Presentation that I gave at Lotusphere 2011 with Jay Boyd. We talked about TDI, single sign on, and user management.

1. ID304 Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What you NEED to know! Jay Boyd | Lotus Connections Team Lead | IBM Luis Benitez | Social Software Product Manager | IBM

2. Who we are

3. Tweet Away

5. SSO

6. New User Life Cycle Options in 3.0

7. Q&A

8. Not ideal security... Photo credit: http://www.flickr.com/photos/fboyd/2494909325/

10. SSL (even forced!)

11. Forced Authentication

12. Filtering active content

13. MIME control

14. and... Photo credit: http://www.flickr.com/photos/juanpol/2704542/

16. SSO

17. New User Life Cycle Options in 3.0

18. Q&A

20. Improves usability

21. Great for adoption Photo credit: http://commons.wikimedia.org/wiki/File:Single_sign_on_aproaches.png

23. … with WebSphere apps (any doubt?)

24. … with Quickr J/D (go go Gadget docs)

25. … with Sametime (duh!)

26. … via Tivoli Access Manager 6.1.1

27. … via CA's Siteminder 6.0

30. LTPA (WebSphere default)

31. SPNEGO

32. TAM (Form Based Auth, Transparent Junctions, LTPA)

33. SiteMinder (FBA, ASA/WebAgent)

34. TAM/SPNEGO

35. Except with LTPA, authentication is forced, there is no anonymous access

37. Usually used to provide State in an otherwise Stateless protocol (HTTP)

41. Authentication Realm

44. Synchronized system time

45. Identical LDAP configuration (WAS Federated Repository)

46. Share the same LTPA keys

49. Verify Servers are within the same domain (or a subdomain)

50. Verify Servers imported the same LTPA Key

52. Simple Connections Deployment

53. Connections Enterprise Deployment

54. Single Sign On: TAM

56. TAM Form Based Auth, Transparent Junctions, LTPA

57. Yes, the configuration is complex and there are a ton of security realms

58. Yes, the Delete Action must be configured

59. TAM acts as a Reverse Proxy; don't forget to enable dynamicHosts in LotusConnections-config.xml

60. Cookies: PD-H-SESSION-ID & PD-S-SESSION-ID

63. Transparent Junction

65. Test with a browser - - feeds that require authentication should prompt for Basic Auth, never TAM Form Authentication ** double check your configuration settings with the Connections 3 Documentation **

66. Single Sign On: SiteMinder

70. Cookies: SMSESSION

71. Watch for PERL script to be posted that creates realms ** double check your configuration settings with the Connections 3 Documentation **

74. Single Sign On: SPNEGO

77. NTLM

79. On 1 st request browser gets back a 401, Headers indicate “Authorization: Negotiate”

80. If capable, Client & Server agree on protocol and on every subsequent request the client infrastructure generates a new security token that is included in the header

84. Obtaining Membership information from Communities (WCI)

85. Community Life Cycle

87. Interservice URL vs Service URL

88. LotusConnections-config.xml: customAuth element specifies authentication type

89. Connections Server to Server Communication & SSO

90. Connections Server to Server Communication & SSO

91. Connections Server to Server Communication & SSO – Alternative Inter Service Configuration

92. SSO: LotusConnections-config.xml

94. SSO

95. New User Life Cycle Options in 3.0

96. Q&A

99. Leave of Absence (Education, Military, etc)

100. Left the company

101. Etc

105. Supports two-way synchronization on LDAP attributes

109. Don't delete the data, let your TDI assembly line inactivate the user

111. Provides a framework for future unified commands

114. Profiles propagates the command to inactivate a user across all components

115. Administrator can re-activate users

119. [2010-12-21 07:34:31] CLFWY0242W: The synchronize command found that active member Benjamin Button [current external id: LDAP_ID , application id LC_ID ] could not be matched via external id, but could be matched via login or email to external id NEW_LDAP_ID . The member was not updated since this action was disabled by the command.

120. Review the information from HR systems about the user identified by external id NEW_LDAP_ID and determine if this entry matches Benjamin Button or if the person has left the company.

123. SSO

124. New User Life Cycle Options in 3.0

125. Q&A

127. SHOW202 Enterprise 2.0 Hero: A Beginner’s Guide to Installing IBM Lotus Connections 3.0 Monday, 4:30pm

128. SHOW203 Lotus Connections 3.0 – Enterprise Integration for Administrators Sunday, 4:00pm

129. BP105 Twelve MORE Things Your Mother Never Told You About Deploying IBM Lotus Connections 3.0 Thursday, 10am

130. BP114 IBM Lotus Connections Administration: From the Command Line to a Graphical UI Tuesday, 4:45pm

131. BP303 Social Comes to You: How to Bring IBM Lotus Connections to Your Application in Context! Wednesday, 11:15am

132. INV111 Making Decisions Collaboratively with Cognos Business Intelligence and IBM Lotus Connections Tuesday, 10am

133. AD303 Connecting Developers and Community with Rational Jazz and Lotus Connections Tuesday, 1:30pm

134. AD304 Customizing Lotus Connections 3.0 Tuesday 10am

135. ID301 What's New in IBM Lotus Connections 3.0 Monday, repeats on Tuesday, 11am

136. ID302 Best Practices for a Happy and Healthy IBM Lotus Connections Deployment! Tuesday, 1:30

137. ID303 Exceptional Work Experience - Integrating and Extending Lotus Connections, WebSphere Portal, Lotus Quickr, Lotus Notes, Lotus Sametime and ECM Monday, 11am

138. ID305 Build Large-scale Performing Enterprise Solutions for IBM Lotus Connections Tuesday, 4:45

139. ID306 Compliance and Moderation with Lotus Connections 3.0 Wednesday, 4:15

141. V3 Single Sign On: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_single_signon_lc3

142. All about security in v3: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Security_lc3

143. Configuring Siteminder with Lotus Connections 3.0: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Scenario_3_Setting_up_SiteMinder_Single_Sign-On_(SSO)_with_Lotus_Connections_3.0

145. Configuring IBM TAM with Lotus Connections 2.5: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/Configuring_IBM_Tivoli_Access_Manager_SSO_for_IBM_Lotus_Connections_2.5

146. Lotus Connections 2.5 Security Guidelines: http://www-10.lotus.com/ldd/lcwiki.nsf/dx/IBM_Lotus_Connections_2.5_secure_configuration_guidelines

147. Legal Disclaimer © IBM Corporation 2011. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Connections, Lotus Notes, Notes, Domino, Quickr, Sametime, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.