
BP201 Creating Your Own Connections Confection - Getting The Flavour Right


IBM Connections 5 comes in a variety of exciting flavours - fancy a vanilla install, or maybe you want to add some extra sauce like External users or IBM Docs? A sprinkling of File Viewer and a few Surveys or maybe a dollop of Sametime. In this session we'll take a look at how to build the right flavour combination of Connections for your business from deciding what features you want through to architecting a solution. We will have plenty of "How Tos" such as how to add external users to your Connections communities securely and what does their experience look like? How much Sametime is just enough? What's the difference between IBM Docs, File Viewer and EditLive in features and deployment? If you're new to Connections, planning a move to Connections 5 or even considering what Connections features you might want to add, this is your session, low fat and calorie free!


  1. BP201: Creating Your Own Connections Confection - Getting The Flavour Right. Gabriella Davis, Technical Director - The Turtle Partnership, gabriella@turtlepartnership.com
  2. Let’s talk about me for a minute ▪ Admin of all things, and especially quite complicated things where the fun is – working with security, health checks, single sign-on, design and deployment of Domino, Sametime, Connections and the things they talk to ▪ Stubborn and relentless problem solver ▪ Lives in London about half of the time ▪ gabriella@turtlepartnership.com ▪ twitter: gabturtle
  3. Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. 
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. 
IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®, PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
  4. Connections - The Whole Picture
  5. Designing Your User Experience ▪ Creating and sharing content ▪ Tagging, likes & @mentions ▪ Client access: browser, desktop application, mobile ▪ Learning about people: who they are, what they do ▪ Document management ▪ Audience & network ▪ External user behaviour
  6. Architecture Decisions ▪ Users vs concurrent users ▪ Public access and security ▪ File and data storage ▪ Separating components ▪ Build now / add later?
  7. Always have both staging and production environments
  8. Design For Growth ▪ Clusters can be duplicated ▪ Not everything needs to be clustered, but everything should have the potential for clustering without needing a rebuild ▪ Avoid backing yourself into a corner with single points of failure ▪ Data is accessed from the database server and from a shared data location
  9. Document Management
  10. It’s All About Content - Companies Run On Content (word cloud: Tags, Video, KPI, Processes, Web 2.0, Proposals, Projects, Photos, Wikis, Places, Blogs, Tasks) ✤ Companies generate, and need to use and retain, a lot of data, much of it unstructured ✤ To do this they use Enterprise Content Management ✤ This is not the same as a Content Management System
  11. Sharing A Collective Memory ✤ Information needs context ✤ Why was it generated? ✤ What was it used for? ✤ Who worked on it? ✤ Is it still true?
  12. Avoiding Reinvention: Does content already exist? Is it what you need? Why not just share it? Search, review, re-use
  13. Always The Right Information ▪ Always most recent ▪ Always validated ▪ Always in context
  14. Control & Confidence ▪ Approvals ▪ Reviews ▪ Auditing ▪ Compliance
  15. Finding Things ✤ People / Unstructured ✤ Process / Structured (searching, files & folder metadata, document types, tagging)
  16. Working With Documents
  17. Files Application ▪ Standard Connections application (default install) ▪ Each user has their own “Library” where they can upload and share files ▪ Each file can be shared
  18. Sharing Files - Behaviour
  19. Files Sync Offline
  20. CCM / FileNet (diagram: Deployment Manager + FileNet, FileNet, Connections WAS, DB, Store)
  21. CCM Isn’t Pure FileNet: it’s a customised, Connections-specific integrated install
  22. CCM deployment (diagram) ▪ Deployment Manager node: 1. WebSphere Application Server 2. Deployment Manager server 3. FileNet installers ▪ FileNet server: 1. WebSphere Application Server 2. FileNet J2EE applications ▪ DB server: 1. Database server 2. FNGCD & FNOS databases ▪ Storage: Connections data share (NFS) ▪ Other diagram labels: CCM Libraries, SSO, Standalone FileNet, External Libraries
  23. Editing Things
  24. EditLive: advanced editing, table management, inline images
  25. EditLive Install ▪ Custom installer downloadable from IBM ▪ Simple application install ▪ Enabled for everyone or for users by role ▪ J2EE application maps to a WebSphere server ▪ You can use an existing server
  26. File Viewer (diagram) ▪ Server 1: IBM Connections with the File Viewer Extension plugin ▪ Server 2: Conversion Server (mandatory Windows OS) ▪ File Viewer Server (Windows or Linux) ▪ Storage: Connections Data Share (moved to NFS share), Viewer Data Share
  27. IBM Docs
  28. IBM Docs (diagram) ▪ Server 1: IBM Connections with the IBM Docs Extension plug-in and the File Viewer Extension plugin ▪ Server 2: IBM Docs Server (mandatory Linux OS) ▪ Server 3: Conversion Server (mandatory Windows OS) ▪ Server 4: IBM Docs Proxy (optional, Linux OS) ▪ File Viewer Server (Windows or Linux) ▪ Storage: Connections Data Share (moved to NFS share), Viewer Data Share, IBM Docs Data NFS Share
  29. Analytics
  30. Cognos (diagram: Cognos BI, Cognos Transformer, Cognos & Metrics DB, Cognos & Metrics J2EE apps, Connections Reporting)
  31. Cognos deployment (diagram) ▪ WebSphere Application Server: Metrics J2EE application, Cognos J2EE application ▪ Cognos BI and Cognos Transformer ▪ Database server: Cognos DB, Metrics DB. The Metrics application logs to the Metrics DB; this DB can be (and is) used by other third-party analytical tools
  32. Forms Experience Builder
  33. Forms Experience Builder ▪ Polls & surveys ▪ Installs on WebSphere server(s) ▪ Requires DB2 ▪ Installs on every server in the chosen cluster
  34. FEB deployment (diagram) ▪ WebSphere Application Server: Forms Experience Builder (FEB) J2EE application ▪ Database server: FEB DB
  35. Connections Mail
  36. How Does Connections Mail Work? (diagram) ▪ Deployment Manager with IBM Connections Mail installed ▪ Connections application servers ▪ HTTP interface to mail (iNotes in the case of Domino) ▪ Domino Server 1, Domino Server 2, Domino Server 3, or Exchange
  37. Sametime Integration
  38. Configuring Sametime With Connections ▪ Two choices: ▪ Each user runs the Sametime standalone client ▪ Enable the Connections server to connect to the Sametime Proxy Server using a web interface ▪ There are no Sametime applications installed under Connections
  39. Online Status In Connections
  40. Sametime Meetings In Connections: all communication is through the Sametime Proxy Server - a web interface to Sametime services
  41. External Users
  42. What Can An External Person Do? ▪ Be a full member of a Community that allows external users ▪ Share files with others, as well as download files shared with them ▪ See Activity Streams they are invited into ▪ Edit their profile ▪ View business cards of anyone who has shared content with them
  43. What Can’t An External Person Do? ▪ See any public content ▪ Create a community ▪ Follow people ▪ See or search the company directory ▪ Use type-ahead to find people ▪ See recommended content or people ▪ Access the Profiles menu ▪ Access other user profiles ▪ See @Mentions for them
  44. Internal - Homepage
  45. Visitor Homepage
  46. Internal - My Profile
  47. Visitor My Profile
  48. Single Sign On
  49. SPNEGO - Simple and Protected GSSAPI Negotiation Mechanism, known as NTLM or Kerberos in Active Directory
  50. SPNEGO Example For WebSphere - steps: 1. User logs into Windows 2. User tries to access Connections 3. Active Directory generates SPNEGO token 4. Browser sends SPNEGO token to WebSphere along with user name 5. WebSphere contacts Active Directory to validate token and retrieve the user’s name
  51. Setting Up SPNEGO ▪ Set up an SPN for the IHS and Connections application servers in Active Directory ▪ Use a dedicated account that you use to start WebSphere as a service ▪ Run setspn -a HTTP/<ihs hostname> <accountnamerunningwas> ▪ If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name, e.g. for Domino update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)
  52. Why Not SPNEGO ▪ It requires Active Directory ▪ It requires users to log in to Active Directory ▪ It requires Microsoft-supported browsers* ▪ It requires a Windows client for the users* ▪ It requires a Windows platform* ▪ It doesn’t work at all if the user is remotely connecting and not logging into Active Directory ▪ It has a very specific use case
 
 * all these asterisks mean there are ways to extend to other platforms, often using 3rd party add-ons
  53. What Is SAML
  54. Security Assertion Markup Language: SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
  55. (diagram) One IdP (Identity Provider) serving several SPs (Service Providers)
  56. No Passwords… to compromise, to expire. Once a user has authenticated with the IdP they won’t be asked again
  57. SAML Example - steps: 1. User attempts to log in to a website 2. User is redirected to the Identity Provider 3. Identity Provider requests authentication or (if the user is logged in) returns credentials 4. User is redirected back to the original site with the SAML assertion attached 5. Original site uses its SAML Service Provider to confirm the SAML assertion and grant access
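Step 5 is where the Service Provider decides whether to trust what came back from the IdP. The following is an added example, not code from the presentation and not WebSphere's own SAML implementation. It assumes the SP library has already verified the XML-DSig signature on the assertion; what it shows are the checks that must still follow a good signature: trusted issuer, audience restriction, the NotBefore/NotOnOrAfter window with a clock-skew allowance, and replay protection keyed on the assertion ID. The issuer URL, SP entity ID, user name and timestamps are constructed values.

```python
"""SP-side validation of a SAML 2.0 assertion (step 5 of the SAML flow).

Added example; assumes the XML signature has already been verified by the
SP library. Issuer, entity ID, NameID and timestamps below are constructed.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample assertion (Signature element omitted, see docstring).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed-id-1"
    Version="2.0" IssueInstant="2015-01-26T10:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-01-26T09:59:00Z" NotOnOrAfter="2015-01-26T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://connections.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are UTC xs:dateTime values with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class AssertionValidator:
    def __init__(self, trusted_issuer, sp_entity_id, clock_skew=timedelta(minutes=2)):
        self.trusted_issuer = trusted_issuer
        self.sp_entity_id = sp_entity_id
        self.clock_skew = clock_skew
        self.seen_ids = {}  # assertion ID -> time after which it can be forgotten

    def _purge(self, now):
        # Drop replay-cache entries that could no longer validate anyway.
        self.seen_ids = {k: exp for k, exp in self.seen_ids.items() if exp > now}

    def validate(self, xml_text, now):
        """Return (True, NameID) on success, (False, reason) on any failure."""
        root = ET.fromstring(xml_text)
        if root.tag != f"{{{SAML_NS}}}Assertion":
            return False, "not a SAML 2.0 Assertion"
        # 1. Only accept assertions from the IdP we federated with.
        issuer = root.findtext("saml:Issuer", namespaces=NS)
        if issuer != self.trusted_issuer:
            return False, "untrusted issuer"
        # 2. Validity window, allowing for clock skew between IdP and SP.
        cond = root.find("saml:Conditions", NS)
        if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
            return False, "missing Conditions or validity window"
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if now + self.clock_skew < not_before:
            return False, "assertion not yet valid"
        if now - self.clock_skew >= not_on_or_after:
            return False, "assertion expired"
        # 3. The assertion must be addressed to this SP, not another service.
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if self.sp_entity_id not in audiences:
            return False, "audience mismatch"
        # 4. Each assertion ID may be presented once within its lifetime.
        assertion_id = root.get("ID")
        self._purge(now)
        if not assertion_id or assertion_id in self.seen_ids:
            return False, "replayed or unidentified assertion"
        self.seen_ids[assertion_id] = not_on_or_after + self.clock_skew
        name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
        if not name_id:
            return False, "missing Subject NameID"
        return True, name_id


if __name__ == "__main__":
    sp = AssertionValidator("https://idp.example.com/adfs/services/trust",
                            "https://connections.example.com/sp")
    now = parse_saml_time("2015-01-26T10:01:00Z")
    print(sp.validate(SAMPLE_ASSERTION, now))  # (True, 'alice@example.com')
    print(sp.validate(SAMPLE_ASSERTION, now))  # second presentation is a replay
```

The replay cache only needs to remember an ID until NotOnOrAfter plus the skew allowance, because after that the time check rejects the assertion anyway; in a clustered SP (as WebSphere cells are) that cache has to be shared across nodes or the protection is per-node only.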
  58. Definitions ▪ IdP - Identity Provider (SSO) – ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012) • SAML 2.0 only • Can be combined with SPNEGO • Enhances Integrated Windows Authentication (IWA) – TFIM (Tivoli Federated Identity Manager) • SAML 1.1 and 2.0
  59. Definitions ▪ SP - Service Provider – IBM WebSphere • By extension, some applications installed under WebSphere – IBM Domino (web federated login) – IBM Notes (requires ID Vault) (Notes federated login)
  60. More Definitions ▪ IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions ▪ Assertions have three roles – Authentication – Authorisation – Retrieving attributes
  61. An IdP can service many service providers; an SP can be connected to several IdPs; an IdP can use a variety of authentication methods, including multi-factor
  62. Setting Up SAML ▪ Choose your IdP if you don’t already have one – which fits best in your business ▪ Build the IdP ▪ Configure the SP ▪ Sounds easy, doesn’t it? – It’s really not easy by any means, but it is worth the investment in time
  63. SAML Support In Connections ▪ WebSphere supports SAML, but that doesn’t mean all applications run under WebSphere support it ▪ Where SAML is configured for authentication and can’t be used by an external application, WebSphere can generate an LTPA token ▪ FileNet / CCM does not support SAML ▪ Metrics/Cognos can’t run in a SAML-enabled cell and must be deployed in its own cell with LTPA ▪ Connections Mail, Desktop and Mobile applications cannot use SAML ▪ Browser access to the rest of the Connections applications (Homepage, Profiles, Activities, Communities etc.) is supported
  64. IBM Pre-Approval Process - SAML Isn’t Supported Without It ▪ SAML integration with IBM Connections is supported in specific circumstances ▪ WebSphere supports SAML, but that doesn’t mean all applications that run under WebSphere do ▪ Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed ▪ The pre-approval process is a questionnaire that must be completed and submitted to IBM so Support can evaluate if your environment can be supported – IBM will also advise the best deployment for SAML to meet your needs – There is no one-size-fits-all solution
  65. Configuring SAML With IBM Connections ▪ There are two methods for configuring SAML with IBM Connections ▪ For both, the IdPs (Identity Providers) tested are ADFS and TFIM – Those are the IdPs publicly documented for WebSphere – That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval ▪ WebSphere acts as an SP (Service Provider) and configuration is completed in the cell under Global Security – This means SAML instructions are applied to all applications in the cell ▪ SAML can be deployed using WebSphere’s default authenticator or using SAML redirection – Using the default authenticator gives more scope for external applications – IBM will advise the best deployment based on your completed questionnaire
  66. Where To From Here? ▪ Who are your users? ▪ Where are your users? ▪ What do they want to do? ▪ Cloud vs on premises ▪ Simplify architecture but build for growth ▪ Have a plan
  67. Questions? ▪ Gab Davis - Technical Director ▪ The Turtle Partnership ▪ gabriella@turtlepartnership.com ▪ GabriellaDavis on Skype ▪ gabturtle on twitter
  68. Engage Online ▪ SocialBiz User Group socialbizug.org – Join the epicenter of Notes and Collaboration user groups ▪ Social Business Insights blog ibm.com/blogs/socialbusiness – Read and engage with our bloggers ▪ Follow us on Twitter – @IBMConnect and @IBMSocialBiz ▪ LinkedIn http://bit.ly/SBComm – Participate in the IBM Social Business group on LinkedIn ▪ Facebook https://www.facebook.com/IBMConnected – Like IBM Social Business on Facebook
