Notes, domino and the single sign on soup


MWLUG 2017 presentation on Notes/Domino single sign-on: SAML, SPNEGO, and more.
  1. MWLUG 2017 Moving Collaboration Forward: Notes, Domino and the Single Sign-on Soup
     Chef: Darren Duke
  2. Our Amazing Sponsors
  3. About me
     • Relapsed podcaster, http://wtftech.fm/
       – Back on the horse with Stuart and Jesse
       – If you’re not listening, you’re really missing out
       – No, really, you are
       – NO, really you are
       – NO, REALLY YOU ARE!!!!
     • Hire me by talking to Lisa
       – She’ll be around here somewhere
  4. SSO you say?
     • Many different things to many different people
     • Could be (listed in order of complexity):
       – Offload
       – Synchronization
       – Integration
     • Could be more than one of the above
  5. Domino is different
     • It has two passwords
       – Because… well… Domino
       – Makes it twice as difficult
     • One size doesn’t fit all
       – You may combine the following concepts
  6. Why do it?
     • Single password
     • No password
     • Get away from ID and password management
       – You never *really* get away from the ID
     • It’s what all the cool kids are doing
  7. Why do it?
     • What are you trying to solve?
       – Answer this and you know which of the following solutions are for you
  8. Notes Shared Login (NSL)
     • Remove Notes password from ID
     • Well, mostly
       – Except for the first logon to a new computer account
       – Policy based
       – Requires Notes Single Logon Service to be removed from clients
       – Can be used with Notes Federated Logon (NFL)
  9. You will need a (working) ID Vault
     • If you don’t have one – WHY NOT???
     • If you do, is it working?
     • Several of the following solutions require it
  10. Types of SSO…
     • Offload – pass it off
     • Synchronization – move the data around
     • Integration – link it all together
  11. Offload
     • Authenticate the password from elsewhere
       – Usually Active Directory
       – Uses Directory Assistance and LDAP referrals
       – Only usable (like this) for the HTTP password
         • So iNotes, web apps, Traveler, etc.
     • Will also be needed if you do SAML and SPNEGO
  12. Offload
     • Pros
       – Actually uses the AD password; no HTTP password exists anymore*
     • Cons
       – Only web protocols
       – You need to get the Domino LDAP DN into an AD field
       – Traveler can lock the account out on a regular basis
         • Think AD password change policy
  13. Synchronization
     • Copy password from “A” to “B”
       – “A” is usually AD, “B” is usually Domino
     • Capture AD password change, send to Domino
       – Can update ID Vault and/or HTTP password
     • TDI is a free entitlement for most of you
       – And it can do this
  14. Synchronization
     • Pros
       – Fixes AD lockout issue with “offload”
       – Notes ID and/or HTTP password thanks to ID Vault
     • Cons
       – Usually requires AD schema modification
       – HTTP password changes need to replicate
       – Doesn’t really get rid of Notes ID password
         • Just makes it known to the user
  15. Integration
     • Use a different system (usually AD) to verify user ID and password
     • Two options
       – SPNEGO
         • Reasonably simple
         • Limited use
         • HTTP only
       – SAML/NFL
         • As far from reasonably simple as you can get
         • Notes client and/or HTTP
  16. SPNEGO
     • Allows domain-connected users using browser apps to log in transparently using IWA
     • Web/Internet Site based
       – All or nothing
       – Although with good firewall people……
     • Two Internet Site documents, one SPNEGO, one not
       – Source IP, agent sniffing, etc.
  17. SPNEGO
     • Pros
       – Simple(ish)
     • Cons
       – HTTP only
       – Windows desktops only (no Mac)*
       – Domino authentication server must be Windows
       – Kind of half-assed implementation
         • Will not fail back to user name and password
       – Domino user DN is still needed in AD
  18. SAML/WFL/NFL
     • Uses SAML to connect to ADFS or TAM
       – Could use others, but completely unsupported
     • Most are (and all of mine have been) ADFS
     • Can be used to get rid of Notes ID password
     • Very flexible
       – WFL for iNotes, web apps
       – NFL for Notes clients
       – Use either or both
  19. SAML/WFL/NFL
     • Pros
       – Standard, cross platform
         • Client OS – all of them
         • Domino server OS – all of them
       – Use AD user name and password
       – Flexible WFL options
         • Inside the corporate network, transparent logon
         • Outside, use forms-based logon
       – Go completely Notes ID password-less
  20. SAML/WFL/NFL
     • Cons
       – Is pretty complex
       – Documentation is woeful
       – Notes requires files be present in the user profile to work
         • Stub notes.ini with full CN user name
         • Deploy.nsf for certificates
       – Requires a custom ADFS SSL cert
         • Means you need to use a non-commercial certificate
         • Create an ADFS server specifically for NFL, as users may get SSL certificate trust issues unless it is in the computer’s trusted roots
         • Again, a bit half-arsed
  21. SAML/WFL/NFL
     • Cons (cont.)
       – Slow logging into Notes client
         • All these security shenanigans take time
         • But this can be fixed by also using NSL:
           – First login uses NFL
           – Subsequent logins switch to NSL
       – Domino user DN is still needed in AD
       – No ADFS 4.0 support
         • So no Windows Server 2016 support
         • ADFS 3.0 support took 4 years
  22. What about Traveler?
     • Verse client now supports certificate authentication
       – Note, *NOT* SSO, but at least password-less
     • No native iOS support that I know of
       – So iOS native still uses HTTP password
     • Some MDMs have their own mail clients to address this
  23. Common Thread…
     • “Domino DN still needed in AD”
       – (or email address, just some unique ID equal in both systems)
       – Domino DN = “CN=Darren Duke,OU=blah,O=bob”
         • It’s the LDAP version of your Domino name
       – Use TDI to populate the AD field with the Domino DN
         • Prereq: needs an *existing* common ID between AD and Domino
           – Email address?
           – Domino short name = sAMAccountName?
         • Some orgs use AltSecurityIdentities, some email address
         • Others use a custom field
           – If custom, make sure to index that field in AD!!!
  24. Notes client setup suggestions
     • Prepopulate Notes client setup values automatically
       – https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/use-a-custom-notes.ini-file-and-prepopulate-user-settings-on-notes-first-startup.htm
       – Use the above either standalone, with NSL or with NFL
     • Andy’s and Rob’s SAML LS/Connect Show and Tell
       – www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW100.ppt/%24file/SHOW100.ppt
  25. Q and A
     • So if time permitted, ask away…
     • Also:
       – https://blog.darrenduke.net
       – @darrenduke on Twitter
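Added example for the "Common Thread" slide (not code from the deck, TDI, or any IBM/HCL tool): a Python pre-check that turns a Notes hierarchical name into the LDAP-style Domino DN the slides say must land in an AD attribute, then joins Domino people to AD accounts on a common key (email here) and flags collisions and unmatched accounts before anything is written. Attribute names `FullName`, `mail` and `sAMAccountName` and all sample records are assumptions constructed for the example.

```python
import re

def notes_name_to_ldap_dn(name: str) -> str:
    """'CN=Darren Duke/OU=blah/O=bob' or 'Darren Duke/blah/bob' ->
    'CN=Darren Duke,OU=blah,O=bob'; unlabelled parts: first CN, last O, rest OU."""
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError(f"not a hierarchical Notes name: {name!r}")
    rdns = []
    for i, part in enumerate(parts):
        if "=" in part:
            attr, value = part.split("=", 1)
        else:
            attr = "CN" if i == 0 else "O" if i == len(parts) - 1 else "OU"
            value = part
        # RFC 4514: escape RDN-special characters, e.g. a comma in "Duke, Darren"
        value = re.sub(r'([,+"\\<>;=])', r"\\\1", value.strip())
        rdns.append(f"{attr.strip().upper()}={value}")
    return ",".join(rdns)

def join_on_common_id(domino_people, ad_accounts, key="mail"):
    """Map AD sAMAccountName -> Domino DN where the common key matches exactly one
    Domino person; collisions and unmatched AD accounts are returned for cleanup."""
    by_key = {}
    for person in domino_people:
        by_key.setdefault(person[key].lower(), []).append(person)
    mapping, collisions, unmatched = {}, [], []
    for acct in ad_accounts:
        hits = by_key.get(acct[key].lower(), [])
        if len(hits) == 1:
            mapping[acct["sAMAccountName"]] = notes_name_to_ldap_dn(hits[0]["FullName"])
        elif hits:
            collisions.append(acct["sAMAccountName"])  # key not unique on the Domino side
        else:
            unmatched.append(acct["sAMAccountName"])  # no Domino person for this account
    return mapping, collisions, unmatched

# Constructed sample data (assumed attribute names, not real directory exports)
DOMINO_PEOPLE = [
    {"FullName": "CN=Darren Duke/OU=blah/O=bob", "mail": "darren@example.com"},
    {"FullName": "CN=Jane Doe/O=bob", "mail": "jane@example.com"},
    {"FullName": "CN=Jane Doe/OU=old/O=bob", "mail": "jane@example.com"},  # duplicate key
]
AD_ACCOUNTS = [
    {"sAMAccountName": "dduke", "mail": "Darren@example.com"},
    {"sAMAccountName": "jdoe", "mail": "jane@example.com"},
    {"sAMAccountName": "ghost", "mail": "nobody@example.com"},
]
```

Run `join_on_common_id(DOMINO_PEOPLE, AD_ACCOUNTS)` to see one clean mapping, one collision (jdoe) and one unmatched account (ghost); only the clean rows should ever be fed to the TDI assembly line that writes the AD field.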