Wfl
Slide 2
IBM Corporation ©2015
Open Mic Team
Irfan Jaffery - IBM ICS Support engineer Presenter
Deepankar Panda - IBM ICS Support engineer Presenter
Ranjit Rai - IBM ICS SWAT Focusing on entire Notes/Domino
Jayavel Rajendran - IBM ICS SWAT Focusing on entire Notes/Domino
Hansraj Mali - IBM ICS SWAT Focusing on Notes/Domino
Narendra Nesarikar - IBM ICS Support Facilitator for Open Mics
Slide 3
Agenda
IBM Web Federated Login introduction
Different Components
• Federation Identity Provider
• Windows Domain Environment
• IdP Catalog (IdPCat.nsf)
• Domino Web Server running iNotes, functioning as the Home Mail Server for iNotes client users (a web browser client for all iNotes users)
• ID Vault
Deployment Requirements
Implementation
General Troubleshooting
References
Q/A
Slide 4
IBM Web Federated Login Introduction
Provides a single sign-on experience when starting up the Notes client or iNotes
SSO between Notes, iNotes and the Windows domain environment, and many other supported/compatible Identity Providers.
Eliminates the regular iNotes password prompt.
Reduces the administrative cost of maintaining multiple directories.
Uses cryptographic mechanisms instead of passwords to improve security and minimize cost.
The SAML IdP takes responsibility to authenticate the Notes user.
Users' IDs must be stored in an ID vault
Slide 5
Different Components
Federation Identity Provider
Currently Supported with IBM Notes/Domino 9.0.x
Microsoft® ADFS 2.0 integrated with Active Directory
IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager).
Domino web server authentication process using SAML
Slide 7
Contd...
Windows Domain Environment
Requires Active Directory Configuration
Active Directory Federation Service 2.0 (ADFS) is used as Identity Provider
Client computer where the user is logging into Windows and running the browser
ADFS does the job of user authentication via Kerberos Authentication
Slide 8
Contd...
IdP Catalog (IdPCat.nsf)
A database needs to be created on the Domino server hosting the ID Vault
Use the idpcat.ntf template; the database name must be IdPCat.nsf
If using UNIX, the filename must be all lower case
Special database that contains trusted identity providers and their certificates.
An IdP config document is created and the IdP configuration is imported
The admin creating the document must be listed in the following fields of the server document:
Full Access Administrators
Administrators
Sign or run unrestricted methods and operations
Imports the FederationMetadata.xml file exported from ADFS. This builds the trust.
The idpcat.nsf must not be enabled for document locking.
Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly sensitive information is not kept in the directory.
Slide 9
Contd...
iNotes User Environment with Domino Home mail server
Web Browser
Domino Server 9.0/9.0.x needs to be installed and should have HTTP enabled
SSL needs to be enabled on the Domino Server
If the ID vault server is separate, it does not need to have SSL enabled
ID Vault should be hosted on a Domino server
Security Policy for ID Vault should be configured and applied to iNotes users
Session Authentication should be set to SAML 2.0 in the Server document
An exported copy of the SSL internet certificate from the Federation Identity Provider (TFIM/ADFS 2.0) must be imported into the Domino Directory and cross-certified to create an internet cross certificate.
Slide 10
Contd...
ID Vault
Standard ID Vault configuration should be done on Domino Server
Proper security policy should be created for ID Vault and should be pushed to the users
All user IDs must be harvested into the ID Vault database
Identity Provider Configuration information should be updated under ID Vault
Slide 11
Deployment Requirements
IBM Domino Server 9.x onwards
Confirm your iNotes user has been added to the vault and can access their ID for encrypting/decrypting mails
Microsoft Windows Active Directory Domain Configuration
Active Directory Federation Services 2.0 (ADFS 2.0) Configuration
If using ADFS or implementing SSL with TFIM, confirm that you can access your server through HTTPS
Client machine should be part of the Windows Domain environment
Slide 12
Implementation – ADFS 2.0 Configuration
Run the ADFS console by selecting Start -> Administrative Tools -> AD FS 2.0 Management
Navigate to the Relying Party Trusts folder
From the menu, select Action > Add Relying Party Trust
Note: The steps below must be followed twice, because two Relying Party Trusts are needed:
iNotes configuration on the IdP
ID Vault configuration on the IdP
Slide 27
Contd...
Particularly if you have used a Domino metadata import file, check the Endpoints tab.
The Domino server uses the POST Binding, which should appear in the list of SAML
Assertion Consumer Endpoints. Domino server does not use an Artifact Binding, so if it
exists in the list, you can remove it.
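The endpoint check above is easier to repeat reliably against the exported metadata file than by eye in the ADFS console. The following Python script is an added example for this presentation and is not IBM code or part of Domino or ADFS. It parses a SAML 2.0 metadata document (either the SP metadata Domino exports or the FederationMetadata.xml that ADFS exports and idpcat.nsf imports), lists each endpoint with its binding, warns about any HTTP-Artifact endpoint or non-HTTPS location, and prints the SHA-256 fingerprint of every signing certificate so it can be compared with what was imported into the IdP Catalog. The hostname, endpoint paths and certificate blob in the embedded sample are constructed placeholders, not values from a real deployment.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata documents.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample: SP metadata with one POST and one stray Artifact consumer
# endpoint. The hostname and paths are placeholders and the KeyDescriptor holds
# a placeholder blob, not a real X.509 certificate.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE").decode()
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://inotes.example.test/">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{PLACEHOLDER_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://inotes.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://inotes.example.test/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def cert_fingerprint(der_bytes):
    """SHA-256 fingerprint in the colon-separated form most consoles display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_bytes).digest())


def inspect_metadata(xml_text):
    """Summarise endpoints and signing certificates of an SP or IdP metadata document."""
    root = ET.fromstring(xml_text)
    report = {"entity_id": root.get("entityID"), "role": None,
              "endpoints": [], "signing_cert_sha256": [], "warnings": []}
    role = root.find("md:SPSSODescriptor", NS)
    if role is not None:
        report["role"], endpoint_tag = "SP", "md:AssertionConsumerService"
    else:
        role = root.find("md:IDPSSODescriptor", NS)
        if role is None:
            raise ValueError("no SPSSODescriptor or IDPSSODescriptor in metadata")
        report["role"], endpoint_tag = "IdP", "md:SingleSignOnService"
    for ep in role.findall(endpoint_tag, NS):
        binding, location = ep.get("Binding"), ep.get("Location")
        report["endpoints"].append((binding, location))
        if binding == ARTIFACT_BINDING:
            report["warnings"].append(
                f"Artifact binding endpoint {location}: Domino does not use it, remove it from the trust")
        if not (location or "").lower().startswith("https://"):
            report["warnings"].append(f"endpoint {location} is not HTTPS")
    if POST_BINDING not in [b for b, _ in report["endpoints"]]:
        report["warnings"].append("no HTTP-POST endpoint: the binding Domino uses is missing")
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing as well.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            report["signing_cert_sha256"].append(cert_fingerprint(der))
    if not report["signing_cert_sha256"]:
        report["warnings"].append("no signing certificate: assertions from this party cannot be verified")
    return report


if __name__ == "__main__":
    rep = inspect_metadata(SAMPLE_SP_METADATA)
    print(rep["role"], rep["entity_id"])
    for binding, location in rep["endpoints"]:
        print(" endpoint", binding.rsplit(":", 1)[-1], location)
    for fp in rep["signing_cert_sha256"]:
        print(" signing cert SHA-256", fp)
    for w in rep["warnings"]:
        print(" WARNING", w)
```

To check a real export, pass the file contents instead of the sample: `inspect_metadata(open("FederationMetadata.xml", encoding="utf-8").read())`. The IdP branch reports the SingleSignOnService endpoints, so the same script shows which bindings the ADFS side offers.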
Slide 36
Creating a configuration document in the idpcat.nsf database
contd...
The IdP Catalog application (idpcat.nsf) must exist on the Domino server that hosts the ID vault, whether or not that is the same computer that runs iNotes.
You will always have two IdP config documents for any iNotes server supporting Web Federated Login.
One IdP config document is for the iNotes server with SAML authentication, and this document must reside in the IdP Catalog application on the iNotes server.
The second IdP config document is for the iNotes server interface with the ID vault, and this document must reside in the IdP Catalog application on the ID vault server.
The documents are similar, but differ in a few important fields.
Slide 39
Contd...
Go to the server's notes.ini and add the lines below:
SAMLAuthVersion=2
SAMLUrl=https://instructor.test.com
SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw==
SAMLCompanyName=TEST SAML
Restart the Domino server
Slide 45
Integrated Windows Authentication (IWA)
● IWA is not necessary for SAML configuration
● Stops an iNotes user from being prompted for a password once they log on to their machine
The following need to be in the same Windows Active Directory domain:
● ADFS server
● Client computer where the user is logging into Windows and running the browser or Notes client
● The record for the user who is being authenticated via IWA
Step 1: Create the ADFS Kerberos identity
● The Windows administrator logged into the Windows domain creates the ADFS Kerberos identity.
● This identity must be mapped to the Active Directory user that represents the ADFS HTTP server instance.
● setspn -a HTTP/instructor.test.com instructor$
● setspn -a HTTP/Instructor instructor$
● setspn -L Instructor$
Slide 46
Step 2: Set up the browser for the Windows client iNotes user
Under Internet Options → Local Intranet → Sites add your ADFS URL
Slide 47
General Troubleshooting
Before turning on SAML authentication:
Make sure the Web server is functioning properly for session authentication
Make sure SSL is deployed properly
You can use Fiddler or Firebug for a network trace.
Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino.
Is the user properly prompted by the IdP (if a password prompt is required)?
If using Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see the user's Kerberos ticket for the SAML IdP.
Check the HTTP POST with the SAML assertion.
If you face errors creating the SAML certificate in the IdP Configuration document in the IdPCat.nsf database, check the following first:
Certificate creation and metadata export use an agent in idpcat.
Refer to the hidden field named "NotesError" in the IdP config document; it is helpful for diagnosing the error.
"You are not authorized to perform that function"
Check permissions in the server document security tab.
"Cannot accept internet certificate because the certificate is already in the ID file"
Use a different certifier name.
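The step "check the HTTP POST with the SAML assertion" is usually done by reading a Fiddler capture by hand. The Python script below is an added example written for this presentation, not IBM code and not part of Domino or ADFS. It takes the base64 SAMLResponse value from the captured POST, decodes it and reports the fields the service provider will act on: the IdP status, issuer, NameID, validity window, audience, whether a Signature element is present, and the AuthnContextClassRef, which shows whether the IdP authenticated the user with Windows (Kerberos) or a password prompt. The script checks only that a signature element exists; verifying it needs the IdP certificate from idpcat.nsf and an XML-DSig implementation. Its embedded response is a constructed sample with placeholder hostnames, IDs and signature value.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used in a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response: hostnames, IDs and the signature value are
# placeholders, not captured from a real ADFS or Domino server. It is
# base64-encoded below the way the SAMLResponse form field carries it.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2015-06-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_asrt1" Version="2.0" IssueInstant="2015-06-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-06-01T09:59:00Z" NotOnOrAfter="2015-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://inotes.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-06-01T10:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def saml_time(value):
    """Parse SAML's UTC timestamp (YYYY-MM-DDTHH:MM:SS[.fff]Z) into an aware datetime."""
    value = value.strip()
    if "." in value:  # ADFS often emits fractional seconds
        value = value.split(".", 1)[0] + "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(element):
    return element.text.strip() if element is not None and element.text else None


def inspect_saml_response(saml_response_b64, expected_audience, now=None, skew_seconds=0):
    """Decode a posted SAMLResponse and report the fields the SP will act on."""
    now = saml_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    report = {"status": None, "issuer": None, "name_id": None, "audience": None,
              "not_before": None, "not_on_or_after": None, "authn_context": None,
              "signature_present": False, "problems": []}
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    report["status"] = code.get("Value") if code is not None else None
    if report["status"] != STATUS_SUCCESS:
        report["problems"].append(f"IdP status is not Success: {report['status']}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # An EncryptedAssertion cannot be read without the SP's private key.
        report["problems"].append("no plaintext Assertion in the response")
        return report
    report["issuer"] = _text(assertion.find("saml:Issuer", NS))
    report["name_id"] = _text(assertion.find("saml:Subject/saml:NameID", NS))
    if report["name_id"] is None:
        report["problems"].append("assertion carries no NameID, so the user cannot be mapped")
    # Presence only: verifying the signature needs the IdP certificate from idpcat.nsf.
    report["signature_present"] = (assertion.find("ds:Signature", NS) is not None
                                   or root.find("ds:Signature", NS) is not None)
    if not report["signature_present"]:
        report["problems"].append("neither the response nor the assertion carries a Signature")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        report["problems"].append("assertion has no Conditions (no validity window, no audience)")
    else:
        if cond.get("NotBefore"):
            report["not_before"] = saml_time(cond.get("NotBefore"))
            if now + skew < report["not_before"]:
                report["problems"].append("assertion not yet valid: check clock skew between IdP and Domino")
        if cond.get("NotOnOrAfter"):
            report["not_on_or_after"] = saml_time(cond.get("NotOnOrAfter"))
            if now - skew >= report["not_on_or_after"]:
                report["problems"].append("assertion has expired: check clock skew between IdP and Domino")
        report["audience"] = _text(cond.find("saml:AudienceRestriction/saml:Audience", NS))
        if report["audience"] != expected_audience:
            report["problems"].append(f"audience {report['audience']!r} is not this SP ({expected_audience!r})")
    report["authn_context"] = _text(
        assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS))
    return report


if __name__ == "__main__":
    rep = inspect_saml_response(SAMPLE_SAML_RESPONSE_B64, "https://inotes.example.test/",
                                now="2015-06-01T10:01:00Z")
    for key, value in rep.items():
        print(f"{key}: {value}")
```

With a real capture, paste the URL-decoded SAMLResponse field and the iNotes server's entity ID as `expected_audience`. A "not yet valid" or "expired" problem on a response that was just issued almost always means the ADFS and Domino clocks disagree, which is why the `skew_seconds` argument exists.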
Slide 48
Contd...
Sample output of DEBUG_SAML=31
Limitations:
No support for Traveler devices
Cannot work with the Notes Single Login service
Current support for 2 IdPs (ADFS and TFIM)
Slide 49
References
Web Federated Login:
http://www-01.ibm.com/support/knowledgecenter/SSULMR_9.0.0/admin/saml_configuring_secure_web_federated_login_for_inotes_using_saml_t.dita
Slide 50
Questions?
Visit our Support Technical Exchange page or our Facebook page
for details on future events.
To help shape the future of IBM software, take this quality survey
and share your opinion of IBM software used within your
organization: https://ibm.biz/BdxqB2
IBM Collaboration Solutions Support page
http://www.facebook.com/IBMLotusSupport
IBM Collaboration Solutions Support
http://twitter.com/IBM_ICSSupport