A Technical Guide To Deploying Single Sign On
How to configure and deploy Single Sign On technologies
![Page 1: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/1.jpg)
CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS
Gabriella Davis [email protected] The Turtle Partnership
![Page 2: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/2.jpg)
BACKGROUND
Hopefully you saw my presentation yesterday?
We talked about the difference between Single Sign On options
Today we are going to look at the technical components to get your Notes, iNotes and Traveler clients logging in with minimal fuss
![Page 3: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/3.jpg)
WHO AM I?
Gab Davis
Administrator, Problem Solver, Stubborn Fixer of Things
Working with IBM technologies and all the things surrounding and integrating with those
Based in London, about half the time
![Page 4: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/4.jpg)
SOME HOW-TOS… (FROM EASY TO HARD)
Notes Shared Logon
Configure LDAP Authentication
Configure Kerberos / SPNEGO / IWA for single sign on
Configure SAML
![Page 5: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/5.jpg)
NOTES SHARED LOGON
![Page 6: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/6.jpg)
WHAT DOES IT DO?
Removes the password from your Notes ID
No password - no problem!
Isn’t that a huge security problem?
![Page 7: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/7.jpg)
NOTES SHARED LOGON EXAMPLE
STEPS
1. User logs into Windows
2. User launches Notes and is prompted for the vaulted ID password
3. Notes downloads the vaulted ID to the file system
4. Notes removes the ID’s password and encrypts the ID with the user’s Windows credentials
5. Every time the user logs into Notes from that machine, the ID with no password is decrypted for use
![Page 8: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/8.jpg)
WHAT DOES IT NEED?
ID Vault
Simple authentication, no smartcards, dual passwords, retina scans etc
Windows OS
![Page 9: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/9.jpg)
HOW DO I SET IT UP?
Start with an ID Vault (you know how to do that right?)
There’s no client side configuration at all
Use the security policy to enable Notes Shared Logon
![Page 10: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/10.jpg)
Machine formula to restrict NSL to secured machines
![Page 11: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/11.jpg)
MACHINE SPECIFIC FORMULA
@GetMachineInfo([Keyword]; "text string where required")

| Keyword | Returns | Meaning |
| --- | --- | --- |
| IsLaptop | boolean | True if machine is a laptop, otherwise False |
| IsDesktop | boolean | True if machine is NOT a laptop, otherwise False |
| IsMultiUser | boolean | True if machine has Notes client installed as Multi-User, otherwise False |
| HasDesigner | boolean | True if machine has Designer client installed, otherwise False |
| HasAdmin | boolean | True if machine has Admin client installed, otherwise False |
| IsStandard | boolean | True if machine is running Standard Notes client, otherwise False |

Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21501673
![Page 12: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/12.jpg)
WHAT DOESN’T IT DO?
No password sync from Notes to Domino HTTP
No Citrix
No USB data
No Roaming profiles (well you can roam if you don’t roam)
More: http://bit.ly/1t50Adx
![Page 13: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/13.jpg)
LDAP AUTHENTICATION
![Page 14: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/14.jpg)
WHAT DOES IT DO?
It’s not SSO but it can be single password
No password synchronisation
Log in to any HTTP services including Traveler using an LDAP password (such as AD)
Remove Domino HTTP Password entirely if you want
Works from anywhere, any device
![Page 15: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/15.jpg)
LDAP AUTHENTICATION EXAMPLE
STEPS
1. User tries to log into iNotes using their LDAP (AD) password
2. Domino checks if the password matches the HTTP password in the person document
3. On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance
4. The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated
5. Domino uses the credentials it was sent to grant the user access to the service / application
![Page 16: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/16.jpg)
WHAT DOES IT NEED?
An LDAP server
A directory assistance document wherever you want to authenticate (for Traveler this would just be on the Traveler server)
MSSO
An attribute in LDAP that contains the user’s hierarchical name
Keeping the attribute in sync… (TDI will do that easily)
![Page 17: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/17.jpg)
HOW DO I SET IT UP?
LDAP attribute containing Notes DN
Filter LDAP search to restrict
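The authentication chain on the previous slides (check the person document's HTTP password, fall back to the LDAP server from Directory Assistance, take the Notes DN from an LDAP attribute, and restrict which LDAP entries may authenticate) as an added example in Python. This is not code from the presentation or from IBM: the person documents, the LDAP server, the attribute name `notesDN`, the `sAMAccountName` search attribute and the `staff_only` restriction are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def hash_http_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 stand-in for the hashed HTTP password a person document stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


@dataclass
class PersonDocument:
    """Stand-in for a Domino person document (constructed for this example)."""
    notes_dn: str
    salt: bytes
    http_password_hash: Optional[bytes]  # None means the HTTP password was removed


@dataclass
class LdapEntry:
    """Stand-in for a user entry on the LDAP (AD) server named in Directory Assistance."""
    dn: str
    bind_password: str
    attributes: Dict[str, str] = field(default_factory=dict)


class FakeLdapServer:
    """Constructed LDAP server: equality search plus a simple bind."""

    def __init__(self, entries: List[LdapEntry]):
        self.entries = entries

    def search(self, attribute: str, value: str) -> List[LdapEntry]:
        return [e for e in self.entries if e.attributes.get(attribute) == value]

    def bind(self, dn: str, password: str) -> bool:
        for entry in self.entries:
            if entry.dn == dn:
                return hmac.compare_digest(entry.bind_password.encode(), password.encode())
        return False


def authenticate(username: str, password: str,
                 person_docs: Dict[str, PersonDocument], ldap: FakeLdapServer,
                 dn_attribute: str = "notesDN",
                 restrict: Optional[Callable[[LdapEntry], bool]] = None) -> Optional[str]:
    """Returns the Notes hierarchical name to grant access to, or None to deny.

    Step 2: compare against the HTTP password in the person document.
    Step 3: on mismatch (or no HTTP password at all), forward to LDAP.
    Step 4: LDAP verifies the bind and hands back the unique ID in dn_attribute.
    """
    doc = person_docs.get(username)
    if doc is not None and doc.http_password_hash is not None:
        if hmac.compare_digest(hash_http_password(password, doc.salt), doc.http_password_hash):
            return doc.notes_dn
    # Assumed search attribute: AD's sAMAccountName. The restrict callable is
    # the "filter LDAP search to restrict" step from the slide.
    matches = ldap.search("sAMAccountName", username)
    if restrict is not None:
        matches = [e for e in matches if restrict(e)]
    if len(matches) != 1:
        return None  # unknown or ambiguous user: never guess
    entry = matches[0]
    if not ldap.bind(entry.dn, password):
        return None
    # A successful bind without a Notes DN attribute cannot map to a Domino
    # identity, so it is denied rather than granted some default access.
    return entry.attributes.get(dn_attribute)


# Constructed sample data (not real accounts).
SALT = b"constructed-salt"
PERSON_DOCS = {
    "gdavis": PersonDocument("CN=Gab Davis/O=Turtle", SALT, hash_http_password("domino-http-pw", SALT)),
    "jdoe": PersonDocument("CN=Jane Doe/O=Turtle", SALT, None),  # HTTP password removed
}
LDAP = FakeLdapServer([
    LdapEntry("CN=Gab Davis,OU=Staff,DC=example,DC=com", "ad-pw-gab",
              {"sAMAccountName": "gdavis", "notesDN": "CN=Gab Davis/O=Turtle"}),
    LdapEntry("CN=Jane Doe,OU=Staff,DC=example,DC=com", "ad-pw-jane",
              {"sAMAccountName": "jdoe", "notesDN": "CN=Jane Doe/O=Turtle"}),
    LdapEntry("CN=Temp Worker,OU=Contractors,DC=example,DC=com", "ad-pw-temp",
              {"sAMAccountName": "temp", "notesDN": "CN=Temp Worker/O=Turtle"}),
    LdapEntry("CN=No Mapping,OU=Staff,DC=example,DC=com", "ad-pw-nomap",
              {"sAMAccountName": "nomap"}),
])


def staff_only(entry: LdapEntry) -> bool:
    """Example restriction: only entries under OU=Staff may authenticate."""
    return ",OU=Staff," in entry.dn


if __name__ == "__main__":
    for user, pw in [("gdavis", "domino-http-pw"), ("gdavis", "ad-pw-gab"), ("jdoe", "ad-pw-jane"),
                     ("temp", "ad-pw-temp"), ("nomap", "ad-pw-nomap")]:
        print(user, "->", authenticate(user, pw, PERSON_DOCS, LDAP, restrict=staff_only))
```

Two design points carry over to the real deployment: a user whose LDAP entry has no Notes DN attribute is denied rather than mapped to anything else, and an ambiguous LDAP search (zero or several hits after the restriction filter) is treated as a failure, which is why the attribute must be kept in sync and unique.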
![Page 18: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/18.jpg)
KERBEROS / SPNEGO / IWA
![Page 19: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/19.jpg)
WHAT DOES IT DO?
Uses the token generated by Active Directory to authenticate Domino access
Using MSSO, Domino generates its own token for onward authentication on other platforms
![Page 20: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/20.jpg)
SPNEGO EXAMPLE FOR DOMINO
STEPS
1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Domino website
4. Browser sends SPNEGO token to Domino along with user name
5. Domino contacts Active Directory to validate token and retrieve the user’s name
![Page 21: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/21.jpg)
WHAT DOES IT NEED?
An Active Directory domain for the user to log in to
SSO or MSSO
A Kerberos name mapped in the Domino person document
A Windows client (3rd party support for other OS)
An IE browser (3rd party support for other browsers)
![Page 22: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/22.jpg)
HOW DO I SET IT UP?
• Ensure the clocks on the AD and Domino servers are in sync (use the same time server)
• Run Domino using a specific service account, not local system
• Enable Active Directory in Directory Assistance (the AD domain must match the LDAP tab)
![Page 23: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/23.jpg)
HOW DO I SET IT UP?
Or, if you don’t want to use Directory Assistance:
Set notes.ini on the Domino server:
WIDE_SEARCH_FOR_KERBEROS_NAMES=1
Then set the Kerberos name manually in each person document: on the Administration tab of each person document add the user’s Kerberos name in the format
name (case sensitive) + domain (must be in caps)
![Page 24: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/24.jpg)
HOW DO I SET IT UP?
Create an SPN (service principal name) in Active Directory representing every Domino hostname your users will access
The SPN authorisation account should match the account running Domino
To get the SPN command, run the program “domspnego” and give the output to your AD administrator
setspn -a HTTP/[hostname] [account]
Create multiple SPNs for multiple servers or hostnames
![Page 25: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/25.jpg)
IN SUMMARY
Enable SSO in Domino
Enable AD Directory Assistance with single sign on for Windows (IWA - Integrated Windows Authentication)
Full Text Index Domino directory
Run domspnego to generate setspn output
Run setspn on Active Directory domain controller
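The Kerberos/SPNEGO setup steps above, as an added example in Python that is not part of the presentation and is not the `domspnego` tool: it builds the Kerberos name for a person document (account name kept case-sensitive, domain forced to upper case, joined in the standard `name@REALM` principal form, which the slide does not spell out and is assumed here), generates one `setspn -a HTTP/<hostname> <account>` line per distinct hostname for the Domino service account, flags an SPN that is registered to more than one account (a duplicate SPN is a common reason Kerberos authentication silently fails for a hostname), and checks clock skew against the Kerberos default 5-minute tolerance. The `example.com` hostnames and the `svc-domino` account are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Kerberos' default maximum tolerable clock skew between client, KDC and service.
KERBEROS_MAX_SKEW = timedelta(minutes=5)


def kerberos_name(account_name: str, ad_domain: str) -> str:
    """Kerberos name for the person document: account name as-is (case
    sensitive), AD domain in caps, joined as name@REALM (the '@' join is assumed)."""
    account_name, ad_domain = account_name.strip(), ad_domain.strip()
    if not account_name or not ad_domain or "@" in account_name:
        raise ValueError("need a bare account name and an AD domain")
    return f"{account_name}@{ad_domain.upper()}"


def setspn_commands(hostnames: Iterable[str], service_account: str) -> List[str]:
    """One 'setspn -a HTTP/<hostname> <account>' line per distinct Domino
    hostname, all tied to the account that runs the Domino service."""
    commands, seen = [], set()
    for host in hostnames:
        host = host.strip().lower()  # hostnames are case-insensitive; dedupe on the lower form
        if not host or host in seen:
            continue
        seen.add(host)
        commands.append(f"setspn -a HTTP/{host} {service_account}")
    return commands


def find_conflicting_spns(registrations: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """registrations maps account -> SPNs it already holds (what 'setspn -L <account>'
    lists). Returns each SPN held by more than one account; with a duplicate SPN the
    KDC cannot issue a usable service ticket for that hostname."""
    holders: Dict[str, List[str]] = {}
    for account, spns in registrations.items():
        for spn in spns:
            holders.setdefault(spn.lower(), []).append(account)
    return {spn: accounts for spn, accounts in holders.items() if len(accounts) > 1}


def clock_skew_ok(ad_time: datetime, domino_time: datetime) -> bool:
    """First setup step: the AD and Domino clocks must agree within Kerberos' tolerance."""
    return abs(ad_time - domino_time) <= KERBEROS_MAX_SKEW


def skew_minutes_ok(minutes: float) -> bool:
    """Convenience wrapper: is a skew of this many minutes acceptable?"""
    base = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    return clock_skew_ok(base, base + timedelta(minutes=minutes))


if __name__ == "__main__":
    print(kerberos_name("gdavis", "example.com"))
    for line in setspn_commands(["mail.example.com", "Mail.Example.com", "traveler.example.com"],
                                r"EXAMPLE\svc-domino"):
        print(line)
    print(find_conflicting_spns({r"EXAMPLE\svc-domino": ["HTTP/mail.example.com"],
                                 r"EXAMPLE\old-svc": ["HTTP/mail.example.com", "HTTP/intranet.example.com"]}))
    print(skew_minutes_ok(2), skew_minutes_ok(6))
```

Run `find_conflicting_spns` over the output of `setspn -L` for the current service account and any previous one before handing the new `setspn -a` lines to the AD administrator; a hostname whose SPN is still attached to an old account is the first thing to look for when one server works and another does not.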
![Page 26: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/26.jpg)
SAML & NOTES
![Page 27: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/27.jpg)
WHAT DOES IT DO?
One single authentication challenge for access to multiple systems
Including a vaulted Notes ID
Identity Provider initial authentication can use many methods from passwords, multiple passwords, custom forms, smart cards and more
Supports multiple client and server operating systems
No passwords to compromise or intercept
![Page 28: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/28.jpg)
SAML EXAMPLE
STEPS
1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
![Page 29: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/29.jpg)
DEFINITIONS
IdP - Identity Provider (SSO)
ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
SAML 2.0 only
can be combined with SPNEGO
Enhances Integrated Windows Authentication (IWA)
TFIM (Tivoli Federated Identity Manager)
SAML 1.1 and 2.0
![Page 30: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/30.jpg)
DEFINITIONS
SP - Service Provider
IBM Domino (web federated login)
IBM WebSphere
IBM Notes (requires ID Vault) (notes federated login)
![Page 31: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/31.jpg)
MORE DEFINITIONS
IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML based assertions
Assertions have three roles
Authentication
Authorisation
Retrieving Attributes
![Page 32: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/32.jpg)
WHAT DOES IT NEED?
An Identity Provider - currently IBM supports ADFS and TFIM
Other IdPs may work but aren’t officially supported, so check with IBM first
ID Vault configured for federated logins
A partnership between the ID Vault server and the Identity Provider
An SSL certificate generated by a well known authority
![Page 33: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/33.jpg)
WHAT DOES IT NEED?
An attribute in your Identity Provider that matches a unique user identity in Domino
An IdP Catalog in Domino (idpcat.nsf)
At least one IdP configuration document to be used by your Domino server(s)
A security policy that can be applied to your federating users
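Step 5 of the SAML flow (the Service Provider confirming the assertion) together with the requirement above that the IdP attribute maps to a unique user identity in Domino, as an added example in Python. It is not code from the presentation or from IBM Domino: the assertion builder, the SP configuration standing in for the IdP configuration document, the `mail` attribute, the certificate bytes and the person documents are all constructed. The SP checks the Issuer, that the signing certificate is the one taken from the imported IdP metadata, the NotBefore/NotOnOrAfter window, the audience, and that the identity attribute matches exactly one person document; verifying the XML-DSig signature itself with that certificate is a further step not modelled here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP signing certificate bytes; in a real deployment this comes
# from the FederationMetadata.xml imported into idpcat.nsf.
TRUSTED_IDP_CERT = b"CONSTRUCTED-ADFS-SIGNING-CERTIFICATE"

# Constructed SP configuration, standing in for the IdP configuration document.
SP_CONFIG = {
    "sp_entity_id": "https://mail.example.com/",                     # this Domino server's URL
    "idp_entity_id": "http://adfs.example.com/adfs/services/trust",  # expected Issuer
    "idp_cert_sha256": hashlib.sha256(TRUSTED_IDP_CERT).hexdigest(),
    "name_attribute": "mail",  # IdP attribute that must map to exactly one person
}

# Constructed person documents keyed by Notes hierarchical name; the two
# "Jane Doe" entries share a mail value to show a non-unique mapping.
PERSON_DOCS = {
    "CN=Gab Davis/O=Turtle": {"mail": "gab@example.com"},
    "CN=Jane Doe/O=Turtle": {"mail": "jane@example.com"},
    "CN=Jane Doe/OU=Contract/O=Turtle": {"mail": "jane@example.com"},
}

NOW = datetime(2014, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def _ts(d: datetime) -> str:
    return d.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_assertion(issuer: str, audience: str, not_before: datetime, not_on_or_after: datetime,
                    attributes: Dict[str, str], cert_der: bytes) -> str:
    """Constructed SAML 2.0-style assertion carrying only what validate_assertion checks."""
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                    f'</saml:Attribute>' for n, v in attributes.items())
    cert_b64 = base64.b64encode(cert_der).decode("ascii")
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" Version="2.0">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'<saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')


def validate_assertion(xml_text: str, config: dict, person_docs: Dict[str, Dict[str, str]],
                       now: datetime) -> Tuple[Optional[str], str]:
    """SP-side checks. Returns (notes_dn, "ok") on success or (None, reason) on failure."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != config["idp_entity_id"]:
        return None, "issuer is not the configured IdP"
    cert_b64 = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not cert_b64 or hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != config["idp_cert_sha256"]:
        return None, "signing certificate is not the one from the IdP metadata"
    # A real SP verifies the XML-DSig signature with that certificate here; not modelled.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, "assertion has no Conditions"
    if now < _parse_ts(cond.get("NotBefore")) or now >= _parse_ts(cond.get("NotOnOrAfter")):
        return None, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        return None, "assertion is not addressed to this service provider"
    values = [v.text for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == config["name_attribute"]
              for v in a.findall("saml:AttributeValue", NS)]
    if len(values) != 1:
        return None, "identity attribute missing or multi-valued"
    matches = [dn for dn, fields in person_docs.items() if fields.get(config["name_attribute"]) == values[0]]
    if len(matches) != 1:  # "mapping must be unique": zero or several hits are both a deny
        return None, "identity attribute does not map to exactly one Domino person"
    return matches[0], "ok"


def good_assertion(minutes_valid: int = 5, **overrides) -> str:
    """Valid assertion for Gab Davis; overrides let a caller break one thing at a time."""
    params = dict(issuer=SP_CONFIG["idp_entity_id"], audience=SP_CONFIG["sp_entity_id"],
                  not_before=NOW - timedelta(minutes=1), not_on_or_after=NOW + timedelta(minutes=minutes_valid),
                  attributes={"mail": "gab@example.com"}, cert_der=TRUSTED_IDP_CERT)
    params.update(overrides)
    return build_assertion(**params)


if __name__ == "__main__":
    print(validate_assertion(good_assertion(), SP_CONFIG, PERSON_DOCS, NOW))
    print(validate_assertion(good_assertion(attributes={"mail": "jane@example.com"}), SP_CONFIG, PERSON_DOCS, NOW))
```

The order of the checks matters: issuer and certificate first, so nothing from an unexpected IdP is parsed further, then the validity window (which is why clock sync matters here as much as for Kerberos), then the audience, and only then the identity mapping. A mapping that hits two person documents is refused rather than resolved by picking the first, which is the practical meaning of "mapping must be unique".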
![Page 34: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/34.jpg)
WHERE DO WE START?
You’ll need to install ADFS 2.0 if using Active Directory
You’ll need to have an IIS server with an SSL certificate
You’ll need an ID Vault
You’ll need a security policy in Domino
You’ll need an idpcat database based on the template idpcat.ntf
![Page 35: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/35.jpg)
SIMPLE, RIGHT?
… YOU’LL NEED TIME AND PATIENCE
![Page 36: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/36.jpg)
FROM ADFS TO DOMINO
Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
![Page 37: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/37.jpg)
DOMINO IDP CONFIGURATION
Create the configuration document in your idpcat.nsf database
Import the XML file you just saved from ADFS
![Page 38: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/38.jpg)
ENABLE CLIENT SETTINGS
The FederationMetadata.xml is attached from your previous step
![Page 39: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/39.jpg)
DOMINO TO ADFS
Creating a certificate to give to ADFS containing information about your Domino server
Multiple servers / URLs mean multiple documents
![Page 40: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/40.jpg)
DOMINO TO ADFS CERTIFICATE
When the “create certificate” button is clicked, a new certificate is saved in the document and an idp.xml file for ADFS is created
![Page 41: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/41.jpg)
ADFS TRUSTING DOMINO
ADFS needs to know about each Domino server / URL and you use the idp.xml for that
![Page 42: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/42.jpg)
ADD RELYING PARTY TRUST
![Page 43: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/43.jpg)
![Page 44: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/44.jpg)
BROWSE TO THE IDP.XML
![Page 45: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/45.jpg)
![Page 46: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/46.jpg)
![Page 47: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/47.jpg)
ADDING RELYING PARTY
![Page 48: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/48.jpg)
MAPPING ADFS NAMES TO DOMINO
![Page 49: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/49.jpg)
MAPPING MUST BE UNIQUE
![Page 50: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/50.jpg)
DOMINO SECURITY POLICY
Enable Federated Login under Password Management
![Page 51: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/51.jpg)
CONFIGURE THE ID VAULT
![Page 52: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/52.jpg)
MORE…
The browser has to recognise the certificate being used by ADFS
ADFS has to recognise the certificate used by Domino
Domino has to recognise the certificate used by ADFS
Basically everything needs to talk to each other and be happy there’s no man-in-the-middle intrusion
![Page 53: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/53.jpg)
SUMMARY
If you’re not using SPNEGO then you should, it’s very simple to set up
SAML is where single sign on needs to be
There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines for instance)
Don’t just think about Domino and its services, think about everything your business uses and will be using
IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc) so if in doubt, start with a PMR
![Page 54: A Technical Guide To Deploying Single Sign On](https://reader033.vdocuments.mx/reader033/viewer/2022042512/555149cfb4c905c6268b5074/html5/thumbnails/54.jpg)
HOW TO FIND ME
Twitter, blogs, Instagram, Facebook and more
[email protected] GabriellaDavis (skype) http://turtleblog.info
gabturtle on twitter and elsewhere