
Active Directory Single Sign-On with IBM


This presentation is from IBM's New Way to Learn 2016 partner enablement. The topic is an introduction to Active Directory Single Sign-On with WebSphere Portal and Connections Cloud. SSO with Domino and usage of SPNEGO are listed as resources at the end of the presentation.

Published in: Technology


  1. Active Directory Single Sign-On
  Worldwide Business Partner Technical Enablement 2016
  Van Staub – North America Embedded Solution Agreement Technical Sales
  2. Agenda
  • review, in a practical format, configuring Active Directory and Active Directory Federation Services
  • configure SAML with WebSphere
  • discuss SAML with Connections Cloud
  • list notable resources at the end
  3. Installing and Configuring Active Directory
  • the “directory” used to perform authentication with IBM software (e.g. WebSphere Portal)
  • provides a variety of authentication mechanisms almost out of the box: LDAP and SPNEGO (Kerberos) from the domain itself, and SAML through ADFS
  • very easy to get started
  4. Active Directory Federation Services 2.0
  • supports SAML authentication with “relying parties” (the applications that consume its assertions; WebSphere is one)
  • SAML is an XML protocol in which the identity provider asserts the identity of a user in a digitally signed assertion (encryption of the assertion is optional; the signature is what the relying party relies on)
  • the identity of the user is provided using a “claim” (e.g. sAMAccountName or email address)
  5. SAML Flow (diagram slide; no text)
  6. Installing and Configuring ADFS 2.0
  • install the ADFS 2.0 software
  • configure the first federation server
  • manually add the SSL certificate to IIS if one is not listed as available to use (I re-used a certificate; you can create a self-signed one if needed)
  • verify the SSL certificate you imported is also set as the Token-Signing certificate
  • also make sure it’s the primary certificate
  • note: the token-signing certificate is the key the relying party trusts to verify assertions; ADFS otherwise generates its own self-signed token-signing certificate and rolls it over automatically, so once you set one manually that automatic rollover is off and the WebSphere truststore must be updated whenever the certificate is renewed
  7. Manually importing the SSL certificate into IIS (screenshot)
  8. Manually set the Token-Signing Certificate (screenshot)
  9. Configuring WebSphere for SAML
  • ensure that security is enabled and working with Active Directory
  • install the SAML ACS enterprise application
  • configure the SAML TAI to work with the ADFS IdP
  • the steps create a global configuration
  • steps are shown manually for clarity
  10. Installing the SAML ACS application (screenshot)
  • the script shown simply deploys the SAML ACS enterprise application
  • can also be done manually
  11. Disable trust association while configuring
  • using the WAS console go to Security -> Global Security -> Web and SIP security -> Trust Association
  • uncheck Enable trust association
  12. Add the interceptor
  • click Interceptors
  • add the interceptor class com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor
  • add the settings seen in the screenshot
  13. Add the custom properties
  • using the WAS console go to Security -> Global Security -> Custom Properties
  • add the settings seen in the screenshot
  14. Trust the token-signing certificate
  • using the WAS console go to Security -> SSL Certificate and Key Management -> Key stores and Certificates
  • either NodeDefaultTrustStore or CellDefaultTrustStore
  • add the SSL certificate (public key) manually, or retrieve it from port (i.e. the IIS server); this works here only because the SSL certificate was also made the Token-Signing certificate earlier, and it is the token-signing certificate that WebSphere must trust
  15. Certificate alias you just added to the trust store (screenshot)
  16. Trust the ADFS realm
  • using the WAS console go to Security -> Federated Repositories -> Configure
  • click Trusted authentication realms - inbound
  • add the external realm settings seen in the screenshot (the Federation Service identifier seen earlier)
  17. Re-enable trust association
  • using the WAS console go to Security -> Global Security -> Web and SIP security -> Trust Association
  • check Enable trust association
  18. Creating the Partnership
  • SAML 2.0 metadata XML can be exported from WebSphere and imported into ADFS
  • use AdminTask.exportSAMLSpMetadata('-spMetadataFileName <SpMetaDataFile> -ssoId 1')
  • the screenshot highlights sso_1.sp.acsURL, the ACS URL ADFS will post assertions to
  19. Use defaults on the next screens
  20. Finished Partnership (Relying Party Trust)
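What the configuration above sets up, seen from the relying party's side, as an added example (this is not IBM's, Microsoft's or the presenter's code): the checks a SAML relying party such as the WebSphere SAML TAI has to apply to an ADFS Response before it accepts the claim. The hostnames, ports and entity IDs are assumptions, the certificate bytes are a constructed placeholder standing in for the base64 DER of the token-signing certificate, the 3-minute clock skew tolerance is an assumed value, and XML-DSig signature verification is assumed to be done beforehand by an XML-signature library; the example covers everything after that (trusted issuer, pinned signing certificate, ACS destination, audience and validity window). The claim type URI is the standard ADFS e-mail address claim.

```python
# Relying-party checks on an ADFS SAML 2.0 Response (added example, not IBM/Microsoft code).
# XML-DSig verification is assumed to be done beforehand by an XML-signature library; these
# are the checks that map onto the TAI settings on the slides.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"  # ADFS claim type
# Constructed placeholder: NOT a real DER certificate, it only stands in for the base64
# bytes of the ADFS token-signing certificate that was imported into the WAS truststore.
FAKE_CERT_B64 = base64.b64encode(b"placeholder token-signing certificate").decode()

class SamlValidationError(Exception):
    """Raised for any Response the relying party must not accept."""

def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes: the value to pin from the truststore alias."""
    return hashlib.sha256(base64.b64decode(b64_der)).hexdigest()

SP_CONFIG = {  # hypothetical relying-party settings; hostnames and ports are assumptions
    "idp_entity_id": "http://adfs.example.local/adfs/services/trust",  # trusted inbound realm
    "sp_entity_id": "https://portal.example.local:10041/samlsps/acs",   # SP entityID / audience
    "acs_url": "https://portal.example.local:10041/samlsps/acs",        # sso_1.sp.acsURL
    "clock_skew": timedelta(minutes=3),                                 # assumed tolerance
    "signing_cert_sha256": cert_fingerprint(FAKE_CERT_B64),
}

def _parse_time(s):
    # ADFS emits fractional seconds; drop them and read the UTC timestamp.
    return datetime.strptime(s.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, now):
    """Return NameID and attribute claims from an acceptable Response, else raise."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != cfg["acs_url"]:
        raise SamlValidationError("Destination does not match the ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise SamlValidationError("no plaintext assertion (encrypted assertions not handled here)")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["idp_entity_id"]:
        raise SamlValidationError("untrusted issuer %r" % issuer)
    cert = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        raise SamlValidationError("assertion is not signed")
    if cert_fingerprint(cert.strip()) != cfg["signing_cert_sha256"]:
        raise SamlValidationError("signer is not the trusted token-signing certificate")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("assertion carries no Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now + cfg["clock_skew"] < _parse_time(nb)) or (na and now - cfg["clock_skew"] >= _parse_time(na)):
        raise SamlValidationError("assertion outside its validity window")
    if cfg["sp_entity_id"] not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("assertion not addressed to this SP")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}

# Constructed sample, shaped like the Response ADFS posts to the ACS URL (signature element abbreviated).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s" ID="_r1"
  Version="2.0" IssueInstant="2016-06-01T12:00:00.000Z" Destination="%(acs)s">
  <saml:Issuer>%(idp)s</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="%(ok)s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-06-01T12:00:00.000Z">
    <saml:Issuer>%(idp)s</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%(cert)s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>jdoe@example.local</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-06-01T11:59:00.000Z" NotOnOrAfter="2016-06-01T12:05:00.000Z">
      <saml:AudienceRestriction><saml:Audience>%(sp)s</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="%(email)s"><saml:AttributeValue>jdoe@example.local</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % dict(NS, acs=SP_CONFIG["acs_url"], idp=SP_CONFIG["idp_entity_id"], ok=SUCCESS,
                            cert=FAKE_CERT_B64, sp=SP_CONFIG["sp_entity_id"], email=EMAIL_CLAIM)

def demo():
    """Accept the sample, then show how a stale assertion or a mismatched TAI setup is rejected."""
    good_now = _parse_time("2016-06-01T12:01:00Z")
    out = {"claim": validate_response(SAMPLE_RESPONSE, SP_CONFIG, good_now)}
    cases = {"expired": (SP_CONFIG, _parse_time("2016-06-01T12:30:00Z")),
             "wrong_issuer": (dict(SP_CONFIG, idp_entity_id="http://rogue.example.local/adfs/services/trust"), good_now),
             "wrong_audience": (dict(SP_CONFIG, sp_entity_id="https://other.example.local/samlsps/acs"), good_now)}
    for label, (cfg, now) in cases.items():
        try:
            validate_response(SAMPLE_RESPONSE, cfg, now)
            out[label] = "accepted"
        except SamlValidationError as e:
            out[label] = str(e)
    return out
```

Each setting in SP_CONFIG corresponds to one of the console steps: idp_entity_id is the Federation Service identifier entered as the trusted inbound realm (slide 16), signing_cert_sha256 is the certificate alias added to the trust store (slides 14 and 15), and acs_url is the sso_1.sp.acsURL value that ends up in the exported SP metadata (slide 18). The demo() cases show why each of them matters: with the wrong realm or audience the assertion is refused even though it is otherwise well formed, and a replayed assertion is refused once its NotOnOrAfter has passed.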
  21. Resources
  • Understanding the WebSphere Application Server SAML Trust Association Interceptor
  • Step by step guide to implement SAML 2.0 for Portal 8.5 (URL fragment as captured: saml-2-0-portal-8-5/)
  • Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI) (URL fragment as captured: 3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en)
  • Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication (URL fragment as captured: on_for_HTTP_requests_using_SPNEGO_web_authentication)
  • AD + SAML + Kerberos + IBM Notes and Domino = SSO! (URL fragment as captured: posted.htm)
  • BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014) (URL fragment as captured: spnego-and-saml-2014.htm)
  22. Thank You