Wfl

IBM Collaboration Solutions
Open Mic
Date: 29-10-2015
IBM Domino WEB Federated Login

2
IBM Corporation ©2015
Open Mic Team
Irfan Jaffery - IBM ICS Support engineer Presenter
Deepankar Panda - IBM ICS Support engineer Presenter
Ranjit Rai - IBM ICS SWAT Focusing on entire Notes/Domino
Jayavel Rajendran - IBM ICS SWAT Focusing on entire Notes/Domino
Hansraj Mali - IBM ICS SWAT Focusing on Notes/Domino
Narendra Nesarikar – IBM ICS Support Facilitator for Open Mics

3
 IBM Web Federated Login introduction
 Different Components
• A web browser client for all iNotes users Federation Identity Provider
• Windows Domain Environment
• IdP Catalog (IdPCat.nsf)
• Domino Web Server running iNotes functioning as the Home Mail Server for INotes
client users server
• ID Vault
 Deployment Requirements
 Implementation
 General Troubleshooting
 References
 Q/A
Agenda

4
IBM Web Federated Login Introduction
 Provides a single sign-on experience when starting up the Notes client or iNotes
 SSO between Notes, iNotes and windows domain environment and many other
supported/compatible Identity Providers.
 Eliminates regular iNotes password prompt.
 Reduces the administrative cost for maintaining multiple directories.
 Uses cryptographic mechanisms instead of passwords to improve security and minimize cost
 The SAML IdP takes responsibility to authenticate the Notes user.
 Users' IDs must be stored in an ID vault

5
Different Components
Federation Identity Provider
Currently Supported with IBM Notes/Domino 9.0.x
 Microsoft® ADFS 2.0 integrated with Active Directory
 IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager).
Domino web server authentication process using SAML

6
Contd...

7
Contd...
Windows Domain Environment
 Requires Active Directory Configuration
 Active Directory Federation Service 2.0 (ADFS) is used as Identity Provider
 Client computer where the user is logging into Windows and running the browser
 ADFS does the job of user authentication via Kerberos Authentication

8
Contd...
IdP Catalog (IdPCat.nsf)
 A Database needs to be created on Domino Server hosting ID Vault
 Use idpcat.ntf template and database name must be IdPCat.nsf
 If using unix the filename must be all lower case
 Special database that contains trusted identity providers and their certificates.
 An IdP config document is created and IdP configuration is imported
 The Admin creating the document must be listed in the following fields on the server
 Full Access Administrators
 Administrators
 Sign or run unrestricted methods and operations
 Imports FederationMetadata.xml file exported from ADFS. This builds trust.
 The idpcat.nsf must not be enabled for document locking.
 Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly
sensitive information is not in the directory.

9
Contd...
iNotes User Environment with Domino Home mail server
 Web Browser
 Domino Server 9.0/9.0.x Needs to be installed and should have HTTP enabled
 SSL needs to be enabled on Domino Server
 If the ID vault server is separate, it does not need to have SSL enabled
 ID Vault should be hosted on Domino server
 Security Policy for ID Vault should be configured and applied to iNotes users
 Session Authentication should be set to SAML 2.0 under Server document
 Exported copy of an SSL internet certificate from Federation Identity ( TIFM/ADFS 2.0
) must be imported in Domino Directory and should be cross certified to create an
internet cross certificate.

10
Contd...
ID Vault
 Standard ID Vault configuration should be done on Domino Server
 Proper security policy should be created for ID Vault and should be pushed to the users
 All user Ids must be harvested to the ID Vault Database
 Identity Provider Configuration information should be updated under ID Vault

11
Deployment Requirements
 IBM Domino Server 9.x onwards
 Confirm your iNotes user has been added to the vault and can access their ID for
encrypting/decrypting mails
 Microsoft Windows Active Directory Domain Configuration
 Active Directory Federation Services 2.0 ( ADFS 2.0 ) Configuration
 If using ADFS or implementing SSL with TFIM then confirm that you can access your server
through HTTPs
 Client machine should be part of Windows Domain environment

12
Implementation – ADFS 2.0 Configuration
 Run the ADFS console by selecting Start->Administrative Tools-> AD FS 2.0 Management
 Navigate to the Relying Party Trusts folder
 From the menu, select Action > Add Relying Party Trust
Note: We have to follow the below step twice. We need to have 2 Relying Partry Trusts
iNotes configuration on the IdP
ID Vault configuration on the IdP

13
Contd...

14
Contd...

15
Contd...

16
Contd...

17
Contd...

18
Contd...

19
Contd...

20
Contd...

21
Contd...

22
Contd...

23
Contd...

24
Contd...

25
Contd...

26
Contd...
Right-click the new Relying Party Trust, and select Properties

27
Contd...
Particularly if you have used a Domino metadata import file, check the Endpoints tab.
The Domino server uses the POST Binding, which should appear in the list of SAML
Assertion Consumer Endpoints. Domino server does not use an Artifact Binding, so if it
exists in the list, you can remove it.

28
Contd...
This is property window for ID Vault Configuration on the IDP.

29
Contd...
Use the URL to download FederationMetaData from ADFS server
(https://ADFSservername/FederationMetaData/2007-06/FederationMetaData.xml)

30
Implementation – Importing SSL Internet Certificate in Domino Directory

31
Contd...

32
Contd...

33
Implementation – Creating cross certificate in Domino Directory

34
Contd...

35
Contd...

36
Creating a configuration document in the idpcat.nsf database
contd...
The IdP Catalog application (idpcat.nsf) must exist on the Domino server that hosts the ID vault whether
or not that is the same computer that runs iNotes.
You will always have two IdP config documents for any iNotes server supporting WebFederated Login.
One IdP config document is for the iNotes server with SAML authentication, and this document must reside
in the IdP Catalog application on the iNotes server.
The second IdP config document is for the iNotes server interface with the ID vault, and this document
must reside in the IdP Catalog application on the ID vault server.
The documents are similar, but differ in a few important fields.

37
Implementation – Importing FederationMetadata.xml in IdPCat.nsf
iNotes Server with SAML Authentication

38
Implementation – Creating Certificate in IdPCat.nsf

39
Go to server notes.ini and add below lines
SAMLAuthVersion=2
SAMLUrl=https://instructor.test.com
SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw==
SAMLCompanyName=TEST SAML
Restart Domino server
Contd...

40
Implementation – Importing FederationMetadata.xml in IdPCat.nsf
iNotes Server Inteface with the ID Vault

41
Contd...

42
Implementation – ID Vault and IdP Configuration in ID Vault

43
Contd...

44
Contd...

45
Integrated Windows Authentication (IWA)
●
IWA is not necessary for SAML configuration
●
Stops an iNotes user from being prompted for a password once they log on to their machine
The following need to be in the same Windows Active Directory domain
●
ADFS server
●
Client computer where the user is logging into Windows and running the browser or Notes client
●
The record for the user who is being authenticated via IWA
Step 1: Create the ADFS Kerberos identity
●
The Windows administrator logged into the Windows domain creates the ADFS Kerberos identity.
●
This identity must be mapped to the Active Directory user that represents the ADFS HTTP server instance.
●
setspn -a HTTP/instructor.test.com instructor$
●
setspn -a HTTP/Instructor instructor$
●
setspn -L Instructor$

46
Step 2: Set up the browser for the Windows client iNotes user
Under Internet Options → Local Intranet → Sites add your ADFS URL

47
General Troubleshooting
Before turning on SAML authentication:
 Make sure the Web server is functioning properly for session authentication
 Make sure SSL is deployed properly
You can use fiddler or firebug for network trace.
Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino.
 Is the user properly prompted by the IdP (if password prompt required)?
 If Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see Kerberos ticket
for the user to the SAML IdP.
 Check the HTTP post with SAML assertion.
If you face errors creating SAML certificate under IdP Configuration document in IdPCat.nsf database,
you can check below things first
 Certificate creation and metadata export use an agent in idpcat.
 Refer hidden field named "NotesError" in IdP config document as it is helpful to diagnose
error
 "You are not authorized to perform that function"
 Check permissions in server document security tab.
 "Cannot accept internet certificate because the certificate is already in the ID file”
 Use a different certifier name.

48
Contd...
Sample output of DEBUG_SAML=31
Limitations:
No support with Traveler devices
Cannot work with Notes Single Login service
Current support with 2 IDPs (ADFS and TIFM)

49
References
Web Federated Login:
http://www-
01.ibm.com/support/knowledgecenter/SSULMR_9.0.0/admin/saml_configuring_secure_web_feder
ated_login_for_inotes_using_saml_t.dita

50
Questions?
Visit our Support Technical Exchange page or our Facebook page
for details on future events.
To help shape the future of IBM software, take this quality survey
and share your opinion of IBM software used within your
organization: https://ibm.biz/BdxqB2
50
IBM Collaboration Solutions Support page
http://www.facebook.com/IBMLotusSupport
IBM Collaboration Solutions Support
http://twitter.com/IBM_ICSSupport

Wfl

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (19)

Similar to Wfl

Similar to Wfl (20)

Recently uploaded

Recently uploaded (20)

Wfl