JMP105 JumpStart: Single Sign-on (SAML) Administration Basics
1 JMP105 JumpStart: Single Sign-on (SAML) Administration Basics. Jane Marcus, Senior software engineer, IBM. 2014 IBM Corporation.
2 Agenda: Single sign-on introduction; SAML concepts; Domino 9.x web server authentication using SAML; Troubleshooting; Web federated login; Troubleshooting; Notes Federated Login; Troubleshooting; Q&A.
3 Single sign-on (SSO) environment. Browser, IBM Notes, IBM Sametime, IBM SmartCloud, IBM Connections, IBM iNotes mail, Facebook: services on-premises, cloud services, third party services. The user doesn't want multiple password prompts.
4 Fewer password prompts, and fewer passwords in general. We need single sign-on (SSO) because: there is a high administrative cost for managing passwords; users can't remember a lot of passwords; password prompts are annoying; many different passwords lead to lower security. If we use cryptographic mechanisms instead of passwords, we can improve security and minimize cost.
5 Security Assertion Markup Language (SAML): an SSO public standard from OASIS. One SSO approach for countless different products! Many implementations are available from IBM and third party providers, including open source implementations. Many organizations currently use SAML for web SSO.
6 How is SSO possible across third party applications? The user's identity is represented in a signed XML assertion, and the public standard provides the specification for the assertion format. The user may be known to applications across domains and across corporations; usually the SAML assertion contains the user's email address. A service receives the user's identity assertion, and the assertion must pass cryptographic verification. The service doesn't need the user's password to know who the user is. Optionally, but recommended, the SAML assertion is encrypted, because private unique identity information could be included in a SAML assertion.
7 Eliminate or minimize password prompting with Notes/Domino 9.x SAML features: Web user SAML authentication when accessing Domino 9.x web URLs; SAML authentication for accessing iNotes 9.x secure mail (feature name: Web federated login); Notes 9.x user SAML authentication at Notes startup (feature name: Notes federated login); Notes plugins and accounts using SAML for accessing web URLs, including IBM SmartCloud.
9 SAML Federated Identity architecture. SAML Identity Provider (IdP): the server creating the SAML assertion, backed by a directory. Service Provider (SP), for example Domino 9.x: the server processing the SAML assertion. Clients used for accessing services: the browser, and Notes 9.x (standard) with its embedded browser.
10 The SAML Identity Provider (IdP) authenticates the user and creates the user's SAML assertion. The IdP directory knows about user names and passwords. The IdP might be able to authenticate the user via Integrated Windows Authentication (SPNEGO/Kerberos), or an alternate non-password method. It prepares credentials (the SAML identity assertion) for the user: "IdP authenticated user x at time y". Notes/Domino 9.x is integrated with these IdPs: Microsoft ADFS 2.0 integrated with Active Directory, and IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager). Other IdPs are not supported, but might work.
11 Federated identity using SAML assertions: why is it a good thing for security? Minimized use of the password (only handled by the IdP, if required). Authenticate once to the IdP; the IdP may remember the user. SSO is achieved if applications use the same IdP, or if authentication at the IdP is transparent to the user. Customers can use and control their own on-premises IdP. Less user data redundancy. Goal: password information is unavailable to crackers wanting to launch an offline password guessing attack.
12 SAML Assertion Security Overview. The user's identity is represented in a signed XML assertion; standards-based Internet certificates and keys are used. Where did this assertion come from? Has it been tampered with? PKI-based signature: the server creating the assertion has a certificate with a private key/public key pair; it signs the assertion using its private key, and the server processing the assertion validates the signature using the trusted signer's public key. Information privacy: PKI-based encryption. The server processing the assertion has a certificate with a private key/public key pair; the server creating the assertion encrypts with the processing server's public key, and the processing server decrypts the assertion using its private key.
14 Domino 8.5x web server authentication. In Domino 8.5x, the user browses to a Domino URL and is challenged for user name and password. Domino handles password verification.
15 Domino 8.5x Windows single sign-on for Web clients. The user browses to a Domino URL and is not challenged for username and password. For Intranet access only. The Domino server is required to be on the Windows platform only.
16 Domino 9.x web server SAML authentication. The Domino server can be on any supported platform. SSO options for the Internet and Intranet. The SAML IdP takes responsibility to authenticate the user. Best SSO interoperability with third party applications.
17 Domino 9.x web server SAML authentication: no password. The SAML IdP may be able to authenticate the user with a non-password method, Integrated Windows Authentication (SPNEGO/Kerberos) for the Intranet. The user starts browsing the Domino URL without any prompting. The user does not need any Domino HTTP password.
18 Domino 9.x web server SAML authentication: password at IdP. The user browses to a Domino URL: the user does not need any Domino HTTP password, because the SAML IdP takes responsibility to authenticate the user. The SAML IdP's login web page prompts for the password, and the SAML IdP verifies the user's password. The IdP remembers the user so that additional prompts are not needed.
19-23 Domino web server authentication using SAML (parties: Web Browser, SAML IdP, Domino): (1) User browses to URL at the Service Provider (SP). (2) SP redirects the browser to the SAML Identity Provider (IdP). (3) User authenticates to the IdP. (4) IdP returns the SAML assertion. (5) POST containing the SAML assertion to the SP. (6) SP returns a session cookie to the client. (7) Browser sends the session cookie with the user's request for the URL.
24 Web client: third party browser application (parties: Web Browser, SAML IdP, Domino, Facebook). If a third party application is configured to trust the same SAML IdP, the authenticated user achieves SSO.
25-26 SAML deployment overview. Step 1: deploy a SAML IdP on-premises (we have cookbooks to assist you). Customers desiring an all-IBM solution will use IBM TFIM. For customers with a large Windows deployment, we expect Microsoft ADFS with Active Directory may be a common choice. Step 2: configure Domino idpcat.nsf.
27 Domino IdP catalog (idpcat.nsf). Use the idpcat.ntf template. The database must be called idpcat.nsf. It is a special database containing trusted identity providers and their certificates.
28-30 SAML deployment overview, continued. Step 2 (configure Domino idpcat.nsf): import IdP information into the idpcat.nsf, so that Domino trusts the IdP; idpcat contains the IdP's login URL and the IdP's certificate. Export Domino information to bring to the IdP. Step 3: configure the IdP to know about Domino, by configuring a partnership between the IdP and Domino, including the Domino URL to which the SAML assertion is sent. Step 4: enable SAML authentication in the Domino web server.
31 Domino web server configured for SAML authentication. The Internet site document or server document specifies SAML. Also specify the type of session cookie to be used: the single server session cookie (default), or a Web SSO Configuration with an LTPA session cookie, if needed to facilitate SSO with other IBM applications.
32 IdP administrator decisions. The IdP administrator manages the SAML federation (at the ADFS or TFIM IdP).
33 SAML 2.0 vs SAML 1.1 federation. SAML 2.0 and 1.1 assertions have different formats. New SAML deployments typically use SAML 2.0. SAML 2.0 supports encrypted assertions. Consider the applications for which SSO is needed. Domino supports SAML 2.0 and SAML 1.1. IBM SmartCloud supports SAML 2.0 and SAML
34-35 Configure SSL for the IdP. IdP operations require an SSL connection. The IdP can use either a CA-signed or a self-signed SSL certificate. A self-signed certificate requires a specific keyusage setting, including "keycertsign" and "crlsign". Creating a self-signed certificate for an ADFS IdP has a special procedure documented in IBM technote # [number not preserved in the transcription]. Trust setup for Domino, if it participates in the SSL connection to the IdP: export a copy of the Internet SSL certificate from your IdP federation (ADFS or TFIM); import the SSL certificate into the Domino Directory; cross-certify the SSL certificate.
36 Review: authentication using SAML (part one). Steps 1-4 of the flow from slides 19-23: the user browses to a URL at the Service Provider (SP); the SP redirects the browser to the SAML Identity Provider (IdP); the user authenticates to the IdP; the IdP returns the SAML assertion.
37 IdP login setup. The IdP administrator manages the SAML federation (at the ADFS or TFIM IdP) and decides how users will authenticate to the IdP: IWA (Kerberos) for transparent Intranet login, or a password for the Internet. It is possible to configure a non-password authentication method.
38 IdP directory user records. The IdP administrator manages (or works with the manager of) the IdP's directory user records. The IdP's directory is an LDAP directory. All SAML users must have an assigned email address, because the SAML assertion contains the user's email address.
39 The IdP partnership (relying party) configuration specifies how to find the user's email address.
40 IdP partnership with Domino. The IdP administrator also manages IdP partnerships with SAML service providers (the Domino server).
41 Review: authentication using SAML (part two). Steps 1-5 of the flow from slides 19-23: the user browses to a URL at the SP; the SP redirects the browser to the IdP; the user authenticates to the IdP; the IdP returns the SAML assertion; a POST containing the SAML assertion goes to the SP.
42 The SAML IdP is configured to know about Domino. The Domino URL to redirect to, with the user's SAML assertion, uses the Domino Web server command SAMLLogin. When receiving this command, Domino knows that SAML is in progress.
43-44 The IdP administrator sets up the partnership with Domino and provides IdP metadata. The IdP administrator decides with the Domino administrator whether SAML assertions must be encrypted: encrypted assertions require a Domino certificate, and additional steps at the IdP to configure use of encryption. The IdP administrator provides the Domino administrator with the IdP metadata file for the federation.
45 Cooperating administrators: Domino setup to trust the IdP. The Domino administrator creates and deploys the idpcat.nsf, and decides whether to replicate the idpcat.nsf between Domino servers that share the same Domino directory: either a separate idpcat.nsf on each Domino SAML server, or a shared, replicated idpcat.nsf.
46 Domino IdP catalog (idpcat.nsf). Prevent attacks by deploying a very restrictive ACL on idpcat; that's why this highly sensitive configuration isn't in the directory! If an idpcat.nsf with intact configuration is present on the server, the server enforces the SAML authentication configured in idpcat.nsf, even if the Domino directory configuration does not specify use of SAML.
47-48 Domino Internet site for SAML; one Domino administrator and multiple IdP administrators? The Domino administrator decides the security configuration per deployed Internet site. Example deployment: an Internet Site for users who should not be authenticated by SAML, and an Internet Site for users in Active Directory who should be authenticated by the ADFS IdP. You may want some servers/URLs serviced by one IdP, and other servers/URLs serviced by an alternate IdP.
49 Which IdP will authenticate Domino Web users? A Domino URL corresponds to a particular Internet site (or server configuration). Idpcat.nsf has a document for each Internet site (or server configuration) supporting SAML authentication.
50-52 Create a SAML partnership between Domino and the trusted IdP in an idpcat.nsf document. Import the IdP's information using the metadata file supplied by the IdP administrator. A Domino Internet certificate is required for SAML 2.0: you can use an existing certificate for Domino with SAML (use the Domino server console certmgmt command for SAML operations), or you can create a new certificate. A Domino Internet certificate is also required for encrypted assertions; Domino's certificate for the SAML 2.0 partnership can also be used for SAML assertion encryption.
53-54 Creating SAML certificates with idpcat or a Domino server console command. Create a new Domino certificate using the idpcat Certificate Management tab. Prerequisites for running the idpcat agents on the Domino server: the administrator is listed (or belongs to a group) in Full Access administrators in the server document in the Domino directory; in Administrators in the server document; and in Sign or run unrestricted methods and operations in the server document. Or create a new Domino certificate using the certmgmt console command; this is required if the server id file is password protected.
55 Creating a SAML certificate. Visit the idpcat document, Certificate Management tab. Create a self-signed certificate, which is added to the Domino server id file. Once the certificate is created, you will see its hash reported in the UI.
56 Typical errors creating a SAML certificate in idpcat.nsf. The idpcat document property "NotesError" is helpful for diagnosing the most recent error. "You are not authorized to perform that function": check permissions in the server document security tab. "Cannot accept internet certificate because the certificate is already in the ID file": use a different certifier name (company name).
57 Updating the SAML certificate. If you want to use a different certificate later, you must update the certificate public hash value: use the server console command certmgmt show all to research hash values, then export to an XML file for configuring the partnership at the IdP.
58 Export XML: export metadata to give to the IdP administrator. SAML 2.0 partnerships at the IdP may require a Domino metadata file. Prerequisites for a successful metadata file export: create (or re-use an existing) certificate, and a company name; enter a Single logout URL (even if your IdP doesn't support one); enter a valid (partial) Domino URL for the Domino web server, specifying https if Domino is configured for SSL.
59 Must the Domino deployment include SSL (HTTPS)? At the IdP, SSL is required; it protects any password challenge to the user during login. At a Domino SAML-enabled server, SSL is optional: the TFIM IdP can be configured either to expect SSL at Domino URLs or not, but the Microsoft ADFS IdP requires that the Domino server be configured for SSL.
60 SSL at Domino is always recommended for security. The user's SAML assertion is sent over HTTP protocols, so HTTPS is always recommended. If SSL is not used to encrypt the channels to Domino, an eavesdropper can steal the identity assertion (good for a short period of time) or the session cookie (good for an administrator-configured period of time).
61 SSL deployment at Domino. The Domino administrator determines the SSL deployment per Internet site, and may cooperate with multiple IdPs. If multiple SSL-protected Internet sites are serviced on one Domino server, each site needs its own https URL, its own SSL keyring file, and its own IP address.
63 Debug prerequisite. Before turning on SAML authentication: make sure SSL is deployed properly (if required); make sure the Web server is functioning properly for session authentication, either single server session or multi-server session (LTPA); test the session and SSO behavior across Domino URLs.
64 Synchronize clocks! SAML assertions contain timestamps. If the Domino server machine's time is behind the SAML IdP machine's time, SAML assertions received by Domino are invalid due to already being expired; the Domino notes.ini setting SAML_NotOnOrAfterSkewInMinutes allows up to n extra minutes in the 'not after' timestamp check on the SAML assertion (a positive integer, any minus sign is ignored, with a maximum of 10 minutes). If the Domino server machine's time is ahead of the SAML IdP machine's time, SAML assertions received by Domino are invalid due to specifying a future time; the Domino notes.ini setting SAML_NotBeforeSkewInMinutes allows up to n extra minutes in the 'not before' timestamp check on the SAML assertion (a positive integer, any minus sign is ignored, with a maximum of 10 minutes).
65 Debug assistance at the Domino server console: DEBUG_SAML. The DEBUG_SAML flags are:
    #define SAML_DEBUG_HTTP          0x0001 /* Debug output contains information from http side. */
    #define SAML_DEBUG_PARSE         0x0002 /* Debug output contains SAML parse information. */
    #define SAML_DEBUG_ERRORS        0x0004 /* Debug output only contains errors. */
    #define SAML_DEBUG_DECODE_ASSERT 0x0008 /* Debug to dump decoded assertion. */
    #define SAML_DEBUG_IDPCAT        0x0010 /* Debug to trace idpcat activity */
    #define SAML_DEBUG_CERT          0x2000 /* Debug output for certificate management */
Example server console logging notes.ini setting: DEBUG_SAML = 31 (that is 0x1F, the HTTP, PARSE, ERRORS, DECODE_ASSERT and IDPCAT flags combined).
66 Debug tips in addition to DEBUG_SAML. Domino must resolve the name in the SAML assertion to the Domino name; to trace this, set the server ini WEBAUTH_VERBOSE_TRACE=1. Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino: is the user properly prompted by the IdP (if a password prompt is required)? If using Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see the user's Kerberos ticket to the SAML IdP. Use Fiddler or Firebug for a network trace, and check the HTTP POST carrying the SAML assertion.
67 Viewing SAML assertions. For a SAML assertion saved to a file: open the SAML assertion file in a text editor. Open a tool or web site that can do base 64 decoding, such as [link not preserved in the transcription]. From the text editor, copy the base 64 encoded assertion; paste it into the decoder tool and decode. Open a new text editor window and paste in the decoded assertion. Save it to a file with a file extension of .xml. Open the IE browser and enter the path to the .xml file.
68 Seeing the SAML assertion content outside of Domino. The IdP sends the SAML assertion to Domino in an HTTP POST. If we view the source of the HTTP POST, it looks something like the screenshot on this slide (not reproduced): the SAML response contains the base 64 encoded SAML assertion.
69 Sample decoded SAML 2.0 encrypted assertion (screenshot not reproduced).
70 Sample decoded SAML 1.1 assertion (screenshot not reproduced).
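As an added illustration of slides 64, 67 and 68 (this is not code from the presentation or from Domino): a Python script that base64-decodes the SAMLResponse from the HTTP POST, reads the assertion's Subject and Conditions, and applies the NotBefore/NotOnOrAfter check with the skew allowances interpreted as slide 64 describes the two notes.ini settings (positive integer, minus sign ignored, capped at 10 minutes). The response XML, issuer and user are constructed; signature verification (slide 12) and decryption of an encrypted assertion are assumed to happen before this step.

```python
# Added example, not from the presentation. Decodes a POSTed SAMLResponse and
# checks the assertion's validity window with Domino-style skew allowances.
# Assumptions: the sample response below is constructed and unsigned; signature
# verification and EncryptedAssertion decryption are out of scope here.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
MAX_SKEW_MINUTES = 10  # hard cap stated on slide 64


def skew_minutes(ini_value):
    """Interpret a notes.ini skew value: digits only, sign ignored, capped at 10."""
    if ini_value is None:
        return 0
    digits = str(ini_value).strip().lstrip("+-")
    if not digits.isdigit():
        return 0
    return min(int(digits), MAX_SKEW_MINUTES)


def parse_saml_time(text):
    """Parse an xs:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def decode_saml_response(saml_response_b64):
    """Base64-decode the SAMLResponse form field and parse the XML document."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def extract_conditions(response_root):
    """Return (NameID, NotBefore, NotOnOrAfter) from the plaintext assertion.

    A SAML 2.0 <EncryptedAssertion> (slide 69) must first be decrypted with the
    Domino certificate's private key; that step is not shown here.
    """
    assertion = response_root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext <saml:Assertion> in the response")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no <saml:Conditions>")
    return (name_id,
            parse_saml_time(conditions.get("NotBefore")),
            parse_saml_time(conditions.get("NotOnOrAfter")))


def check_window(not_before, not_on_or_after, now, notes_ini):
    """Apply the validity window with the two skew allowances.

    Returns (ok, reason). NotOnOrAfter is exclusive, as in the SAML spec.
    """
    before_skew = timedelta(minutes=skew_minutes(notes_ini.get("SAML_NotBeforeSkewInMinutes")))
    after_skew = timedelta(minutes=skew_minutes(notes_ini.get("SAML_NotOnOrAfterSkewInMinutes")))
    if now + before_skew < not_before:
        return False, "assertion specifies a future time (NotBefore); compare clocks, see SAML_NotBeforeSkewInMinutes"
    if now >= not_on_or_after + after_skew:
        return False, "assertion already expired (NotOnOrAfter); compare clocks, see SAML_NotOnOrAfterSkewInMinutes"
    return True, "assertion within validity window"


def validate_post(saml_response_b64, now, notes_ini):
    """Decode the POSTed response and check its time window; returns a dict."""
    name_id, not_before, not_on_or_after = extract_conditions(decode_saml_response(saml_response_b64))
    ok, reason = check_window(not_before, not_on_or_after, now, notes_ini)
    return {"name_id": name_id, "ok": ok, "reason": reason}


# Constructed sample: an unsigned SAML 2.0 Response with a 5-minute window.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2014-01-28T15:00:00Z">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-28T15:00:00Z">
    <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-28T15:00:00Z" NotOnOrAfter="2014-01-28T15:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    server_now = parse_saml_time("2014-01-28T15:06:00Z")  # one minute past expiry
    print(validate_post(SAMPLE_RESPONSE_B64, server_now, {}))
    # "-3" is read as 3 (minus sign ignored), which rescues the assertion.
    print(validate_post(SAMPLE_RESPONSE_B64, server_now,
                        {"SAML_NotOnOrAfterSkewInMinutes": "-3"}))
```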
72 iNotes 8.5x secure mail. Secure mail (encrypted or signed) requires the Notes id file, so the user is prompted for the Notes id password (sometimes avoided when the user's iNotes login password is the same as the Notes id password). The user's Notes id might be stored in the mail file, in which case the password is needed to unlock the Notes id. Or the user's Notes id might be in the ID vault, in which case the password is needed to authenticate to the ID vault to request the id download.
73 9.x Web federated login: fewer password prompts, fewer passwords in general. iNotes secure mail automates the download of the Notes id file from the ID vault. iNotes uses SAML authentication to the ID vault to avoid the Notes id password prompt. The Notes id is stored in the vault, and not in the mail file. The Notes id is downloaded and stored in memory while being used. iNotes uses Notes RPC to authenticate to the ID vault using SAML.
74 Web federated login: the user's id is in the ID vault. If the Notes ID vault does not already exist, the vault administrator creates the vault. The user's security policy provides the name of the user's ID vault; the Domino administrator manages the security policy.
75 User's policy configured for Web federated login (screenshot not reproduced).
76 Notes NRPC channel to the Notes ID vault. An ID vault server usually is not configured for HTTP(S), and it may be risky to open the HTTP(S) port on the vault server. SAML protocols use HTTP (usually HTTPS). iNotes therefore participates in SAML on behalf of the ID vault: iNotes communicates with the ID vault using Notes NRPC, and the NRPC encrypted channel protects communication with the vault instead of SSL.
77-78 Web federated login (parties: Web Browser, SAML IdP, iNotes, ID vault): (1) Web server SAML authentication resulting in a session cookie. (2) NRPC request for id download. (3) Vault returns the IdP URL.
79 Which IdP will be used to authenticate users to the vault? The Notes ID vault administrator decides whether SAML authentication to the vault is allowed, and edits the vault control document to name any approved idpcat configuration documents.
80 On the ID vault server, idpcat.nsf contains a vault partnership. For the vault partnership, prepend "vault." to the iNotes server name. iNotes server: domino1.us.renovations.com; vault partnership name: vault.domino1.us.renovations.com. The name given to the vault partnership need not be a valid DNS name, but must look valid to the IdP: the IdP wants entries to look like DNS names with HTTPS URLs. The IdP does NOT send anything directly to the vault server. Do NOT specify an IP address.
81-82 Web federated login, continued: (4) iNotes redirects the browser to the SAML IdP. (5) User authenticates to the IdP. (6) IdP returns the SAML assertion.
83 Metadata for the vault partnership is exported to bring to the IdP. The Domino URL contains the URL of the iNotes server; it does NOT contain the partnership name vault.domino1.us.renovations.com. The Domino URL is a (partial) URL where the server will receive the SAML assertion: the iNotes server receives the SAML assertion and sends it to the vault server over NRPC.
84 At the IdP, the iNotes URL is configured for ID download. The iNotes URL to redirect to with the user's SAML assertion uses the Domino Web server command SAMLIDLogin. When receiving this command, iNotes knows that ID download from the vault is in progress, and NRPC to the vault will be used to send the assertion.
85-86 Web federated login, continued: (7) POST containing the SAML assertion is sent to iNotes. (8) Assertion sent to the vault via NRPC. (9) Vault returns the unlocked id file.
87 9.x Web federated login requirements summary. The iNotes server is configured for SAML authentication; usually the session cookie will be LTPA (instead of the single server session cookie) to achieve SSO with Sametime awareness. A SAML partnership with the IdP is set up on behalf of the ID vault: setup is required at the IdP, plus an idpcat document for the vault and a SAML certificate for SAML 2.0. The vault administrator configures the ID vault to allow SAML authentication. The user's policy supports federated login: the user's id is stored in the ID vault, and the user's policy enables Web federated login.
88 Policy can require SAML-only authentication to the ID vault. Download of the id from the vault could be done by SAML authentication, or (optionally) by the password last known to the id vault.
89 Idpcat.nsf deployment best practice. Typically all vault server replicas will share the same idpcat.nsf and the same SAML Internet certificate, so that an encrypted assertion can be decrypted by any vault server replica.
91 Common problem: only one partnership. Web federated login ALWAYS requires 2 partnerships for the iNotes server, declared at the IdP and in idpcat.nsf: (1) the iNotes server itself, whose SSO service URL includes the SAMLLogin command; (2) the iNotes server communicating with the ID vault, where "vault." is prepended to the iNotes DNS name and the SSO service URL includes the SAMLIDLogin command.
92 Other useful server ini settings in addition to DEBUG_SAML. iNotes and the ID vault server each need to resolve the name in the SAML assertion to the Domino name; server ini: WEBAUTH_VERBOSE_TRACE=1. Diagnosing vault transaction problems; server ini: Secure_log = 2. Problems with the in-memory id file; server ini: DEBUG_MMFILE=1.
94 8.5x Notes Login
The user is challenged for the password of the Notes ID file.
95 9.x Notes Federated Login
Use SAML authentication to log in to Notes.
- The SAML IdP authenticates the Notes user. The IdP is usually configured for Kerberos-based authentication to avoid a password prompt for the user.
- The Notes ID is downloaded from the ID vault, and stored in memory while being used.
- The user is operating online.
- Works great with Notes on Citrix!
(Diagram: Directory, ID files, Domino ID vault)
96 Notes Federated Login: No password prompt
The user logs into Notes without entering the Notes password. The SAML IdP is configured to use IWA (Kerberos) authentication on Windows.
97 Notes Federated Login: Form-based authentication
The user logs into Notes by providing username/password in the SAML IdP's login page.
98 Prerequisites
- Notes Client 9.x: Notes standard client. Not supported: Notes basic client.
- Domino Server 9.x
- The user ID must be stored in the Notes ID vault.
(Diagram: Directory, ID files, Domino ID vault)
99 Prerequisite: Users must remove the old feature Notes client single logon
- Notes single logon synchronizes the Notes ID password with the Windows password.
- The policy to deploy Notes federated login will not be applied if the Notes client single logon feature has been installed.
- Client single logon is not supported with ID vault, and cannot coexist with Notes federated login.
- Remove single logon. See full details in the Domino wiki:
  - Notes installation program: de-select the Client Single Logon feature, or
  - Use the Windows utility SC.exe
100-106 Notes federated login (sequence between the standard Notes client, the SAML IdP, and the Domino ID vault)
1. Check the user's policy, find the user's vault.
2. NRPC request for ID download.
3. The vault returns the IdP URL.
4. Notes embedded browser HTTP request to the SAML IdP.
5. The user authenticates to the IdP.
6. The IdP returns the SAML assertion.
7. Extract the assertion from the IdP's response (DOM API); send the assertion via NRPC.
8. The vault returns the unlocked ID file.
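Steps 7 and 8 of the sequence above are where the client pulls the assertion out of the IdP's response and the vault decides whether to honour it. The following is an added example for this talk, not code from Notes, Domino or the slides: it decodes a SAMLResponse form field, extracts the Assertion element the way the DOM step does, and applies the checks a relying party must make before trusting the subject (status, validity window, audience, presence of a NameID). The sample response is constructed; the hostnames are assumptions, adfs01.us.renovations.com is the example IdP name from the slides, and the signature has been left out because XML signature verification, which the talk says is mandatory, is the job of the SP's XML-DSig library and is not implemented here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of what the IdP POSTs back as the SAMLResponse form field
# (signature omitted). Hostnames are assumptions; the email-style NameID follows
# the talk's remark that assertions usually carry the user's address.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2014-01-15T10:00:00Z"
    Destination="https://vault.inotes.example.com/names.nsf?SAMLIDLogin">
  <saml:Issuer>https://adfs01.us.renovations.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-15T10:00:00Z">
    <saml:Issuer>https://adfs01.us.renovations.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@renovations.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-15T09:59:00Z" NotOnOrAfter="2014-01-15T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://vault.inotes.example.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def at_utc(year, month, day, hour, minute):
    """Helper for building an aware 'now' value in tests and demos."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _ts(value):
    # SAML timestamps are UTC with a trailing Z; fromisoformat before 3.11 wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_assertion(samlresponse_b64):
    """Step 7: decode the SAMLResponse form field and pull the Assertion element out."""
    root = ET.fromstring(base64.b64decode(samlresponse_b64))
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        raise ValueError("IdP did not report Success; nothing to forward to the vault")
    assertion = root.find(f"{SAML}Assertion")
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted by the vault first)")
    return assertion


def validate_assertion(assertion, expected_audience, now):
    """Step 8 checks the vault must make before trusting the subject.

    The XML signature check ("must pass cryptographic verification") is NOT done
    here; it belongs to the SP's XML-DSig library and must succeed before any of
    these fields are believed. Returns (name_id, list_of_problems)."""
    problems = []
    conditions = assertion.find(f"{SAML}Conditions")
    if conditions is None:
        problems.append("no Conditions element: no validity window to enforce")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= _ts(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in conditions.iter(f"{SAML}Audience")]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience}")
    name_id = assertion.findtext(f"{SAML}Subject/{SAML}NameID")
    if not name_id:
        problems.append("no NameID: cannot map the subject to a Domino name")
    return name_id, problems


if __name__ == "__main__":
    assertion = extract_assertion(SAMPLE_SAMLRESPONSE)
    print(validate_assertion(assertion, "https://vault.inotes.example.com/", at_utc(2014, 1, 15, 10, 1)))
    print(validate_assertion(assertion, "https://vault.inotes.example.com/", at_utc(2014, 1, 15, 10, 5)))
```

The audience check is what stops an assertion issued for the iNotes web partnership (SAMLLogin) from being replayed against the vault partnership (SAMLIDLogin), which is why the two partnerships on the earlier slide need distinct identifiers; the NotOnOrAfter check is the reason clock skew between IdP and vault shows up as intermittent login failures.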
107 Not compatible, or only partially compatible, with Notes Federated Login
- Smartcard protected ID
- Notes roaming user whose ID file is stored on the server in a roaming personal address book
- Notes on a USB device
- Notes user IDs with multiple passwords
- Server-based password checking for Notes users: Domino 9.x servers will ignore password checking if configured in policy with federated login.
108 idpcat.nsf and the IdP configuration typically are similar to Web federated login, but with fewer restrictions
- Follow the "vault." recommendation, similar to Web federated login, or
- It is possible for Notes federated login to re-use an existing partnership for the Domino web server on the same host (shown on the slide).
109 Client settings tab 109
110 Configuring the ID vault for Notes federated login
- The Notes ID vault administrator decides whether SAML authentication to the vault is allowed.
- Edits the vault control document to name any approved idpcat configuration documents.
111 Security settings policy to apply Notes federated login configuration to users
Be careful about the Domino administrator's login policy!
112-113 New user with Notes federated login: Provide an administrative deploy.nsf
- New user starting for the first time.
- Notes.ini set up on the local machine, with the user's Notes name.
- The administrator facilitates automated ID file download from the ID vault: deploy.nsf ensures the required certificates are available:
  - Notes organization certifier certificate
  - Internet cross certificate to the SAML IdP's SSL certificate.
- If deploy.nsf is available, no password prompting is needed, unless required by the SAML IdP.
114 New user with roaming and Notes federated login
Current required deployment order:
1. Enable roaming for the Notes user, and ensure the roaming policy is applied.
2. Enable Notes Federated Login after roaming is in place.
115 Notes federated login in combination with Notes shared login supports offline usage (Windows only)
- Notes Shared Login provides the offline support; it will be the primary authentication method.
- The Notes federated login feature is used only if the user's ID file is missing, or the local copy is corrupted.
116-117 Roaming users with Notes shared login and Notes federated login: Provide an administrative deploy.nsf
- A Notes shared login user has his ID file on his local machine.
- A roaming user might move to a new machine.
- User security: Copy ID to assist manually moving the ID file to the new machine, OR download the ID file from the ID vault.
- If deploy.nsf is available, no password prompting is needed, unless required by the SAML IdP.
- In deploy.nsf:
  - Notes organization certifier certificate
  - Internet cross certificate to the SAML IdP's SSL certificate.
If adding Notes roaming:
1. Enable roaming for the Notes user, and ensure the roaming policy is applied.
2. Enable Notes federated login after roaming is in place.
118 In-memory ID vs. ID file written to disk
- Notes shared login: the user's ID is written to disk; the user's ID is available for offline usage; the ID is downloaded from the vault only if missing, or the local copy is corrupted.
- Notes federated login (NOT in combination with Notes shared login): the ID is always downloaded from the vault; the user's ID is in memory only.
(Diagram: ID files, ID vault)
119 Tighten security after the (Notes/Web) federated login deployment is in a stable state
Download of the ID from the vault can be done by:
- SAML authentication, OR
- (optional) the password last known to the ID vault
120 Notes client can use SAML to authenticate with other services
- The account framework is leveraged in this scenario.
- IBM SmartCloud Sametime, IBM SmartCloud Connections, embedded/external browser access to SmartCloud services, Domino web resources, feeds.
(Diagram: Directory)
121 Federated login for services used in Notes sidebars and other embedded elements
- Domino directory, Policies->Accounts view. (Policy applied as desktop settings.)
- Create a SAML account for the SAML IdP:
  - (Basics tab) Account server name: enter the DNS name of the IdP server, for example adfs01.us.renovations.com
  - (Advanced tab) Authentication URL: enter the IdP's login URL, for example an ADFS login for IBM SmartCloud: apps.na.collabserv.com/sps/sp/saml/v2_0
122 Link accounts that are using the same SAML IdP
For example: IBM SmartCloud Connections, IBM SmartCloud Sametime chat.
Create a managed account for each service using the same IdP, and link it to the SAML account. See the Domino wiki for examples and full instructions.
124 Debug Tips
Use server debugging similar to Web federated login. Also, add Notes console logging with debug flags in the client notes.ini:
DEBUG_CONSOLE=1
DEBUG_CLOCK=32
DEBUG_OUTFILE=c:\temp\debugout.txt
DEBUGGINGWCTENABLED=
CONSOLE_LOG_ENABLED=1
DEBUG_DYNCONFIG=1
DEBUG_TRUST_MGMT=1
DEBUG_IDV_TRACE=1
DEBUG_ROAMING=4
DEBUG_BSAFE_IDFILE_LOCKED=8
STX9=2
125 Debug Tips
Java logging with rcpinstall.properties:
com.ibm.rcp.internal.security.auth.samlsso.level=finest
com.ibm.rcp.internal.security.auth.dialog.level=finest
com.ibm.rcp.core.internal.launcher.level=finest
com.ibm.notes.internal.federated.manager.level=finest
com.ibm.notes.java.api.internal.level=finest
com.ibm.notes.java.init.level=finest
com.ibm.notes.java.init.win32.level=finest
com.ibm.workplace.noteswc.level=finest
com.ibm.workplace.internal.notes.security.auth.level=finest
com.ibm.workplace.internal.notes.security.level=finest
Find the logs in the Notes data\workspace\logs folder, for example C:\Program Files\IBM\Lotus\Notes\Data\workspace\logs
126 Debug Tips
Sample log:
NFL Response XML from native code: <response><NFLResponse IDPurl=' IDPUserName='CN=John Doe/O=renovations' IsKerberosEnabled='false' IsSSLEnforced='true' SuppressErrorDisplay='false' CurrentLocation='Online' CurrentLocationOnline='true'><AllLocations><Location name='home' file=''/><Location name='offline' file=''/><Location name='online' file=''/><Location name='travel' file=''/></AllLocations><TrustedSites><TrustedSite url='
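When DEBUG_OUTFILE is set, the NFL response line above is buried among many other lines, and its attribute values are what decide whether the user gets the Kerberos path (slide 96) or the form-based path (slide 97). The following is an added example for this talk, not a tool shipped with Notes: it locates the NFL response line in a debug output file, parses the XML, and flags the settings a troubleshooter looks at first. The debug file fragment is constructed (the NFL line is modelled on the slide's sample, with the truncated URL, timestamps and thread prefixes invented), and the meaning attached to each attribute is inferred from its name, which is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of a debugout.txt fragment; the thread prefixes, timestamps and
# URLs are invented, the NFL response line follows the shape of the slide's sample.
SAMPLE_DEBUGOUT = """[2580:0002-1A3C] 01/15/2014 10:00:01 AM  Notes federated login: checking policy
[2580:0002-1A3C] 01/15/2014 10:00:02 AM  NFL Response XML from native code: <response><NFLResponse IDPurl='https://adfs01.us.renovations.com/adfs/ls/' IDPUserName='CN=John Doe/O=renovations' IsKerberosEnabled='false' IsSSLEnforced='true' SuppressErrorDisplay='false' CurrentLocation='Online' CurrentLocationOnline='true'><AllLocations><Location name='Home' file=''/><Location name='Offline' file=''/><Location name='Online' file=''/><Location name='Travel' file=''/></AllLocations><TrustedSites><TrustedSite url='https://adfs01.us.renovations.com/'/></TrustedSites></NFLResponse></response>
[2580:0002-1A3C] 01/15/2014 10:00:03 AM  Opening embedded browser
"""

NFL_MARKER = "NFL Response XML from native code:"


def parse_nfl_response(debugout_text):
    """Find the NFL response line in Notes debug output and return its settings.

    Returns None when no NFL response line is present, which means federated
    login never got as far as the vault, so policy or notes.ini problems come first."""
    for line in debugout_text.splitlines():
        if NFL_MARKER in line:
            xml_text = line.split(NFL_MARKER, 1)[1].strip()
            break
    else:
        return None
    root = ET.fromstring(xml_text)

    # Tag case differs between log extractions, so match tag names case-insensitively.
    def find_all(tag):
        return [e for e in root.iter() if e.tag.lower() == tag.lower()]

    nfl = find_all("NFLResponse")[0]
    return {
        "settings": dict(nfl.attrib),
        "locations": [loc.get("name") for loc in find_all("Location")],
        "trusted_sites": [site.get("url") for site in find_all("TrustedSite")],
    }


def audit_nfl_response(info):
    """Flag settings that weaken or break the Notes federated login exchange.

    Attribute meanings are inferred from their names (assumption)."""
    warnings = []
    s = info["settings"]
    if s.get("IsSSLEnforced", "").lower() != "true":
        warnings.append("IsSSLEnforced is not 'true': SSL is not being enforced for the IdP exchange")
    if urlparse(s.get("IDPurl", "")).scheme != "https":
        warnings.append(f"IDPurl {s.get('IDPurl')!r} is not https")
    for url in info["trusted_sites"]:
        if urlparse(url or "").scheme != "https":
            warnings.append(f"trusted site {url!r} is not https")
    if s.get("IsKerberosEnabled", "").lower() != "true":
        warnings.append("IsKerberosEnabled is 'false': users will see the IdP's login form instead of IWA (Kerberos)")
    if s.get("CurrentLocationOnline", "").lower() != "true":
        warnings.append("current location is not online: federated login needs the user online")
    return warnings


if __name__ == "__main__":
    info = parse_nfl_response(SAMPLE_DEBUGOUT)
    print("user:", info["settings"]["IDPUserName"], "IdP:", info["settings"]["IDPurl"])
    for w in audit_nfl_response(info):
        print("warning:", w)
```

For a real capture, read c:\temp\debugout.txt (the DEBUG_OUTFILE path from slide 124) into a string and pass it to parse_nfl_response; a None result or a non-https IDPurl narrows the problem before the server-side DEBUG_SAML output has to be read.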
128 Legal disclaimer IBM Corporation All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The actual throughput or performance that any user will experience will vary depending upon many factors, including considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage configuration, and the workload processed. 
Therefore, no assurance can be given that an individual user will achieve results similar to those stated here. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. UNIX is a registered trademark of The Open Group in the United States and other countries. Mac and Mac OS X are trademarks or registered trademarks of Apple Inc. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations and secnfla refer to fictitious companies and are used for illustration purposes only.
RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo
More informationSecurity Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
More informationIT@Intel. Improving Security and Productivity through Federation and Single Sign-on
White Paper Intel Information Technology Computer Manufacturing Security Improving Security and Productivity through Federation and Single Sign-on Intel IT has developed a strategy and process for providing
More informationSalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy
SalesForce SSO with Active Directory Federated Services (ADFS) v2.0 Authenticating Users Using SecurAccess Server by SecurEnvoy Contact information SecurEnvoy www.securenvoy.com 0845 2600010 Merlin House
More informationComputer Systems Security 2013/2014. Single Sign-On. Bruno Maia ei09095@fe.up.pt. Pedro Borges ei09063@fe.up.pt
Computer Systems Security 2013/2014 Single Sign-On Bruno Maia ei09095@fe.up.pt Pedro Borges ei09063@fe.up.pt December 13, 2013 Contents 1 Introduction 2 2 Explanation of SSO systems 2 2.1 OpenID.................................
More informationSophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7
Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3
More information2X SecureRemoteDesktop. Version 1.1
2X SecureRemoteDesktop Version 1.1 Website: www.2x.com Email: info@2x.com Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious
More information1 of 24 7/26/2011 2:48 PM
1 of 24 7/26/2011 2:48 PM Home Community Articles Product Documentation Learning Center Community Articles Advanced Search Home > Deployments > Scenario 3: Setting up SiteMinder Single Sign-On (SSO) with
More informationPingFederate. IWA Integration Kit. User Guide. Version 2.6
PingFederate IWA Integration Kit Version 2.6 User Guide 2012 Ping Identity Corporation. All rights reserved. PingFederate IWA Integration Kit User Guide Version 2.6 March, 2012 Ping Identity Corporation
More informationConfiguration Guide. BES12 Cloud
Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need
More informationSharepoint server SSO
Configuring g on-premise Sharepoint server SSO Chapter 99 You can now provide single sign-on to your on-premise Sharepoint server applications. This section includes the following topics: "An overview
More informationConfiguring Single Sign-On from the VMware Identity Manager Service to Office 365
Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding
More informationwww.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013
www.novell.com/documentation SSL VPN Server Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,
More informationConfiguring Sponsor Authentication
CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five
More informationAdobe Marketing Cloud Bloodhound for Mac 3.0
Adobe Marketing Cloud Bloodhound for Mac 3.0 Contents Adobe Bloodhound for Mac 3.x for OSX...3 Getting Started...4 Processing Rules Mapping...6 Enable SSL...7 View Hits...8 Save Hits into a Test...9 Compare
More informationIBM Endpoint Manager. Security and Compliance Analytics Setup Guide
IBM Endpoint Manager Security and Compliance Analytics Setup Guide Version 9.2 IBM Endpoint Manager Security and Compliance Analytics Setup Guide Version 9.2 Note Before using this information and the
More informationConfiguring EPM System 11.1.2.1 for SAML2-based Federation Services SSO
Configuring EPM System 11.1.2.1 for SAML2-based Federation Services SSO Scope... 2 Prerequisites Tasks... 2 Procedure... 2 Step 1: Configure EPM s WebLogic domain for SP Federation Services... 2 Step 2:
More informationNovell Access Manager
Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations
More informationRelease Notes for Version 1.5.207
Release Notes for Version 1.5.207 Created: March 9, 2015 Table of Contents What s New... 3 Fixes... 3 System Requirements... 3 Stonesoft Appliances... 3 Build Version... 4 Product Binary Checksums... 4
More informationSAML single sign-on configuration overview
Chapter 46 Configurin uring Drupal Configure the Drupal Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with a Drupal-based web application. Configuration also specifies
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server
INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is
More information2 Downloading Access Manager 3.1 SP4 IR1
Novell Access Manager 3.1 SP4 IR1 Readme May 2012 Novell This Readme describes the Novell Access Manager 3.1 SP4 IR1 release. Section 1, Documentation, on page 1 Section 2, Downloading Access Manager 3.1
More informationIntroduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
More informationWhat's New in BlackBerry Enterprise Server 5.0 SP4 for Novell GroupWise
What's New in BlackBerry Enterprise Server 5.0 SP4 for Novell GroupWise Upgrade paths Enhancements to the setup application Administrators can upgrade to BlackBerry Enterprise Server 5.0 SP4 for Novell
More informationSSL VPN Server Guide. Access Manager 3.2 SP2. June 2013
SSL VPN Server Guide Access Manager 3.2 SP2 June 2013 Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A
More informationProduct Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15
Product Manual MDM On Premise Installation Version 8.1 Last Updated: 06/07/15 Parallels IP Holdings GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 632 0411 Fax: + 41 52 672 2010 www.parallels.com
More information