A Technical Guide To Deploying Single Sign On
How to configure and deploy Single Sign On technologies
A Technical Guide To Deploying Single Sign On Presentation Transcript

  • 1. CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS Gabriella Davis gabriella@turtlepartnership.com The Turtle Partnership
  • 2. BACKGROUND Hopefully you saw my presentation yesterday? We talked about the difference between Single Sign On options. Today we are going to look at the technical components to get your Notes, iNotes and Traveler clients logging in with minimal fuss.
  • 3. WHO AM I? Gab Davis Administrator, Problem Solver, Stubborn Fixer of Things Working with IBM technologies and all the things surrounding and integrating with those Based in London, about half the time
  • 4. SOME HOW-TOS… (FROM EASY TO HARD) Notes Shared Logon; Configure LDAP Authentication; Configure Kerberos / SPNEGO / IWA for single sign on; Configure SAML
  • 5. NOTES SHARED LOGON
  • 6. WHAT DOES IT DO? Removes the password from your Notes ID. No password, no problem! Isn’t that a huge security problem?
  • 7. NOTES SHARED LOGON EXAMPLE Steps: 1. User logs into Windows. 2. User launches Notes and is prompted for the vaulted ID password. 3. Notes downloads the vaulted ID to the file system. 4. Notes removes the ID’s password and encrypts the ID with the user’s Windows credentials. 5. Every time the user logs into Notes from that machine, the ID with no password is decrypted for use.
  • 8. WHAT DOES IT NEED? IDVault Simple authentication, no smartcards, dual passwords, retina scans etc Windows OS
  • 9. HOW DO I SET IT UP? Start with an IDVault (you know how to do that right?) There’s no client side configuration at all Use the security policy to enable Notes Shared Logon
  • 10. Machine formula to restrict NSL to secured machines
  • 11. MACHINE SPECIFIC FORMULA @GetMachineInfo([Keyword];”text string where required”) returns a boolean for each keyword:
    IsLaptop - True if the machine is a laptop, otherwise False
    IsDesktop - True if the machine is NOT a laptop, otherwise False
    IsMultiUser - True if the machine has the Notes client installed as Multi-User, otherwise False
    HasDesigner - True if the machine has the Designer client installed, otherwise False
    HasAdmin - True if the machine has the Admin client installed, otherwise False
    IsStandard - True if the machine is running the Standard Notes client, otherwise False
    http://www-01.ibm.com/support/docview.wss?uid=swg21501673
  • 12. WHAT DOESN’T IT DO? No password sync from Notes to Domino HTTP; no Citrix; no USB data; no Roaming profiles (well, you can roam if you don’t roam). More: http://bit.ly/1t50Adx
  • 13. LDAP AUTHENTICATION
  • 14. WHAT DOES IT DO? It’s not SSO, but it can be single password. No password synchronisation. Login to any HTTP service, including Traveler, using an LDAP password (such as AD). Remove the Domino HTTP password entirely if you want. Works from anywhere, any device.
  • 15. LDAP AUTHENTICATION EXAMPLE Steps: 1. User tries to log into iNotes using their LDAP (AD) password. 2. Domino checks if the password matches the HTTP password in the Person document. 3. On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance. 4. The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated. 5. Domino uses the credentials it was sent to grant the user access to the service / application.
  • 16. WHAT DOES IT NEED? An LDAP server. A directory assistance document wherever you want to authenticate (for Traveler this would just be on the Traveler server). MSSO. An attribute in LDAP that contains the user’s hierarchical name. Keeping the attribute in sync… (TDI will do that easily).
  • 17. HOW DO I SET IT UP? LDAP attribute containing Notes DN Filter LDAP search to restrict
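As an added illustration (not part of the presentation, and not Domino’s own code), the login flow from slides 15 to 17 simulated in Python: the Internet password in the Person document is tried first, credentials are forwarded to the LDAP directory only on a mismatch, and the LDAP attribute holding the Notes hierarchical name (assumed here to be called notesDN) becomes the identity Domino grants access as. The Person documents, directory entries and restricting group filter are all constructed sample data.

```python
import hashlib
import hmac
from typing import Optional

SALT = b"constructed-salt"          # constructed; a real store uses a per-user salt


def digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


# Domino Directory Person documents: login -> (Notes hierarchical name, Internet password digest).
# Bob has had his HTTP password removed entirely (slide 14), so he can only log in via LDAP.
PERSON_DOCS = {
    "amy": ("CN=Amy Smith/O=Turtle", digest("domino-secret")),
    "bob": ("CN=Bob Jones/O=Turtle", None),
}

# The LDAP (AD) directory reached through Directory Assistance. "notesDN" is the assumed
# attribute that holds each user's Notes hierarchical name (slides 16 and 17).
LDAP_DIRECTORY = {
    "amy": {"password": digest("ad-secret"), "memberOf": ["NotesUsers"], "notesDN": "CN=Amy Smith/O=Turtle"},
    "bob": {"password": digest("bob-ad"), "memberOf": ["NotesUsers"], "notesDN": "CN=Bob Jones/O=Turtle"},
    "eve": {"password": digest("eve-ad"), "memberOf": ["Contractors"], "notesDN": "CN=Eve Adams/O=Turtle"},
}
REQUIRED_GROUP = "NotesUsers"       # the search filter that restricts who may authenticate (slide 17)


def ldap_authenticate(login: str, password: str) -> Optional[str]:
    """Steps 3 and 4: the LDAP server verifies the credentials and, if the entry
    passes the restricting filter, hands back the unique ID Domino should trust."""
    entry = LDAP_DIRECTORY.get(login)
    if entry is None or not hmac.compare_digest(entry["password"], digest(password)):
        return None
    if REQUIRED_GROUP not in entry["memberOf"]:
        return None                 # valid bind, but outside the filtered search scope
    return entry["notesDN"]


def domino_http_login(login: str, password: str) -> Optional[str]:
    """Step 2: try the Internet password in the Person document first; on a mismatch
    fall through to LDAP (step 3). Returns the Notes name to grant access as (step 5),
    or None when nothing verified the credentials."""
    doc = PERSON_DOCS.get(login)
    if doc is not None and doc[1] is not None and hmac.compare_digest(doc[1], digest(password)):
        return doc[0]
    return ldap_authenticate(login, password)
```

Eve binds successfully but is refused because she falls outside the restricting filter, which is the case the search filter on slide 17 exists for.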
  • 18. KERBEROS / SPNEGO / IWA
  • 19. WHAT DOES IT DO? Uses the token generated by Active Directory to authenticate Domino access Using MSSO Domino generates its own token for onwards authentication on other platforms
  • 20. SPNEGO EXAMPLE FOR DOMINO Steps: 1. User logs into Windows. 2. Active Directory generates the SPNEGO token. 3. User tries to access the Domino website. 4. The browser sends the SPNEGO token to Domino along with the user name. 5. Domino contacts Active Directory to validate the token and retrieve the user’s name.
  • 21. WHAT DOES IT NEED? An Active Directory domain for the user to log in to. SSO or MSSO. A Kerberos name mapped in the Domino person document. A Windows client (3rd party support for other OS). An IE browser (3rd party support for other browsers).
  • 22. HOW DO I SET IT UP? Ensure the clocks on the AD and Domino servers are in sync (use the same time server). Run Domino using a specific service account, not Local System. Enable Active Directory in Directory Assistance (the AD domain must match the LDAP tab).
  • 23. HOW DO I SET IT UP? Or, if you don’t want to use Directory Assistance, set notes.ini on the Domino server to WIDE_SEARCH_FOR_KERBEROS_NAMES=1 and manually set the Kerberos name in each person document: on the Administration tab of each person document add the user’s Kerberos name in the format name (case sensitive) + domain (must be in caps).
  • 24. HOW DO I SET IT UP? Create a SPN (service principal name) in Active Directory representing every Domino hostname your users will access. The SPN authorisation account should match the account running Domino. To get a SPN command, run the program “domspnego” and give the output to your AD administrator: setspn -a http://[hostname] [account]. Create multiple SPNs for multiple servers or hostnames.
  • 25. IN SUMMARY Enable SSO in Domino Enable AD Directory Assistance with single sign on for Windows (IWA - Internet Web Authentication) Full Text Index Domino directory Run domspnego to generate setspn output Run setspn on Active Directory domain controller
  • 26. SAML & NOTES
  • 27. WHAT DOES IT DO? One single authentication challenge for access to multiple systems, including a vaulted Notes ID. Identity Provider initial authentication can use many methods, from passwords, multiple passwords, custom forms, smart cards and more. Supports multiple client and server operating systems. No passwords to compromise or intercept.
  • 28. SAML EXAMPLE Steps: 1. User attempts to log in to a website. 2. User is redirected to the Identity Provider. 3. Identity Provider requests authentication or (if the user is logged in) returns credentials. 4. User is redirected back to the original site with the SAML assertion attached. 5. The original site uses its SAML Service Provider to confirm the SAML assertion and grant access.
  • 29. DEFINITIONS IdP - Identity Provider (SSO). ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012): SAML 2.0 only; can be combined with SPNEGO; enhances Integrated Windows Authentication (IWA). TFIM (Tivoli Federated Identity Manager): SAML 1.1 and 2.0.
  • 30. DEFINITIONS SP - Service Provider: IBM Domino (web federated login); IBM WebSphere; IBM Notes (requires IDVault) (notes federated login).
  • 31. MORE DEFINITIONS IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML based assertions. Assertions have three roles: Authentication, Authorisation, Retrieving Attributes.
  • 32. WHAT DOES IT NEED? An Identity Provider - currently IBM support ADFS and TFIM. Other IdPs may work but aren’t officially supported, so check with IBM first. IDVault configured for federated logins. A partnership between the IDVault server and the Identity Provider. An SSL certificate generated by a well-known authority.
  • 33. WHAT DOES IT NEED? An attribute in your Identity Provider that matches a unique user identity in Domino An IdP Catalog in Domino (idpcat.nsf) At least one IdP configuration document to be used by your Domino server(s) A security policy that can be applied to your federating users
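An added example (not from the presentation, not Domino’s Service Provider code) of what step 5 on the SAML slide and the unique-identity requirement on slide 33 amount to on the SP side: after the assertion’s XML signature has been verified against the IdP certificate (done outside this snippet and passed in as a flag), check Issuer, Audience and the validity window, then resolve the asserted NameID to exactly one Domino Person document. The assertion, the directory entries and the use of the mail attribute for mapping are all constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion standing in for what ADFS hands back in step 4.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2014-06-10T09:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>amy@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-10T09:00:00Z" NotOnOrAfter="2014-06-10T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://domino.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

# Constructed Domino Directory: Notes name -> attributes. The two Bob entries share a mail
# value, which is exactly the ambiguity slides 33 and 46 warn about, so Bob must be refused.
DOMINO_DIRECTORY = {
    "CN=Amy Smith/O=Turtle": {"mail": "amy@example.test"},
    "CN=Bob Jones/O=Turtle": {"mail": "bob@example.test"},
    "CN=Bob Jones/OU=Sales/O=Turtle": {"mail": "bob@example.test"},
}


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text: str, expected_issuer: str, expected_audience: str,
                       now: datetime, signature_valid: bool) -> Optional[str]:
    """Step 5, SP side: refuse anything unsigned, from the wrong IdP, meant for
    another audience, or outside its validity window; otherwise return the NameID."""
    if not signature_valid:
        return None
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        return None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return None
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)


def map_to_domino(name_id: str, directory: dict = DOMINO_DIRECTORY) -> Optional[str]:
    """Resolve the asserted identity to exactly one Person document; ambiguity is a refusal."""
    matches = [dn for dn, attrs in directory.items() if attrs.get("mail") == name_id]
    return matches[0] if len(matches) == 1 else None
```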
  • 34. WHERE DO WE START? You’ll need to install ADFS 2.0 if using Active Directory You’ll need to have an IIS server with a SSL certificate You’ll need an IDVault You’ll need a security policy in Domino You’ll need an idpcat database based on the template idpcat.ntf
  • 35. SIMPLE, RIGHT? …YOU’LL NEED TIME AND PATIENCE
  • 36. FROM ADFS TO DOMINO Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
  • 37. DOMINO IDP CONFIGURATION Create the configuration document in your idpcat.nsf database and import the XML file you just saved from ADFS
  • 38. ENABLE CLIENT SETTINGS The FederationMetadata.xml is attached from your previous step
  • 39. DOMINO TO ADFS Creating a certificate to give to ADFS containing information about your Domino server. Multiple servers / URLs mean multiple documents.
  • 40. DOMINO TO ADFS CERTIFICATE When the “create certificate” button is clicked, a new certificate is saved in the document and an idp.xml file for ADFS is created
  • 41. ADFS TRUSTING DOMINO ADFS needs to know about each Domino server / URL, and you use the idp.xml for that
  • 42. ADD RELYING PARTY TRUST
  • 43. BROWSE TO THE IDP.XML
  • 44. ADDING RELYING PARTY
  • 45. MAPPING ADFS NAMES TO DOMINO
  • 46. MAPPING MUST BE UNIQUE
  • 47. DOMINO SECURITY POLICY Enable Federated Login under Password Management
  • 48. CONFIGURE THE IDVAULT
  • 49. MORE… The browser has to recognise the certificate being used by ADFS. ADFS has to recognise the certificate used by Domino. Domino has to recognise the certificate used by ADFS. Basically everything needs to talk to each other and be happy there’s no man-in-the-middle intrusion.
  • 50. SUMMARY If you’re not using SPNEGO then you should; it’s very simple to set up. SAML is where single sign on needs to be. There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines, for instance). Don’t just think about Domino and its services; think about everything your business uses and will be using. IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc), so if in doubt, start with a PMR.
  • 51. HOW TO FIND ME Twitter, blogs, Instagram, Facebook and more gabriella@turtlepartnership.com GabriellaDavis (skype) http://turtleblog.info gabturtle on twitter and elsewhere