Open Mic "Notes Federated Login"

Posted on 16-Apr-2017



IBM Collaboration Solutions

Open Mic Date: 11-09-2015

IBM Notes Federated Login

IBM Corporation ©2015

Open Mic Team

Niraj V Jani - IBM ICS Support engineer, Presenter

Javed F Batliwala - IBM ICS Support engineer, Presenter

Ranjit Rai - IBM ICS SWAT, focusing on the entire Notes/Domino stack

Jayavel Rajendran - IBM ICS SWAT, focusing on the entire Notes/Domino stack

Hansraj Mali - IBM ICS SWAT, focusing on Notes/Domino

Narendra Nesarikar - IBM ICS Support, Facilitator for Open Mics


Agenda

• IBM Notes Federated Login introduction
• Different Components
  • Federation Identity Provider
  • Windows Domain Environment
  • IdP Catalog (IdPCat.nsf)
  • Notes Client User Environment with Domino Home Mail Server
  • ID Vault
• Deployment Requirements
• Implementation
• General Troubleshooting
• References
• Q/A


IBM Notes Federated Login Introduction

Provides a single sign-on experience when starting up the Notes client or iNotes.

SSO between Notes, iNotes and the Windows domain environment, as well as many other supported/compatible Identity Providers.

Eliminates the regular Notes or iNotes password prompt.

Reduces the administrative cost of maintaining multiple directories.

Uses cryptographic mechanisms instead of passwords to improve security and minimize cost.

Reduces user data redundancy.

The SAML IdP takes responsibility for authenticating the Notes user.

Users' IDs must be stored in an ID vault.

Notes client users' ID file contents are stored in memory on the client after being downloaded from the ID vault.

You can enable Notes Shared Login for offline usage as an alternate login capability.

Works well with the Notes client running in a Citrix environment.


Different Components

Federation Identity Provider

Currently supported with IBM Notes/Domino 9.0.x:
• Microsoft® ADFS 2.0 integrated with Active Directory
• IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)

Series of actions:
1. NFL uses Security Assertion Markup Language (SAML) authentication.
2. The Notes embedded browser contacts the SAML identity provider (IdP) for authentication.
3. The IdP is configured to use transparent Kerberos-based authentication to avoid a password prompt.
4. The SAML IdP creates a SAML assertion for the authenticated user. The SAML assertion contains the user's email address.
5. The Notes embedded browser retrieves the SAML assertion.
6. The Notes client passes the assertion to the Notes ID vault.
7. The Notes ID vault cryptographically verifies the user's SAML assertion.
8. If valid, the vault server finds the user's unlocked ID file in the vault and downloads the ID for use by Notes.
9. The user can now use the Notes client.


Contd...

Windows Domain Environment
• Requires Active Directory configuration
• Active Directory Federation Service 2.0 (ADFS) is used as the Identity Provider
• Client computer where the user is logging into Windows and running the browser or Notes client
• ADFS does the job of user authentication via Kerberos authentication


Contd...

IdP Catalog (IdPCat.nsf)
• A database needs to be created on the Domino server hosting the ID Vault
• Use the idpcat.ntf template; the database name must be IdPCat.nsf
• If using Unix, the filename must be all lower case
• Special database that contains trusted identity providers and their certificates
• An IdP config document is created and the IdP configuration is imported
• The admin creating the document must be listed in the following fields on the Server document: Full Access Administrators; Administrators; Sign or run unrestricted methods and operations
• Imports the FederationMetadata.xml file exported from ADFS. This builds trust.
• The idpcat.nsf must not be enabled for document locking.
• Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly sensitive information is not in the directory.


Contd...

Notes Client Environment with Domino Home mail server
• Notes Client Standard 9.0/9.0.x needs to be installed
• Domino Server 9.0/9.0.x needs to be installed and should have HTTP enabled
• SSL needs to be enabled on the Domino server
• If the ID vault server is separate, it does not need to have SSL enabled
• ID Vault should be hosted on a Domino server
• Security Policy for ID Vault should be configured and applied to Notes users
• Session Authentication should be set to SAML 2.0 in the Server document
• An exported copy of the SSL internet certificate from the Federation Identity Provider (TFIM/ADFS 2.0) must be imported into the Domino Directory and cross certified to create an internet cross certificate.

Roaming users
• You need an administrative deploy.nsf to install certificates for new or roaming users
• Roaming must be enabled and working properly before enabling NFL
• Deploy.nsf provides the required certificate whenever needed in order to download the ID file from the ID Vault.


Contd...

ID Vault
• Standard ID Vault configuration should be done on the Domino server
• A proper security policy should be created for the ID Vault and pushed to the users
• All user IDs must be harvested to the ID Vault database
• Identity Provider configuration information should be updated under the ID Vault


Deployment Requirements

• IBM Notes Client 9.x onwards
• IBM Domino Server 9.x onwards
• Microsoft Windows Active Directory Domain configuration
• Active Directory Federation Services 2.0 (ADFS 2.0) configuration
• IBM Notes Client machine as a part of the Windows Domain environment


Implementation – ADFS 2.0 Configuration
• Run the ADFS console by selecting Start -> Administrative Tools -> AD FS 2.0 Management
• Navigate to the Relying Party Trusts folder
• From the menu, select Action > Add Relying Party Trust


Contd...

Right-click the new Relying Party Trust, and select Properties


Contd...

Particularly if you have used a Domino metadata import file, check the Endpoints tab. The Domino server uses the POST Binding, which should appear in the list of SAML Assertion Consumer Endpoints. The Domino server does not use an Artifact Binding, so if one exists in the list, you can remove it.
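As an added example (not part of the deck or of Domino itself), the following Python check reads a relying-party metadata file of the kind Domino exports and applies the two Endpoints-tab checks above: a POST-binding Assertion Consumer Service endpoint must be present, and any Artifact-binding endpoint is reported so it can be removed. The host name, entity ID and endpoint locations in the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace and the two binding URIs the slide talks about
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

# Constructed sample: a minimal SP (relying party) metadata document with one
# POST endpoint and one stray Artifact endpoint. Host name and paths are made up.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://domino.example.test/names.nsf">
  <md:SPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://domino.example.test/names.nsf?SAMLLogin"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://domino.example.test/names.nsf?SAMLLogin"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_endpoints(metadata_xml):
    """Return (index, binding, location) for each AssertionConsumerService."""
    root = ET.fromstring(metadata_xml)
    path = ".//md:SPSSODescriptor/md:AssertionConsumerService"
    return [(e.get("index"), e.get("Binding"), e.get("Location"))
            for e in root.findall(path, NS)]


def check_relying_party(metadata_xml):
    """Apply the slide's Endpoints-tab checks to a relying-party metadata file.

    Returns the entity ID, whether a POST endpoint exists (required by Domino),
    and the indexes of Artifact endpoints (unused by Domino; safe to remove).
    """
    root = ET.fromstring(metadata_xml)
    endpoints = acs_endpoints(metadata_xml)
    return {
        "entity_id": root.get("entityID"),
        "has_post_endpoint": any(b == POST_BINDING for _, b, _ in endpoints),
        "artifact_indexes": [i for i, b, _ in endpoints if b == ARTIFACT_BINDING],
    }


if __name__ == "__main__":
    print(check_relying_party(SAMPLE_SP_METADATA))
```

Point the same functions at the metadata file you actually imported into ADFS to confirm what the Endpoints tab will show before the trust is created.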


Contd...

Use this URL to download the FederationMetaData from the ADFS server: https://ADFSservername/FederationMetaData/2007-06/FederationMetaData.xml


Implementation – Importing SSL Internet Certificate in Domino Directory


Implementation – Creating cross certificate in Domino Directory


Implementation – Importing FederationMetadata.xml in IdPCat.nsf


Implementation – Creating Certificate in IdPCat.nsf

Add the following lines to the server's notes.ini:

SAMLAuthVersion=2
SAMLUrl=https://instructor.test.com
SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw==
SAMLCompanyName=TEST SAML

Restart the Domino server.


Contd...

Use the Export command to export your key from server.id:

certmgmt export saml xml idp.xml

Note: Do not import this file into the IdP document with the Import button, as doing so will corrupt your federation key file. You can keep the file in your server data directory.


Implementation – ID Vault and IdP Configuration in ID Vault


Implementation – Security Policy for ID Vault and NFL


Implementation – Verifying that NFL is enabled for the client


General Troubleshooting

Before turning on SAML authentication:
• Make sure the Web server is functioning properly for session authentication
• Make sure SSL is deployed properly (if required)

You can use Fiddler or Firebug for a network trace.

Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino.
• Is the user properly prompted by the IdP (if a password prompt is required)?
• If Integrated Windows Authentication (SPNEGO/Kerberos) is used, use klist to see the user's Kerberos ticket for the SAML IdP.
• Check the HTTP POST carrying the SAML assertion.

If you face errors creating the SAML certificate under the IdP Configuration document in the IdPCat.nsf database, check the following first:
• Certificate creation and metadata export use an agent in idpcat. Refer to the hidden field named "NotesError" in the IdP config document, as it is helpful for diagnosis.
• Error "You are not authorized to perform that function": check the permissions in the Server document's Security tab.
• Error "Cannot accept internet certificate because the certificate is already in the ID file": use a different certifier name.


Contd...

Debug Parameters

Client side debugs (notes.ini)
DEBUG_CONSOLE=1 ==> To verify if NFL is enabled
DEBUG_CLOCK=32 ==> To verify if NFL is enabled
DEBUG_OUTFILE=c:\temp\debugout.txt ==> To verify if NFL is enabled
DEBUGGINGWCTENABLED=4294967295 ==> To verify if NFL is enabled
CONSOLE_LOG_ENABLED=1 ==> To verify if NFL is enabled
DEBUG_DYNCONFIG=1 ==> To verify if NFL is enabled
DEBUG_TRUST_MGMT=1 ==> To verify if NFL is enabled
DEBUG_IDV_TRACE=1 ==> To diagnose ID Vault operations
SECURE_LOG=2 ==> To diagnose ID Vault operations
DEBUG_BSAFE_IDFILE_LOCKED=8 ==> To diagnose ID Vault operations
DEBUG_ROAMING=4 ==> For roaming users
STX9=2 ==> To verify if NFL is enabled

Server side debugs (notes.ini)
DEBUG_SAML=31 ==> To troubleshoot SAML errors at server level
DEBUG_OUTFILE=c:\temp\debugserver.txt
DEBUG_MMFILE=1 ==> To verify any problems with the in-memory ID file


Contd...

Sample output of DEBUG_SAML=31

Limitations:
• No support for Traveler devices
• Cannot work with the Notes Single Login service
• Currently supports 2 IdPs (ADFS and TFIM)


References

Notes Federated Login: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes_Federated_Login

Cookbooks: http://www-01.ibm.com/support/docview.wss?uid=swg21614543


Questions?

Press *1 on your telephone to ask a question.

Visit our Support Technical Exchange page or our Facebook page for details on future events.

To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2

IBM Collaboration Solutions Support page: http://www.facebook.com/IBMLotusSupport

IBM Collaboration Solutions Support: http://twitter.com/IBM_ICSSupport