Introduction to Single Sign-On
Worldwide Business Partner Technical Enablement 2016
Van Staub – North America Embedded Solution Agreement Technical Sales
Agenda
• General Idea
• SSO techniques
• LTPA
• SAML
• OAuth
• SPNEGO
• External Security Managers
Definitions
• Single Sign-On (SSO): not having to log in again (or at least not for a while)
• Authentication: the user’s identity, who they are
• Authorization: what the user has access to
General Idea
• a set of servers shares something secret – the key
• after a successful user login, a cookie is placed in the user’s browser – the token
• the cookie is encrypted with the key, so only servers holding the key can read or mint it
• the cookie identifies the user
• participating servers look for the cookie/token/something and, if it validates under the shared key, accept the user as authenticated without asking for a new login
Browser Cookies
• cookies are valid for a domain or host; the browser only sends a cookie to hosts that match the domain it was set for
• http://machine-name/resource (bare host name)
• http://192.168.1.2/resource (IP address)
• http://portal.ibmcollabcloud.com/… (fully qualified name; a domain cookie for ibmcollabcloud.com covers it)
• an SSO cookie is a session cookie: the browser lists it as expiring “At end of session”
• where are my cookies? – the browser’s developer tools or cookie viewer show them
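To make the domain rule concrete, here is an added example (not from the slides, not WebSphere code) that applies the RFC 6265 domain-match rule to the three address forms listed above and emits the kind of Set-Cookie header an SSO server sends. The host list, cookie name and cookie value are constructed; `SimpleCookie` is the Python standard library. The look-alike hosts at the end of the list are there to show that the match is on a dot boundary, not on a string suffix.

```python
import ipaddress
from http.cookies import SimpleCookie

# Constructed host list: the three forms from the slide plus a few neighbours.
SAMPLE_HOSTS = [
    "machine-name",                          # bare host name: no domain cookie can match it
    "192.168.1.2",                           # IP literal: only a host-only cookie can match
    "portal.ibmcollabcloud.com",
    "connections.ibmcollabcloud.com",        # constructed second server in the same SSO domain
    "ibmcollabcloud.com",
    "evil-ibmcollabcloud.com",               # constructed look-alike: must NOT match
    "ibmcollabcloud.com.attacker.example",   # constructed: must NOT match either
]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match: the request host is the cookie domain
    itself, or ends with '.' + domain and is not an IP address. A leading dot on
    the Domain attribute is ignored (RFC 6265 section 5.2.3)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().strip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip_literal(host)


def hosts_receiving_cookie(cookie_domain: str, hosts=SAMPLE_HOSTS) -> list:
    """Which hosts the browser would send a cookie carrying this Domain attribute to."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


def sso_set_cookie(name: str, value: str, domain: str) -> str:
    """Set-Cookie header for an SSO token: no Expires (session cookie), Secure so it
    never travels over plain http://, HttpOnly so page scripts cannot read it."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["domain"] = domain
    jar[name]["path"] = "/"
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar.output()


if __name__ == "__main__":
    for d in ("portal.ibmcollabcloud.com", "ibmcollabcloud.com", "192.168.1.2"):
        print(f"Domain={d!r:30} -> {hosts_receiving_cookie(d)}")
    print(sso_set_cookie("LtpaToken2", "constructedTokenValue", "ibmcollabcloud.com"))
```

Running it shows why the WebSphere SSO setting asks for the most inclusive domain: a cookie scoped to `portal.ibmcollabcloud.com` reaches only that host, while `ibmcollabcloud.com` reaches every host under it, and neither form can ever be shared with `machine-name` or an IP address.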
LTPA
• Lightweight Third Party Authentication
• IBM’s default SSO mechanism
• a Base64 encoded token (the Base64 wraps an encrypted payload, so decoding it alone reveals nothing readable) that includes the following information:
• a realm value
• user identity – the distinguished name from the directory
• expiration time
Example LtpaToken2 value as shown on the slide (Base64 text, rejoined from the slide’s wrapped lines):
ZoXfr6CuP1wYHSzjcxSGylirmzQrshpWMFInqcvNPHGPyCa4frfg63tdlR96gPGkL2B1vf1gi9WaJoCL9/UrYR+nxUuhUGFUDZ4QgPLQjCMMdIRfCIg6y6dW6Nu4I/oSLLMU5VUsXkBbAc1t//5u1XXsNY54Ttp/4xSjW32RnhWovmRLPdL8BXZVHl11wDJ8u9v7K2XxU7wPDIIxe14AbhXaeK88ZD+q2d0QVGiUIerT5EriBozIUF2cM3/v5v4Aatj80OruDUdgBwK/XJ5BKMiKscKq+/oxb6ij4hA58udIvmFim0xkRGnlbUTmCPcjQhoVnqHctMFdLF/e0uPyiklQpkm/5uY1TFL5Lihv5SY=
WebSphere SSO Settings
• open the WAS Console and go to Security -> Global Security -> Single Sign-on (SSO)
• specify the most inclusive domain name needed (the cookie domain that covers every participating host)
• the defaults seen are most often sufficient
Configuring WebSphere SSO
1. export the LTPA key from the source WebSphere server
2. for each additional server, import the key (the password is only used to protect the key file during export/import)
• open the WAS Console and go to Security -> Global Security -> LTPA
Configuring Domino SSO
1. create a web SSO configuration document
2. import the LTPA key file that was exported from WebSphere
3. configure/verify the realm (the token name is LtpaToken or LtpaToken2; newer WebSphere servers most likely use the realm defaultWIMFileBasedRealm)
Pitfalls
• the expiration time is relative to the server that created the LtpaToken2: it is an absolute timestamp from that server’s clock, so clock skew between participating servers changes how long the token is accepted
• session timeouts are not the same as LtpaToken2 expiration: an application session can end while the token is still valid, and the token can expire while the session is still open
• different directories …
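The general idea, the LTPA token fields and the two expiry pitfalls above, worked through in code. This is an added example, not code from the deck and not the LTPA format itself: it mints a shared-key token carrying realm, DN and an absolute expiry, then shows what each participating server checks and how the minting server’s clock decides the lifetime. The keys, the realm name, the DN and the clock values are constructed; a keyed HMAC stands in for LTPA’s encryption and signature.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo keys. In a WebSphere/Domino deployment the shared secret is the
# exported/imported LTPA key; the export password only protects the key file in transit.
SHARED_KEY = b"constructed-demo-key-shared-by-all-sso-servers"
UNRELATED_KEY = b"constructed-key-of-a-server-outside-the-sso-domain"
REALM = "defaultWIMFileBasedRealm"
USER_DN = "uid=duser1,cn=users,dc=ibm,dc=com"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, realm: str, user_dn: str, lifetime_s: int, now: float) -> str:
    """The server that authenticated the user mints the token. The expiry is an
    absolute timestamp taken from THIS server's clock (the LTPA pitfall)."""
    payload = {"realm": realm, "dn": user_dn, "exp": int(now) + lifetime_s}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def verify_token(key: bytes, token: str, expected_realm: str, now: float):
    """Any participating server verifies with the same key. Returns (ok, dn_or_reason)."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # constant-time comparison
        return False, "bad signature (different key or tampered)"
    payload = json.loads(body)
    if payload.get("realm") != expected_realm:
        return False, "realm mismatch"
    if now >= payload["exp"]:                           # compared against the VERIFIER's clock
        return False, "expired"
    return True, payload["dn"]


def forge_dn(token: str, new_dn: str) -> str:
    """An attacker can edit the Base64 payload but cannot recompute the tag without the key."""
    body_b64, tag_b64 = token.split(".")
    payload = json.loads(_b64d(body_b64))
    payload["dn"] = new_dn
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    return _b64e(body) + "." + tag_b64


def demo() -> dict:
    t0 = 1_456_833_600                  # fixed clock so the results are reproducible
    token = mint_token(SHARED_KEY, REALM, USER_DN, lifetime_s=7200, now=t0)
    forged = forge_dn(token, "uid=wasadmin,cn=users,dc=ibm,dc=com")
    return {
        "same_key": verify_token(SHARED_KEY, token, REALM, now=t0 + 60),
        "other_key": verify_token(UNRELATED_KEY, token, REALM, now=t0 + 60),
        "wrong_realm": verify_token(SHARED_KEY, token, "otherRealm", now=t0 + 60),
        "tampered": verify_token(SHARED_KEY, forged, REALM, now=t0 + 60),
        "expired": verify_token(SHARED_KEY, token, REALM, now=t0 + 7200),
        # Pitfall: a server whose clock runs 10 minutes behind the minting server
        # still accepts a token that has already expired by the minter's clock.
        "slow_clock": verify_token(SHARED_KEY, token, REALM, now=t0 + 7200 - 600),
    }
```

The `slow_clock` case is the first pitfall in code: nothing in the token says which clock produced `exp`, so every server in the SSO domain has to be time-synchronised or the effective lifetime silently differs per server. The `expired` case is independent of any application session timeout, which is the second pitfall.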
Dual Directory
• dual directory describes when the same user has different distinguished names
• the solution is to map the names

Before mapping – the same person in each directory:

WebSphere Portal (LDAP)
DN: uid=duser1,cn=users,dc=ibm,dc=com
cn: Domino User1
uid: duser1
mail: duser1@acme.com

Domino
DN: CN=Dom User1,O=ibm
cn: Dom User1
uid: duser1
mail: duser1@acme.com

After mapping (Option 1 adds the LDAP name to the Domino person document, Option 2 adds the Domino name to the LDAP entry):

WebSphere Portal (LDAP)
DN: uid=duser1,cn=users,dc=ibm,dc=com
cn: Domino User1
uid: duser1
mail: duser1@acme.com
notesdn: CN=Dom User1,O=ibm

Domino (person document)
UserName: Dom User1/ibm
UserName: uid=duser1/cn=users/dc=ibm/dc=com
cn: Dom User1
uid: duser1
mail: duser1@acme.com
Dual Directory (Option 1)
1. add the LDAP distinguished name to the person document
2. swap the comma delimiter for a slash
3. ensure the web SSO document has “Map names in LTPA tokens” enabled
4. add the other distinguished name to the LTPA user name field
Dual Directory (Option 2)
1. create a directory assistance document
2. add the external directory’s attribute that contains the Domino distinguished name
3. ensure the $DN value is used to add the LDAP distinguished name into the LtpaToken
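The comma-to-slash rule and the two mapping options, as an added example (not code from the deck, not Domino or WebSphere code). The directory data is the slide’s two columns, reconstructed as constructed Python dictionaries; `split_rdns`, `ldap_to_slash_form`, `resolve_option1` and `resolve_option2` are names chosen here. The point a naive `dn.replace(",", "/")` misses: RFC 4514 lets a comma appear inside a value when escaped with a backslash, so the DN must be split on unescaped commas only, and a value containing `/` cannot be turned into a Domino name without ambiguity (that rejection is this example’s own check, not something the slide states).

```python
# Constructed directory data mirroring the two columns on the slide.
LDAP_ENTRIES = {
    "uid=duser1,cn=users,dc=ibm,dc=com": {
        "cn": "Domino User1", "uid": "duser1", "mail": "duser1@acme.com",
        "notesdn": "CN=Dom User1,O=ibm",        # Option 2: attribute holding the Domino DN
    },
}
DOMINO_PERSON_DOCS = [
    {"UserName": ["Dom User1/ibm", "uid=duser1/cn=users/dc=ibm/dc=com"],   # Option 1: LDAP DN in slash form
     "cn": "Dom User1", "uid": "duser1", "mail": "duser1@acme.com"},
]


def split_rdns(dn: str) -> list:
    """Split an LDAP DN on unescaped commas (RFC 4514), keeping escape pairs intact."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # '\,' is part of the value, not a separator
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def ldap_to_slash_form(dn: str) -> str:
    """The slide's Option 1 rule: swap the comma delimiter for a slash."""
    rdns = split_rdns(dn)
    if any("/" in r for r in rdns):
        # '/' is Domino's own separator; such a value would yield an ambiguous name (this check is mine).
        raise ValueError("RDN value contains '/': no unambiguous Domino slash form")
    return "/".join(rdns)


def domino_abbreviate(canonical: str) -> str:
    """'CN=Dom User1,O=ibm' (as stored in LDAP) or 'CN=Dom User1/O=ibm' -> 'Dom User1/ibm'.
    Domino's abbreviated form drops the CN=, OU=, O= and C= prefixes."""
    parts = split_rdns(canonical) if "," in canonical else canonical.split("/")
    out = []
    for part in parts:
        key, _, value = part.partition("=")
        out.append(value if value and key.upper() in ("CN", "OU", "O", "C") else part)
    return "/".join(out)


def resolve_option1(ltpa_dn: str):
    """Option 1: with 'Map names in LTPA tokens' on, match the slash-form LDAP DN against
    the person document's UserName field; return the primary Domino name."""
    wanted = ldap_to_slash_form(ltpa_dn).lower()
    for doc in DOMINO_PERSON_DOCS:
        if any(name.lower() == wanted for name in doc["UserName"]):
            return doc["UserName"][0]
    return None


def resolve_option2(ltpa_dn: str):
    """Option 2: directory assistance reads the Domino DN from an LDAP attribute ('notesdn')."""
    # DN equality is simplified to a case-insensitive string compare; real LDAP matching is looser.
    for dn, attrs in LDAP_ENTRIES.items():
        if dn.lower() == ltpa_dn.lower() and "notesdn" in attrs:
            return domino_abbreviate(attrs["notesdn"])
    return None
```

Both resolvers return the same Domino identity for the slide’s user; a DN that exists in neither mapping returns `None`, which is the moment Domino would show the LTPA user as unknown even though the token itself was valid.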
LTPA Resources
• Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino – http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal-domino/
• vanstaub.me – http://vanstaub.me/category/cognos
SAML
• SAML stands for Security Assertion Markup Language
• solves the domain boundary problem of cookie-based SSO: a cookie is only sent within its own domain, whereas a SAML assertion is carried by the browser from one domain to another
• requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc.
• uses XML-based assertions exchanged between an Identity Provider (IdP) and a Service Provider (SP)
• SAML 2.0 is the latest version and is not backward compatible with 1.1 and 1.0
SAML
• see yesterday’s NWTL topic Active Directory Single Sign-On
• install and configure Active Directory Federation Service 2.0 with WebSphere Portal
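What a Service Provider has to check on an assertion it receives from the IdP, as an added example (not WebSphere’s SAML TAI, not code from the deck). The assertion, the entity IDs, the ACS URL and the clock are constructed; the example deliberately stops short of XML-Signature verification, which must come first and needs a library such as python3-saml or xmlsec together with the IdP certificate from its metadata. What it does show are the checks that are independent of the signature and are commonly left out: issuer, validity window with clock skew, audience and recipient.

```python
import xml.etree.ElementTree as ET   # use defusedxml.ElementTree for untrusted input in production
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLOCK_SKEW = timedelta(seconds=60)

# Constructed, unsigned demo assertion. The identifiers are assumptions, not real endpoints.
IDP_ENTITY_ID = "https://idp.example.com/adfs/services/trust"
SP_ENTITY_ID = "https://portal.example.com/sp"
ACS_URL = "https://portal.example.com/samlsps/acs"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2016-03-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">duser1@acme.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2016-03-01T12:05:00Z" Recipient="{ACS_URL}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-03-01T11:59:00Z" NotOnOrAfter="2016-03-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2016-03-01T12:00:00Z"/>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, idp_entity_id, sp_entity_id, acs_url, now):
    """SP-side checks that follow signature verification. Returns (ok, name_id_or_reason)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"] or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion"
    issuer = (root.findtext("saml:Issuer", namespaces=SAML_NS) or "").strip()
    if issuer != idp_entity_id:                       # only the IdP we federated with
        return False, "unexpected issuer"
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions"
    if cond.get("NotBefore") and now + CLOCK_SKEW < _ts(cond.get("NotBefore")):
        return False, "not yet valid"
    if cond.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        return False, "expired"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS) if a.text]
    if sp_entity_id not in audiences:                 # assertion minted for a different SP
        return False, "audience mismatch"
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("Recipient") != acs_url:   # bearer assertion replayed to another ACS
        return False, "recipient mismatch"
    if scd.get("NotOnOrAfter") and now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        return False, "subject confirmation expired"
    name_id = (root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS) or "").strip()
    if not name_id:
        return False, "missing NameID"
    return True, name_id


def at(minute: int) -> datetime:
    """Constructed clock: 2016-03-01 12:<minute> UTC."""
    return datetime(2016, 3, 1, 12, minute, tzinfo=timezone.utc)


def demo() -> dict:
    check = lambda xml, now=at(1): validate_assertion(xml, IDP_ENTITY_ID, SP_ENTITY_ID, ACS_URL, now)
    return {
        "valid": check(SAMPLE_ASSERTION),
        "expired": check(SAMPLE_ASSERTION, at(6)),
        "wrong_audience": check(SAMPLE_ASSERTION.replace(SP_ENTITY_ID, "https://other.example.com/sp")),
        "wrong_issuer": check(SAMPLE_ASSERTION.replace(IDP_ENTITY_ID, "https://rogue-idp.example.com")),
        "wrong_recipient": check(SAMPLE_ASSERTION.replace(ACS_URL, "https://other.example.com/acs")),
    }
```

The NameID that comes back is what the SP then maps to a directory user, which is where the LTPA token and the dual-directory mapping from earlier take over again.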
Connections Cloud SAML
[diagram – Connections Cloud SAML 1.1: “My SAML SP” (identified by its entityID) and the Connections Cloud SAML 1.1 IdP exchanging Encrypted XML about “My identity”; see http://vanstaub.me/1277]
Connections Cloud SAML
• SAML registration form
• requires a PMR to provide either the manual information (SAML 1.1) or the SAML 2.0 metadata
WebSphere SAML
• WebSphere is SAML SP ready – not IdP
• supports SAML 2.0 IdP initiated SSO
(screenshot callout, cut off on the slide: “our old friend, the”)
Connections On-Prem SAML
• “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”
SAML Resources
• Understanding the WebSphere Application Server SAML Trust Association Interceptor – http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html
• Step by step guide to implement SAML 2.0 for Portal 8.5 – https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step-guide-implement-saml-2-0-portal-8-5/
• Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI) – https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4-3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en
• Enabling Federated Identity or Integration Server for use with IBM Connections Cloud – http://www-01.ibm.com/support/docview.wss?uid=swg21626501
• AD + SAML + Kerberos + IBM Notes and Domino = SSO! – http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from-mwlug-has-been-posted.htm
• vanstaub.me – http://vanstaub.me/?s=saml
OAuth
• Is OAuth SSO? Maybe – it is really about authorization: the user lets an external application access their data without handing that application their password
1. the external app asks for Connections data
2. you log in to Connections
3. Connections sends the external app a token
4. the external app uses the token to access your data
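The four steps above with both sides’ messages, as an added example (not Connections’ OAuth implementation, not code from the deck). The authorization server, the client application, the endpoint URL, the client secret and the user data are constructed stand-ins; `STATE_MISMATCH` and `BAD_CODE` are error strings chosen here. Beyond the happy path it shows the two checks the four steps depend on: the app only accepts a redirect carrying a `state` it issued itself, and an authorization code can be redeemed exactly once.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://connections.example/oauth2/authorize"   # assumed name, not a real endpoint
STATE_MISMATCH = "state mismatch"
BAD_CODE = "invalid, expired or reused code"


class AuthorizationServer:
    """Stands in for Connections: it authenticates the user and issues codes and tokens."""

    def __init__(self, clients, clock):
        self.clients = clients      # client_id -> {"secret": ..., "redirect_uri": ...}
        self.clock = clock          # returns seconds; injected so the demo is reproducible
        self.codes, self.tokens = {}, {}
        self.user_data = {"duser1": {"profile": {"name": "Domino User1"}}}   # constructed

    def authorize(self, user, client_id, redirect_uri, scope, state):
        """Step 2: the user has logged in; bind a one-time, short-lived code to this
        client, redirect_uri, scope and user, then redirect back with the state echoed."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri != client["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"user": user, "client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "exp": self.clock() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 3: back-channel code-for-token exchange, authenticated by the client secret."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise PermissionError("bad client credentials")
        grant = self.codes.pop(code, None)          # pop: a code can be redeemed exactly once
        if (grant is None or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri or self.clock() > grant["exp"]):
            raise PermissionError(BAD_CODE)
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": grant["user"], "scope": grant["scope"],
                                     "exp": self.clock() + 3600}
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

    def resource(self, authorization_header, scope):
        """Step 4: the API accepts the bearer token in place of a user login."""
        scheme, _, access_token = authorization_header.partition(" ")
        t = self.tokens.get(access_token)
        if scheme != "Bearer" or t is None or self.clock() > t["exp"] or scope not in t["scope"].split():
            raise PermissionError("invalid token or insufficient scope")
        return self.user_data[t["user"]][scope]


class ThirdPartyApp:
    """The external application that wants the user's Connections data."""

    def __init__(self, client_id, client_secret, redirect_uri, server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.server = redirect_uri, server
        self.pending_states, self.access_token = set(), None

    def start(self):
        """Step 1: send the browser to the authorization endpoint with a fresh, unguessable state."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                "redirect_uri": self.redirect_uri,
                                                "scope": "profile", "state": state})

    def callback(self, redirect_url):
        """Step 3 (app side): accept only a state we issued, then redeem the code."""
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending_states:        # CSRF / mix-up: not a login we started
            raise PermissionError(STATE_MISMATCH)
        self.pending_states.discard(state)
        resp = self.server.token(self.client_id, self.client_secret, q["code"][0], self.redirect_uri)
        self.access_token = resp["access_token"]
        return self.access_token


def _denied(action):
    """Run action; return the PermissionError message, or 'accepted' if it wrongly succeeded."""
    try:
        action()
        return "accepted"
    except PermissionError as e:
        return str(e)


def demo(clock=lambda: 1_456_833_600) -> dict:
    server = AuthorizationServer({"app1": {"secret": "constructed-secret",
                                           "redirect_uri": "https://app.example/cb"}}, clock)
    app = ThirdPartyApp("app1", "constructed-secret", "https://app.example/cb", server)
    auth = parse_qs(urlparse(app.start()).query)                       # 1. app asks for data
    redirect = server.authorize("duser1", auth["client_id"][0], auth["redirect_uri"][0],
                                auth["scope"][0], auth["state"][0])    # 2. user logs in
    app.callback(redirect)                                             # 3. code -> token
    code = parse_qs(urlparse(redirect).query)["code"][0]
    return {
        "profile": server.resource("Bearer " + app.access_token, "profile"),   # 4. token -> data
        "code_reuse": _denied(lambda: server.token("app1", "constructed-secret", code,
                                                   "https://app.example/cb")),
        "csrf": _denied(lambda: app.callback("https://app.example/cb?"
                                             + urlencode({"code": "x", "state": "forged"}))),
    }
```

Note what the user never does in this flow: give the third-party application a password. The application ends up with a scoped bearer token, which is why the deck files OAuth under authorization rather than SSO.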
OAuth
[diagram – the three parties in the flow: the User’s Browser, the 3rd Party Application and Connections Cloud]
OAuth Resources
• Connections: Allowing third-party applications access to data via the OAuth2 protocol – https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_common_oauth.dita
• Connections Cloud: Using OAuth for API Authorization – https://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Open_Authorization_sbt&content=apicontent
• Developing an IBM SmartCloud for Social Business application – https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/
• Building an IBM OAuth Consumer in PHP – http://vanstaub.me/679
SPNEGO
• Simple and Protected GSS-API Negotiation Mechanism
• log in to Windows, get SSO to IBM software – pretty simple: the browser presents the Kerberos ticket obtained at the Windows domain login to the web server in an Authorization: Negotiate header
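The check a practitioner wants when SPNEGO “just works” on some machines and not on others: what did the browser actually send? This is an added example (not from the deck, not IBM code) that decodes the `Authorization: Negotiate` header far enough to list the mechanisms offered in the SPNEGO NegTokenInit, so you can see whether Kerberos was offered at all or the browser fell back to NTLM. The sample headers are built with the small DER encoder included here; the mechanism OIDs are the real GSS-API identifiers, everything else is constructed.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5", "1.2.840.48018.1.2.2": "MS KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP", "1.3.6.1.4.1.311.2.2.30": "NEGOEX"}  # real OIDs
KERBEROS_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
NOTHING = {"mechs": [], "kerberos_offered": False}


# Minimal DER helpers: enough for the SPNEGO framing, not a general ASN.1 library.
def _tlv(tag: int, content: bytes) -> bytes:
    """Encode one element; short-form length only, which is fine for the small demo tokens."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                    # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next position); handles the long-form lengths real tokens use."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def _children(buf: bytes) -> list:
    pos, out = 0, []
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        out.append((tag, content))
    return out


def build_neg_token_init(mech_oids, mech_token: bytes = b"") -> bytes:
    """Constructed NegTokenInit (RFC 4178), used only to produce demo input:
    [APPLICATION 0] { OID spnego, [0] { SEQUENCE { [0] mechTypes, [2] mechToken } } }"""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids)))
    token = _tlv(0xA2, _tlv(0x04, mech_token))
    return _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, mech_types + token)))


def inspect_negotiate(header_value: str) -> dict:
    """Classify an 'Authorization: Negotiate <base64>' request header."""
    scheme, _, b64 = header_value.partition(" ")
    raw = base64.b64decode(b64) if scheme == "Negotiate" else b""
    if raw.startswith(b"NTLMSSP\x00"):                   # bare NTLM, no SPNEGO wrapper at all
        return {"kind": "raw-ntlm", "mechs": ["NTLMSSP"], "kerberos_offered": False}
    if not raw or raw[0] != 0x60:                        # not a GSS-API InitialContextToken
        return {"kind": "unknown", **NOTHING}
    _, body, _ = _read_tlv(raw)
    oid_tag, oid_bytes, pos = _read_tlv(body)
    oid = _decode_oid(oid_bytes) if oid_tag == 0x06 else ""
    if oid in MECH_NAMES:                                # one mechanism sent directly, no negotiation
        return {"kind": "raw-gss", "mechs": [MECH_NAMES[oid]], "kerberos_offered": oid in KERBEROS_OIDS}
    if oid != SPNEGO_OID:
        return {"kind": "unknown", **NOTHING}
    choice_tag, choice, _ = _read_tlv(body, pos)
    if choice_tag != 0xA0:                               # [1] would be a NegTokenResp
        return {"kind": "spnego-resp", **NOTHING}
    oids = []
    for tag, content in _children(_read_tlv(choice)[1]):   # fields of the NegTokenInit SEQUENCE
        if tag == 0xA0:                                  # [0] mechTypes: SEQUENCE OF OID, preferred first
            oids = [_decode_oid(c) for t, c in _children(_read_tlv(content)[1]) if t == 0x06]
    return {"kind": "spnego-init", "mechs": [MECH_NAMES.get(o, o) for o in oids],
            "kerberos_offered": any(o in KERBEROS_OIDS for o in oids)}


def to_header(token: bytes) -> str:
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def demo() -> dict:
    """Constructed headers: a domain-joined Windows browser offering Kerberos first, a browser that
    got no ticket (no SPN registered, or no KDC reachable) and offers only NTLM, and bare NTLM."""
    domain_client = build_neg_token_init(
        ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"], b"\x60\x00")
    ntlm_only = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00")
    return {"domain_client": inspect_negotiate(to_header(domain_client)),
            "ntlm_fallback": inspect_negotiate(to_header(ntlm_only)),
            "raw_ntlm": inspect_negotiate(to_header(b"NTLMSSP\x00\x01\x00\x00\x00"))}
```

Paste the real header value from a failing client into `inspect_negotiate` instead of the constructed ones: a `mechs` list without a Kerberos entry tells you the problem is on the Windows/Kerberos side (SPN, ticket, KDC reachability), not in the WebSphere or Domino SPNEGO configuration.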
SPNEGO Resources
• Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication – https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by-Step_guide_to_Configure_Single_sign-on_for_HTTP_requests_using_SPNEGO_web_authentication
• BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014) – http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss-single-sign-on-spnego-and-saml-2014.htm
External Security Managers
• a server that manages access to “protected” resources
• IBM Security Access Manager or CA SiteMinder, for example
[diagram – Application, ESM, Directory and Policy Server]
Things to Consider
• the LTPA token is still very relevant
• after SAML is done, LTPA is still used
• after SPNEGO is done, LTPA is still used
• OAuth applies more to developers than users
• External Security Managers do more than just authenticate
Thank You
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 

IBM Single Sign-On

1. Introduction to Single Sign-On
Worldwide Business Partner Technical Enablement 2016
Van Staub – North America Embedded Solution Agreement Technical Sales

2. Agenda
• General Idea
• SSO techniques
• LTPA
• SAML
• OAuth
• SPNEGO
• External Authentication Managers

3. Definitions
• Single Sign-On (SSO): not having to log in again (or for a while)
• Authentication: the user’s identity, who they are
• Authorization: what the user has access to

4. General Idea
• a set of servers will share something secret – the key
• after successful user login, a cookie is placed on the user’s browser – the token
• the cookie is encrypted with the key
• the cookie identifies the user
• participating servers will look for the cookie/token/something to authenticate the user

5. Browser Cookies
• cookies are valid for a domain or host
• http://machine-name/resource
• http://192.168.1.2/resource
• http://portal.ibmcollabcloud.com/…
• expires “At end of session”
• where are my cookies?

6. LTPA
• Lightweight Third Party Authentication
• IBM’s default SSO mechanism
• a Base64 encoded token that includes the following information:
• a realm value
• user identity – the distinguished name from the directory
• expiration time
Sample token shown on the slide: ZoXfr6CuP1wYHSzjcxSGylirmzQrshpWMFInqcvNPHGPyCa4frfg63tdlR96gPGkL2B1vf1gi9WaJoCL9/UrYR+nxUuhUGFUDZ4QgPLQjCMMdIRfCIg6y6dW6Nu4I/oSLLMU5VUsXkBbAc1t//5u1XXsNY54Ttp/4xSjW32RnhWovmRLPdL8BXZVHl11wDJ8u9v7K2XxU7wPDIIxe14AbhXaeK88ZD+q2d0QVGiUIerT5EriBozIUF2cM3/v5v4Aatj80OruDUdgBwK/XJ5BKMiKscKq+/oxb6ij4hA58udIvmFim0xkRGnlbUTmCPcjQhoVnqHctMFdLF/e0uPyiklQpkm/5uY1TFL5Lihv5SY=

7. WebSphere SSO Settings
• Open WAS Console and go to Security -> Global Security -> Single Sign-on (SSO)
• specify the most inclusive domain name needed
• the defaults seen are most often sufficient

8. Configuring WebSphere SSO
1. Export the LTPA key from the source WebSphere server
2. For each additional server, import the token
• Open WAS Console and go to Security -> Global Security -> LTPA
• the password is only used when you export/import

9. Configuring Domino SSO
1. create the web SSO configuration document
2. import the LTPA key file that was exported from WebSphere
3. configure/verify the realm
• LtpaToken or LtpaToken2
• newer servers are more likely defaultWIMFileBasedRealm

10. Pitfalls
• expiration time is relative to the server that created the LTPAToken2
• session timeouts are not the same as LTPAToken2 expiration
• different directories …
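As an added illustration of the General Idea, LTPA and Pitfalls slides (not the deck's own code and not IBM's LTPA implementation): a small Python stand-in in which participating servers share one key, a successful login issues a Base64 token carrying the realm, the user's distinguished name and an expiry, and any server holding the same key authenticates the user from the cookie alone. The token layout (HMAC-SHA256 over a JSON payload), the sample key, realm and DN are constructed for this example; a real LtpaToken2 uses a different format.

```python
import base64
import hashlib
import hmac
import json

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to the payload (constructed format)


def issue_token(shared_key: bytes, realm: str, user_dn: str,
                now: int, lifetime_s: int = 7200) -> str:
    """Issued by whichever server handled the login. The payload carries the
    realm, the user's DN and an absolute expiry computed from the issuing
    server's clock (Pitfalls slide: expiry is relative to the creator)."""
    body = json.dumps({"realm": realm, "u": user_dn,
                       "expires": now + lifetime_s}).encode()
    tag = hmac.new(shared_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_token(shared_key: bytes, token: str, now: int):
    """Any participating server with the same key authenticates the user from
    the cookie alone. Returns the user DN, or None when the key differs, the
    payload was altered, the token is malformed, or it has expired."""
    try:
        raw = base64.b64decode(token)
    except ValueError:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(shared_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # wrong key or tampered payload
    claims = json.loads(body)
    if now >= claims["expires"]:
        return None                      # judged by THIS server's clock
    return claims["u"]


if __name__ == "__main__":
    key = b"key-shared-by-portal-and-domino"   # constructed sample key
    t = issue_token(key, "defaultWIMFileBasedRealm",
                    "uid=duser1,cn=users,dc=ibm,dc=com", now=1_000_000)
    print(verify_token(key, t, now=1_000_100))            # the user DN
    print(verify_token(b"another-key", t, now=1_000_100))  # None: other key
    print(verify_token(key, t, now=1_007_200))             # None: expired
```

Because the expiry is checked against the verifying server's clock, a server whose clock runs ahead of the issuer rejects tokens early, which is the clock-skew face of the first Pitfalls bullet.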
11. Dual Directory
• dual directory describes when the same user has different distinguished names
• solution is to map the names
Before mapping:
  WebSphere Portal entry
    DN: uid=duser1,cn=users,dc=ibm,dc=com
    cn: Domino User1
    uid: duser1
    mail: duser1@acme.com
  Domino entry
    DN: CN=Dom User1,O=ibm
    cn: Dom User1
    uid: duser1
    mail: duser1@acme.com
After mapping:
  WebSphere Portal entry
    DN: uid=duser1,cn=users,dc=ibm,dc=com
    cn: Domino User1
    uid: duser1
    mail: duser1@acme.com
    notesdn: CN=Dom User1,O=ibm
  Domino entry
    UserName: Dom User1/ibm
    UserName: uid=duser1/cn=users/dc=ibm/dc=com
    cn: Dom User1
    uid: duser1
    mail: duser1@acme.com

12. Dual Directory (Option 1)
1. add the LDAP distinguished name to the person document
2. swap the comma delimiter for a slash

13. Dual Directory (Option 1)
1. ensure the web SSO document has “Map names in LTPA tokens”
2. add the other distinguished name to the LTPA user name field

14. Dual Directory (Option 2)
1. create a directory assistance document
2. add the external directory’s attribute that contains the Domino distinguished name

15. Dual Directory (Option 2)
1. ensure the $DN value is used to add the LDAP distinguished name into the LTPAToken
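An added example for the Dual Directory slides (11 through 15), not code from the deck or from Domino: the comma-to-slash conversion of slide 12, Domino's abbreviated display form (which drops CN/OU/O/C prefixes but keeps uid= and dc= components, as the slide's UserName values show), and a lookup that resolves either distinguished name to one user record. The user records, field names and helper names are constructed for this example.

```python
STANDARD_TYPES = {"cn", "ou", "o", "c"}   # components Domino abbreviates


def ldap_dn_to_domino(dn: str) -> str:
    """Swap the comma delimiter for a slash (slide 12). A backslash-escaped
    comma inside a value, e.g. cn=Smith\\, John, must not be split."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # keep the escape pair verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return "/".join(parts)


def domino_abbreviated(name: str) -> str:
    """Drop type prefixes only when every component is CN/OU/O/C
    ('CN=Dom User1,O=ibm' -> 'Dom User1/ibm'); uid=/dc= names keep them."""
    comps = ldap_dn_to_domino(name).split("/")
    typed = [c.split("=", 1) for c in comps]
    if all(len(t) == 2 and t[0].strip().lower() in STANDARD_TYPES for t in typed):
        return "/".join(v.strip() for _, v in typed)
    return "/".join(comps)


def canonical(name: str) -> str:
    return domino_abbreviated(name).lower()   # delimiter- and case-insensitive key


# Constructed directory records (not real data): each user lists every name it
# is known by, the LDAP DN plus the Domino DN held in notesdn / the LTPA user name field.
USERS = [
    {"uid": "duser1", "mail": "duser1@acme.com",
     "names": ["uid=duser1,cn=users,dc=ibm,dc=com", "CN=Dom User1,O=ibm"]},
]


def resolve(ltpa_name: str):
    """Return the single user record for whichever DN arrives in the LTPA token."""
    key = canonical(ltpa_name)
    for user in USERS:
        if any(canonical(n) == key for n in user["names"]):
            return user
    return None
```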
16. LTPA Resources
Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino
http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal-domino/
vanstaub.me
http://vanstaub.me/category/cognos

17. SAML
• SAML stands for Security Assertion Markup Language
• resolves the domain boundary problem of cookies
• requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc.
• uses XML-based assertion tokens exchanged between an Identity Provider (IdP) and a Service Provider (SP)
• SAML 2.0 is the latest version – not compatible with 1.1 and 1.0

18. SAML
• See yesterday’s NWTL topic Active Directory Single Sign-On
• Install and configure Active Directory Federation Service 2.0 with WebSphere Portal

20. Connections Cloud SAML 1.1
(diagram: Connections Cloud SAML 1.1 IdP, My SAML SP, encrypted XML assertion, entityID, my identity)
http://vanstaub.me/1277

21. Connections Cloud SAML
• SAML registration form
• requires a PMR to provide either manual information (SAML 1.1) or the SAML 2.0 metadata

22. WebSphere SAML
• WebSphere is SAML SP ready – not IdP
• supports SAML 2.0 IdP initiated SSO
our old friend, the

23. Connections On-Prem SAML
• “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”

24. SAML Resources
Understanding the WebSphere Application Server SAML Trust Association Interceptor
http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html
Step by step guide to implement SAML 2.0 for Portal 8.5
https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step-guide-implement-saml-2-0-portal-8-5/
Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI)
https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4-3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en
Enabling Federated Identity or Integration Server for use with IBM Connections Cloud
http://www-01.ibm.com/support/docview.wss?uid=swg21626501
AD + SAML + Kerberos + IBM Notes and Domino = SSO!
http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from-mwlug-has-been-posted.htm
vanstaub.me
http://vanstaub.me/?s=saml

25. OAuth
• Is OAuth SSO? Maybe - authorization.
1. external app asks for Connections data
2. you log in to Connections
3. Connections sends the external app a token
4. external app uses the token to access your data

27. OAuth Resources
Connections: Allowing third-party applications access to data via the OAuth2 protocol
https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_common_oauth.dita
Connections Cloud: Using OAuth for API Authorization
https://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Open_Authorization_sbt&content=apicontent
Developing an IBM SmartCloud for Social Business application
https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/
Building an IBM OAuth Consumer in PHP
http://vanstaub.me/679

28. SPNEGO
• Simple and Protected GSS-API Negotiation Mechanism
• log in to Windows, SSO to IBM Software – pretty simple

29. SPNEGO Resources
Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication
https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by-Step_guide_to_Configure_Single_sign-on_for_HTTP_requests_using_SPNEGO_web_authentication
BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014)
http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss-single-sign-on-spnego-and-saml-2014.htm

30. External Security Managers
• a server that manages access to “protected” resources
• IBM Security Access Manager, CA Siteminder for example
(diagram: Directory and Policy Server, ESM, Application)

31. Things to Consider
• the LTPA token is still very relevant
• after SAML is done, LTPA is still used
• after SPNEGO is done, LTPA is still used
• OAuth applies more to developers than users
• External Security Managers do more than just authenticate