IBM Connections 5 comes in a variety of exciting flavours - fancy a vanilla install, or maybe you want to add some extra sauce like External users or IBM Docs? A sprinkling of File Viewer and a few Surveys or maybe a dollop of Sametime. In this session we'll take a look at how to build the right flavour combination of Connections for your business from deciding what features you want through to architecting a solution. We will have plenty of "How Tos" such as how to add external users to your Connections communities securely and what does their experience look like? How much Sametime is just enough? What's the difference between IBM Docs, File Viewer and EditLive in features and deployment? If you're new to Connections, planning a move to Connections 5 or even considering what Connections features you might want to add, this is your session, low fat and calorie free!
BP201 Creating Your Own Connections Confection - Getting The Flavour Right
1. BP201: Creating Your Own Connections Confection - Getting The Flavour Right
Gabriella Davis
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com
2. Let’s talk about me for a minute
▪ Admin of all things and especially quite complicated things where the fun is
– Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
▪ Stubborn and relentless problem solver
▪ Lives in London about half of the time
▪ gabriella@turtlepartnership.com
▪ twitter: gabturtle
5. Designing Your User Experience
(Diagram: the areas of the user experience to design for)
▪ Creating and sharing content
▪ Tagging, likes & @mentions
▪ Client access: browser, desktop application, mobile
▪ Learning about people, who they are, what they do
▪ Document management
▪ Audience & network
▪ External user behaviour
8. Design For Growth
Clusters can be duplicated
Not everything needs to be clustered but everything should have the potential for clustering without needing a rebuild
Avoid backing yourself into a corner with single points of failure
Data is accessed from the database server and from a shared data location
10. It’s All About Content - Companies Run On Content
(Word cloud: Tags, Video, KPI, Processes, Web 2.0, Proposals, Projects, Photos, Wikis, Places, Blogs, Tasks)
✤ Companies generate and need to use and retain a lot of data, much of it unstructured
✤ To do this they use Enterprise Content Management
✤ this is not the same as a Content Management System
11. Sharing A Collective Memory
✤ Information needs context
✤ Why was it generated?
✤ What was it used for?
✤ Who worked on it?
✤ Is it still true?
17. Files Application
▪ Standard Connections application (default install)
▪ Each user has their own “Library” where they can upload and share files
▪ Each file can be shared
25. EditLive Install
▪ Custom installer downloadable from IBM
▪ Simple application install
▪ Enabled for everyone or for users by role
▪ J2EE application maps to a WebSphere server
▪ you can use an existing server
28. IBM Docs Deployment
(Architecture diagram)
▪ Server 1: IBM Connections, with the IBM Docs Extension Plug-In and the File Viewer Extension Plug-In
– Connections Data Share (moved to NFS share)
▪ Server 2: IBM Docs Server - mandatory - Linux OS
▪ Server 3: Conversion Server - mandatory - Windows OS
▪ Server 4: IBM Docs Proxy - optional - Linux OS
▪ File Viewer Server - Windows or Linux
– Viewer Data Share
▪ IBM Docs Data on an NFS share
31. Cognos BI
(Architecture diagram)
▪ WebSphere Application Server hosting the Metrics J2EE application and the Cognos J2EE application
▪ Cognos Transformer
▪ Database Server holding the Cognos DB and the Metrics DB
The metrics application logs to the Metrics DB. This DB can be (and is) used by other 3rd party analytical tools.
36. How Does Connections Mail Work?
(Architecture diagram)
▪ Deployment Manager with IBM Connections Mail installed
▪ Connections Application Server (one or more)
▪ HTTP interface to mail (iNotes in the case of Domino)
▪ Domino Server1, Domino Server2, Domino Server3 - or Exchange
38. Configuring Sametime With Connections
▪ Two choices
▪ Each user runs the Sametime standalone client
▪ Enable the Connections server to connect to the Sametime Proxy Server using a web interface
▪ There are no Sametime applications installed under Connections
42. What Can An External Person Do?
▪ Be a full member of a Community that allows external users
▪ Share Files with others as well as Download files shared with you
▪ See Activity Streams that they are invited into
▪ Edit Their Profile
▪ View business cards of anyone who has shared content with them
43. What Can’t An External Person Do?
▪ See Any Public Content
▪ Create a community
▪ Follow people
▪ See or search the company directory
▪ Use type-ahead to find people
▪ See recommended content or people
▪ Access the Profiles menu
▪ Access other user profiles
▪ See @Mentions for them
50. SPNEGO EXAMPLE FOR WEBSPHERE
Steps:
1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Connections
4. Browser sends SPNEGO token to WebSphere along with user name
5. WebSphere contacts Active Directory to validate token and retrieve the user's name
51. SETTING UP SPNEGO
Set up a SPN for the IHS and Connections application servers in Active Directory
Use a dedicated account that you use to start WebSphere as a service
Run setspn -a HTTP/<ihs hostname> <accountnamerunningwas> (the SPN is written as service class and host, HTTP/host, not as a URL)
If AD isn't the LDAP being used then the LDAP entry should be updated with the AD name
e.g. for Domino update person documents with AD name appended to FullName (and optional others like krbPrincipalName and LTPA User Name)
52. WHY NOT SPNEGO
It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft Supported browsers*
It requires a Windows client for the users*
It requires a Windows platform*
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms often using 3rd party addons
54. Security Assertion Markup Language
SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
57. SAML Example
Steps:
1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
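Step 5 above is where the service provider decides whether to trust what came back from the IdP. The Python below is an added example (not from the deck or from WebSphere) of the checks an SP applies to an assertion once its XML signature has been verified by the SAML library: trusted issuer, NotBefore/NotOnOrAfter window, audience and subject. The assertion, issuer and audience values are constructed placeholders.

```python
# Added example: service-provider checks on a SAML 2.0 assertion (step 5 above).
# Signature verification is assumed to have happened already; this covers the rest.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with placeholder IdP, SP and user; a real one
# also carries a ds:Signature element.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_id-1" Version="2.0" IssueInstant="2014-01-27T10:00:00Z">
  <saml:Issuer>https://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-01-27T09:59:00Z" NotOnOrAfter="2014-01-27T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://connections.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-01-27T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_issuer, expected_audience, now_iso):
    """Return (accepted, reason, name_id) for the assertion evaluated at now_iso.

    Every check fails closed: wrong IdP, outside the validity window (replayed
    or clock-skewed), or issued for a different SP all reject the assertion.
    """
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "issuer is not the trusted IdP", None
    cond = root.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        return False, "Conditions with a validity window are required", None
    if now < _ts(cond.get("NotBefore")) or now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "assertion was issued for a different service provider", None
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "no subject NameID to map to a WebSphere user", None
    return True, "ok", name_id
```

The NameID returned is what the SP then maps to a user in its own registry, which is why the slide on setting up SPNEGO and SAML both come back to keeping the LDAP entry in step with the IdP's name for the user.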
58. Definitions
▪ IdP - Identity Provider (SSO)
– ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
• SAML 2.0 only
• can be combined with SPNEGO
• Enhances Integrated Windows Authentication (IWA)
– TFIM (Tivoli Federated Identity Manager)
• SAML 1.1 and 2.0
59. Definitions
▪ SP - Service Provider
– IBM WebSphere
• By extension some applications installed under WebSphere
– IBM Domino (web federated login)
– IBM Notes (requires ID Vault) (notes federated login)
60. More Definitions
▪ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via XML based assertions
▪ Assertions have three roles
– Authentication
– Authorisation
– Retrieving Attributes
61. IdPs And SPs
▪ An IdP can service many service providers
▪ A SP can be connected to several IdPs
▪ An IdP can use a variety of authentication methods including multi factor
62. Setting Up SAML
▪ Choose your IdP if you don’t already have one
– which fits best in your business
▪ Build the IdP
▪ Configure the SP
▪ Sounds easy doesn’t it?
– It’s really not easy by any means but it is worth the investment in time
63. SAML Support In Connections
▪ WebSphere supports SAML but that doesn’t mean all applications run under WebSphere support it
▪ Where SAML is configured for authentication and can’t be used by an external application, WebSphere can generate an LTPA token
▪ FileNet / CCM does not support SAML
▪ Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with LTPA
▪ Connections Mail, Desktop and Mobile applications cannot use SAML
▪ Browser access to the rest of the Connections applications (homepage, profiles, activities, communities etc) is supported
64. IBM PreApproval Process - SAML Isn’t Supported Without It
▪ SAML integration with IBM Connections is supported in specific circumstances
▪ WebSphere supports SAML but that doesn’t mean all applications that run under WebSphere do
▪ Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed
▪ The pre-approval process is a questionnaire that must be completed and submitted to IBM so support can evaluate if your environment can be supported
– IBM will also advise the best deployment for SAML to meet your needs
– There is no one size fits all solution
65. Configuring SAML With IBM Connections
▪ There are two methods for configuring SAML with IBM Connections
▪ For both, the IdPs tested are ADFS and TFIM
– Those are the IdPs publicly documented for WebSphere
– That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval
▪ WebSphere acts as a SP (service provider) and configuration is completed in the cell under Global Security
– This means SAML instructions are applied to all applications in the cell
▪ SAML can be deployed using WebSphere’s default authenticator or using SAML redirection
– Using default authenticator gives more scope for external applications
– IBM will advise the best deployment based on your completed questionnaire
66. Where To From Here?
▪ Who are your users
▪ Where are your users
▪ What do they want to do
▪ Clouds vs On Premises
▪ Simplify Architecture But Build for Growth
▪ Have a Plan
67. Questions?
▪ Gab Davis - Technical Director
▪ The Turtle Partnership
▪ gabriella@turtlepartnership.com
▪ GabriellaDavis on Skype
▪ gabturtle on twitter
68. Engage Online
▪ SocialBiz User Group socialbizug.org
– Join the epicenter of Notes and Collaboration user groups
▪ Social Business Insights blog ibm.com/blogs/socialbusiness
– Read and engage with our bloggers
▪ Follow us on Twitter
– @IBMConnect and @IBMSocialBiz
▪ LinkedIn http://bit.ly/SBComm
– Participate in the IBM Social Business group on LinkedIn
▪ Facebook https://www.facebook.com/IBMConnected
– Like IBM Social Business on Facebook