ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!


Presentation that I gave at Lotusphere 2011 with Jay Boyd. We talked about TDI, single sign on, and user management.

  • Hello, LTPA is an IBM standard. We call it Lightweight Third-Party Authentication cookie. Here are some examples on how to use this LTPA cookie for SSO in a PHP and/or .NET environment:

    This ST Awareness on a PHP page article on IBM developerWorks may help you. There is also an example of adding awareness to an ASP page in chapter 12 of the Redbook Building Sametime Enabled Applications. It details a way of doing it if you don't have LTPA in your environment.
  • I have a question about slide 12 - It defines LTPA and uses the term ’Third Party’ in the description but then says it is an IBM Proprietary system, and integrates with 1st party products (ones owned by IBM).

    Are there any examples of how to use LTPA successfully in an SSO environment with other systems, like connecting to PHP or .Net?
Slide notes:
  • Lotus Connections supports the Internet Content Adaptation Protocol (ICAP), and its applications use this protocol to communicate with virus detection products. Ensure that the virus detection product used in your enterprise supports the ICAP 1.0 protocol. Lotus Connections is certified to work with Symantec AntiVirus Scan Engine 5.1 and McAfee Web Security Appliance (3400) and (3300). Lotus® Connections provides security measures, such as an active content filter and content upload limits, that you can use to mitigate the risk of malicious attacks. Because these security measures can also limit the flexibility of the applications, you, as the system administrator, must evaluate the security of your network and determine whether or not you need to implement them. Any software that displays user-authored content can be vulnerable to cross-site scripting (XSS) attacks. Attackers can introduce JavaScript™ into their content that can, among other things, steal a user's session. Session stealing in a single sign-on (SSO) environment poses particular challenges, because any vulnerability to XSS attacks can render the entire single sign-on domain vulnerable.
  • SPNEGO = Simple and Protected Negotiation. Portlets don't support SSO via TAM/SiteMinder/SPNEGO; they require LTPA.
  • Import the LTPA key and password from TAM into WebSphere and set the SSO domain name. Do not use TAM components as a caching proxy; the configuration complexity is very high. Lotus Connections only supports the WebSEAL transparent junction configuration. Configure TAM for URL rewriting in XML and JavaScript content. The TAM configuration setting 'use-same-session = yes' is required.
  • A TDI assembly line is made up of components (connectors, flow controls, loops, branches) that collect data from your source repositories and reformat it into the Profiles database. It supports two-way synchronization on LDAP attributes, and assembly line hooks are available for scripting and customization. TDI should be used to initially populate Profiles and then run frequently to keep it in sync. Connections release 3 allows you to mark a person as “inactive” when they aren't found in LDAP.
  • SyncAllMembersByExtId() takes several parameters indicating how a mismatch can be resolved (either by a matching email address, login id, or left for later manual resolution).
  • Use batch commands; external ids are consistent across all applications. Investigate once, then create a batch script to update across all apps. Returning users can be re-linked with their old data: ProfilesService.swapUserAccessByUserId("oldUserId","newUserId")
  • ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know!

    1. ID304 Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know! Jay Boyd | Lotus Connections Team Lead | IBM; Luis Benitez | Social Software Product Manager | IBM
    2. Who we are
    3. Tweet Away
    4. Agenda
       - Options for Securing Lotus Connections
    5. SSO
    6. New User Life Cycle Options in 3.0
    7. Q&A
    8. Not ideal security... Photo credit:
    9. Securing Lotus Connections
       - Lotus Connections has tons of security options
         - Virus Scanning
    10. SSL (even forced!)
    11. Forced Authentication
    12. Filtering active content
    13. MIME control
    14. and... Photo credit:
    15. Agenda
       - Options for Securing Lotus Connections
    16. SSO
    17. New User Life Cycle Options in 3.0
    18. Q&A
    19. Single Sign On
       - My favorite
    20. Improves usability
    21. Great for adoption Photo credit:
    22. What's supported
       - SSO
         - … with Domino apps (of course!)
    23. … with WebSphere apps (any doubt?)
    24. … with Quickr J/D (go go Gadget docs)
    25. … with Sametime (duh!)
    26. … via Tivoli Access Manager 6.1.1
    27. … via CA's Siteminder 6.0
    28. … via SPNEGO
       - Portlets are an exception :(
    29. Single Sign On: Connections 3.0 Options
       - SSO allows a user to authenticate once and then use other systems that are within the same authentication configuration without providing userid/password authentication subsequent times.
    30. LTPA (WebSphere default)
    31. SPNEGO
    32. TAM (Form Based Auth, Transparent Junctions, LTPA)
    33. SiteMinder (FBA, ASA/WebAgent)
    34. TAM/SPNEGO
    35. Except with LTPA, authentication is forced; there is no anonymous access
    36. Cookies are key with most SSO options (these are not your mother's Cookies)
       - Cookies
         - Textual information consisting of Name/Value pairs
    37. Usually used to provide State in an otherwise Stateless protocol (HTTP)
    38. Domain and Path determine when Cookies are included with an HTTP Request
       - SPNEGO uses Security tokens in the HTTP Header with every request
    39. Single Sign On: LTPA
       - Lightweight Third-Party Authentication
         - IBM proprietary, supported by IBM products such as WebSphere and Domino
    40. Represented as Cookies called LtpaToken (older format, not on by default in WAS7, Domino requires version 1) or LtpaToken2; the value is encrypted and contains:
         - UserID
    41. Authentication Realm
    42. Authentication Expiration Time
       - Important to use both of these if integrating with Domino and Portal
    43. Single Sign On: Keys to successful LTPA Configuration
       - All participating Servers:
         - Same Authentication Realm (correlates to Cookie domain)
    44. Synchronized system time
    45. Identical LDAP configuration (WAS Federated Repository)
    46. Share the same LTPA keys
    47. Servers should use FQDN
         - “ipconfig /all” or “hostname” / “domainname” commands should show FQDN
    48. Single Sign On: Troubleshooting LTPA
       - Verify SSO Domain name
    49. Verify Servers are within the same domain (or a subdomain)
    50. Verify Servers imported the same LTPA Key
    51. Single Sign On: Troubleshooting LTPA
       - Ensure authentication expiration is consistent
       - Ensure auto generation is off
    52. Simple Connections Deployment
    53. Connections Enterprise Deployment
    54. Single Sign On: TAM
    55. Single Sign On: TAM
       - TAM 6.1.1
    56. TAM Form Based Auth, Transparent Junctions, LTPA
    57. Yes, the configuration is complex and there are a ton of security realms
    58. Yes, the Delete Action must be configured
    59. TAM acts as a Reverse Proxy; don't forget to enable dynamicHosts in LotusConnections-config.xml
    60. Cookies: PD-H-SESSION-ID & PD-S-SESSION-ID
    61. Single Sign On: TAM
       - TAM acts as a reverse proxy, only forwarding a request for protected URLs once the user is Authenticated.
    62. Very specific configuration:
         - Form Based Authentication
    63. Transparent Junction
    64. LTPA authentication
       - “Anonymous Access” ACLs pass through for all ATOM url patterns
    65. Test with a browser: feeds that require authentication should prompt for Basic Auth, never TAM Form Authentication
       ** double check your configuration settings with the Connections 3 Documentation **
    66. Single Sign On: SiteMinder
    67. Single Sign On: SiteMinder
       - SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WebSphere Application Server (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035
    68. Yes, the configuration is complex and there are a lot of security realms
         - Protect Web Applications with FBA
    69. Protect ATOM feeds with BA
       - Yes, the Delete Action must be configured
    70. Cookies: SMSESSION
    71. Watch for PERL script to be posted that creates realms
       ** double check your configuration settings with the Connections 3 Documentation **
    72. Configuration is hard, we feel your pain :(
       - Single Sign On configuration is hard
    73. Scripts are needed to automate Configuration
         - Perl
       - Detailed examples help (Prescriptive Deployment scenarios)
       - TAM and SiteMinder SSO Validation Wizard is available!
    74. Single Sign On: SPNEGO
    75. Single Sign On: SPNEGO
       - Simple and Protected GSSAPI Negotiation Mechanism
         - Generic Security Services Application Program Interface
           - Most notable implementations are Kerberos based
         - Used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports.
    76. Most widespread use is Microsoft's Integrated Windows Authentication
         - Kerberos
    77. NTLM
    78. Single Sign On: SPNEGO
       - Client & Server perform negotiation, determining the preferred algorithm to use
    79. On 1st request browser gets back a 401; Headers indicate “Authorization: Negotiate”
    80. If capable, Client & Server agree on a protocol, and on every subsequent request the client infrastructure generates a new security token that is included in the header
    81. Single Sign On: Troubleshooting SPNEGO
       - Configuring SPNEGO can be difficult
         - Install Connections first, verify, then configure SPNEGO
    82. Follow base WebSphere documentation and use the standard SNOOP application to verify your configuration.
       ** double check your configuration settings with the Connections 3 Documentation **
    83. Connections Server to Server Communication & SSO
       - Server to Server Communication
         - Obtaining User information from Profiles (WPI)
    84. Obtaining Membership information from Communities (WCI)
    85. Community Life Cycle
    86. Search Indexing
       - All communication is authenticated and uses HTTP
    87. Interservice URL vs Service URL
    88. LotusConnections-config.xml: customAuth element specifies authentication type
    89. Connections Server to Server Communication & SSO
    90. Connections Server to Server Communication & SSO
    91. Connections Server to Server Communication & SSO – Alternative Inter Service Configuration
    92. SSO: LotusConnections-config.xml
    93. Agenda
       - Options for Securing Lotus Connections
    94. SSO
    95. New User Life Cycle Options in 3.0
    96. Q&A
    97. Why we need this
       - Listened to many customers
    98. Heard of situations where
         - Maternity / Paternity Leave
    99. Leave of Absence (Education, Military, etc)
    100. Left the company
    101. Etc
    102. Why we need this (cont'd)
       - In 2.5, we had profile types
    103. Required manual work via TDI
         - No need to re-invent the wheel!
       - Wanted to simplify this process for everyone
       Photo credit:
    104. Tivoli Directory Integrator: Keeping Profiles in Sync
       - TDI assembly line: connectors, flow controls, loops, branches
    105. Supports two-way synchronization on LDAP attributes
    106. Hooks enable scripting and customization
       - Use it for
         - Initial population
    107. Frequent updates
       - 3.0 Introduces Inactive Users!!!
    108. Data Integrity – don't delete old data
       - If you delete a user, you lose authorship information and data consistency
    109. Don't delete the data, let your TDI assembly line inactivate the user
    110. Profiles Platform Commands
       - Drive administrative events from a single application
    111. Provides a framework for future unified commands
    112. User Life Cycle should be preceded by name synchronization in each Application
         - Each application maintains its own user mapping table in the application database and it needs to be synchronized with LDAP, inactivating users not found in LDAP
    113. Inactivating clears the user's login ids & email.
       - Frequent periodic TDI Sync can be created to automatically mark users inactive
    114. Profiles propagates the command to inactivate a user across all components
    115. Administrator can re-activate users
    116. Initial Synchronization
       - wsadmin command session
           [root@tapstage bin]# ./ -lang jython
           wsadmin> execfile("…")
           Connecting to WebSphere:name=ActivitiesAdminService,type=LotusConnections,cell=tapstageCell01
       - Synchronize users
           wsadmin> ActivitiesMemberService.syncAllMembersByExtId(...)
           syncAllMembersByExtId request processed
           wsadmin>
    117. Check the logs....
       - Locate the log file on the node specified when you started the WSADMIN command
           /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/clusterA_server1/ActivitiesUlcSyncCmd.log
       - Typical log messages about users that are not found and are Inactivated
           [2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: b5bd83c0-8f09-1028-910f-db07163b51b2, application id 001G091E0E4B47BEF6967B3131AD59003CD0]
    118. Resolving user mismatches
       - Mismatch needs investigation
    119. [2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID , application id LC_ID ] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID . The member was not updated since this action was disabled by the command.
    120. Review the information from HR systems about the user identified by external id NEW_LDAP_ID and determine if this entry matches Benjamin Button or if the person has left the company.
    121. Resolving user mismatches (continued)
       - If the User has left, inactivate:
           ActivitiesMemberService.inactivateMemberByExtId("LDAP_ID")
       - If Old and New ids reflect the same person, synchronize the user accounts:
           ActivitiesMemberService.syncMemberByExtId("OLD_LDAP_ID", {"newExtId": "NEW_LDAP_ID"})
       - Good details here:
    122. Agenda
       - Options for Securing Lotus Connections
    123. SSO
    124. New User Life Cycle Options in 3.0
    125. Q&A
    126. Related Sessions
       - JMP205 IBM Lotus Connections 3.0 Administration Overview – Sunday, 1:30pm
    127. SHOW202 Enterprise 2.0 Hero: A Beginner’s Guide to Installing IBM Lotus Connections 3.0 – Monday, 4:30pm
    128. SHOW203 Lotus Connections 3.0 – Enterprise Integration for Administrators – Sunday, 4:00pm
    129. BP105 Twelve MORE Things Your Mother Never Told You About Deploying IBM Lotus Connections 3.0 – Thursday, 10am
    130. BP114 IBM Lotus Connections Administration: From the Command Line to a Graphical UI – Tuesday, 4:45pm
    131. BP303 Social Comes to You: How to Bring IBM Lotus Connections to Your Application in Context! – Wednesday, 11:15am
    132. INV111 Making Decisions Collaboratively with Cognos Business Intelligence and IBM Lotus Connections – Tuesday, 10am
    133. AD303 Connecting Developers and Community with Rational Jazz and Lotus Connections – Tuesday, 1:30pm
    134. AD304 Customizing Lotus Connections 3.0 – Tuesday, 10am
    135. ID301 What's New in IBM Lotus Connections 3.0 – Monday, repeats on Tuesday, 11am
    136. ID302 Best Practices for a Happy and Healthy IBM Lotus Connections Deployment! – Tuesday, 1:30
    137. ID303 Exceptional Work Experience - Integrating and Extending Lotus Connections, WebSphere Portal, Lotus Quickr, Lotus Notes, Lotus Sametime and ECM – Monday, 11am
    138. ID305 Build Large-scale Performing Enterprise Solutions for IBM Lotus Connections – Tuesday, 4:45
    139. ID306 Compliance and Moderation with Lotus Connections 3.0 – Wednesday, 4:15
    140. References
       - V3 System Requirements:
    141. V3 Single Sign On:
    142. All about security in v3:
    143. Configuring Siteminder with Lotus Connections 3.0:
    144. Use caution with the version 2.5 guides – concepts remain the same, but details may have changed in some cases:
         - Lotus Connections 2.5 and Kerberos/SPNEGO:
    145. Configuring IBM TAM with Lotus Connections 2.5:
    146. Lotus Connections 2.5 Security Guidelines:
    147. Legal Disclaimer © IBM Corporation 2011. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Connections, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.
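As an added example (not from the presentation or from IBM), the checklist on the "Keys to successful LTPA Configuration" and "Troubleshooting LTPA" slides turned into pre-flight checks that run over a server inventory: the inventory, the 300-second clock-skew tolerance and the SHA-256 key fingerprinting are assumptions of this example, while the cookie-domain rule is the standard RFC 6265 domain match that decides whether the LtpaToken cookie is ever sent to a given host.

```python
"""LTPA SSO pre-flight checks: added example, not from the presentation or IBM.
Checks FQDN host names, membership in the SSO cookie domain, clock skew, one
shared LTPA key, consistent expiration and auto-generation off. Data is constructed."""
import hashlib
import ipaddress
from dataclasses import dataclass

@dataclass
class Server:
    hostname: str          # what "hostname" / "ipconfig /all" reports on the box
    ltpa_key: bytes        # LTPA key material the server imported (constructed)
    clock_offset_s: float  # seconds ahead (+) or behind (-) a reference clock
    ltpa_timeout_min: int  # configured LTPA token expiration in minutes
    ltpa_autogen: bool     # automatic LTPA key generation enabled?

def is_fqdn(hostname):
    """Fully qualified means at least one dot and not a bare IP address."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        return "." in hostname.strip(".")

def in_sso_domain(hostname, sso_domain):
    """RFC 6265 domain matching: a cookie scoped to sso_domain is only returned
    to hosts that equal it or end with "." + sso_domain (subdomains)."""
    host = hostname.lower().rstrip(".")
    dom = sso_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)

def check_ltpa_domain(servers, sso_domain, max_skew_s=300):
    """Return (hostname, problem) tuples; empty means the checklist passed.
    max_skew_s is an assumed tolerance, not a product-documented value."""
    problems = []
    for s in servers:
        if not is_fqdn(s.hostname):
            problems.append((s.hostname, "not a fully qualified domain name"))
        if not in_sso_domain(s.hostname, sso_domain):
            problems.append((s.hostname, "outside SSO domain %s: cookie not sent" % sso_domain))
        if abs(s.clock_offset_s) > max_skew_s:
            problems.append((s.hostname, "clock skew %.0fs exceeds %ds" % (s.clock_offset_s, max_skew_s)))
        if s.ltpa_autogen:
            problems.append((s.hostname, "automatic LTPA key generation is on"))
    # Compare key fingerprints, not raw key bytes, so the report can be shared.
    fps = {s.hostname: hashlib.sha256(s.ltpa_key).hexdigest()[:16] for s in servers}
    if len(set(fps.values())) > 1:
        problems.append(("*", "servers do not share one LTPA key: %s" % fps))
    timeouts = sorted({s.ltpa_timeout_min for s in servers})
    if len(timeouts) > 1:
        problems.append(("*", "LTPA expiration differs across servers: %s" % timeouts))
    return problems

# Constructed inventory: two good hosts, one in the wrong domain, one short-named stray.
SHARED_KEY = b"constructed-shared-ltpa-key-material"
SAMPLE_SERVERS = [
    Server("connections.example.com", SHARED_KEY, 2.0, 120, False),
    Server("domino.mail.example.com", SHARED_KEY, -40.0, 120, False),
    Server("portal.example.org", SHARED_KEY, 1.0, 120, False),
    Server("was7", b"constructed-other-key", 900.0, 60, True),
]

if __name__ == "__main__":
    for host, why in check_ltpa_domain(SAMPLE_SERVERS, ".example.com"):
        print("%-26s %s" % (host, why))
```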
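A second added example (again not from the presentation or from IBM): a parser for the ActivitiesUlcSyncCmd.log messages shown on the "Check the logs" and "Resolving user mismatches" slides, which turns each reviewed mismatch into the inactivateMemberByExtId / syncMemberByExtId calls from slide 121 for every application member service, following the "investigate once, batch across all apps" advice in the slide notes. The sample log is constructed from the slides' own lines; member-service names other than ActivitiesMemberService are an assumption to fill in from the Connections documentation.

```python
"""Parse ActivitiesUlcSyncCmd.log and build a wsadmin follow-up batch.
Added example, not from the presentation or IBM. SAMPLE_LOG is constructed from
the log lines on the slides; service names other than ActivitiesMemberService
are assumed and must come from the Connections documentation."""
import re

# Member inactivated because the external id was not found in LDAP (CLFWY0261I).
INACTIVATED_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] CLFWY0261I: .*?inactivated member (?P<name>.+?) "
    r"\[current external id:\s*(?P<ext>\S+?)\s*,\s*application id\s*(?P<app>\S+?)\s*\]")
# Mismatch: no ext id match, but login/email matched another ext id (CLFWY0242W).
MISMATCH_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] CLFWY0242W: .*?active member (?P<name>.+?) "
    r"\[current external id:\s*(?P<ext>\S+?)\s*,\s*application id\s*(?P<app>\S+?)\s*\]"
    r".*?to external id\s*(?P<new_ext>\S+?)\s*\.")

SAMPLE_LOG = """\
syncAllMembersByExtId request processed
[2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID , application id LC_ID ] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID . The member was not updated since this action was disabled by the command.
[2010-12-21 07:34:32] CLFWY0261I: The synchronize command inactivated member Betsy Craig [current external id: b5bd83c0-8f09-1028-910f-db07163b51b2, application id 001G091E0E4B47BEF6967B3131AD59003CD0]
"""

def parse_sync_log(text):
    """Return (inactivated, mismatches): lists of dicts keyed by the regex group names."""
    inactivated, mismatches = [], []
    for line in text.splitlines():
        m = INACTIVATED_RE.search(line)
        if m:
            inactivated.append(m.groupdict())
            continue
        m = MISMATCH_RE.search(line)
        if m:
            mismatches.append(m.groupdict())
    return inactivated, mismatches

def build_batch(mismatches, decisions, services=("ActivitiesMemberService",)):
    """decisions maps a mismatched old external id to the reviewer's verdict:
    "left" (person is gone: inactivate) or "same" (same person: re-link to the new
    id). Ids without a verdict are left untouched, exactly as the sync command did."""
    commands = []
    for mm in mismatches:
        verdict = decisions.get(mm["ext"])
        for svc in services:   # external ids are consistent across all applications
            if verdict == "left":
                commands.append('%s.inactivateMemberByExtId("%s")' % (svc, mm["ext"]))
            elif verdict == "same":
                commands.append('%s.syncMemberByExtId("%s", {"newExtId": "%s"})'
                                % (svc, mm["ext"], mm["new_ext"]))
    return commands

if __name__ == "__main__":
    inactivated, mismatches = parse_sync_log(SAMPLE_LOG)
    print("inactivated:", [(m["name"], m["ext"]) for m in inactivated])
    print("to review:", [(m["name"], m["ext"], m["new_ext"]) for m in mismatches])
    # Constructed verdict after checking HR: the two ids belong to the same person.
    for cmd in build_batch(mismatches, {"LDAP_ID": "same"}):
        print(cmd)
```

The emitted lines are meant to be pasted into the same wsadmin session shown on slide 116, one block per application, after the HR review described on slide 120.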