A Technical Guide To Deploying Single Sign On
How to configure and deploy Single Sign On Technologies

Published in: Technology

  1. CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS
     Gabriella Davis, gabriella@turtlepartnership.com, The Turtle Partnership
  2. BACKGROUND
     Hopefully you saw my presentation yesterday? We talked about the difference between Single Sign On options. Today we are going to look at the technical components to get your Notes, iNotes and Traveler clients logging in with minimal fuss.
  3. WHO AM I?
     Gab Davis: Administrator, Problem Solver, Stubborn Fixer of Things. Working with IBM technologies and all the things surrounding and integrating with them. Based in London, about half the time.
  4. SOME HOWTO’S…. (FROM EASY TO HARD)
     • Notes Shared Logon
     • Configure LDAP Authentication
     • Configure Kerberos / SPNEGO / IWA for single sign on
     • Configure SAML
  5. NOTES SHARED LOGON
  6. WHAT DOES IT DO?
     • Removes the password from your Notes ID
     • No password, no problem!
     • Isn’t that a huge security problem?
  7. NOTES SHARED LOGON EXAMPLE (steps 1 to 5)
     1. User logs into Windows
     2. User launches Notes and is prompted for the vaulted ID password
     3. Notes downloads the vaulted ID to the file system
     4. Notes removes the ID’s password and encrypts the ID with the user’s Windows credentials
     5. Every time the user logs into Notes from that machine, the ID with no password is decrypted for use
  8. WHAT DOES IT NEED?
     • IDVault
     • Simple authentication: no smartcards, dual passwords, retina scans etc.
     • Windows OS
  9. HOW DO I SET IT UP?
     • Start with an IDVault (you know how to do that, right?)
     • There’s no client side configuration at all
     • Use the security policy to enable Notes Shared Logon
  10. Machine formula to restrict NSL to secured machines
  11. MACHINE SPECIFIC FORMULA
     @GetMachineInfo([Keyword]; "text string where required")
     Keyword      Returns
     IsLaptop     boolean, True if the machine is a laptop, otherwise False
     IsDesktop    boolean, True if the machine is NOT a laptop, otherwise False
     IsMultiUser  boolean, True if the machine has the Notes client installed as Multi-User, otherwise False
     HasDesigner  boolean, True if the machine has the Designer client installed, otherwise False
     HasAdmin     boolean, True if the machine has the Admin client installed, otherwise False
     IsStandard   boolean, True if the machine is running the Standard Notes client, otherwise False
     http://www-01.ibm.com/support/docview.wss?uid=swg21501673
  12. WHAT DOESN’T IT DO
     • No password sync from Notes to Domino HTTP
     • No Citrix
     • No USB data
     • No Roaming profiles (well, you can roam if you don’t roam)
     • More: http://bit.ly/1t50Adx
  13. LDAP AUTHENTICATION
  14. WHAT DOES IT DO?
     • It’s not SSO but it can be single password
     • No password synchronisation
     • Login to any HTTP services, including Traveler, using an LDAP password (such as AD)
     • Remove the Domino HTTP password entirely if you want
     • Works from anywhere, any device
  15. LDAP AUTHENTICATION EXAMPLE (steps 1 to 5)
     1. User tries to log into iNotes using their LDAP (AD) password
     2. Domino checks if the password matches the HTTP password in the person document
     3. On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance
     4. The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated
     5. Domino uses the credentials it was sent to grant the user access to the service / application
  16. WHAT DOES IT NEED?
     • An LDAP server
     • A directory assistance document wherever you want to authenticate; for Traveler this would just be on the Traveler server
     • MSSO
     • An attribute in LDAP that contains the user’s hierarchical name
     • Keeping the attribute in sync… (TDI will do that easily)
  17. HOW DO I SET IT UP?
     • LDAP attribute containing the Notes DN
     • Filter: LDAP search to restrict
  18. KERBEROS / SPNEGO / IWA
  19. WHAT DOES IT DO?
     • Uses the token generated by Active Directory to authenticate Domino access
     • Using MSSO, Domino generates its own token for onwards authentication on other platforms
  20. SPNEGO EXAMPLE FOR DOMINO (steps 1 to 5)
     1. User logs into Windows
     2. Active Directory generates a SPNEGO token
     3. User tries to access a Domino website
     4. Browser sends the SPNEGO token to Domino along with the user name
     5. Domino contacts Active Directory to validate the token and retrieve the user’s name
  21. WHAT DOES IT NEED?
     • An Active Directory domain for the user to log in to
     • SSO or MSSO
     • A Kerberos name mapped in the Domino person document
     • A Windows client (3rd party support for other OS)
     • An IE browser (3rd party support for other browsers)
  22. HOW DO I SET IT UP?
     • Ensure the clocks on the AD and Domino servers are in sync (use the same time server)
     • Run Domino using a specific service account, not Local System
     • Enable Active Directory in Directory Assistance. The AD domain must match the LDAP tab.
  23. HOW DO I SET IT UP?
     OR, if you don’t want to use Directory Assistance:
     • Set notes.ini on the Domino server: WIDE_SEARCH_FOR_KERBEROS_NAMES=1
     • Manually set in each person document: on the Administration tab of each person document add the user’s Kerberos name in the format name (case sensitive) + domain (must be in caps)
  24. HOW DO I SET IT UP?
     • Create a SPN (service principal name) in Active Directory representing every Domino hostname your users will access
     • The SPN authorisation account should match the account running Domino
     • To get a SPN command, run the program “domspnego” and give the output to your AD administrator: setspn -a http://[hostname] [account]
     • Create multiple SPNs for multiple servers or hostnames
  25. IN SUMMARY
     • Enable SSO in Domino
     • Enable AD Directory Assistance with single sign on for Windows (IWA - Internet Web Authentication)
     • Full text index the Domino directory
     • Run domspnego to generate setspn output
     • Run setspn on an Active Directory domain controller
  26. SAML & NOTES
  27. WHAT DOES IT DO?
     • One single authentication challenge for access to multiple systems
     • Including a vaulted Notes ID
     • Identity Provider initial authentication can use many methods: passwords, multiple passwords, custom forms, smart cards and more
     • Supports multiple client and server operating systems
     • No passwords to compromise or intercept
  28. SAML EXAMPLE (steps 1 to 5)
     1. User attempts to log in to a website
     2. User is redirected to the Identity Provider
     3. Identity Provider requests authentication or (if the user is logged in) returns credentials
     4. User is redirected back to the original site with the SAML assertion attached
     5. The original site uses its SAML Service Provider to confirm the SAML assertion and grant access
  29. DEFINITIONS
     IdP - Identity Provider (SSO)
     • ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012): SAML 2.0 only; can be combined with SPNEGO; enhances Integrated Windows Authentication (IWA)
     • TFIM (Tivoli Federated Identity Manager): SAML 1.1 and 2.0
  30. DEFINITIONS
     SP - Service Provider
     • IBM Domino (web federated login)
     • IBM WebSphere
     • IBM Notes (requires IDVault) (notes federated login)
  31. MORE DEFINITIONS
     IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions. Assertions have three roles: Authentication, Authorisation, Retrieving Attributes.
  32. WHAT DOES IT NEED?
     • An Identity Provider - currently IBM supports ADFS and TFIM
     • Other IdPs may work but aren’t officially supported, so check with IBM first
     • IDVault configured for federated logins
     • A partnership between the IDVault server and the Identity Provider
     • An SSL certificate generated by a well known authority
  33. WHAT DOES IT NEED?
     • An attribute in your Identity Provider that matches a unique user identity in Domino
     • An IdP Catalog in Domino (idpcat.nsf)
     • At least one IdP configuration document to be used by your Domino server(s)
     • A security policy that can be applied to your federating users
  34. WHERE DO WE START?
     • You’ll need to install ADFS 2.0 if using Active Directory
     • You’ll need to have an IIS server with an SSL certificate
     • You’ll need an IDVault
     • You’ll need a security policy in Domino
     • You’ll need an idpcat database based on the template idpcat.ntf
  35. SIMPLE RIGHT? …YOU’LL NEED TIME AND PATIENCE
  36. FROM ADFS TO DOMINO
     Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
  37. DOMINO IDP CONFIGURATION
     Create the configuration document in your idpcat.nsf database. Import the XML file you just saved from ADFS.
  38. ENABLE CLIENT SETTINGS
     The FederationMetadata.xml is attached from your previous step
  39. DOMINO TO ADFS
     Creating a certificate to give to ADFS containing information about your Domino server. Multiple servers / URLs mean multiple documents.
  40. DOMINO TO ADFS CERTIFICATE
     When the “create certificate” button is clicked a new certificate is saved in the document and an idp.xml file for ADFS is created.
  41. ADFS TRUSTING DOMINO
     ADFS needs to know about each Domino server / URL and you use the idp.xml for that.
  42. ADD RELYING PARTY TRUST
  43. BROWSE TO THE IDP.XML
  44. ADDING RELYING PARTY
  45. MAPPING ADFS NAMES TO DOMINO
  46. MAPPING MUST BE UNIQUE
  47. DOMINO SECURITY POLICY
     Enable Federated Login under Password Management
  48. CONFIGURE THE IDVAULT
  49. MORE…
     • The browser has to recognise the certificate being used by ADFS
     • ADFS has to recognise the certificate used by Domino
     • Domino has to recognise the certificate used by ADFS
     • Basically everything needs to talk to each other and be happy there’s no man in the middle intrusion
  50. SUMMARY
     • If you’re not using SPNEGO then you should; it’s very simple to set up
     • SAML is where single sign on needs to be
     • There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines, for instance)
     • Don’t just think about Domino and its services; think about everything your business uses and will be using
     • IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc.), so if in doubt, start with a PMR
  51. HOW TO FIND ME
     Twitter, blogs, Instagram, Facebook and more
     gabriella@turtlepartnership.com
     GabriellaDavis (skype)
     http://turtleblog.info
     gabturtle on twitter and elsewhere