New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
Presentation Transcript

  • New Single Sign-on Options for IBM® Lotus® Notes® & Domino® © 2012 IBM Corporation
  • IBM's statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM's sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.
  • Agenda
    ■ Standards based SSO using SAML
    ■ SAML for IBM Lotus Domino web server and IBM Lotus iNotes®
    ■ SAML for IBM Lotus Notes client
  • User accesses many different IBM services with a browser or Lotus Notes (IBM Connections®, LotusLive® Engage®, IBM Sametime®, Lotus Domino, Lotus Quickr®). The user doesn't want multiple password prompts.
  • User might also access third party services (e.g. Facebook®) alongside IBM Sametime, IBM Connections, LotusLive Engage, Lotus Domino and Lotus Quickr. Again, the user doesn't want multiple password prompts.
  • SSO Mission: Fewer password prompts, fewer passwords in general
    ■ We need SSO because:
      ─ High administrative cost for managing passwords.
      ─ Users can't remember a lot of passwords.
      ─ Password prompts are annoying.
      ─ Many "different" passwords lead to lower security (users reuse them or write them down).
    ■ If we use cryptographic mechanisms instead of passwords, we can improve security and minimize cost.
    ■ For best interoperability across IBM and third party applications, we look to adopt standards based SSO.
  • Security Assertion Markup Language (SAML)
    ■ Standard to address Internet SSO.
    ■ OASIS publishes the standards documents.
    ■ Many implementations available, including open source.
    ■ SSO across cooperating domains and across cooperating corporations.
    ■ IBM LotusLive® Notes implements SAML.
  • SAML identity assertion
    ■ Security is based on PKI.
      ─ The user's identity is represented in a signed XML assertion.
      ─ Private key, public key pair:
        – The server creating the assertion (the IdP) signs it using its private key.
        – Servers processing assertions validate the signature using the trusted signer's public key.
      ─ Standards based Internet (X.509) certificates and keys are used.
    ■ The service identifies the user based on the user's assertion.
      ─ The assertion contains the authenticated user's name (e.g. email address).
  • SAML Identity provider (IdP) authenticates the user
    ■ The IdP implements "federated identity".
      ─ Knows about user names and passwords (backed by a directory).
      ─ Might be able to authenticate the user via SPNEGO/Kerberos, or an alternate non-password method.
      ─ Prepares credentials (a SAML identity assertion) for the user to present to the target service.
        – "IdP authenticated user x at time y"
      ─ Can be used by services from different vendors.
    ■ Common IdPs
      ─ IBM Tivoli® Federated Identity Manager (TFIM®)
      ─ Microsoft® ADFS® 2.0 integrated with Active Directory®
      ─ many others
  • Federated Identity using SAML assertions
    ■ Why is it a good thing for security?
      ─ Minimized use of passwords (only handled by the IdP, if required at all).
      ─ Authenticate once to the IdP. The IdP may "remember" the user.
      ─ Customers can use/control their own on-premises IdP and directory.
      ─ Less user data redundancy.
      ─ Goal: password information is unavailable to crackers wanting to launch an offline password guessing attack, because the services never store it.
  • Services accepting SAML assertions
    ■ The SAML service provider (SP) receives the authentication decision from the IdP.
    ■ The SP authenticates a user by successful verification of the user's SAML assertion.
  • Reduce risk using SSL
    ■ HTTP protocols are in use between browser, IdP and service.
    ■ If SSL (HTTPS) is not used to encrypt the channels:
      ─ An eavesdropper steals user login information, e.g. the password.
      ─ An eavesdropper steals the identity assertion.
        – Usable for a short period of time (the assertion's validity window).
      ─ An eavesdropper steals any cookies.
        – Usable for the configured period of time (the session cookie lifetime).
  • Agenda
    ■ Standards based SSO using SAML
    ■ SAML for IBM Lotus Domino web server and IBM Lotus iNotes
    ■ SAML for IBM Lotus Notes client
  • (future release) Domino web server as a SAML service provider (SP)
    ■ The Domino SP receives the authentication decision from the IdP.
    ■ Domino authenticates a user by successful verification of the user's SAML assertion.
  • Web client: user accessing Domino via browser (1)
    The user browses to a protected Domino URL, e.g. http://domino1.renovations.com/db.nsf, but hasn't logged in yet.
  • Web client: user accessing Domino via browser (2)
    Domino redirects the browser to the IdP's URL with a SAML request.
  • Web client: user accessing Domino via browser (3)
    The browser follows the redirect to the SAML IdP. The URL might look something like this: https://idp.renovations.com/sps/saml11/login?TARGET=....
  • Web client: user accessing Domino via browser (4)
    The user may be prompted to authenticate to the IdP, or the IdP may be configured to authenticate the user with a non-password method (e.g. SPNEGO/Kerberos).
  • Web client: user accessing Domino via browser (5)
    The IdP has authenticated the user and sends the SAML response containing the assertion, redirecting the browser back to Domino.
  • Web client: user accessing Domino via browser (6)
    The browser delivers the SAML assertion to Domino in an HTTP POST. The assertion received at Domino is verified using the IdP's public key. Domino then needs to map the name in the assertion to the user's Domino name.
  • Web client: user accessing Domino via browser (7)
    The user is logged in at Domino. Domino issues a session cookie and redirects the browser to the URL it originally asked for; the browser now has credentials to access protected Domino URLs.
  • Web client: user accessing Domino via browser (8)
    Now the user will see the protected Domino URL (http://domino1.renovations.com/db.nsf), with the browser sending the session cookie on each request.
  • User accesses other Domino SAML servers
    The IdP remembers the user, and issues SAML assertions transparently to the user. Each Domino server (Domino1, Domino2) can consume a SAML assertion and issue the user its own single-server session cookie, valid only for that server. SSO is achieved by use of a common IdP.
  • Administrator sets up Domino SAML in an environment with non-SAML IBM servers
    Instead of a single-server session cookie, Domino SAML is configured to issue an LTPA session cookie that can be shared with other IBM servers (e.g. Domino3 and other LTPA-aware servers in the same SSO domain).
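What makes the LTPA cookie shareable, and what limits the damage when it is stolen (slide 12, "good for configured period of time"), is visible in the token itself. The Go program below is an added example, not code from the presentation or from IBM's Domino or WebSphere: it mints and validates an LTPA version 1 cookie value from a shared secret. The layout (4-byte header, creation and expiry times as 8 hex digits, user name, SHA-1 over all of that plus the secret) follows the widely documented LTPA v1 format, but treat the exact byte layout as an assumption; the secret, user name and times are constructed, and the user name is handled as UTF-8 where Domino uses its own LMBCS encoding.

```go
package main

import (
	"bytes"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// ltpaHeader is the 4-byte version prefix of an LTPA version 1 token (assumed layout).
var ltpaHeader = []byte{0x00, 0x01, 0x02, 0x03}

// MintLtpaToken builds an LtpaToken cookie value for user, valid from created for ttl.
// Assumed layout (LTPA v1): header(4) | created(8 hex) | expires(8 hex) | user |
// SHA-1(header || created || expires || user || secret). The secret is the SSO
// domain's shared key, so every server that should accept the cookie must hold it.
func MintLtpaToken(secret []byte, user string, created time.Time, ttl time.Duration) string {
	body := append([]byte{}, ltpaHeader...)
	body = append(body, fmt.Sprintf("%08X", created.Unix())...)
	body = append(body, fmt.Sprintf("%08X", created.Add(ttl).Unix())...)
	body = append(body, user...)
	digest := sha1.Sum(append(append([]byte{}, body...), secret...))
	return base64.StdEncoding.EncodeToString(append(body, digest[:]...))
}

// ValidateLtpaToken returns the user name carried by token if its digest matches
// secret and it has not expired at now. Changing the user name or the times changes
// the digest, so forging a cookie requires the shared secret.
func ValidateLtpaToken(secret []byte, token string, now time.Time) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(token)
	if err != nil {
		return "", err
	}
	if len(raw) < 4+8+8+1+sha1.Size || !bytes.Equal(raw[:4], ltpaHeader) {
		return "", errors.New("not an LTPA v1 token")
	}
	body, mac := raw[:len(raw)-sha1.Size], raw[len(raw)-sha1.Size:]
	want := sha1.Sum(append(append([]byte{}, body...), secret...))
	if subtle.ConstantTimeCompare(mac, want[:]) != 1 { // constant-time: do not leak where it differs
		return "", errors.New("LTPA digest mismatch: wrong secret or tampered token")
	}
	expires, err := strconv.ParseInt(string(body[12:20]), 16, 64)
	if err != nil {
		return "", err
	}
	if now.Unix() >= expires {
		return "", errors.New("LTPA token expired")
	}
	return string(body[20:]), nil
}

func main() {
	secret := []byte("constructed-shared-ltpa-secret") // constructed; Domino keeps this in the Web SSO configuration
	tok := MintLtpaToken(secret, "CN=Samantha Daryn/O=Renovations", time.Now(), 30*time.Minute)
	fmt.Println(tok)
	fmt.Println(ValidateLtpaToken(secret, tok, time.Now()))                      // the user name and <nil>
	fmt.Println(ValidateLtpaToken([]byte("some-other-secret"), tok, time.Now())) // "", digest mismatch
}
```

Two things follow from the layout: a server that was not given the same secret rejects the cookie (which is why every server in the SSO domain is configured with it), and the cookie carries its own expiry, so a stolen one stays usable only until that time. The user name and times are not encrypted, only integrity-protected, and the digest is SHA-1, which is why the channel still needs HTTPS and why the later LTPA version 2 format encrypts the token.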
  • Web client: Third party browser application
    The IdP remembers the user. Assertions from the IdP may be accepted by a variety of applications. The administrator has registered the on-premises IdP with Facebook®, so that Facebook can verify SAML assertions from the IdP.
  • iNotes may authenticate the user via SAML assertion
    ● HTTP flows (as shown in the previous slides) authenticate the user to iNotes.
  • iNotes secure mail: Using SAML to avoid prompting for the password to the Notes id file
    The user's id file is held in the ID vault. The ID vault server uses a new Notes RPC channel to receive the user's assertion, and returns the user's unlocked id file to iNotes.
  • Deployment steps for Domino web server SAML
    ■ Deploy a SAML IdP on-premises.
      ─ (Optimal) To avoid password prompting by the IdP, configure the IdP for SPNEGO/Kerberos user authentication.
      ─ Tell the IdP about each participating Domino server.
    ■ Configure Domino.
      ─ Domino web server settings for SAML.
      ─ Declare trust in the IdP to log in Domino users.
      ─ Set up name mapping (map the user's email address to a Domino distinguished name).
      ─ (for iNotes secure mail users) Deploy a security policy for the id file in the ID vault.
      ─ (for iNotes secure mail users) Declare trust in the IdP to authenticate to the ID vault.
  • Agenda
    ■ Standards based SSO using SAML
    ■ SAML for IBM Lotus Domino web server and IBM Lotus iNotes
    ■ SAML for IBM Lotus Notes client
  • Notes Shared Login providing SSO at Notes startup
    ■ Notes Shared Login is a great feature.
      ─ The user does not have a Notes password.
      ─ The user's id file can be managed in the ID vault.
      ─ The administrator's policy determines which users have Notes Shared Login.
    ■ Notes Shared Login can't be used in virtual environments (e.g. Citrix).
      ─ SAML may provide a useful alternative.
  • Notes on Citrix: Virtual environment
    Components: a Windows Domain Controller with Active Directory (Kerberos security, ADFS IdP), the ID vault holding the ID files, and Domino.
  • (future release) Notes on Citrix: The user's home server checks policy to determine whether this is a SAML user.
    ➢ The administrator has picked one of these policy choices to enforce for the user:
      ● User is a SAML user.
      ● User should be prompted for a password.
  • Notes on Citrix can leverage the Windows environment for a SAML user.
    For a Citrix Windows environment, it may be convenient to deploy Microsoft ADFS 2.0 as the SAML IdP.
  • Notes on Citrix: Use SAML to avoid the password prompt to start Notes
    ● The Notes embedded browser handles authentication to the SAML IdP via SPNEGO/Kerberos over HTTP.
    The user has already logged into Windows, so the user doesn't need to prove who he is to the Microsoft ADFS IdP again.
  • Notes on Citrix: Use SAML to avoid the password prompt to start Notes (by retrieving the unlocked id file)
    ● Send the SAML assertion to the ID vault server via the Notes RPC channel.
    ● The ID vault server returns the user's unlocked id file via the Notes RPC channel.
    The ID vault server evaluates whether the assertion comes from a trusted IdP before releasing the id file.
  • Deployment steps for Notes client use of SAML at startup
    ■ Deploy a SAML IdP on-premises.
      ─ (Optimal) To avoid password prompting by the IdP, configure the IdP for SPNEGO/Kerberos user authentication.
      ─ Tell the IdP about the Domino SAML service provider for the ID vault.
    ■ Configure server settings.
      ─ Deploy a security policy to assign SAML users and to manage id files in the ID vault.
      ─ Declare trust in the IdP to log in Notes users by SAML authentication to the ID vault.
      ─ Set up name mapping (map the user's email address to a Domino distinguished name).
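The Domino web server (slides 20-22), the ID vault server (slide 35) and both deployment lists above come down to the same check on the consuming side: only an assertion signed by a declared-trusted IdP, still inside its validity window, issued for this service and not seen before is accepted, and the asserted email address is then mapped to a Domino distinguished name. The Go program below is an added example of that check, not code from the presentation or from IBM's Domino or ID vault implementation. It plays the IdP (sign) and the service provider (verify, map) in one process. Assumptions: the issuer and service URLs, the user and the mapped Domino name are constructed; the XML-DSig signature with canonicalization that real SAML uses is replaced by a detached RSA-SHA256 signature over the exact serialized bytes; a production SP would additionally bind the response to the request it sent (InResponseTo) and tolerate a little clock skew.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a cut-down SAML assertion: issuer, subject (the user's e-mail) and conditions.
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	ID         string     `xml:"ID,attr"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"`
	Conditions Conditions `xml:"Conditions"`
}

type Conditions struct {
	NotBefore    time.Time `xml:"NotBefore,attr"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter,attr"`
	Audience     string    `xml:"AudienceRestriction>Audience"`
}

// SignedAssertion pairs the serialized assertion with the IdP's RSA signature over those exact bytes.
type SignedAssertion struct{ XML, Signature []byte }
func GenerateIdPKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Issue is the IdP side: "issuer authenticated email at now", for one audience, valid for ttl.
func Issue(key *rsa.PrivateKey, issuer, email, audience string, now time.Time, ttl time.Duration) (*SignedAssertion, error) {
	id := make([]byte, 16)
	rand.Read(id) // random assertion ID; crypto/rand.Read does not fail in practice
	t := now.UTC().Truncate(time.Second)
	body, err := xml.Marshal(Assertion{ID: fmt.Sprintf("_%x", id), Issuer: issuer, NameID: email,
		Conditions: Conditions{NotBefore: t, NotOnOrAfter: t.Add(ttl), Audience: audience}})
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return &SignedAssertion{XML: body, Signature: sig}, err
}

// ServiceProvider plays the Domino (or ID vault) role: trusted IdP keys, e-mail -> DN map, replay cache.
type ServiceProvider struct {
	Audience string
	Trusted  map[string]*rsa.PublicKey // issuer name -> public key
	NameMap  map[string]string         // e-mail address -> Domino distinguished name
	seen     map[string]bool           // assertion IDs already accepted
}

func NewServiceProvider(audience string) *ServiceProvider {
	return &ServiceProvider{Audience: audience, Trusted: map[string]*rsa.PublicKey{},
		NameMap: map[string]string{}, seen: map[string]bool{}}
}

// Login verifies a presented assertion and returns the Domino DN to log the user in as.
func (sp *ServiceProvider) Login(sa *SignedAssertion, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(sa.XML, &a); err != nil {
		return "", err
	}
	pub, ok := sp.Trusted[a.Issuer] // 1. only a declared-trusted IdP may log users in
	if !ok {
		return "", errors.New("untrusted issuer: " + a.Issuer)
	}
	digest := sha256.Sum256(sa.XML) // 2. signature check with that IdP's public key
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sa.Signature) != nil {
		return "", errors.New("signature does not verify with the IdP's public key")
	}
	if now.Before(a.Conditions.NotBefore) || !now.Before(a.Conditions.NotOnOrAfter) { // 3. validity window
		return "", errors.New("assertion outside its validity window")
	}
	if a.Conditions.Audience != sp.Audience { // ...and intended audience
		return "", errors.New("assertion issued for another service: " + a.Conditions.Audience)
	}
	if sp.seen[a.ID] { // 4. a captured assertion must not work twice
		return "", errors.New("assertion replayed: " + a.ID)
	}
	sp.seen[a.ID] = true
	dn, ok := sp.NameMap[a.NameID] // 5. map the asserted e-mail to the Domino name
	if !ok {
		return "", errors.New("no Domino name mapped for " + a.NameID)
	}
	return dn, nil
}

func main() {
	key, _ := GenerateIdPKey()
	sp := NewServiceProvider("https://domino1.renovations.com")
	sp.Trusted["https://idp.renovations.com"] = &key.PublicKey
	sp.NameMap["sam@renovations.com"] = "CN=Samantha Daryn/O=Renovations"
	sa, _ := Issue(key, "https://idp.renovations.com", "sam@renovations.com", sp.Audience, time.Now(), 5*time.Minute)
	fmt.Println(sp.Login(sa, time.Now())) // the DN and <nil>; presenting sa again is reported as a replay
}
```

The order of the checks is deliberate: the issuer lookup decides which key may be used before any signature is examined, the signature is verified before any field of the assertion is trusted, and the replay cache is only updated after every other check has passed. The name mapping step is where the "declare trust in the IdP" and "set up name mapping" items of the deployment lists meet: an assertion for an unmapped address is valid but still cannot log anyone in.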
  • User accesses many different IBM services with Notes (IBM Connections, IBM Sametime, LotusLive Engage, Lotus Domino, Lotus Quickr). The user doesn't want multiple password prompts.
  • Notes plug-ins
    ● After login to Notes, Notes may attempt authentication to Internet servers.
      ─ Notes sidebars:
        – Sametime
        – Activities (Connections)
        – Feeds ...
      ─ Browser applications running in Notes
    ● The authentication mechanism is specified in the Notes account
      ─ In the user's personal Name and Address book
    ● Notes already has an option for SAML to LotusLive Notes
  • Optimally Notes plug-ins can use SAML in the future
    ■ The Notes embedded browser can make requests to an IdP.
      ─ No login prompts if the IdP is using SPNEGO/Kerberos.
      ─ Issue: not all target servers will be able to accept a SAML assertion.
    ■ Notes could send a SAML assertion to Domino to authenticate and receive a session token (LTPA) for use by the Notes plug-in.
  • 8.5.2 Notes managed accounts
    ■ The administrator manages Account documents in the Domino Directory.
      ─ The Domino policy mechanism pushes accounts to the Notes client.
      ─ We may need some tweaks to Account documents for SAML.
  • Legal disclaimer © IBM Corporation 2012. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, Lotuslive, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Facebook is a registered trademark of Facebook, Inc in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.
  • Questions?