure the Web server is functioning properly for session authentication:
  - Single server session, or
  - Multi-server session (LTPA)
- Test the session and SSO behavior across Domino URLs.

Slide 64: Synchronize clocks!
- SAML assertions contain timestamps.
- If the Domino server machine's time is behind the SAML IdP machine's time: SAML assertions received by Domino are invalid due to already being expired.
  - Domino notes.ini SAML_NotOnOrAfterSkewInMinutes
    - Allows up to n extra minutes in the 'not after' timestamp check on the SAML assertion.
    - Positive integer (any minus sign will be ignored), with a maximum of 10 minutes.
- If the Domino server machine's time is ahead of the SAML IdP machine's time: SAML assertions received by Domino are invalid due to specifying a future time.
  - Domino notes.ini SAML_NotBeforeSkewInMinutes
    - Allows up to n extra minutes in the 'not before' timestamp check on the SAML assertion.
    - Positive integer (any minus sign will be ignored), with a maximum of 10 minutes.

Slide 65: Debug assistance at the Domino server console: DEBUG_SAML
DEBUG_SAML flags:
#define SAML_DEBUG_HTTP          0x0001 /* Debug output contains information from http side. */
#define SAML_DEBUG_PARSE         0x0002 /* Debug output contains SAML parse information. */
#define SAML_DEBUG_ERRORS        0x0004 /* Debug output only contains errors. */
#define SAML_DEBUG_DECODE_ASSERT 0x0008 /* Debug to dump decoded assertion. */
#define SAML_DEBUG_IDPCAT        0x0010 /* Debug to trace idpcat activity */
#define SAML_DEBUG_CERT          0x2000 /* Debug output for certificate management */
Example server console logging notes.ini setting: DEBUG_SAML = 31 (0x001F, i.e. the first five flags combined).

Slide 66: Debug tips in addition to DEBUG_SAML
- Domino must resolve the name in the SAML assertion to the Domino name. Server ini: WEBAUTH_VERBOSE_TRACE=1
- Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino.
  - Is the user properly prompted by the IdP (if a password prompt is required)?
  - If Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see the Kerberos ticket for the user to the SAML IdP.
- Use Fiddler or Firebug for a network trace. Check the HTTP POST with the SAML assertion.

Slide 67: Viewing SAML Assertions
For a SAML assertion saved to file:
- Open a text editor to view the SAML assertion file.
- Open a tool or web site that can do base 64 decoding.
  - From the text editor, copy the base 64 encoded assertion.
  - Paste the base 64 encoded assertion into the decoder tool, and decode.
- Open a new text editor window, copy the decoded assertion. Save to file, providing a file extension of .xml
- Open the IE browser, enter the path to the .xml file.

Slide 68: Seeing the SAML Assertion content outside of Domino
- The IdP sends the SAML assertion to Domino in an HTTP POST.
- If we view the source of the HTTP POST, it looks something like this.
- The SAML response contains the base 64 encoded SAML assertion.
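The manual decode-and-inspect procedure of the two slides above, together with the NotBefore/NotOnOrAfter skew rules from slide 64, as an added Python example; it is not Domino code and not part of the presentation. The POST body and assertion are constructed for illustration, and the host names, the names.nsf?SAMLLogin destination, and the use of a plaintext (unsigned, unencrypted) assertion are assumptions; signature verification is deliberately out of scope.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote

NS = {  # SAML 2.0 protocol and assertion namespaces
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: an unsigned, unencrypted SAML 2.0 response used only to
# exercise the functions below. The host names and the Destination URL are
# assumptions made for this example, not values from the presentation.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-01-28T15:00:00Z"
    Destination="https://domino1.example.com/names.nsf?SAMLLogin">
  <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-28T15:00:00Z">
    <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-28T15:00:00Z" NotOnOrAfter="2014-01-28T15:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""

def build_post_body(response_xml: str) -> str:
    """Form-encode a response the way the browser POSTs it to the SP (SAMLResponse field)."""
    b64 = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return "SAMLResponse=" + quote(b64, safe="")

def decode_saml_response(post_body: str) -> ET.Element:
    """Reverse the POST: pull SAMLResponse from the form body and base64-decode it.
    This is the slides' manual decode step in code; the XML is parsed for inspection
    only. Signature verification and decryption, which the SP must do before trusting
    anything in the assertion, are out of scope here."""
    fields = parse_qs(post_body, strict_parsing=True)
    raw = base64.b64decode(fields["SAMLResponse"][0], validate=True)
    return ET.fromstring(raw)

def find_assertion(response: ET.Element) -> ET.Element:
    """Return the plaintext assertion; an EncryptedAssertion would need decrypting first."""
    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext saml:Assertion (encrypted, or not SAML 2.0?)")
    return assertion

def subject_email(assertion: ET.Element) -> str:
    """The NameID that, per the slides, Domino must resolve to a Domino user name."""
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    return name_id.text.strip()

def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ('Z' suffix), with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAML timestamp: %r" % value)

def effective_skew_minutes(ini_value) -> int:
    """Skew as slide 64 describes SAML_NotBeforeSkewInMinutes and
    SAML_NotOnOrAfterSkewInMinutes: positive integer, any minus sign ignored,
    maximum 10 minutes. An unset value means no extra slack."""
    if ini_value is None or str(ini_value).strip() == "":
        return 0
    return min(abs(int(str(ini_value).strip())), 10)

def check_conditions(assertion: ET.Element, now: datetime,
                     not_before_skew=None, not_on_or_after_skew=None):
    """Return (ok, reason) for the assertion's Conditions at UTC time `now`."""
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return False, "assertion has no Conditions element"
    before_slack = timedelta(minutes=effective_skew_minutes(not_before_skew))
    after_slack = timedelta(minutes=effective_skew_minutes(not_on_or_after_skew))
    not_before = conditions.get("NotBefore")
    if not_before and now < parse_saml_time(not_before) - before_slack:
        return False, "not yet valid: NotBefore=%s is in the future" % not_before
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after) + after_slack:
        return False, "expired: NotOnOrAfter=%s has passed" % not_on_or_after
    return True, "within validity window"

if __name__ == "__main__":
    a = find_assertion(decode_saml_response(build_post_body(SAMPLE_RESPONSE_XML)))
    print("subject:", subject_email(a))
    clock = parse_saml_time("2014-01-28T15:06:00Z")  # Domino clock a minute past expiry
    print(check_conditions(a, clock))
    print(check_conditions(a, clock, not_on_or_after_skew="-2"))
```

Feeding a real captured POST body into decode_saml_response gives the same decoded XML the slide's text-editor procedure produces; check_conditions then shows whether a clock-skew setting would have rescued a rejected assertion.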

Slide 69: Sample decoded SAML 2.0 encrypted assertion

Slide 70: Sample decoded SAML 1.1 assertion

Slide 71: Agenda (same items as slide 2)

Slide 72: iNotes 8.5x secure mail
- Secure mail (encrypted or signed) requires the Notes id file.
- Prompt the user for the Notes id password (sometimes avoided when the user's iNotes login password is the same as the Notes id password).
- The user's Notes id might be stored in the mailfile. Password needed to unlock the Notes id.
- The user's Notes id might be in the ID vault. Password needed to authenticate to the ID vault to request id download.
(Diagram: mail/jdoe.nsf, iNotes, ID Files, Browser, ID vault)

Slide 73: 9.x Web federated login: Fewer password prompts, fewer passwords in general.
- iNotes secure mail automates the download of the Notes id file from the id vault.
- iNotes uses SAML authentication to the ID vault to avoid the Notes id password prompt.
- The Notes id is stored in the vault, and not in the mailfile.
- The Notes id is downloaded and stored in memory when being used.
(Diagram: mail/jdoe.nsf, iNotes, ID Files, Browser, ID vault; Notes RPC to authenticate to the ID vault using SAML)

Slide 74: Web federated login: user's id is in the ID vault
- If the Notes ID vault does not already exist: the vault administrator creates the vault.
- The user's security policy provides the name of the user's ID vault. The Domino administrator manages the security policy.

Slide 75: User's policy configured for Web federated login

Slide 76: Notes NRPC channel to the Notes ID vault
- An ID vault server usually is not configured for HTTP(S). It may be risky to open the HTTP(S) port on the vault server.
- SAML protocols use HTTP (usually HTTPS).
- iNotes will participate in SAML on behalf of the ID vault.
- iNotes communicates with the ID vault using Notes NRPC. The NRPC encrypted channel protects communication with the vault instead of SSL.

Slide 77: Web federated login
(Diagram participants: Web Browser, SAML IdP, iNotes, ID vault)
[Web server SAML authentication resulting in a session cookie]

Slide 78: Web federated login
(Diagram participants: Web Browser, SAML IdP, iNotes, ID vault)
[Web server SAML authentication resulting in a session cookie]
1. NRPC request for id download
2. Vault returns IdP URL

Slide 79: Which IdP will be used to authenticate users to the vault?
- The Notes ID vault administrator decides whether SAML authentication to the vault is allowed.
- Edits the vault control document to name any approved idpcat configuration documents.

Slide 80: On the ID vault server, idpcat.nsf contains a vault partnership
- For the vault partnership, prepend "vault." to the iNotes server name.
  - iNotes server: domino1.us.renovations.com
  - Vault partnership name: vault.domino1.us.renovations.com
- The name given to the vault partnership need not be a valid DNS name, but must look valid to the IdP.
  - The IdP wants entries to look like DNS names with HTTPS URLs.
  - The IdP does NOT send anything directly to the vault server.
  - Do NOT specify an IP address.

Slide 81: Web federated login
(Diagram participants: Web Browser, SAML IdP, iNotes, ID vault)
[Web server SAML authentication resulting in a session cookie]
1. NRPC request for id download
2. Vault returns IdP URL
3. iNotes redirects browser to SAML IdP

Slide 82: Web federated login
(Diagram participants: Web Browser, SAML IdP, iNotes, ID vault)
[Web server SAML authentication resulting in a session cookie]
1. NRPC request for id download
2. Vault returns IdP URL
3. iNotes redirects browser to SAML IdP
4. User authenticates to IdP
5. IdP returns SAML assertion

Slide 83: Metadata for the vault partnership is exported to bring to the IdP
- Domino URL contains the URL of the iNotes server.
- Domino URL does NOT contain the partnership name vault.domino1.us.renovations.com.
- Domino URL is a (partial) URL where the server will receive the SAML assertion.
  - The iNotes server receives the SAML assertion.
  - The iNotes server sends the assertion to the vault server over NRPC.

Slide 84: At the IdP, iNotes URL configured for ID download
- iNotes URL to redirect to with the user's SAML assertion:
  - Domino Web server command: SAMLIDLogin
  - When receiving this command, iNotes knows that ID download from the vault is in progress. NRPC to the vault will be used to send the assertion.

Slide 85: Web federated login
(Diagram participants: Web Browser, SAML IdP, iNotes, ID vault)
[Web server SAML authentication resulting in a session cookie]
1. NRPC request for id download
2. Vault returns IdP URL
3. iNotes redirects browser to SAML IdP
4. User authenticates to IdP
5. IdP returns SAML assertion
6. POST containing SAML assertion sent to iNotes

Slide 86: Web federated login
(Diagram participants: Web Browser, SAML IdP, iNotes, ID vault)
[Web server SAML authentication resulting in a session cookie]
1. NRPC request for id download
2. Vault returns IdP URL
3. iNotes redirects browser to SAML IdP
4. User authenticates to IdP
5. IdP returns SAML assertion
6. POST containing SAML assertion sent to iNotes
7. Assertion sent via NRPC
8. Vault returns unlocked id file

Slide 87: 9.x Web federated login requirements summary
- The iNotes server is configured for SAML authentication.
  - Usually the session cookie will be LTPA (instead of the single server session cookie) to achieve SSO with Sametime awareness.
- A SAML partnership with the IdP is set up on behalf of the ID vault.
  - Setup required at the IdP.
  - Idpcat document for the vault, and SAML certificate for SAML 2.0.
- The vault administrator configures the ID vault to allow SAML authentication.
- The user's policy supports federated login:
  - The user's id is stored in the ID vault.
  - The user's policy enables Web federated login.

Slide 88: Policy can require SAML-only authentication to the ID vault
- Download of the id from the vault could be done by:
  - SAML authentication, OR
  - (optional) Password last known to the id vault

Slide 89: Idpcat.nsf deployment best practice
- Typically all vault server replicas will share the same idpcat.nsf.
- Typically all vault server replicas will share the same SAML Internet certificate.
  - Desirable to have an encrypted assertion be decrypted by any vault server replica.

Slide 90: Agenda (same items as slide 2)

Slide 91: Common problem: only one partnership
Web federated login ALWAYS requires 2 partnerships for the iNotes server, declared at the IdP and in idpcat.nsf:
1. iNotes server
   - SSO service URL includes the SAMLLogin command
2. iNotes server communicating with the ID vault
   - "vault." is prepended to the iNotes DNS name
   - SSO service URL includes the SAMLIDLogin command

Slide 92: Other useful server ini settings in addition to DEBUG_SAML
- iNotes and the ID vault server each need to resolve the name in the SAML assertion to the Domino name. Server ini: WEBAUTH_VERBOSE_TRACE=1
- Diagnosing vault transaction problems: Server ini: Secure_log = 2
- Problem with the in-memory id file: Server ini: DEBUG_MMFILE=1

93 Agenda: Single sign-on introduction; SAML concepts; Domino 9.x web server authentication using SAML; Troubleshooting; Web federated login; Troubleshooting; Notes Federated Login; Troubleshooting; Q&A

94 8.5x Notes Login
User is challenged for the password of the Notes ID file.

95 9.x Notes Federated Login
Use SAML authentication to log in to Notes:
- The SAML IdP authenticates the Notes user. The IdP is usually configured for Kerberos-based authentication to avoid a password prompt for the user.
- The Notes id is downloaded from the ID vault, and stored in memory while being used. The user is operating online.
- Works great with Notes on Citrix!
[Diagram: Notes client, Directory, ID Files, Domino ID vault]

96 Notes Federated Login: No password prompt
User logs into Notes without entering the Notes password. The SAML IdP is configured to use IWA (Kerberos) authentication on Windows.

97 Notes Federated Login: Form-based authentication
User logs into Notes by providing username/password in the SAML IdP's login page.

98 Prerequisites
- Notes Client 9.x
- Notes standard client (not supported: Notes basic client)
- Domino Server 9.x
- User ID must be stored in the Notes ID vault.
[Diagram: Directory, ID Files, ID vault, Domino]

99 Prerequisite: Users must remove the old feature Notes client single logon
- Notes single logon synchronizes the Notes id password with the Windows password.
- The policy to deploy Notes federated login will not be applied if the Notes client single logon feature has been installed.
- Client single logon is not supported with ID vault, and cannot coexist with Notes federated login.
- Remove single logon (see full details in the Domino wiki), either by de-selecting Client Single Logon in the Notes installation program, or by using the Windows utility SC.exe.

100-106 Notes federated login sequence (Standard Notes client, SAML IdP, Domino ID vault; built up one step per slide over slides 100 to 106)
1. Check the user's policy, find the user's vault.
2. NRPC request for id download.
3. Vault returns the IdP URL.
4. Notes embedded browser sends an HTTP request to the SAML IdP.
5. User authenticates to the IdP.
6. IdP returns the SAML assertion.
7. Notes extracts the assertion from the IdP's response (DOM API).
8. Notes sends the assertion to the vault via NRPC.
9. Vault returns the unlocked id file.

107 Not compatible, or only partially compatible, with Notes Federated Login
- Smartcard-protected ID
- Notes roaming user whose ID file is stored on the server in a roaming personal address book
- Notes on a USB device
- Notes user IDs with multiple passwords
- Server-based password checking for Notes users: Domino 9.x servers will ignore password checking if it is configured in policy together with federated login.

108 idpcat.nsf and the IdP configuration typically are similar to Web federated login, but with fewer restrictions
- Follow the "vault." recommendation, similar to Web federated login, or
- It is possible for Notes federated login to re-use an existing partnership for the Domino web server on the same host (shown below).

109 Client settings tab

110 Configuring the ID vault for Notes federated login
The Notes ID vault administrator decides whether SAML authentication to the vault is allowed, and edits the vault control document to name any approved idpcat configuration documents.

111 Security settings policy to apply Notes federated login configuration to users
Be careful about the Domino administrator's login policy!

112-113 New user with Notes federated login: Provide an administrative deploy.nsf
- New user starting for the first time.
- Notes.ini set up on the local machine, with the user's Notes name.
- Administrator facilitates automated id file download from the id vault: deploy.nsf ensures the required certificates are available:
  - Notes organization certifier certificate
  - Internet cross certificate to the SAML IdP's SSL certificate.
- If deploy.nsf is available, no password prompting is needed, unless required by the SAML IdP.

114 New user with roaming and Notes federated login
Current required deployment order:
1. Enable roaming for the Notes user, and ensure the roaming policy is applied.
2. Enable Notes Federated Login after roaming is in place.

115 Notes federated login in combination with Notes shared login supports offline usage (Windows only)
Notes Shared Login provides the offline support and will be the primary authentication method. The Notes federated login feature is used only if the user's ID file is missing, or the local copy is corrupted.

116-117 Roaming users with Notes shared login and Notes federated login: Provide an administrative deploy.nsf
- A Notes shared login user has his id file on his local machine.
- A roaming user might move to a new machine.
- User security "Copy ID" assists in manually moving the id file to the new machine, OR the id file is downloaded from the id vault.
- If deploy.nsf is available, no password prompting is needed, unless required by the SAML IdP.
- In deploy.nsf:
  - Notes organization certifier certificate
  - Internet cross certificate to the SAML IdP's SSL certificate.
If adding Notes roaming:
1. Enable roaming for the Notes user, and ensure the roaming policy is applied.
2. Enable Notes federated login after roaming is in place.

118 In-memory id vs. id file written to disk
- Notes shared login: the user's id is written to disk; the user's id is available for offline usage; the id is downloaded from the vault only if missing, or the local copy is corrupted.
- Notes federated login (NOT in combination with Notes shared login): the id is always downloaded from the vault; the user's ID is in memory only.
[Diagram: ID Files, ID vault]

119 Tighten security after the (Notes/Web) federated login deployment is in a stable state
Download of id from vault could be done by:
- SAML authentication, OR
- (optional) Password last known to the id vault.

120 Notes client can use SAML to authenticate with other services
- The account framework is leveraged in this scenario.
- IBM SmartCloud Sametime
- IBM SmartCloud Connections
- Embedded/external browser access to SmartCloud services
- Domino web resources
- Feeds
[Diagram: Directory]

121 Federated login for services used in Notes sidebars and other embedded elements
Domino directory, Policies->Accounts view. (Policy applied as desktop settings.)
Create a SAML account for the SAML IdP:
- (Basics tab) Account server name: enter the DNS name of the IdP server, for example adfs01.us.renovations.com
- (Advanced tab) Authentication URL: enter the IdP's login URL, for example an ADFS login for IBM SmartCloud: apps.na.collabserv.com/sps/sp/saml/v2_0

122 Link accounts that are using the same SAML IdP
For example: IBM SmartCloud Connections, IBM SmartCloud Sametime chat.
Create a managed account for each service using the same IdP, and link it to the SAML account. See the Domino wiki for examples and full instructions.

123 Agenda: Single sign-on introduction; SAML concepts; Domino 9.x web server authentication using SAML; Troubleshooting; Web federated login; Troubleshooting; Notes Federated Login; Troubleshooting; Q&A

124 Debug Tips
Use server debugging similar to Web federated login. Also, add Notes console logging with debug flags in the client notes.ini:
DEBUG_CONSOLE=1
DEBUG_CLOCK=32
DEBUG_OUTFILE=c:\temp\debugout.txt
DEBUGGINGWCTENABLED=
CONSOLE_LOG_ENABLED=1
DEBUG_DYNCONFIG=1
DEBUG_TRUST_MGMT=1
DEBUG_IDV_TRACE=1
DEBUG_ROAMING=4
DEBUG_BSAFE_IDFILE_LOCKED=8
STX9=2

125 Debug Tips
Java logging with rcpinstall.properties:
com.ibm.rcp.internal.security.auth.samlsso.level=finest
com.ibm.rcp.internal.security.auth.dialog.level=finest
com.ibm.rcp.core.internal.launcher.level=finest
com.ibm.notes.internal.federated.manager.level=finest
com.ibm.notes.java.api.internal.level=finest
com.ibm.notes.java.init.level=finest
com.ibm.notes.java.init.win32.level=finest
com.ibm.workplace.noteswc.level=finest
com.ibm.workplace.internal.notes.security.auth.level=finest
com.ibm.workplace.internal.notes.security.level=finest
Find the logs in the Notes data\workspace\logs folder, for example C:\Program Files\IBM\Lotus\Notes\Data\workspace\logs

126 Debug Tips
Sample log:
NFL Response XML from native code: <response><nflresponse IDPurl=' IDPUserName='CN=John Doe/O=renovations' IsKerberosEnabled='false' IsSSLEnforced='true' SuppressErrorDisplay='false' CurrentLocation='Online' CurrentLocationOnline='true'><AllLocations ><Location name='home' file=''/><Location name='offline' file=''/><Location name='online' file=''/><Location name='travel' file=''/></AllLocations><TrustedSites ><TrustedSite url='

127 Agenda: Single sign-on introduction; SAML concepts; Domino 9.x web server authentication using SAML; Troubleshooting; Web federated login; Troubleshooting; Notes Federated Login; Troubleshooting; Q&A

128 Legal disclaimer
IBM Corporation All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results similar to those stated here.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Mac and Mac OS X are trademarks or registered trademarks of Apple Inc. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations and secnfla refer to fictitious companies and are used for illustration purposes only.


WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,

More information

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference

Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise

More information

Single Sign On for ShareFile with NetScaler. Deployment Guide

Single Sign On for ShareFile with NetScaler. Deployment Guide Single Sign On for ShareFile with NetScaler Deployment Guide This deployment guide focuses on defining the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler. Table of Contents

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Administration guide version 1.0.1 Publication history Date Description Revision 2015.09.24 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

IIS SECURE ACCESS FILTER 1.3

IIS SECURE ACCESS FILTER 1.3 OTP SERVER INTEGRATION MODULE IIS SECURE ACCESS FILTER 1.3 Copyright, NordicEdge, 2006 www.nordicedge.se Copyright, 2006, Nordic Edge AB Page 1 of 14 1 Introduction 1.1 Overview Nordic Edge One Time Password

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Endpoint Manager for Mobile Devices Setup Guide

Endpoint Manager for Mobile Devices Setup Guide Endpoint Manager for Mobile Devices Setup Guide ii Endpoint Manager for Mobile Devices Setup Guide Contents Endpoint Manager for Mobile Devices Setup Guide............. 1 Components.............. 1 Architecture..............

More information

SAM Context-Based Authentication Using Juniper SA Integration Guide

SAM Context-Based Authentication Using Juniper SA Integration Guide SAM Context-Based Authentication Using Juniper SA Integration Guide Revision A Copyright 2012 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management

Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management Security Comparison Critical Issues with Lotus Notes and Domino 8.5 Password Authentication, Security and Management PistolStar, Inc. PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 603.546.2309

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

How To Use Saml 2.0 Single Sign On With Qualysguard

How To Use Saml 2.0 Single Sign On With Qualysguard QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

Lotus Sametime. FIPS Support for IBM Lotus Sametime 8.0. Version 8.0 SC23-8760-00

Lotus Sametime. FIPS Support for IBM Lotus Sametime 8.0. Version 8.0 SC23-8760-00 Lotus Sametime Version 8.0 FIPS Support for IBM Lotus Sametime 8.0 SC23-8760-00 Disclaimer THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

IT@Intel. Improving Security and Productivity through Federation and Single Sign-on

IT@Intel. Improving Security and Productivity through Federation and Single Sign-on White Paper Intel Information Technology Computer Manufacturing Security Improving Security and Productivity through Federation and Single Sign-on Intel IT has developed a strategy and process for providing

More information

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy

SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 Merlin House

More information

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................

More information

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7 Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3

More information

2X SecureRemoteDesktop. Version 1.1

2X SecureRemoteDesktop. Version 1.1 2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: info@2x.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious

More information

1 of 24 7/26/2011 2:48 PM

1 of 24 7/26/2011 2:48 PM 1 of 24 7/26/2011 2:48 PM Home Community Articles Product Documentation Learning Center Community Articles Advanced Search Home > Deployments > Scenario 3: Setting up SiteMinder Single Sign-On (SSO) with

More information

PingFederate. IWA Integration Kit. User Guide. Version 2.6

PingFederate. IWA Integration Kit. User Guide. Version 2.6 PingFederate IWA Integration Kit Version 2.6 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 2.6 March, 2012 Ping Identity Corporation

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Sharepoint server SSO

Sharepoint server SSO Configuring g on-premise Sharepoint server SSO Chapter 99 You can now provide single sign-on to your on-premise Sharepoint server applications. This section includes the following topics: "An overview

More information

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding

More information

www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013

www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

Adobe Marketing Cloud Bloodhound for Mac 3.0

Adobe Marketing Cloud Bloodhound for Mac 3.0 Adobe Marketing Cloud Bloodhound for Mac 3.0 Contents Adobe Bloodhound for Mac 3.x for OSX...3 Getting Started...4 Processing Rules Mapping...6 Enable SSL...7 View Hits...8 Save Hits into a Test...9 Compare

More information

IBM Endpoint Manager. Security and Compliance Analytics Setup Guide

IBM Endpoint Manager. Security and Compliance Analytics Setup Guide IBM Endpoint Manager Security and Compliance Analytics Setup Guide Version 9.2 IBM Endpoint Manager Security and Compliance Analytics Setup Guide Version 9.2 Note Before using this information and the

More information

Configuring EPM System 11.1.2.1 for SAML2-based Federation Services SSO

Configuring EPM System 11.1.2.1 for SAML2-based Federation Services SSO Configuring EPM System 11.1.2.1 for SAML2-based Federation Services SSO Scope... 2 Prerequisites Tasks... 2 Procedure... 2 Step 1: Configure EPM s WebLogic domain for SP Federation Services... 2 Step 2:

More information

Novell Access Manager

Novell Access Manager Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations

More information

Release Notes for Version 1.5.207

Release Notes for Version 1.5.207 Release Notes for Version 1.5.207 Created: March 9, 2015 Table of Contents What s New... 3 Fixes... 3 System Requirements... 3 Stonesoft Appliances... 3 Build Version... 4 Product Binary Checksums... 4

More information

SAML single sign-on configuration overview

SAML single sign-on configuration overview Chapter 46 Configurin uring Drupal Configure the Drupal Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with a Drupal-based web application. Configuration also specifies

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is

More information

2 Downloading Access Manager 3.1 SP4 IR1

2 Downloading Access Manager 3.1 SP4 IR1 Novell Access Manager 3.1 SP4 IR1 Readme May 2012 Novell This Readme describes the Novell Access Manager 3.1 SP4 IR1 release. Section 1, Documentation, on page 1 Section 2, Downloading Access Manager 3.1

More information

Introduction to the EIS Guide

Introduction to the EIS Guide Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment

More information

What's New in BlackBerry Enterprise Server 5.0 SP4 for Novell GroupWise

What's New in BlackBerry Enterprise Server 5.0 SP4 for Novell GroupWise What's New in BlackBerry Enterprise Server 5.0 SP4 for Novell GroupWise Upgrade paths Enhancements to the setup application Administrators can upgrade to BlackBerry Enterprise Server 5.0 SP4 for Novell

More information

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013

SSL VPN Server Guide. Access Manager 3.2 SP2. June 2013 SSL VPN Server Guide Access Manager 3.2 SP2 June 2013 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A

More information

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15 Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com

More information