Experience from a 6-month project to upgrade all infrastructure to Domino/Notes 9.0.1, extending the life of the TGA's Domino web and Notes application environment by providing Single Sign On and data sharing through Notes Federated Login (NFL), Web Federated Login (WFL) and Cross Origin Resource Sharing (CORS) together with Microsoft's Active Directory Federation Services (ADFS).
Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies
1. Domino/Notes 9.0 upgrade to take advantage of NFL, WFL and CORS technologies
Andrew Luder | Director/Developer | NotesTools Pty Ltd
notestools.com.au
2. June 11th & 12th, Melbourne, Australia. Meet.Share.Learn.Connect @AusLUG #@Inform2015
About Me
• Started my business NotesTools Pty Ltd 5 years ago, initially providing formal business support to the OpenNTF project "DominoDefrag". Have since expanded the business to provide a wider range of products and services.
• IBM R8.5 Certified Application Developer with over 15 years' experience in providing Lotus Domino/Notes/Sametime infrastructure and application development services to Australian government, primarily:
  – Department of Defence (DOD)
  – Department of Health, Therapeutic Goods Administration (TGA)
• Just completed an R901 Domino and Notes upgrade project @ TGA.
• Many years' experience in providing open source solutions such as "DominoDefrag" (2009) and "R5 Database Manager" (2004) to the Lotus Notes community.
• I was given public recognition in May 2010 for "DominoDefrag", which was honored by OpenNTF as project of the month; Bruce Elgort / Nicklas Heidloff later presented it at Lotusphere 2011 in Orlando as a featured project.
3. Presentation Coverage
• My experience from a 6-month project @ TGA to upgrade all infrastructure to Domino/Notes 9.0.1 to extend the life of its Domino web and Notes application environment by providing Single Sign On (SSO) and data sharing capabilities. Briefly cover:
  – Background
  – Business and Technology Goals
  – Terminology and Infrastructure
• Fill in the knowledge gaps when implementing technologies such as:
  – Microsoft's Active Directory Federation Services (ADFS)
  – Notes Federated Login (NFL)
  – Web Federated Login (WFL) – only Web SAML SSO
  – Cross Origin Resource Sharing (CORS)
  – Providing Domino web services to other consumers such as Microsoft Dynamics Customer Relationship Management System (CRM)
  – Securely consuming Internet Information Services (IIS) web services with Domino Java agents
Background
• Over the past decade most Commonwealth departments and agencies have
moved their mail from Domino to Exchange not considering impact on existing
Domino business apps.
• A lot of money has been wasted in attempts to get business apps across to
SharePoint / .NET because a migration tool or external auditor said so…
• Most Commonwealth work places still have their business apps running off
v6.5/7.0/8.0/8.5 Domino infrastructure and thankfully Domino just works when
that next Windows upgrade comes round!
• TGA was one of the last Domino mail places migrated to Exchange last year
and the quick “one-size fits all” Microsoft approach would NOT work because
our revenue is generated from public Domino web and internal Notes client
business apps…
• So given Government spending constraints and the need to ensure business
continuity to keep generating money, there’s not much room to reinvent the
wheel. So how do you leverage your existing Domino apps?
Business Goals
• Provide a new customer TGA Business Services (TBS) Microsoft dashboard
portal to complement the existing eBusiness Services (eBS) Domino work portal
• Keep existing Domino business applications
• Provide employees with one set of authentication credentials (Internal users)
• Provide customers with one set of authentication credentials (DMZ users)
• Ensure Commonwealth password complexity rules are met
• Streamline customer account management and directories
• Share data seamlessly between Domino and Microsoft systems
• Share code between Domino and Microsoft systems
Technology Goals
• Upgrade Domino and Notes environments to R901 to support Single Sign On
(SSO) capabilities using Microsoft Active Directory Federation Services (ADFS)
on Windows 2012 R2.
• Implement Notes Federated Login (NFL) for the Notes 901 client using ADFS
and Integrated Windows Authentication (IWA) / SPNEGO.
• Implement Web Federated Login (WFL) for Domino 901 web site using ADFS
SAML Web SSO
• Implement Domino web Cross-Origin Resource Sharing (CORS) solution using
IBM HTTP stack and ADFS SAML Web SSO.
• Implement internal web services for data exchange between Domino and
Microsoft systems using IWA / SPNEGO.
• Implement external Domino Java agents for secure data exchange with internal
Microsoft web services.
• Implement Team Foundation Server (TFS) solution to branch manage code in
Domino XML (DXL) and share code with all developers easily
• Move customer account management functionality from Domino into CRM
Terminology Acronyms
• ADFS - Active Directory Federation Services
• CORS – Cross Origin Resource Sharing
• IdP – Identity Provider
• IWA – Integrated Windows Authentication (uses SPNEGO)
• NFL – Notes Federated Login
• WFL – Web Federated Login (only use SAML Web SSO)
• SAML - Security Assertion Markup Language
• SP – Service Provider
• SPNEGO – Simple and Protected GSSAPI Negotiation Mechanism
• TLS – Transport Layer Security
Some terms are explained through the presentation, but I aim to fill in the gaps where, in
my experience, the standard materials fell short.
Terms - Active Directory Federation Services (ADFS)
• Active Directory Federation Services (ADFS) is a software component
developed by Microsoft that can be installed on Windows Server operating
systems to provide users with single sign-on access to systems and
applications located across organisational boundaries. It uses a claims-based
access control authorisation model to maintain application security and
implement federated identity.
• In ADFS, identity federation is established between two organisations by
establishing trust between two security realms. A federation server on one side
(the Accounts side) authenticates the user through the standard means
in Active Directory Domain Services and then issues a token containing a series
of claims about the user, including its identity.
Source: http://en.wikipedia.org/wiki/Active_Directory_Federation_Services
• Domino v9.0.1 supports ADFS as an Identity Provider (IdP).
• The Windows 2012 R2 ADFS service (v3.0) provides support for the SAML 2.0
protocol. TGA has also customized its ADFS service login page; see the TBS login page on the next slide.
Terms – ADFS - TBS Login Page for AD credentials
Terms - Security Assertion Markup Language (SAML)
• Security Assertion Markup Language (SAML) is an XML-based, open-standard
data format for exchanging authentication and authorisation data between
parties, in particular, between an identity provider and a service provider. SAML
is a product of the OASIS Security Services Technical Committee. SAML dates
from 2001; the most recent major update of SAML was published in 2005, but
protocol enhancements have steadily been added through additional, optional
standards. The single most important requirement that SAML addresses is web
browser single sign-on (SSO).
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
• Domino v9.0.1 supports the secure SAML 2.0 protocol version.
Terms – Cross Origin Resource Sharing (CORS)
• Cross-origin resource sharing (CORS) is a mechanism that allows many
resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from
another domain outside the domain from which the resource originated. In
particular, JavaScript’s AJAX calls can use the XMLHttpRequest mechanism.
• Such “cross-domain” requests would otherwise be forbidden by web browsers,
per the same-origin security policy. CORS defines a way in which the browser
and the server can interact to determine whether or not to allow the cross-origin
request. It is more useful than only allowing same-origin requests, but it is more
secure than simply allowing all such cross-origin requests.
Source: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
• TGA has implemented a secure CORS solution where through a web browser
the TBS site makes “cross-domain” requests to the eBS site to obtain JSON
data. This is done seamlessly using the client’s ADFS Login credentials.
Infrastructure - SAML Federated Identity Architecture
• SAML Identity Provider (IdP):
– ADFS 3.0 service creating the SAML 2.0 assertion
• Service Provider (SP):
– Domino 9.0.x service processing the SAML 2.0 assertion
• Clients used for accessing services:
– Web Browser / Notes 9.0.x standard client embedded browser
Infrastructure - TGA Internal and DMZ Domains
• Domino & Notes 9.0.x resources authenticate using ADFS services inside new
Windows 2012 R2 Internal and DMZ Active Directory domains. There is one
domain in each forest.
• Notes Federated Login (NFL) and Integrated Windows Authentication (IWA) /
SPNEGO authentication are used for Notes client and Domino web service
technologies in the Internal AD Domain.
• Web Federated Login (WFL - ADFS SAML SSO) is used for Cross Origin
Resource Sharing (CORS) between the Domino and ASP.NET web sites and
client browser access to them.
• DMZ Domino Java agents securely consume internal IIS RESTful web services
Infrastructure - TGA Internal ADFS & Domino
• Upgraded Domino & Notes 9.0.x Windows 2008 R2 domain resources
authenticate using new Windows 2012 R2 domain ADFS services by way of
two-way transitive trusts between these AD forests.
Infrastructure - TGA DMZ ADFS & Domino
• Upgraded Domino 9.0.x server and ADFS web service are in the DMZ Windows
2012 R2 AD domain and use the same security token service (STS) which in
this case is ADFS v3.0.
• Each web site has a separate relying party (RP) configured within ADFS, one
configured with the use of WS-Fed (Business Portal) https://business.tga.gov.au
and one configured to use SAML 2.0 (eBS Domino) https://www.ebs.tga.gov.au
[Diagram: External Users (Authenticated Public Users) -> Business Portal (WS-Fed, Business Relying Party) and eBS Domino (SAML 2.0, eBS Relying Party), over HTTPS -> AD FS 3.0 -> Active Directory]
Notes Federated Login (NFL)
• Notes Federated Login (NFL) is a federated-identity authentication process that
uses the Security Assertion Markup Language (SAML) standard to relieve
Notes client users of the need to enter a Notes password.
• Users' IDs must be stored in an ID vault whose Domino server is configured
with host names for identity provider (IdP) partnership with Microsoft’s Active
Directory Federation Services (ADFS). Notes client users' ID file contents are
stored in memory on the client after being downloaded from the ID vault.
• Good reference materials are:
– Andy Pedisich/Rob Axelrod - “Connect 2014 SSO Materials” (‘show100.ppt’)
http://www.andypedisich.com/blogs/andysblog.nsf/dx/connect2014resources.htm
– Jane Marcus - “Intro to Notes Federated Login (SAML)” (26 Mar 14)
http://www-01.ibm.com/support/docview.wss?uid=swg27041524
– Gabriella Davis - “A Technical Guide To Deploying Single Sign On” (26 May 14)
http://www.slideshare.net/gabturtle/sso-tech
– Walter Tobin - “Security Assertion Markup Language (SAML) NFL” (27 Aug 13)
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes_Federated_Login
NFL - Process Diagram
Source: Jane Marcus presentation
NFL - ADFS - Installation on member server
• Install the ADFS service on a member server. When I installed on a domain
controller I had lots of intermittent problems getting the ADFS service to
consistently start. Found the best places for services in a small environment
were:
– Domain controller -> Certificate Services, Domain Services and Domain Name
Services (DNS).
– Member server -> ADFS and IIS.
NFL- ADFS - Site name in DNS
• Create the ADFS web site name as a host name (A) record and not a CNAME
in DNS. I could not get NFL to work using a CNAME.
NFL - ADFS - Create Domino Friendly Certificate Template
• The ADFS service certificate needs to be created with a modified Windows
2012 R2 CA certificate template including the “Signature of proof of origin
(nonrepudiation)” Key Usage extension. Otherwise, the certificate will not import
into the Domino Directory for cross certification with the ID Vault certificate.
NFL – ADFS - Certificate Permission
• Ensure the ADFS service account has full control of the ADFS service
certificate, otherwise the service will not run properly.
NFL – ADFS - Extended Protection PowerShell
• Extended Protection needs to be turned off through PowerShell so Integrated
Windows Authentication (IWA) works. This is on by default to prevent “man-in-the-middle”
(MITM) attacks, but is low risk in internal networks and needs to be
off for IWA to work. Use the PowerShell command:
– Set-AdfsProperties -ExtendedProtectionTokenCheck None
• Restart the ADFS service
NFL – ADFS - Supported User Agents PowerShell
• Add “Mozilla/5.0” to the list of Supported User Agents in PowerShell. This is
what the internal Notes 9.0.1 standard client browser engine identifies itself as
to ADFS. Use PowerShell commands:
– Set-AdfsProperties -WIASupportedUserAgents @("Mozilla/5.0", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "MSIE 11.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client")
– Get-AdfsProperties | Select -ExpandProperty WIASupportedUserAgents
NFL – Domino - ID Vault and IDP Cat Names
• The ID Vault config name needs to match the IdP catalog name. An ID Vault name
such as “vault.home.net.local” does not need to be DNS resolvable, and the
vault Domino server does not need the HTTP task running.
NFL – Domino - Explicit Policy for Notes 9 Users
• Create an explicit ADFS policy rather than an organisational one (I found this
easier to manage for Citrix users)
NFL - Domino - Push cross-certificates using security policy
• Use security policy to push the ID vault user creation certificate and ADFS
cross-certificate to Notes 9.0.1 client.
• Do not use the ‘Deploy.nsf’ technique mentioned in some NFL presentations. I
have not managed to get it to work properly yet and raised a PMR.
NFL - Domino - Complement with Notes Shared Login (NSL)
• Define NFL in combination with Notes Shared Login (NSL) in security policy to
allow ID Vault off-line Notes client use. NSL does not work with Citrix users.
• Go to the “Notes Shared Login” tab and then make sure following values set:
– Enable Notes shared login with operating system: "Yes"
– How to apply this setting: "Set value whenever modified"
NFL – Domino - Federated Logon security policy settings
• Go to the “Federated Login” tab and then make sure following values set:
– Enable Notes Federated login with SAML IdP: "Yes"
– How to notify users when enabled : "System dialog"
NFL – Domino - ID Vault security policy settings
• Go to the “ID Vault” tab, make sure following values set:
– Allow Notes-based programs to use the Notes ID Vault: "Yes"
– Allow automatic ID downloads: "Yes"
NFL – Domino - ID Vault Password Reset Authority
• Make sure a Password Reset Authority is defined for Notes administrators /
helpdesk users so they can reset user passwords in the ID Vault
NFL – Notes – Do NOT install AD Sync service
• Do not install the Notes Single Login Feature (old Notes AD synchronization
service) as it is not compatible with either NFL or NSL
NFL – Notes - C:\ProgramData\IBM\Notes\Data\notes.ini
• The Notes 9 standard client multi-user Notes INI should at least contain the
following settings:
[Notes]
KitType=1
SharedDataDirectory=C:\ProgramData\IBM\Notes\Data\Shared
InstallType=6
InstallMode=1
NotesProgram=c:\Program Files (x86)\IBM\Notes
ConfigFile=C:\ProgramData\IBM\Notes\config.txt
NFL – Notes - C:\ProgramData\IBM\Notes\config.txt
• The Notes 9.0.x standard client multi-user config file should at least contain the
following settings:
UserName=%USERNAME%
Domino.Name=THUNDERSTRUCK/ACDC
Domino.Server=1
Domino.Port=TCP/IP
AdditionalServices=-1
• A Notes Federated Login user can't use the common name to set up the Notes client
when ‘deploy.nsf’ is used. I believe this extends to my use of %USERNAME% too
and have raised a PMR.
Related technote: http://www-01.ibm.com/support/docview.wss?uid=swg21628894
NFL – Notes - User Creation
• Create Notes users as roaming, with ID in vault and assign an Explicit Notes 9
ADFS policy.
• For Notes initial setup to work using NFL ensure the Domino Directory person
document created with:
– The “ShortName” field value matching AD common name value from
%USERNAME% in the config file
– The “InternetAddress” field value matches the AD user object mail attribute value
NFL – Notes - Multi-user setup process
• The initial client setup process requires for each computer:
1. Initial ID vault default password interaction with user
2. NFL downloads user.ID from vault once with messages
3. NSL is applied to user.ID in the
C:\Users\%username%\AppData\Local\IBM\Notes\Data folder, with a status bar
message notifying that it was applied; on restart no password is required
NFL – Notes - Client quick fix process for helpdesk
• The Notes standard 9.0.x client quick fix process for helpdesk:
– Set a default password in the ID vault for the user (if there is no password)
– Simply remove the “C:\Users\%username%\AppData\Local\IBM\Notes\Data” folder and
let it rebuild
Web Federated Login (WFL) - SAML Web SSO
• Web Federated Login (WFL) - SAML Web SSO is a federated-identity
authentication process that uses the SAML standard to relieve Domino web
client users of the need to enter a HTTP password.
• The Domino service provider (SP) is configured in partnership with the ADFS
identity provider (IdP) to ensure clients only require an Active Directory (AD)
user name and password to access Domino web resources.
• Good material references are:
– Andy Pedisich/Rob Axelrod “Connect 2014 SSO Materials” (‘show100.ppt’)
http://www.andypedisich.com/blogs/andysblog.nsf/dx/connect2014resources.htm
– Yvonne Devlin – “Web Federated Login (SAML) with iNotes & IAW” (21 May 14)
http://www-01.ibm.com/support/docview.wss?uid=swg27041552
WFL- SAML Web SSO Process Diagram
Source: Yvonne Devlin presentation
WFL – SHA-256 Certificate Purchase
• Purchase SHA-256 (typically RSA) issued certificates from a vendor such as Verisign for
public facing ADFS, IIS and Domino web service sites. SHA-1 certificates have a limited
life, until the end of 2016.
WFL – SHA-256 Certificate Domino Configuration
• Configure SHA-256 certificates with either Domino 9.01 FP3 IF2 or IBM HTTP Server to
use TLS 1.2 with FIPS140-2 support (turns off RC4 ciphers) to mitigate vulnerabilities
such as POODLE (which stands for "Padding Oracle On Downgraded Legacy
Encryption")
• In the Domino service IBM HTTP Apache ‘domino.config’ file add the following:
Listen 0.0.0.0:443
## IPv6 support:
#Listen [::]:443
<VirtualHost x.x.x.x:443>
ServerName ASP.NET website FQDN
SSLEnable
## Simply turn off RC4 ciphers by enabling FIPS140-2 support ... http://www-01.ibm.com/support/docview.wss?uid=swg21701072
SSLFIPSEnable
SSLProtocolDisable SSLv2 SSLv3 TLSv10 TLSv11
# Enable strict CBC padding
SSLAttributeSet 471 1
WFL – SHA-256 Certificate Test
• Go to https://www.ssllabs.com/ssltest to test website SHA-256 certificates and
configuration. This gives a better chance of an A+ or A rating.
WFL – Another Useful Claim Rule Attribute
• Commonly the AD user object Mail attribute (E-Mail-Addresses) is used as the
LDAP attribute to map to the Domino Directory person document
InternetAddress (Name ID) when creating a Claim Rule for a Relying Party
Trust with Domino in ADFS.
• Another useful LDAP attribute to use in Claim Rules is the User-Principal-Name
(UPN) for uniquely identifying users. E.g. AD UPN = andrew.luder@addomain
WFL – Single Log Out ADFS SSOLifeTime PowerShell
• With the introduction of the ADFS SAML SSO session, the concept of the old
Domino 30 minute idle session time is now defunct. Also, to “log out” properly
the browser must be closed, as Domino 9.0.x currently does not support
single logout for ADFS SAML 2.0.
• The lifetime of the SAML session token ADFS issues to Domino has a hard
limit, 480 minutes by default, specified by the SSOLifeTime property. The PowerShell
command Set-AdfsProperties -SSOLifeTime <minutes> sets it.
WFL – Single Log Out Domino SAML Session
• Given the ADFS SSOLifeTime 480 minute limit, it was pointless to have Domino
set to 30 mins, as this was upsetting the functionality of XPages web applications,
which sometimes froze after 30 mins of activity or idleness.
• Ensure the Domino SAML single server session expiration matches the ADFS
SSOLifeTime default of 480 mins
WFL – Single Log Out ADFS & Domino Time Differences
• In practice both the ADFS 3.x and Domino 9.x services should be using the
same time servers. As a rule, to ensure Domino can deal with a session time
difference, use the following SAML Notes INI parameters:
– SAML_NotOnOrAfterSkewInMinutes=10
– SAML_NotBeforeSkewInMinutes=10
• This ensures Domino can handle ADFS time variations of 10 minutes either
way relative to the 8 hours given to Domino session cookies
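As an added example (not from the presentation and not Domino's own code) of what those two Notes INI parameters do: the validity window in the SAML assertion's Conditions element is widened by the skew on each side before the service provider's clock is compared with it. The Conditions element below is constructed, the parsing is a regex rather than a real XML parser, and the function names are hypothetical.

```javascript
// Skew values from the slides (SAML_NotBeforeSkewInMinutes / SAML_NotOnOrAfterSkewInMinutes).
const NOT_BEFORE_SKEW_MIN = 10;
const NOT_ON_OR_AFTER_SKEW_MIN = 10;

// Constructed sample: the Conditions element ADFS puts in an assertion for the
// eBS relying party. ADFS typically issues a window only a few minutes wide,
// which is why clock drift between IdP and SP matters so much.
const SAMPLE_CONDITIONS =
  '<saml:Conditions NotBefore="2015-06-11T00:00:00.000Z" NotOnOrAfter="2015-06-11T00:05:00.000Z">' +
  '<saml:AudienceRestriction><saml:Audience>https://www.ebs.tga.gov.au</saml:Audience>' +
  '</saml:AudienceRestriction></saml:Conditions>';

// Pull NotBefore / NotOnOrAfter out of a <Conditions ...> element (hypothetical helper).
function parseConditions(xml) {
  const m = /<(?:\w+:)?Conditions\b([^>]*)>/.exec(xml);
  if (!m) throw new Error("no Conditions element in assertion");
  const attr = (name) => {
    const a = new RegExp(name + '="([^"]+)"').exec(m[1]);
    return a ? new Date(a[1]) : null;
  };
  return { notBefore: attr("NotBefore"), notOnOrAfter: attr("NotOnOrAfter") };
}

// The time check with skew applied: accept if
//   NotBefore - nbSkew <= now < NotOnOrAfter + noaSkew
// With both skews at 0 the SP rejects an assertion whose IdP clock is even
// slightly ahead or behind; with 10 minutes each way, ADFS/Domino drift of
// up to 10 minutes is tolerated. This is independent of the 480 minute
// session cookie lifetime, which starts only after the assertion is accepted.
function assertionTimeValid(conditions, now,
                            nbSkewMin = NOT_BEFORE_SKEW_MIN,
                            noaSkewMin = NOT_ON_OR_AFTER_SKEW_MIN) {
  const ms = (min) => min * 60 * 1000;
  const t = now.getTime();
  if (conditions.notBefore && t < conditions.notBefore.getTime() - ms(nbSkewMin)) return false;
  if (conditions.notOnOrAfter && t >= conditions.notOnOrAfter.getTime() + ms(noaSkewMin)) return false;
  return true;
}

// Stand-alone run: an SP clock 8 minutes behind the IdP passes only with skew.
const conditions = parseConditions(SAMPLE_CONDITIONS);
const spClock = new Date("2015-06-10T23:52:00Z");
console.log("with skew:", assertionTimeValid(conditions, spClock));          // true
console.log("without skew:", assertionTimeValid(conditions, spClock, 0, 0)); // false
```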
Cross Origin Resource Sharing (CORS)
• CORS aims to have two websites (sites, pages, APIs etc.) agree on what kind
of resources and types of requests one website will provide to another. Both
must agree exactly on what is being shared and how.
• There’s a few parties who need to participate to enable CORS – the two parties
involved, of course, and the user’s browser. Both sites need to request and
respond to each other in an expected manner, and browsers need to be aware
of, and in some cases make special requests to ensure CORS works correctly.
• In essence, what happens is that both websites agree on how resources will be
shared. The requesting site must be known as an “allowed origin” by the site
providing the resources. The response also must contain headers which
contain scope for acceptable resource sharing, e.g. naming allowable methods
(e.g. GET, PUT) and whether credentials are supported. Browsers themselves
are the last key – they must respect the restrictions established by the
requesting site and the resource site.
Source: http://sanderstechnology.com/2014/getting-to-know-cross-origin-resource-sharing-cors
CORS – TGA Background Part 1
• In the early stages of the development and deployment of the ASP.NET
Business Portal, as most of the data associated with external users resided
within the existing Domino 9.0.x web application (eBusinessServices – eBS),
there was an early need to be able to consume Domino as a data provider.
• Under the claims-based design approach, both the new Business Portal and the
eBS Domino web sites had the ability to authenticate external users to produce
SAML or WS-Fed claims. In theory, one site could make HTTPS requests
across the domain, as the sites would exist within the same domain.
CORS – TGA Background Part 2
• This introduced a need to support CORS (supported by modern web browsers) to get
menu, news and application JSON data from the eBS Domino 9.0.x web site
across to the new ASP.NET Business portal.
CORS – TGA Problem Domain
• The initial problem was getting an ASP.NET based web site, using Windows
Identity Framework (WIF) and WS-Federation to be able to make a valid
HTTPS GET request of the existing Domino 9.x web site, which uses SAML 2.0
claims.
• Domino provides JSON responses to requests to views which it defines and
hosts. In theory, a valid request should produce a response containing the
requested data in JSON format.
• The “single sign on” approach, whereby a user could authenticate to both
existing and new web sites with a single set of credentials, and only be
prompted once per session was working.
• We required CORS authenticated by SAML Web SSO, but the only evidence of
successful CORS usage on the Domino/IBM HTTP stack was anonymous data
exchange, where NO pre-flight request is required.
– E.g. Header always set Access-Control-Allow-Origin "*"
CORS – TGA Errors and Pre-flight Issues
• The first time a cross-site request was made (and subsequent attempts) the
browser JavaScript console logged the following error:
XMLHttpRequest cannot load https://<DOMINO_SERVER>/.....nsf/?ReadViewEntries&outputformat=json... The request was redirected to 'https://<ADFS_SERVER>/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://<ASP.NET_SERVER>', which is disallowed for cross-origin requests that require preflight.
• With the following failed pre-flight information recorded against the network
traffic…
CORS – So what’s a Pre-flight Request?
• In some cases, a browser might make a special type of request known as an
OPTIONS request, which is sort of like an initial handshake before performing
the actual request specified (e.g. a GET request).
• In essence, an OPTIONS request attempts to determine what supported
methods and other information is available from a resource sharing server. In
browser terms, this is known as a “pre-flight” request and is often attempted
automatically by the browser.
• The first time a cross-site request might fail (and in subsequent attempts) the
browser’s JavaScript console might log something similar to the following error:
XMLHttpRequest cannot load https://<DOMINO_SERVER>/.nsf?ReadViewEntries&outputformat=json. The request was redirected to ‘https://<ASP.NET_SERVER>’, which is disallowed for cross-origin requests that require preflight.
Source: http://sanderstechnology.com/2014/getting-to-know-cross-origin-resource-sharing-cors
CORS – Domino Pre-flight solution parameters
• The solution was to solve the CORS pre-flight issue which was preventing
successful cross-site OPTIONS request prior to the GET request.
• Domino needed the ability to respond to an anonymous HTTP OPTIONS
request with a HTTP status code of 200 in order for pre-flight to succeed, in
accordance with the W3C preflight-request standard
https://dvcs.w3.org/hg/cors/raw-file/tip/Overview.html#preflight-request
CORS – Domino Pre-flight IBM HTTP Apache solution
• The solution was to get the Domino 9.0.x IBM HTTP Apache stack to respond
with a 200 SUCCESS on every OPTIONS request from the ASP.NET site.
• This meant loading the rewrite module in the ‘Domino.config’ file by
uncommenting:
LoadModule rewrite_module modules/mod_rewrite.so
• Adding the following lines to the 443 virtual host section in the ‘Domino.config’ file:
#CORS Support Start – Response Headers
Header always set Access-Control-Allow-Origin "https://<ASP.NET_SERVER>"
Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Access-Control-Request-Headers, Access-Control-Allow-Methods, Access-Control-Allow-Origin, Access-Control-Allow-Credentials"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT, HEAD"
Header always set Access-Control-Allow-Credentials "true"
# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request
# (a non-3xx R= code makes mod_rewrite drop the substitution and stop, so the request never reaches Domino authentication)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
#CORS Support End
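As an added example (not from the presentation and not IBM HTTP Server code), the decision those directives encode, written out as a function so the SAML-authenticated case above and the anonymous "*" case from the earlier slide can be compared side by side. The allowed origin is a placeholder for https://<ASP.NET_SERVER>, requests are plain objects with lower-case header names, and the function names are hypothetical.

```javascript
// Placeholder for https://<ASP.NET_SERVER>, the one origin the eBS site trusts.
const ALLOWED_ORIGIN = "https://business-portal.example.test";
const ALLOWED_METHODS = ["POST", "GET", "OPTIONS", "DELETE", "PUT", "HEAD"];
// Request headers the preflight may ask for (subset of the slide's list).
const ALLOWED_HEADERS = ["Origin", "X-Requested-With", "Content-Type", "Accept"];

// Build the CORS part of the response for one request.
// status 200 = answer the preflight here, before authentication (the job the
// RewriteRule does above); status null = add the headers and let Domino serve
// the real, cookie-authenticated request; 403 = refuse the preflight.
function corsResponse(req, credentialed = true) {
  const origin = req.headers["origin"];
  // No Origin header: same-origin or non-browser client, no CORS headers needed.
  if (!origin) return { status: null, headers: {} };

  const headers = {};
  if (credentialed) {
    // Credentialed mode (browser sends the Domino SAML session cookie): the
    // origin must be echoed exactly; browsers reject "*" with withCredentials.
    if (origin !== ALLOWED_ORIGIN) {
      // Unknown origin: send no CORS headers so the browser blocks the read.
      return { status: req.method === "OPTIONS" ? 403 : null, headers: {} };
    }
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    headers["Vary"] = "Origin"; // the response differs per origin; keep caches honest
  } else {
    // Anonymous mode from the "TGA Problem Domain" slide: any origin, no cookie.
    headers["Access-Control-Allow-Origin"] = "*";
  }

  if (req.method === "OPTIONS") {
    // Preflight. The browser never attaches cookies to it, so if it hit Domino's
    // session authentication it would be redirected to ADFS, which is exactly the
    // "redirected ... disallowed for cross-origin requests" console error.
    const wanted = req.headers["access-control-request-method"];
    if (wanted && !ALLOWED_METHODS.includes(wanted)) return { status: 403, headers: {} };
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    return { status: 200, headers };
  }
  return { status: null, headers };
}

// The browser's side of the contract: may the page at `origin` read the body?
function browserAllowsRead(responseHeaders, origin, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (!acao) return false;
  if (withCredentials) {
    return acao === origin && responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === origin;
}

// The exchange the jQuery query on the next slide triggers: its JSON
// contentType makes even a GET non-simple, so preflight then the real GET.
function crossOriginGetAllowed(origin, credentialed) {
  const pre = corsResponse(
    { method: "OPTIONS", headers: { origin, "access-control-request-method": "GET" } },
    credentialed);
  if (pre.status !== 200) return false; // failed preflight: the GET is never sent
  const res = corsResponse({ method: "GET", headers: { origin } }, credentialed);
  return browserAllowsRead(res.headers, origin, credentialed);
}

console.log("portal, SAML session:", crossOriginGetAllowed(ALLOWED_ORIGIN, true));          // true
console.log("other site, SAML session:", crossOriginGetAllowed("https://other.example.test", true)); // false
```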
CORS – Client / Query Request Chrome Results
• Once Domino 9.0.x was configured to respond with a Status of 200 for
OPTIONS requests, CORS began to work as expected. The validation of
claims, however, seemed to only work with Chrome when using a simple AJAX
JavaScript query like below:
var DominoQuery = function() {
  var url = 'https://<Domino_Server>/.nsf?ReadViewEntries&outputformat=json….';
  $.ajax(url, {
    type: "GET",
    contentType: "application/json; charset=utf-8",
    success: function(data, status, xhr) {
      alert(data);
    },
    xhrFields: {
      withCredentials: true   // send the Domino SAML session cookie with the cross-origin request
    },
    crossDomain: true
  });
};
CORS – Client / Query Request Other Browser Results
• In Internet Explorer 11 and Firefox 30 another solution was to explicitly
authenticate to Domino by programmatically creating an iFrame and having the
user authenticate first before making a query. This approach worked when
using a little more complicated JavaScript XMLHttpRequest.
• See http://caniuse.com/#feat=cors for CORS browser support
CORS – Completed Business Portal
• Successfully used CORS and WFL (Domino Web SSO) to get menu, news and
application JSON data from Domino 9.0.x for the new ASP.NET Business portal
CORS – Domino IBM HTTP Apache Future
• IBM plans to remove support for IBM HTTP Server (IHS) in a future Domino
maintenance release now that native Domino TLS 1.2 functionality has been
added to the product. IBM HTTP Server proved a good solution for Domino
customers who needed better security functionality over the native Domino
HTTP protocol on a Windows server platform. However, that solution is limited
in scope since it covers only HTTPS and Windows.
Source http://www-01.ibm.com/support/docview.wss?uid=swg21697303
• TGA will keep using the Domino 9.0.1 IBM HTTP stack for CORS capability
for the foreseeable future. An alternative proxy server solution may be considered.
Web Services – Consumer Domino 9.0.x Java Setup
• During the TGA upgrade project some DMZ Domino client agents were
developed in Java to securely (use HTTPS) consume internal IIS web services
for AD account creation.
• Domino needed the X.509 public certificate of the root CA that issued the IIS site
certificate installed in its Java key store (cacerts file) using the iKeyman utility.
60. Web Services – Consumer Domino 9.0.x Java Experience
• Domino 9.0.x uses a slightly older edition of Java (v1.6) which does not support
the TLS extension ‘Server Name Indication’ (SNI). As the IIS server hosts
multiple websites (each with its own HTTPS binding and services), Domino is not
able to complete the TLS handshake successfully: it receives the wrong
certificate, resulting in a Domino console “host name does not match” error
when the Java service consumer agent runs.
• The solution is to use a wildcard certificate as the default site HTTPS binding on
the internal IIS web server, with “Require Server Name Indication” unticked and the
“Host name” field left blank, resulting in the Domino consumer Java agent client
flow below.
61. Web Services – Consumer Domino 9.0.x Java Patching
• Use a “Domino\jvm\lib\security\java.pol” file to cover security requirements
for running Java agents that differ from the standard “java.policy”. See
technote https://www-304.ibm.com/support/docview.wss?uid=swg21679242 .
• Back up the “Domino\jvm\lib\security\cacerts” key store and the “java.policy”
file prior to patching, as they can get lost. Copy them back in after patching
activity such as the one below. See blog
http://linqed.eu/2014/06/25/considering-a-domino-upgrade-beware-of-custom-java-security-policies/
62. Web Services – Provider Domino 9.0.x Setup
• During the TGA upgrade project some internal web service providers were
developed in Domino to be consumed by the Microsoft Dynamics Customer
Relationship Management (CRM) system, so that it could update the corresponding
documents in the Domino Directory after its own account updates.
• Internal Domino 9.0.x servers were set up to use SPNEGO SSO for HTTP
authentication, so that CRM would use its AD service account to communicate
seamlessly with Domino. The CRM service account needs to be identified in
the Domino Directory and only requires Reader access to the database where
the service providers reside.
63. Web Services – Provider Domino 9.0.x Experience
• Found that the Domino notes.ini setting
WIDE_SEARCH_FOR_KERBEROS_NAMES=1 caused lots of problems for
CRM when it was set and the service account "svc_crm@ADDOMAIN" was specified in
the Kerberos field of the person document under the Administration tab. Just used
the ShortName with this setting off and it works fine.
• Ensure “HTTP persistent connections” is set to Disabled in the server document.
When enabled, CRM would hang while consuming Domino services.
64. Code Management - Team Foundation Server (TFS)
• Quick mention! To share code within the TGA project team and branch-manage
code properly, the developers were required to:
– Export each Domino database into a corresponding On-Disk Project (ODP) in
Domino XML (DXL) format using the Domino Designer 9.0.x Source Control
functionality. The AGECOM DXL Import / Export utilities were also used to assist. See
https://www.agecom.com.au/
– Branch-manage the ODP in TFS 2013 using the Microsoft Team Explorer Everywhere
Eclipse plugin at http://www.microsoft.com/en-au/download/details.aspx?id=40785