Web Federated Login (SAML) with iNotes & Integrated Windows Authentication, Open Mic, May 21, 2014


Web Federated Login (SAML) with iNotes & Integrated Windows Authentication. Open Mic, May 21, 2014. Yvonne Devlin, Software Engineer, IBM Collaboration Solutions. Powered by IBM SmartCloud Meetings. © 2014 IBM Corporation

Aim: To discuss the detailed implementation of Web Federated Login and Integrated Windows Authentication

Advantages of using SAML (Security Assertion Markup Language)
- Reduces administrative costs for maintaining passwords
- Increased security by using cryptographic mechanisms instead of passwords: no password information is available to an attacker, so there is nothing to run an offline password-guessing attack against
- Fewer password prompts for your users
- One SSO approach for countless different products

How is SSO possible across third-party applications with SAML?
- The user's identity is represented in a signed XML assertion.
- The user may be known to applications across domains and across corporations.
- Usually the SAML (XML) assertion contains the user's email address.
- A service (Domino / WAS) receives the user's identity assertion.
- The assertion must pass cryptographic verification.
- The service does not need the user's password to know who the user is.
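The checks a service provider such as Domino has to apply to an inbound assertion beyond the signature itself (issuer, validity window, audience against its own Service Provider ID, recipient against its own login URL, and only then trusting the NameID) are shown below as an added example. This is not code from the presentation or from Domino; the assertion, issuer, user and hostnames are constructed placeholders, the XML-DSig verification is assumed to have been done by a library and is represented by the `signature_ok` argument, and the `check_sample` helper exists only to exercise the validator at different clock times.

```python
"""Consumer-side SAML 2.0 assertion checks (added example, not IBM's code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Values the SP is configured with (constructed placeholders). SP_ID plays
# the role of the Service Provider ID field in idpcat.nsf; ACS_URL is the
# Domino login URL the IdP posts the assertion to.
EXPECTED_ISSUER = "http://adfs.example.test/adfs/services/trust"
SP_ID = "https://mail.example.test/"
ACS_URL = "https://mail.example.test/names.nsf?samllogin"

# Constructed sample assertion. The Signature element is a stub: real
# XML-DSig verification is assumed to happen in a library before this step.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-05-21T10:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>stub</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-05-21T10:05:00Z"
          Recipient="https://mail.example.test/names.nsf?samllogin"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-05-21T09:59:00Z" NotOnOrAfter="2014-05-21T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mail.example.test/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-05-21T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, sp_id, acs_url, now,
                       signature_ok, skew_seconds=60):
    """Return (ok, reason, name_id). Each failure names the configured value
    that did not line up, which is what an administrator needs when the
    IdP and idpcat.nsf disagree."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return False, "not a SAML 2.0 assertion", None
    if not signature_ok or root.find("ds:Signature", NS) is None:
        return False, "assertion is unsigned or signature failed", None
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}", None
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", None
    skew = timedelta(seconds=skew_seconds)      # tolerate small clock drift
    if now + skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid", None
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_id not in audiences:
        return False, f"audience {audiences} does not include Service Provider ID {sp_id!r}", None
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        return False, "Recipient does not match the Domino login URL", None
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired", None
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        return False, "missing NameID", None
    return True, "ok", name_id


def check_sample(hhmm, signature_ok=True, sp_id=SP_ID):
    """Run the sample assertion at clock time HH:MM on 2014-05-21 (UTC)."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    now = datetime(2014, 5, 21, hour, minute, tzinfo=timezone.utc)
    return validate_assertion(SAMPLE_ASSERTION, EXPECTED_ISSUER, sp_id, ACS_URL,
                              now, signature_ok)


if __name__ == "__main__":
    print(check_sample("10:01"))  # accepted, yields the user's email address
    print(check_sample("10:10"))  # rejected: outside the validity window
```

The audience check is the consumer-side half of the rule the configuration slides state later: the identifier the IdP puts into the assertion must equal the Service Provider ID in the Domino idpcat document, character for character.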

SAML Federated Identity architecture
- SAML Identity Provider (IdP): the server creating the SAML assertion
- Service Provider (SP), for example a Domino 9.x server: the server processing the SAML assertion
- Clients used for accessing services: the browser

Supported IdPs
- Microsoft ADFS 2.0 integrated with Active Directory
- IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)
- It is possible to use other IdP implementations, but they are currently not supported.

Web Federated Login requires four components
1) A web browser client for all iNotes users
2) A Domino web server running iNotes and functioning as the home (mail) server for iNotes client users
3) A Domino ID vault server
4) A SAML Identity Provider (IdP)

Checks to be completed before implementing Web Federated Login with iNotes
- If using ADFS, or implementing SSL with TFIM, confirm that you can access your server through HTTPS
- Confirm your iNotes user has been added to the vault and can access their ID for encrypting/decrypting mail
- Confirm your iNotes user can authenticate with your iNotes server using web authentication with SAML

Domino web server authentication using SAML (diagram slide)

Web federated login (diagram slide)

Setting up Web Federated Login
- The documentation assumes that the iNotes server and the vault server are two different servers.
- The idpcat.nsf database and a configuration document need to be set up on both servers.
- The idpcat.nsf is where you provide Domino with the details of your IdP.
- If the ID vault server is separate, it does not need to have SSL enabled.
- Even if the iNotes server and the vault server are the same server, two separate configurations need to be implemented in the idpcat.nsf.

Creating a configuration document in the idpcat.nsf database
- The database idpcat.nsf is not created by default; it can be created from the idpcat.ntf template. You must use the name idpcat.nsf. If using Unix, the filename must be all lower case.
- The administrator creating the document must be listed in the following fields on the server: Full Access Administrators; Administrators; Sign or run unrestricted methods and operations.
- The idpcat.nsf must not be enabled for document locking.
- If using the Create button to generate a certificate to use with SAML, the server ID cannot have a password.

Creating a configuration document in the idpcat.nsf database (continued)
- The IdP Catalog application (idpcat.nsf) must exist on the Domino server that hosts the ID vault, whether or not that is the same computer that runs iNotes.
- You will always have two IdP config documents for any iNotes server supporting Web Federated Login.
- One IdP config document is for the iNotes server with SAML authentication; this document must reside in the IdP Catalog application on the iNotes server.
- The second IdP config document is for the iNotes server interface with the ID vault; this document must reside in the IdP Catalog application on the ID vault server.
- The documents are similar, but differ in a few important fields.

iNotes configuration document in idpcat.nsf
- Hostname is the URL your iNotes user uses to access their home mail server.
- You also need to list the IP address associated with your SSL configuration.
- The Service Provider ID is the string that identifies Domino as an SP partner with the IdP.

iNotes configuration document in idpcat.nsf (continued)
- For Company name, specify any string that is convenient for your administrators. Domino prepends "CN=" to the string in the Company name field and uses this name as the certificate subject.
- When you click Create certificate, it creates a certificate and adds it to your server ID. It also adds the certificate's public hash value to your configuration.

iNotes configuration document in idpcat.nsf (continued)
- In the Domino URL field, enter a string to identify the fully qualified DNS name of the iNotes server. The string in this field is used by the IdP as the initial part of the URL for sending the user's SAML assertion back to Domino. You can use the string you entered in the Service Provider ID field on the Basics tab.
- While not supported with Domino, the Single logout URL is a requirement if using TFIM. Enter a syntactically correct URL expected by the IdP.

iNotes configuration on the IdP
- Use the URL for accessing your iNotes server with /names.nsf?samllogin appended.

iNotes configuration on the IdP (continued)
- The string entered into the Relying party trust identifier field needs to match the value in the Service Provider ID field located in the Domino idpcat configuration document.

iNotes server interface with the ID vault: second config document
- Enter a virtual name for the iNotes interface to the vault on the Basics tab. The resulting hostname does not need to be defined in DNS.
- If the ID vault is on a server that is configured for HTTP/HTTPS, you should not include an IP address.
- For the Service Provider ID field, the string should be a syntactically correct URL, as if the virtual hostname were featured in a URL.

iNotes server interface with the ID vault: second config document (continued)
- For the Domino URL field in the iNotes server interface with the ID vault document, the instructions are the same as for the previous config document, except that the Domino URL will not be the same string as you entered in the Service Provider ID field on the Basics tab. Use the hostname for the iNotes server instead of the virtual hostname. This is the hostname the IdP uses to return the SAML assertion, so it needs to be a hostname that can be resolved by your DNS.

ID vault config on the IdP
- Use the iNotes URL configured in your DNS; with this config, however, you append /names.nsf?samlidlogin.

ID vault config on the IdP (continued)
- As before, the string entered into the Relying party trust identifier field needs to match the value in the Service Provider ID field located in the Domino idpcat configuration document. In this case it is the virtual hostname we used for the vault configuration that is entered here.
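The slides from "iNotes configuration document in idpcat.nsf" through "ID vault config on the IdP" describe two Domino documents and two matching IdP entries whose values have to agree with each other. The added example below (not IBM's code, and not how Domino or ADFS store these settings) encodes those rules: it derives the two relying party identifiers and login URLs the IdP needs from the two idpcat documents, rejects the document combinations the slides rule out, and then compares what is actually entered on the IdP against the derived values. The field names mirror the slide wording, the hostnames are constructed placeholders, and treating a Domino URL without a scheme as HTTPS is an assumption of this example.

```python
"""Check the two idpcat.nsf documents against each other and against the
IdP's relying party trusts (added example, not IBM's code)."""
from urllib.parse import urlparse

# Constructed sample documents. Field names follow the slide wording.
INOTES_DOC = {                      # document in idpcat.nsf on the iNotes server
    "hostname": "https://mail.example.test",
    "ip_address": "192.0.2.10",     # address of the SSL configuration
    "service_provider_id": "https://mail.example.test/",
    "domino_url": "https://mail.example.test/",
}
VAULT_DOC = {                       # document in idpcat.nsf on the ID vault server
    "hostname": "vault.inotes.example.test",   # virtual name, not in DNS
    "ip_address": "",                          # must stay empty if vault runs HTTP
    "service_provider_id": "https://vault.inotes.example.test/",
    "domino_url": "https://mail.example.test/",  # real iNotes host, resolvable
}
# What an administrator typed into the IdP (constructed). The "bad" set
# drops the trailing slash on the vault identifier, a common mismatch.
IDP_ENTRIES_OK = {
    "inotes": {"relying_party_identifier": "https://mail.example.test/",
               "assertion_consumer_url": "https://mail.example.test/names.nsf?samllogin"},
    "vault": {"relying_party_identifier": "https://vault.inotes.example.test/",
              "assertion_consumer_url": "https://mail.example.test/names.nsf?samlidlogin"},
}
IDP_ENTRIES_BAD = {
    "inotes": dict(IDP_ENTRIES_OK["inotes"]),
    "vault": dict(IDP_ENTRIES_OK["vault"],
                  relying_party_identifier="https://vault.inotes.example.test"),
}


def _with_scheme(value):
    """Assumption of this example: a bare FQDN in Domino URL means HTTPS."""
    return value if "://" in value else "https://" + value


def _is_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def validate_docs(inotes_doc, vault_doc, vault_server_has_http):
    """Return the list of rule violations (empty when the documents agree)."""
    problems = []
    inotes_host = urlparse(_with_scheme(inotes_doc["domino_url"])).hostname
    if not inotes_host:
        problems.append("iNotes document: Domino URL must name the iNotes server")
    if not inotes_doc.get("ip_address"):
        problems.append("iNotes document: list the IP address of the SSL configuration")
    if not inotes_doc.get("service_provider_id"):
        problems.append("iNotes document: Service Provider ID is empty")
    if vault_server_has_http and vault_doc.get("ip_address"):
        problems.append("vault document: omit the IP address when the vault server runs HTTP/HTTPS")
    sp_id = vault_doc["service_provider_id"]
    if not _is_url(sp_id) or urlparse(sp_id).hostname != vault_doc["hostname"]:
        problems.append("vault document: Service Provider ID must be a URL built on the virtual hostname")
    vault_url_host = urlparse(_with_scheme(vault_doc["domino_url"])).hostname
    if vault_doc["domino_url"] == sp_id or vault_url_host != inotes_host:
        problems.append("vault document: Domino URL must use the real iNotes hostname, not the virtual one")
    return problems


def build_idp_partners(inotes_doc, vault_doc, vault_server_has_http):
    """Derive the two relying party trusts the IdP needs, or raise ValueError."""
    problems = validate_docs(inotes_doc, vault_doc, vault_server_has_http)
    if problems:
        raise ValueError("; ".join(problems))
    inotes_host = urlparse(_with_scheme(inotes_doc["domino_url"])).hostname
    return {
        "inotes": {"relying_party_identifier": inotes_doc["service_provider_id"],
                   "assertion_consumer_url": f"https://{inotes_host}/names.nsf?samllogin"},
        "vault": {"relying_party_identifier": vault_doc["service_provider_id"],
                  "assertion_consumer_url": f"https://{inotes_host}/names.nsf?samlidlogin"},
    }


def compare_with_idp(partners, idp_entries):
    """Return human-readable mismatches between Domino's expectations and the IdP."""
    mismatches = []
    for name, want in partners.items():
        have = idp_entries.get(name)
        if have is None:
            mismatches.append(f"{name}: no relying party trust on the IdP")
            continue
        for key in ("relying_party_identifier", "assertion_consumer_url"):
            if have.get(key) != want[key]:
                mismatches.append(f"{name}: {key} is {have.get(key)!r}, Domino expects {want[key]!r}")
    return mismatches


if __name__ == "__main__":
    partners = build_idp_partners(INOTES_DOC, VAULT_DOC, vault_server_has_http=True)
    print(compare_with_idp(partners, IDP_ENTRIES_OK))   # []
    print(compare_with_idp(partners, IDP_ENTRIES_BAD))  # one identifier mismatch
```

The comparison is deliberately an exact string match: the slides require the Relying party trust identifier to equal the Service Provider ID, and a trailing slash or a case difference is enough for the IdP to issue an audience value Domino will not accept.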

Configuring the ID vault for Web Federated Login
- The ID vault administrator must approve the use of an IdP that will provide SAML credentials.
- The administrator supplies host names for identity provider (IdP) partnerships to the ID vault in a vault document.
- The vault server uses the host names to look up IdP information from the idpcat.nsf.

Using a security settings policy to apply a Web Federated Login configuration to your iNotes users
Before you can apply the policy to support Federated Login, you also need to:
- Export a copy of the Internet SSL certificate from your federation server (ADFS or TFIM 2.0)
- Import that certifier into your Domino Directory
- Create an Internet cross certificate

Using a security settings policy to apply a Web Federated Login configuration to your iNotes users (continued)
- Open the existing Security Settings policy for users of your organization's ID vault.
- Select the Password Management -> Federated Login tab.
- Select Yes for "Enable Web federated login with SAML IdP".
- Select "Set value whenever modified" for how to apply this setting.
- For iNotes deployments that have been upgraded to the current release, when the policy is initially being deployed, select Additional settings for Federated Login (Notes or Web): "Allow password authentication with the ID vault": Yes.

Integrated Windows Authentication (IWA)
- IWA is not necessary for SAML configuration.
- It stops an iNotes user from being prompted for a password once they have logged on to their machine.

The following need to be in the same Windows Active Directory domain
- ADFS server
- Client computer where the user is logging into Windows and running the browser or Notes client
- The record for the user who is being authenticated via IWA

Step 1: Create the ADFS Kerberos identity
The Windows administrator, logged into the Windows domain, creates the ADFS Kerberos identity. This identity must be mapped to the Active Directory user that represents the ADFS HTTP server instance.
setspn -a HTTP/dublcsvm20.saml.domino.com dublcsvm20$
setspn -a HTTP/dublcsvm20 adfs01$
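Kerberos only works for the browser if the HTTP service principal names for the ADFS host are registered, registered on the intended account, and registered exactly once across the domain; a duplicate SPN makes ticket issuance fail and the client silently falls back to NTLM or a password prompt. The added example below (not from the deck, not a wrapper around setspn) runs those three checks over an SPN inventory collected per account; the inventory, hostnames and account names are constructed placeholders, and comparing SPNs case-insensitively mirrors how Active Directory treats them.

```python
"""Offline consistency check of HTTP SPNs for IWA (added example, not IBM's code)."""

# Constructed inventory: account name -> SPNs registered on it (the kind of
# data you would collect with setspn -L for each candidate account).
SAMPLE_SPNS = {
    "adfssvc$": ["HTTP/adfs.example.test", "HTTP/adfs"],
    "oldweb$": ["http/ADFS"],           # stale registration left on a retired host
}


def check_http_spns(spn_by_account, fqdn, expected_account):
    """Return a list of findings for the HTTP/<fqdn> and HTTP/<short name> SPNs.

    Rules checked: both SPNs exist, each is registered on expected_account,
    and no SPN is registered on more than one account (a duplicate SPN
    prevents the KDC from issuing a service ticket for that name).
    """
    short = fqdn.split(".")[0]
    wanted = {f"HTTP/{fqdn}", f"HTTP/{short}"}
    owners = {}                                   # lower-cased SPN -> accounts
    for account, spns in spn_by_account.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    findings = []
    for spn in sorted(wanted):
        accounts = owners.get(spn.lower(), set())
        if not accounts:
            findings.append(f"missing: {spn}")
        elif len(accounts) > 1:
            findings.append(f"duplicate: {spn} on {sorted(accounts)}")
        elif expected_account not in accounts:
            findings.append(f"wrong account: {spn} on {next(iter(accounts))}, "
                            f"expected {expected_account}")
    return findings


if __name__ == "__main__":
    for line in check_http_spns(SAMPLE_SPNS, "adfs.example.test", "adfssvc$"):
        print(line)   # reports the duplicate HTTP/adfs registration
```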

Step 2: Set up the browser for the Windows client iNotes user
The settings discussed are from Internet Explorer.
- Under Internet Options > Advanced, ensure that "Enable Integrated Windows Authentication" is selected.
- Under Internet Options > Security > Local Intranet, select "Automatic logon only in Intranet zone".

Step 2: Set up the browser for the Windows client iNotes user (continued)
- Under Internet Options > Local Intranet > Sites, add your ADFS URL.

Related Links
- Supporting federated login on the iNotes client: http://www-10.lotus.com/ldd/dominowiki.nsf/xpDocViewer.xsp?lookupname=administering+ibm+inotes+9.0.1+social+edition#action=opendocument&res_title=supporting_federated_login_on_the_inotes_client_in901&content=pdcontent
- Cookbook: Setting up ADFS for integrated Windows authentication (IWA): http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Cookbookcol_Setting_up_ADFS_for_integrated_windows_authentication_lpriwarpr_
- Supplementary information on Security Assertion Markup Language (SAML) configuration combinations of IBM Domino and other products: http://www-01.ibm.com/support/docview.wss?uid=swg21614543

Press *1 on your telephone to ask a question. Visit our Support Technical Exchange page or our Facebook page for details on future events.
To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/bdxqb2
- IBM Collaboration Solutions Support page: http://www.facebook.com/ibmlotussupport
- IBM Collaboration Solutions Support: http://twitter.com/ibm_icssupport