IBM Notes Federated Login Open Mic
Date: 11-09-2015
IBM Collaboration Solutions
Open Mic Team
- Niraj V Jani - IBM ICS Support engineer, Presenter
- Javed F Batliwala - IBM ICS Support engineer, Presenter
- Ranjit Rai - IBM ICS SWAT, focusing on entire Notes/Domino
- Jayavel Rajendran - IBM ICS SWAT, focusing on entire Notes/Domino
- Hansraj Mali - IBM ICS SWAT, focusing on Notes/Domino
- Narendra Nesarikar - IBM ICS Support, Facilitator for Open Mics
Agenda
- IBM Notes Federated Login introduction
- Different Components
  - Federation Identity Provider
  - Windows Domain Environment
  - IdP Catalog (IdPCat.nsf)
  - Notes Client User Environment with Domino Home Mail Server
  - ID Vault
- Deployment Requirements
- Implementation
- General Troubleshooting
- References
- Q/A
IBM Notes Federated Login Introduction
- Provides a single sign-on experience when starting up the Notes client or iNotes
- SSO between Notes, iNotes, a Windows domain environment and many other supported/compatible Identity Providers
- Eliminates the regular Notes or iNotes password prompt
- Reduces the administrative cost of maintaining multiple directories
- Uses cryptographic mechanisms instead of passwords to improve security and minimize cost
- Reduces user data redundancy
- The SAML IdP takes responsibility for authenticating the Notes user
- Users' IDs must be stored in an ID vault
- Notes client users' ID file contents are stored in memory on the client after being downloaded from the ID vault
- You can enable Notes Shared Login for offline usage as an alternate login capability
- Works well with the Notes client running in a Citrix environment
Different Components
Federation Identity Providers currently supported with IBM Notes/Domino 9.0.x:
- Microsoft ADFS 2.0 integrated with Active Directory
- IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)
Sequence of actions:
- NFL uses Security Assertion Markup Language (SAML) authentication
- The Notes embedded browser contacts the SAML identity provider (IdP) for authentication
- The IdP is configured to use transparent Kerberos-based authentication to avoid a password prompt
- The SAML IdP creates a SAML assertion for the authenticated user; the assertion contains the user's email address
- The Notes embedded browser retrieves the SAML assertion
- The Notes client passes the assertion to the Notes ID vault
- The Notes ID vault cryptographically verifies the user's SAML assertion
- If valid, the vault server finds the user's unlocked ID file in the vault and downloads the ID for use by Notes
- The user can now use the Notes client
Windows Domain Environment
- Requires Active Directory configuration
- Active Directory Federation Service 2.0 (ADFS) is used as the Identity Provider
- Client computer where the user is logging into Windows and running the browser or Notes client
- ADFS does the job of user authentication via Kerberos authentication
IdP Catalog (IdPCat.nsf)
- A database needs to be created on the Domino server hosting the ID vault
- Use the idpcat.ntf template; the database name must be IdPCat.nsf. On UNIX the file name must be all lower case.
- Special database that contains trusted identity providers and their certificates
- An IdP config document is created and the IdP configuration is imported
- The Admin creating the document must be listed in the following fields on the server: Full Access Administrators, Administrators, Sign or run unrestricted methods and operations
- Imports the FederationMetadata.xml file exported from ADFS. This builds the trust.
- The idpcat.nsf must not be enabled for document locking
- Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly sensitive information is not in the directory.
Notes Client Environment with Domino Home Mail Server
- Notes Client Standard 9.0/9.0.x needs to be installed
- Domino Server 9.0/9.0.x needs to be installed and should have HTTP enabled
- SSL needs to be enabled on the Domino server. If the ID vault server is separate, it does not need to have SSL enabled.
- The ID vault should be hosted on a Domino server
- A security policy for the ID vault should be configured and applied to Notes users
- Session Authentication should be set to SAML 2.0 in the Server document
- An exported copy of the SSL internet certificate from the Federation Identity Provider (TFIM/ADFS 2.0) must be imported into the Domino Directory and cross certified to create an internet cross certificate
Roaming users:
- You need the administrative deploy.nsf to install certificates for new or roaming users
- Roaming must be enabled and working fine before enabling NFL
- Deploy.nsf provides the required certificate whenever needed in order to download the ID file from the ID vault
ID Vault
- Standard ID vault configuration should be done on the Domino server
- A proper security policy should be created for the ID vault and pushed to the users
- All user IDs must be harvested into the ID vault database
- Identity Provider configuration information should be updated under the ID vault
Deployment Requirements
- IBM Notes Client 9.x onwards
- IBM Domino Server 9.x onwards
- Microsoft Windows Active Directory domain configuration
- Active Directory Federation Services 2.0 (ADFS 2.0) configuration
- IBM Notes Client machine as part of the Windows domain environment
Implementation: ADFS 2.0 Configuration
- Run the ADFS console by selecting Start -> Administrative Tools -> AD FS 2.0 Management
- Navigate to the Relying Party Trusts folder
- From the menu, select Action > Add Relying Party Trust
- Right-click the new Relying Party Trust and select Properties
- Particularly if you have used a Domino metadata import file, check the Endpoints tab. The Domino server uses the POST binding, which should appear in the list of SAML Assertion Consumer Endpoints. The Domino server does not use an Artifact binding, so if one exists in the list, you can remove it.
- Use this URL to download the FederationMetadata from the ADFS server: https://adfsservername/federationmetadata/2007-06/federationmetadata.xml
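As an added example (not part of this deck or of IBM's tooling), a Python check to run on the downloaded FederationMetadata.xml before importing it into IdPCat.nsf: it lists the IdP's SingleSignOnService endpoints by binding, confirms that an HTTP-POST endpoint and a signing certificate are present, and flags any endpoint that is not HTTPS. The host name, entityID and certificate text in the embedded sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: host, entityID and certificate text are placeholders; a real ADFS file is far larger.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER-BASE64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Summarise the parts of the metadata that the IdPCat trust relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # Group SSO endpoints by binding; Domino talks to the IdP with HTTP-POST.
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso.setdefault(svc.get("Binding"), []).append(svc.get("Location"))
    # Signing certificates are what the ID vault uses to verify assertions;
    # a KeyDescriptor without a 'use' attribute is valid for signing too.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(c.text.strip())
    problems = []
    if POST not in sso:
        problems.append("no HTTP-POST SingleSignOnService")
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")
    if any(not loc.startswith("https://") for locs in sso.values() for loc in locs):
        problems.append("non-HTTPS SSO endpoint")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "signing_certs": len(certs), "problems": problems}
```

The check does not verify the metadata file's own XML signature; download it over HTTPS from the ADFS server itself so the signing certificate you import is the one the IdP actually uses.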
Implementation: Importing the SSL Internet Certificate into the Domino Directory
Implementation: Creating the Cross Certificate in the Domino Directory
Implementation: Importing FederationMetadata.xml into IdPCat.nsf
Implementation: Creating the Certificate in IdPCat.nsf
Go to the server's notes.ini and add the lines below, then restart the Domino server:
SAMLAuthVersion=2
SAMLUrl=https://instructor.test.com
SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw==
SAMLCompanyName=TEST SAML
Use the Export command to export your key from server.id:
certmgmt export saml xml idp.xml
Note: do not import this file into the IdP document using the Import button, because doing so will corrupt your federation key file. You can keep the file in your server data directory.
Implementation: ID Vault and IdP Configuration in the ID Vault
Implementation: Security Policy for ID Vault and NFL
Implementation: Verifying that NFL is enabled for the client
General Troubleshooting
Before turning on SAML authentication:
- Make sure the Web server is functioning properly for session authentication
- Make sure SSL is deployed properly (if required)
- You can use Fiddler or Firebug for a network trace
- Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino. Is the user properly prompted by the IdP (if a password prompt is required)?
- If using Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see the user's Kerberos ticket for the SAML IdP
- Check the HTTP POST carrying the SAML assertion
If you face errors creating the SAML certificate under the IdP Configuration document in the IdPCat.nsf database, check the following first:
- Certificate creation and metadata export use an agent in idpcat
- Refer to the hidden field named "NotesError" in the IdP config document; it is helpful for diagnosing errors
- "You are not authorized to perform that function": check permissions in the Security tab of the server document
- "Cannot accept internet certificate because the certificate is already in the ID file": use a different certifier name
Debug Parameters
Client-side debug settings:
- DEBUG_CONSOLE=1 ==> To verify if NFL is enabled
- DEBUG_CLOCK=32 ==> To verify if NFL is enabled
- DEBUG_OUTFILE=c:\temp\debugout.txt ==> To verify if NFL is enabled
- DEBUGGINGWCTENABLED=4294967295 ==> To verify if NFL is enabled
- CONSOLE_LOG_ENABLED=1 ==> To verify if NFL is enabled
- DEBUG_DYNCONFIG=1 ==> To verify if NFL is enabled
- DEBUG_TRUST_MGMT=1 ==> To verify if NFL is enabled
- DEBUG_IDV_TRACE=1 ==> To diagnose ID vault operations
- SECURE_LOG=2 ==> To diagnose ID vault operations
- DEBUG_BSAFE_IDFILE_LOCKED=8 ==> To diagnose ID vault operations
- DEBUG_ROAMING=4 ==> For roaming users
- STX9=2 ==> To verify if NFL is enabled
Server-side debug settings:
- DEBUG_SAML=31 ==> To troubleshoot SAML errors at server level
- DEBUG_OUTFILE=c:\temp\debugserver.txt
- DEBUG_MMFILE=1 ==> To verify any problems with the in-memory ID file
Sample output of DEBUG_SAML=31
Limitations:
- No support for Traveler devices
- Cannot work with the Notes Single Login service
- Currently supports 2 IdPs (ADFS and TFIM)
References
- Notes Federated Login: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes_Federated_login
- Cookbooks: http://www-01.ibm.com/support/docview.wss?uid=swg21614543
Questions?
Press *1 on your telephone to ask a question.
Visit our Support Technical Exchange page or our Facebook page for details on future events.
To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/bdxqb2
IBM Collaboration Solutions Support page: http://www.facebook.com/ibmlotussupport
IBM Collaboration Solutions Support: http://twitter.com/ibm_icssupport