ICON UK 2014 - Look mum, no passwords!
When using Notes, iNotes, Sametime and Connections on either Windows or a mobile device, users are confronted with several different passwords and settings they have to enter. In this session I will show you how to set up and configure Notes & Domino so that users do not have to enter passwords or server settings and still get logged into Notes, Sametime and Connections when starting their Notes Client or browser. Buzzwords for this talk are: SSO, NSL, LTPA, SAML and SPNEGO.

Published in: Technology
Slide 1: Look mum, no passwords! ID Vault, SSO, LTPA, SPNEGO and SAML
Martin Leyrer – IT Specialist, IBM Software Services for Collaboration (Martin.Leyrer@at.ibm.com)
2014-09-12 at ICON UK
© 2014 IBM Corporation
Slide 2: Navigation
●The What And Why
●The Quick Win
●ID Vault
●Automatic Client Configuration
●Token Based Single Sign On for Sametime And Connections
●SPNEGO For iNotes And Webapps
●Expanding The Possibilities – SAML
●Q & A
Slide 3: What? (screenshot)
Slide 4: Why (1/2)? (screenshot)
Slide 5: Why (2/2)? (screenshot)
Slide 7: Remove Notes Password Prompts with NSL – Notes Shared Login
●Enabled via policy (or manually by the end user)
●Locks and encrypts the Notes ID in the current Windows profile using the PC SID (Security Identifier) and Microsoft's Data Protection API (DPAPI).
●Certificates within the ID are locked and bound to that PC and that OS profile.
●The old “Notes Single Logon” feature has to be uninstalled.
●Limited to Windows.
●Needs an ID Vault
●Needs Notes/Domino 8.5
Slide 8: Uninstall/Remove “Notes Single Logon” for NSL To Work (screenshot)
Slide 9: ID Vault
●Optional
●Server-based database
●Holds protected copies of IBM Notes user IDs
●Users are assigned to a vault through policy configuration
●Copies of user IDs are uploaded to a vault automatically once the policy has taken effect
The benefits of using an ID vault include:
●Authorized personnel can change (reset) passwords on IDs without access to the ID files or the vault
●Custom application to reset passwords
●Easy recovery of lost or damaged user IDs
●Automatic synchronization of multiple ID copies
●No user involvement during ID renames
●No user involvement during ID key rollover
Slides 10 to 18: ID Vault Setup 1 to 9 (screenshots of the setup wizard)
Slide 19: ID Vault - Security Settings Document / Policy (screenshot)
Slide 20: NSL - Security Settings Document / Policy (screenshot)
Slide 21: AND IT WORKS! We have Single Sign On with Windows!
Slide 22: ID Vault – If It Does NOT Work
●Check whether the policies are actually coming down to the client
  ●Check the Policy Synopsis for that user in the Admin Client
  ●Check the “($Policies)” view in the PNAB
  ●Modify the person entry in the Domino Directory and access the mail server to initiate a policy push
●Roaming user? Did you remove the ID file from the PNAB?
  ●https://ibm.biz/BdFnm9
  ●8.5.3 provides a new detachid.zip utility and “javaAgentForDetachid.java” (in utilityNotesCustomizationKit_1_0.zip)
  ●RoamingIDIsInNAB=0 in the person document
Slide 24: Smooth Client Start (screenshot)
Slide 25: ConfigFile To The Rescue
●It IS possible to install and configure the Notes Client completely WITHOUT user interaction*
●See https://ibm.biz/BdFnmd for details
●The notes.ini parameter ConfigFile= points to a text (.TXT) file that contains the parameters the setup wizard needs. For example:
  ConfigFile=C:\Program Files\Lotus\Notes\Data\setup.txt
●Starting with 8.5.1 the parameter CONFIGFILE= can contain system environment variables, too. If the setup configuration file is stored next to the template notes.ini, the following setting applies to all Windows flavors:
  CONFIGFILE=%ALLUSERSPROFILE%\Application Data\Lotus\Notes\Data\config.txt
  which resolves to
  CONFIGFILE=C:\Documents and Settings\All Users\Application Data\Lotus\Notes\Data\config.txt
* … except for the one-time password prompt for the ID Vault
Slide 26: Setup.txt
Username=User Name/Acme
KeyfileName=c:\Program Files\Lotus\Notes\Data\username.id
  (slide callout on KeyfileName: ID Vault!)
Domino.Name=servername/Acme
Domino.Address=servername.acme.com
Domino.Port=TCPIP
Domino.Server=1
AdditionalServices=0
AdditionalServices.NetworkDial=0
Replication.Threshold=9999
Replication.Schedule=0
Starting with 8.5 the scripted setup code can resolve system environment variables on any line of the configuration file that is read in. See the chapter “Setting up Notes installation using scriptable setup” in the Domino 9 Admin help for more details and variables.
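As an added example (not code from the slides or from the Notes client itself), a small Python checker for a setup file of the shape shown on slides 25 and 26: it expands %VAR% references on every line the way the slides describe for 8.5 and later, then reports unresolved variables, missing keys and anything that looks like a credential. The sample file, the REQUIRED key list and the password-key check are assumptions for illustration.

```python
import re
from typing import Dict, List, Mapping

# Sample scripted-setup file, constructed from the slide's Setup.txt example.
# The %ALLUSERSPROFILE% reference is added here to exercise the environment
# variable expansion the slides describe for 8.5 and later.
SAMPLE_SETUP = r"""
Username=User Name/Acme
KeyfileName=%ALLUSERSPROFILE%\Application Data\Lotus\Notes\Data\username.id
Domino.Name=servername/Acme
Domino.Address=servername.acme.com
Domino.Port=TCPIP
Domino.Server=1
AdditionalServices=0
AdditionalServices.NetworkDial=0
Replication.Threshold=9999
Replication.Schedule=0
"""

# Keys this checker treats as mandatory for a working client setup (an
# assumption for illustration, not a list taken from the Notes documentation).
REQUIRED = ("Username", "KeyfileName", "Domino.Name", "Domino.Address")

_ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")


def expand_env(value: str, env: Mapping[str, str]) -> str:
    """Replace %NAME% references with values from env. Windows variable names
    are case-insensitive, so the lookup is too. Unknown names are left as they
    are so check_setup() can report them instead of silently producing a bad path."""
    upper = {k.upper(): v for k, v in env.items()}
    return _ENV_REF.sub(lambda m: upper.get(m.group(1).upper(), m.group(0)), value)


def parse_setup(text: str, env: Mapping[str, str]) -> Dict[str, str]:
    """Parse key=value lines into a dict, expanding environment references on
    every line. Blank lines are skipped; a line without '=' is kept with an
    empty value so that it shows up in the checks."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        cfg[key.strip()] = expand_env(value.strip(), env) if sep else ""
    return cfg


def check_setup(cfg: Mapping[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the file looks usable."""
    problems: List[str] = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"missing required key {key}")
    for key, value in cfg.items():
        if _ENV_REF.search(value):
            problems.append(f"{key} still contains an unresolved variable: {value}")
        # The slides' setup is passwordless on purpose (only the ID Vault prompt
        # remains); a credential in a shared setup file is a finding.
        if "password" in key.lower():
            problems.append(f"{key} looks like a credential and does not belong in a setup file")
    return problems


if __name__ == "__main__":
    env = {"ALLUSERSPROFILE": r"C:\Documents and Settings\All Users"}
    parsed = parse_setup(SAMPLE_SETUP, env)
    print(parsed["KeyfileName"])
    print(check_setup(parsed) or "setup file OK")
```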
Slide 27: No More Useless Prompts! (screenshot)
Slide 29: Token Based Single Sign On for Sametime And Connections
●Works for the Sametime Connect embedded client
●Works for the Connections plugins
●Prerequisite: properly configured “Multiple Server SSO”
Slide 30: LTPA Token
●The LTPA token is sent to the user agent (browser) as a Set-Cookie response header.
●The user agent sends it back to the target HTTP server as a Cookie request header on subsequent requests.
●Because browser user agents only send Cookie request headers to servers whose host name matches the issuer of the cookie, the server must share the same DNS (“DNS domain”) space as the other LTPA servers in the SSO group.
●The LTPA token, which includes user information and an expiration time, is signed by the issuer to ensure data integrity and is encrypted to ensure data privacy.
●LTPA tokens can be used only for SSO among LTPA servers that share the same key material (LTPA key).
Slide 31: LTPA Versions 1/2
WebSphere Version 1 (“LtpaToken”)
●Contains
  ●the token expiration time
  ●the user identity (usually the LDAP distinguished name)
  ●a digital signature
●LTPA1 signatures are generated using SHA-1/RSA with a 1024-bit key
●After the digital signature has been attached, the user data and signature are encrypted with a 3DES key obtained from the LTPA key file
WebSphere Version 2 (“LtpaToken2”)
●Same format as LTPA1 tokens
●Can contain additional information relating to the security context of the authenticated user
●LTPA2 signatures are generated using SHA-1/RSA with a 1024-bit key
●After the digital signature has been attached, the user data and signature are encrypted with a 3DES or AES key obtained from the LTPA key file
Slide 32: LTPA Versions 2/2
IBM Domino
●Contains
  ●a fixed-size, fixed-value header field at the start
  ●a token creation time
  ●a token expiration time
  ●the authenticated user name
  ●a message authentication code (MAC) covering all content
●Domino uses a shared key and SHA-1 to calculate a MAC over the content
●After the MAC has been attached, the user data and MAC are encrypted with a 3DES key obtained from the LTPA key file
●Domino can consume (decrypt, parse and process) and generate (create and encrypt) either the Domino or the WebSphere format
●WebSphere cannot consume or generate the Domino format.
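As an added example (not IBM's code, and not the real wire format), a Python model of the Domino-style token lifecycle from slides 30 to 32: the issuer builds header + creation time + expiration time + user name and MACs it with the key shared by the SSO group; a consuming server must verify that MAC before trusting any field, then check both times; and the cookie is only returned to hosts in the DNS domain that set it. The header bytes, HMAC-SHA1 construction, field encoding and clock-skew window are assumptions, and the 3DES encryption layer the slide describes is omitted.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Fixed header field (constructed value; the real Domino header bytes are not
# reproduced here).
HEADER = b"\x00\x01\x02\x03"
MAC_LEN = 20          # SHA-1 digest length
CLOCK_SKEW = 300      # seconds of issuer/consumer clock drift tolerated (assumption)


def mint_token(shared_key: bytes, user: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issuer side: header + creation time + expiration time + user name, then a
    MAC keyed with the SSO group's shared key over all of it, base64 encoded."""
    now = int(time.time()) if now is None else now
    body = HEADER + struct.pack(">II", now, now + ttl_seconds) + user.encode("utf-8")
    mac = hmac.new(shared_key, body, hashlib.sha1).digest()
    return base64.b64encode(body + mac).decode("ascii")


def validate_token(shared_key: bytes, token: str, now: Optional[int] = None) -> str:
    """Consumer side: verify the MAC before trusting any field, then the times.
    Returns the authenticated user name or raises ValueError with the reason."""
    now = int(time.time()) if now is None else now
    raw = base64.b64decode(token, validate=True)          # raises on bad base64
    if len(raw) < len(HEADER) + 8 + MAC_LEN:
        raise ValueError("token too short")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(shared_key, body, hashlib.sha1).digest()
    # Constant-time comparison: a token minted with any other key (a server
    # outside the SSO group, or a stale key after rotation) fails here.
    if not hmac.compare_digest(mac, expected):
        raise ValueError("MAC mismatch: not issued with this SSO group's key")
    if body[:len(HEADER)] != HEADER:
        raise ValueError("bad header")
    created, expires = struct.unpack(">II", body[len(HEADER):len(HEADER) + 8])
    if created > now + CLOCK_SKEW:
        raise ValueError("creation time is in the future")
    if now >= expires:
        raise ValueError("token expired")
    return body[len(HEADER) + 8:].decode("utf-8")


def token_status(shared_key: bytes, token: str, now: Optional[int] = None) -> str:
    """Convenience wrapper: 'ok:<user>' or 'rejected:<reason>'."""
    try:
        return "ok:" + validate_token(shared_key, token, now)
    except ValueError as exc:
        return "rejected:" + str(exc)


def set_cookie_header(token: str, dns_domain: str) -> str:
    """How the issuer hands the token to the browser (slide: Set-Cookie response
    header). Domain= must be the DNS domain all servers in the SSO group share."""
    return f"Set-Cookie: LtpaToken={token}; Domain={dns_domain}; Path=/; Secure; HttpOnly"


def browser_would_send(cookie_domain: str, host: str) -> bool:
    """Model of the host-match rule from the slide: the browser only returns the
    cookie to the domain that set it and to hosts beneath it."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)
```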
Slide 33: WebSSO Configuration (screenshot)
Slide 34: Enable Multi Server SSO (screenshot)
Slide 35: Account Documents (screenshot)
Slide 40: Push Account Documents To Users via Document Settings/Policy (screenshot)
Slide 42: Windows Single Sign-on for Web Clients (SPNEGO)
●Available since Lotus Domino 8.5.1
●The user acquires Kerberos credentials when logging on to Windows.
●Windows verifies the user's password.
●The password never travels over the wire via HTTP.
●SSO technology leveraging the Windows credentials is sometimes called by these names:
  ●SPNEGO (Simple and Protected GSS-API Negotiation Mechanism)
  ●“Integrated Windows Authentication” for the Windows intranet
●SPNEGO-aware browsers know how to
  ●Ask Windows for a Kerberos ticket, based on a) browser configuration and b) the user's requested URL.
  ●Send the Kerberos ticket as part of the SPNEGO protocol request
●SPNEGO-aware Domino validates the ticket to authenticate the user.
Slide 43: Setting Up SPNEGO
●Create a Domino Web SSO document (enable Windows single sign-on integration)
●Set up an SPN (Service Principal Name) for the Domino server in Active Directory
  ●Domino must run under an Active Directory account you set up for it
  ●Run domspnego
  ●Take the output and give it to your AD administrator to run setspn with
  ●Run setspn -a http://<dominohostname> <accountnamerunningdomino>
●Update person documents with the AD name appended to FullName (and optionally others such as krbPrincipalName and LTPA User Name)
Slide 45: SAML – Security Assertion Markup Language
●Provides ease of use for end users: reduces the number of passwords to memorize
  ●The only “Notes password” is the IdP's password
  ●And SPNEGO/Kerberos to Microsoft's ADFS can eliminate that prompt as well
  ●Once a user has authenticated with the IdP they won't be asked again
●The Notes client uses SAML to fetch the user's ID file from the vault
  ●The ID file is stored in memory instead of being written to disk
●Works on Citrix, Linux, and Mac as well as Windows
●Requires the Notes Standard client
●Support for Notes, iNotes, and web clients
●Identity Providers supported
  ●IBM Tivoli Federated Identity Manager (TFIM)
  ●Microsoft's ADFS 2.0 integrated with Active Directory
Slide 46: SAML – IdP - Identity Provider (SSO)
●ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
  ●SAML 2.0 only
  ●Can be combined with SPNEGO
  ●Enhances Integrated Windows Authentication (IWA)
●TFIM (Tivoli Federated Identity Manager)
  ●SAML 1.1 and 2.0
●IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions
●Assertions have three roles
  ●Authentication
  ●Authorisation
  ●Retrieving attributes
Slide 47: Notes Federated Login with SAML
1) The user launches Notes and Notes connects to the ID Vault.
2) The ID Vault (configured for SAML authentication) reaches out to the IdP.
3) The IdP prompts the user for credentials.
4) Correct credentials are supplied.
5) The IdP provides a SAML artifact (XML) to the ID Vault.
6) The ID Vault provides the ID to Notes.
Once the Notes session is completed, the ID is removed from the machine.
Slide 48: SAML – Installation
●Warning! This is hard!
●One of the most complex Domino-based things I have seen so far.
●Find help with comprehensive knowledge of:
  ●Domino server admin
  ●Notes client configuration and security
  ●Active Directory configuration at your company
  ●ADFS
  ●SAML concepts
  ●SSL configuration on Domino and in Windows/IIS
  ●Enterprise browser configuration
●It's worth the effort, especially in the long run.
●Read the Connect 2014 presentation “SHOW100 : AD + SAML + Kerberos + IBM Notes and Domino = SSO!” by Rob Axelrod and Andy Pedisich, Technotics: https://ibm.biz/BdFnyF
Slide 49: NSL/SPNEGO vs. SAML
NSL/SPNEGO
●SPNEGO requires a Windows environment
  ●Active Directory
  ●Windows domain login
  ●Microsoft-supported browsers
  ●Domino on Windows
●Requires Windows clients for the users
  ●Citrix not supported
●Requires Domino on Windows
●It has a very specific use case
SAML
●Not everything supports it
  ●Traveler doesn't
  ●Sametime doesn't
  ●Citrix does!
●ID Vault is a requirement, so IDs that can't be vaulted can't be used (multiple passwords, smartcards, etc.)
●Complex to set up
Slide 51: Q & A
Martin Leyrer, IBM Collaboration Solutions IT-Specialist with IBM Austria
IBM e-mail: martin.leyrer@at.ibm.com
E-mail: leyrer@gmail.com
Twitter: http://www.twitter.com/leyrer
Facebook: https://www.facebook.com/leyrer
Blog: http://www.leyon.at
LinkedIn: http://at.linkedin.com/in/leyrer
Phone: +43 664 618 6826
Slide 52: Further Reading
●“Upgrading from Notes client single logon to Notes shared login” by Nancy E. Kho, https://ibm.biz/BdFnM6
●“Single Sign-on (SSO) technologies for the Domino Web Server” by Jane Marcus, https://ibm.biz/BdFnyT
●“Connect 2014 SHOW100 : AD + SAML + Kerberos + IBM Notes and Domino = SSO!” by Rob Axelrod and Andy Pedisich, Technotics, https://ibm.biz/BdFnyF
●“Simplifying The S's: Single Sign-On, SPNEGO and SAML” by Gabriella Davis, https://ibm.biz/BdFnfq