ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!
Presentation that I gave at Lotusphere 2011 with Jay Boyd. We talked about TDI, single sign on, and user management.

  • Hello, LTPA is an IBM standard. We call it Lightweight Third-Party Authentication cookie. Here are some examples on how to use this LTPA cookie for SSO in a PHP and/or .NET environment:

    This ST Awareness on a PHP page article (https://www.ibm.com/developerworks/mydeveloperworks/blogs/InsideLotus/entry/st_awareness_on_a_php?lang=en) on IBM developerWorks may help you. There is also an example of adding awareness to an ASP page in chapter 12 of the Redbook Building Sametime Enabled Applications (http://www.redbooks.ibm.com/redbooks.nsf/0/d9524ffb96c67e6185256d410065fafe?OpenDocument). It details a way of doing it if you don't have LTPA in your environment.
  • I have a question about slide 12 - It defines LTPA and uses the term ’Third Party’ in the description but then says it is an IBM Proprietary system, and integrates with 1st party products (ones owned by IBM).

    https://secure.wikimedia.org/wikipedia/en/wiki/Third-party_developer#Third-party_developer

    Are there any examples of how to use LTPA successfully in an SSO environment with other systems, like connecting to PHP or .Net?
  • Lotus Connections supports the Internet Content Adaptation Protocol (ICAP), and its applications use this protocol to communicate with virus detection products. Ensure that the virus detection product used in your enterprise supports the ICAP 1.0 protocol. Lotus Connections is certified to work with Symantec AntiVirus Scan Engine 5.1 and McAfee Web Security Appliance (3400) and (3300). Lotus® Connections provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them. Any software that displays user-authored content can be vulnerable to cross-site scripting (XSS) attacks. Attackers can introduce JavaScript™ into their content that can, among other things, steal a user's session. Session stealing in a single sign-on (SSO) environment poses particular challenges because any vulnerability to XSS attacks can render the entire single sign-on domain vulnerable.
  • SPNEGO = Simple and Protected Negotiation. Portlets don't support SSO via TAM/SiteMinder/SPNEGO; they require LTPA.
  • TAM notes:
    • Import the LTPA key and password from TAM into WebSphere and set the SSO domain name
    • Do not use TAM components as a caching proxy; the configuration complexity is very high
    • Lotus Connections only supports the WebSEAL Transparent Junction configuration
    • Configure TAM for URL rewriting in XML and JavaScript content
    • The TAM configuration setting 'use-same-session = yes' is required
  • A TDI assembly line is made up of components (connectors, flow controls, loops, branches) that collect data from your source repositories and reformat it into the Profiles database.
    • Supports two-way synchronization on LDAP attributes
    • Assembly line hooks are available for scripting and customization
    • TDI should be used to initially populate Profiles and then run frequently to keep it in sync
    • Connections release 3 allows you to mark a person as “inactive” when they aren't found in LDAP
  • syncAllMembersByExtId() takes several parameters indicating how a mismatch can be resolved (by a matching email address, by login id, or left for later manual resolution).
  • Use batch commands; external ids are consistent across all applications.
    • Investigate once, then create a batch script to update across all apps
    • Returning users can be re-linked with their old data: ProfilesService.swapUserAccessByUserId("oldUserId","newUserId")

Presentation Transcript

  • ID304 Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know! Jay Boyd | Lotus Connections Team Lead | IBM Luis Benitez | Social Software Product Manager | IBM
  • Who we are
  • Tweet Away
  • Agenda
    • Options for Securing Lotus Connections
    • SSO
    • New User Life Cycle Options in 3.0
    • Q&A
  • Not ideal security... Photo credit: http://www.flickr.com/photos/fboyd/2494909325/
  • Securing Lotus Connections
    • Lotus Connections has tons of security options
      • Virus Scanning
      • SSL (even forced!)
      • Forced Authentication
      • Filtering active content
      • MIME control
      • and...
    Photo credit: http://www.flickr.com/photos/juanpol/2704542/
  • Agenda
    • Options for Securing Lotus Connections
    • SSO
    • New User Life Cycle Options in 3.0
    • Q&A
  • Single Sign On
    • My favorite
    • Improves usability
    • Great for adoption
    Photo credit: http://commons.wikimedia.org/wiki/File:Single_sign_on_aproaches.png
  • What's supported
    • SSO
      • … with Domino apps (of course!)
      • … with WebSphere apps (any doubt?)
      • … with Quickr J/D (go go Gadget docs)
      • … with Sametime (duh!)
      • … via Tivoli Access Manager 6.1.1
      • … via CA's Siteminder 6.0
      • … via SPNEGO
    • Portlets are an exception :(
  • Single Sign On: Connections 3.0 Options
    • SSO allows a user to authenticate once and then use other systems that are within the same authentication configuration without providing userid/password authentication subsequent times.
    • LTPA (WebSphere default)
    • SPNEGO
    • TAM (Form Based Auth, Transparent Junctions, LTPA)
    • SiteMinder (FBA, ASA/WebAgent)
    • TAM/SPNEGO
    • Except with LTPA, authentication is forced; there is no anonymous access
  • Cookies are key with most SSO options (these are not your mother's Cookies)
    • Cookies
      • Textual information consisting of Name/Value pairs
      • Usually used to provide State in an otherwise Stateless protocol (HTTP)
      • Domain and Path determine when Cookies are included with an HTTP Request
    • SPNEGO uses Security tokens in the HTTP Header with every request
  • Single Sign On: LTPA
    • Lightweight Third-Party Authentication
      • IBM proprietary, supported by IBM products such as WebSphere and Domino
      • Represented as Cookies called LtpaToken (older format, not on by default in WAS7, Domino requires version 1) or LtpaToken2; the encrypted value carries:
        • UserID
        • Authentication Realm
        • Authentication Expiration Time
    • Important to use both of these if integrating with Domino and Portal
  • Single Sign On: Keys to successful LTPA Configuration
    • All participating Servers:
      • Same Authentication Realm (correlates to Cookie domain)
      • Synchronized system time
      • Identical LDAP configuration (WAS Federated Repository)
      • Share the same LTPA keys
      • Servers should use FQDN
        • “ipconfig/all” or “hostname” / “domainname” commands should show FQDN
  • Single Sign On: Troubleshooting LTPA
    • Verify SSO Domain name
    • Verify Servers are within the same domain (or a subdomain)
    • Verify Servers imported the same LTPA Key
  • Single Sign On: Troubleshooting LTPA
    • Ensure authentication expiration is consistent
    • Ensure auto generation is off
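    The two LTPA checklist slides above (same domain or subdomain, FQDNs, synchronized clocks) can be turned into a pre-flight audit. This is an added example, not part of the deck; the host inventory, clocks and the 300-second skew tolerance are constructed placeholders, and the SSO domain is written the way it appears in the LtpaToken cookie's Domain attribute.

```python
from datetime import datetime

# Constructed inventory (hostnames and clocks are placeholders, not a real deployment).
SSO_DOMAIN = ".renovations.example"
SERVERS = {
    "connections1.renovations.example": "2011-01-31T10:00:00+00:00",
    "domino1.renovations.example":      "2011-01-31T10:00:04+00:00",
    "sametime1.eu.renovations.example": "2011-01-31T10:00:01+00:00",  # subdomain: allowed
    "wiki.notrenovations.example":      "2011-01-31T10:00:00+00:00",  # similar name, not in the domain
    "quickr1":                          "2011-01-31T10:12:00+00:00",  # short name and a skewed clock
}
MAX_SKEW_SECONDS = 300  # assumed tolerance; the deck only says "synchronized system time"


def is_fqdn(host: str) -> bool:
    """The 'hostname'/'domainname' check from the slides: at least one dot, no empty labels."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)


def in_sso_domain(host: str, sso_domain: str) -> bool:
    """Cookie domain matching: equal to the domain, or a subdomain of it on a label boundary.
    A bare endswith() would wrongly accept wiki.notrenovations.example for .renovations.example."""
    h = host.lower().rstrip(".")
    d = sso_domain.lower().lstrip(".")
    return h == d or h.endswith("." + d)


def clock_skew_seconds(reported_iso: str, reference_iso: str) -> float:
    """Absolute offset between a server's reported time and the reference clock."""
    delta = datetime.fromisoformat(reported_iso) - datetime.fromisoformat(reference_iso)
    return abs(delta.total_seconds())


def audit(servers: dict, sso_domain: str, reference_iso: str,
          max_skew: int = MAX_SKEW_SECONDS) -> dict:
    """Return {host: [problems]} for servers that would not share the LTPA cookie cleanly."""
    problems = {}
    for host, clock in servers.items():
        issues = []
        if not is_fqdn(host):
            issues.append("not an FQDN")
        elif not in_sso_domain(host, sso_domain):
            issues.append(f"outside SSO domain {sso_domain}")
        if clock_skew_seconds(clock, reference_iso) > max_skew:
            issues.append(f"clock skew exceeds {max_skew}s")
        if issues:
            problems[host] = issues
    return problems


if __name__ == "__main__":
    for host, issues in audit(SERVERS, SSO_DOMAIN, "2011-01-31T10:00:00+00:00").items():
        print(f"{host}: {', '.join(issues)}")
```

    Shared LTPA keys and identical realms cannot be checked from hostnames alone; those still need the WebSphere admin console or wsadmin.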
  • Simple Connections Deployment
  • Connections Enterprise Deployment
  • Single Sign On: TAM
  • Single Sign On: TAM
    • TAM 6.1.1
    • TAM Form Based Auth, Transparent Junctions, LTPA
    • Yes, the configuration is complex and there are a ton of security realms
    • Yes, the Delete Action must be configured
    • TAM acts as a Reverse Proxy; don't forget to enable dynamicHosts in LotusConnections-config.xml
    • Cookies: PD-H-SESSION-ID & PD-S-SESSION-ID
  • Single Sign On: TAM
    • TAM acts as a reverse proxy, only forwarding a request for protected URLs once the user is Authenticated.
    • Very specific configuration:
      • Form Based Authentication
      • Transparent Junction
      • LTPA authentication
    • “Anonymous Access” ACLs pass through for all ATOM URL patterns
    • Test with a browser: feeds that require authentication should prompt for Basic Auth, never TAM Form Authentication
    ** double check your configuration settings with the Connections 3 Documentation **
  • Single Sign On: SiteMinder
  • Single Sign On: SiteMinder
    • SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WebSphere Application Server (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035
    • Yes, the configuration is complex and there are a lot of security realms
      • Protect Web Applications with FBA
      • Protect ATOM feeds with BA
    • Yes, the Delete Action must be configured
    • Cookies: SMSESSION
    • Watch for a Perl script to be posted that creates the realms
    ** double check your configuration settings with the Connections 3 Documentation **
  • Configuration is hard, we feel your pain :(
    • Single Sign On configuration is hard
    • Scripts are needed to automate Configuration
      • Perl
    • Detailed examples help (Prescriptive Deployment scenarios)
    http://www-10.lotus.com/ldd/lcwiki.nsf/xpViewCategories.xsp?lookupName=Deployments
    • TAM and SiteMinder SSO Validation Wizard is available!
  • Single Sign On: SPNEGO
  • Single Sign On: SPNEGO
    • Simple and Protected GSSAPI Negotiation Mechanism
      • Generic Security Services Application Program Interface
        • Most notable implementations are Kerberos based
      • Used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.
      • Most wide use is Microsoft's Integrated Windows Authentication
        • Kerberos
        • NTLM
  • Single Sign On: SPNEGO
    • Client & Server perform negotiation, determining the preferred algorithm to use
    • On the 1st request the browser gets back a 401; the headers indicate “Authorization: Negotiate”
    • If capable, Client & Server agree on protocol and on every subsequent request the client infrastructure generates a new security token that is included in the header
  • Single Sign On: Troubleshooting SPNEGO
    • Configuring SPNEGO can be difficult
      • Install Connections First, verify, then configure SPNEGO
      • Follow base WebSphere documentation and use standard SNOOP application to verify your configuration.
    • http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/rsec_SPNEGO_troubles.html
    ** double check your configuration settings with the Connections 3 Documentation **
  • Connections Server to Server Communication & SSO
    • Server to Server Communication
      • Obtaining User information from Profiles (WPI)
      • Obtaining Membership information from Communities (WCI)
      • Community Life Cycle
      • Search Indexing
    • All communication is authenticated and uses HTTP
    • Interservice URL vs Service URL
    • LotusConnections-config.xml: customAuth element specifies authentication type
  • Connections Server to Server Communication & SSO
  • Connections Server to Server Communication & SSO
  • Connections Server to Server Communication & SSO – Alternative Inter Service Configuration
  • SSO: LotusConnections-config.xml
  • Agenda
    • Options for Securing Lotus Connections
    • SSO
    • New User Life Cycle Options in 3.0
    • Q&A
  • Why we need this
    • Listened to many customers
    • Heard of situations where
      • Maternity / Paternity Leave
      • Leave of Absence (Education, Military, etc)
      • Left the company
      • Etc
  • Why we need this (cont'd)
    • In 2.5, we had profile types
    • Required manual work via TDI
      • No need to re-invent the wheel!
    • Wanted to simplify this process for everyone
    Photo credit: http://www.dehats.com/drupal/?q=node/69
  • Tivoli Directory Integrator: Keeping Profiles in Sync
    • TDI assembly line: connectors, flow controls, loops, branches
    • Supports two-way synchronization on LDAP attributes
    • Hooks enable scripting and customization
    • Use it for
      • Initial population
      • Frequent updates
    • 3.0 Introduces Inactive Users!!!
  • Data Integrity – don't delete old data
    • If you delete a user, you lose authorship information and data consistency
    • Don't delete the data, let your TDI assembly line inactivate the user
  • Profiles Platform Commands
    • Drive administrative events from a single application
    • Provides a framework for future unified commands
    • User Life Cycle should be preceded by name synchronization in each Application
      • Each application maintains its own user mapping table in the application database and it needs to be synchronized with LDAP, inactivating users not found in LDAP
      • Inactivating clears the user's login ids & email.
    • Frequent periodic TDI Sync can be created to automatically mark users inactive
    • Profiles propagates the command to inactivate a user across all components
    • Administrator can re-activate users
  • Initial Synchronization
    • wsadmin command session
    [root@tapstage bin]# ./wsadmin.sh -lang jython
    wsadmin> execfile("activitiesAdmin.py")
    Connecting to WebSphere:name=ActivitiesAdminService,type=LotusConnections,cell=tapstageCell01,
    • Synchronize users
    wsadmin> ActivitiesMemberService.syncAllMembersByExtId(...)
    syncAllMembersByExtId request processed
    wsadmin>
  • Check the logs....
    • Locate the log file on the node specified when you started the WSADMIN command
    /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/clusterA_server1/ActivitiesUlcSyncCmd.log
    • Typical log messages about users that are not found and are Inactivated
    [2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: b5bd83c0-8f09-1028-910f-db07163b51b2, application id 001G091E0E4B47BEF6967B3131AD59003CD0]
  • Resolving user mismatches
    • Mismatch Needs investigation
    • [2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID, application id LC_ID] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID. The member was not updated since this action was disabled by the command.
    • Review the information from HR systems about the user identified by external id NEW_LDAP_ID and determine if this entry matches Benjamin Button or if the person has left the company.
  • Resolving user mismatches (continued)
    • If the user has left, inactivate:
    ActivitiesMemberService.inactivateMemberByExtId("LDAP_ID")
    • If the old and new ids reflect the same person, synchronize the user accounts:
    ActivitiesMemberService.syncMemberByExtId("OLD_LDAP_ID", {"newExtId": "NEW_LDAP_ID"})
    • Good details here:
    http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Synchronizing_user_data_using_administrative_commands_lc3
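    The "Check the logs" and "Resolving user mismatches" slides above describe reading ActivitiesUlcSyncCmd.log by hand. As an added example (not part of the deck or the product), the parser below splits a run into inactivated members and CLFWY0242W mismatches that need review, and produces the wsadmin call from the slides once an administrator has decided how a mismatch is resolved. The log lines and ids are constructed placeholders in the message formats shown on the slides.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the ActivitiesUlcSyncCmd.log format from the slides; ids are placeholders.
SAMPLE_LOG = """\
Sync started (constructed noise line, not a CLFWY message)
[2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: OLD_LDAP_ID, application id LC_ID_1] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID. The member was not updated since this action was disabled by the command.
[2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: EXT_ID_2, application id LC_ID_2]
[2010-12-21 07:34:33] CLFWY0261I: The synchronize command inactivated member Carl Example [current external id: EXT_ID_3, application id LC_ID_3]
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msgid>CLFWY\d{4}[IWE]): (?P<text>.*)$")
# Tolerates the stray spaces around ids seen in the slide's copy of the warning.
MEMBER_RE = re.compile(
    r"member (?P<name>.+?) \[current external id: (?P<ext>\S+?)\s*, application id (?P<app>\S+?)\s*\]")
NEW_EXT_RE = re.compile(r"to external id (?P<new>\S+?)\s*\.")


@dataclass
class SyncEvent:
    timestamp: str
    msgid: str
    name: str
    ext_id: str          # external id currently stored in the application's member table
    app_id: str
    new_ext_id: Optional[str] = None  # set only for CLFWY0242W: the id found via login/email

    @property
    def needs_review(self) -> bool:
        return self.msgid == "CLFWY0242W"


def parse_sync_log(text: str) -> List[SyncEvent]:
    """Extract member events from a sync log, skipping lines that are not CLFWY messages."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mem = MEMBER_RE.search(m["text"])
        if not mem:
            continue
        new = NEW_EXT_RE.search(m["text"])
        events.append(SyncEvent(m["ts"], m["msgid"], mem["name"], mem["ext"], mem["app"],
                                new["new"] if new else None))
    return events


def triage(events: List[SyncEvent]) -> Tuple[List[SyncEvent], List[SyncEvent]]:
    """Split a run into members the command inactivated and mismatches an admin must resolve."""
    inactivated = [e for e in events if e.msgid == "CLFWY0261I"]
    mismatches = [e for e in events if e.needs_review]
    return inactivated, mismatches


def resolution_command(event: SyncEvent, person_left: bool) -> str:
    """The wsadmin call from the slides for a reviewed mismatch: inactivate, or re-link the ids."""
    if person_left:
        return f'ActivitiesMemberService.inactivateMemberByExtId("{event.ext_id}")'
    return (f'ActivitiesMemberService.syncMemberByExtId("{event.ext_id}", '
            f'{{"newExtId": "{event.new_ext_id}"}})')
```

    The same parsing applies to the other applications' UlcSyncCmd logs, since the slides note that external ids are consistent across all applications.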
  • Agenda
    • Options for Securing Lotus Connections
    • SSO
    • New User Life Cycle Options in 3.0
    • Q&A
  • Related Sessions
    • JMP205 IBM Lotus Connections 3.0 Administration Overview Sunday, 1:30pm
    • SHOW202 Enterprise 2.0 Hero: A Beginner’s Guide to Installing IBM Lotus Connections 3.0 Monday, 4:30pm
    • SHOW203 Lotus Connections 3.0 – Enterprise Integration for Administrators Sunday, 4:00pm
    • BP105 Twelve MORE Things Your Mother Never Told You About Deploying IBM Lotus Connections 3.0 Thursday, 10am
    • BP114 IBM Lotus Connections Administration: From the Command Line to a Graphical UI Tuesday, 4:45pm
    • BP303 Social Comes to You: How to Bring IBM Lotus Connections to Your Application in Context! Wednesday, 11:15am
    • INV111 Making Decisions Collaboratively with Cognos Business Intelligence and IBM Lotus Connections Tuesday, 10am
    • AD303 Connecting Developers and Community with Rational Jazz and Lotus Connections Tuesday, 1:30pm
    • AD304 Customizing Lotus Connections 3.0 Tuesday 10am
    • ID301 What's New in IBM Lotus Connections 3.0 Monday, repeats on Tuesday, 11am
    • ID302 Best Practices for a Happy and Healthy IBM Lotus Connections Deployment! Tuesday, 1:30
    • ID303 Exceptional Work Experience - Integrating and Extending Lotus Connections, WebSphere Portal, Lotus Quickr, Lotus Notes, Lotus Sametime and ECM Monday, 11am
    • ID305 Build Large-scale Performing Enterprise Solutions for IBM Lotus Connections Tuesday, 4:45
    • ID306 Compliance and Moderation with Lotus Connections 3.0 Wednesday, 4:15
  • References
    • V3 System Requirements: http://www-01.ibm.com/support/docview.wss?uid=swg27019882
    • V3 Single Sign On: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_single_signon_lc3
    • All about security in v3: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Security_lc3
    • Configuring Siteminder with Lotus Connections 3.0: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Scenario_3_Setting_up_SiteMinder_Single_Sign-On_(SSO)_with_Lotus_Connections_3.0
    • Use caution with the version 2.5 guides – concepts remain the same, but details may have changed in some cases:
      • Lotus Connections 2.5 and Kerberos/SPNEGO: http://www.ibm.com/developerworks/lotus/library/connections-kerberos/index.html
      • Configuring IBM TAM with Lotus Connections 2.5: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_IBM_Tivoli_Access_Manager_SSO_for_IBM_Lotus_Connections_2.5
      • Lotus Connections 2.5 Security Guidelines: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/IBM_Lotus_Connections_2.5_secure_configuration_guidelines
  • Legal Disclaimer © IBM Corporation 2011. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Connections, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. 
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.