Date posted: 12-May-2015 | Category: Technology | Uploaded by: gabriella-davis
CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS
Gabriella Davis, [email protected], The Turtle Partnership
BACKGROUND
Hopefully you saw my presentation yesterday?
We talked about the difference between the Single Sign On options
Today we are going to look at the technical components needed to get your Notes, iNotes and Traveler clients logging in with minimal fuss
WHO AM I?
Gab Davis
Administrator, Problem Solver, Stubborn Fixer of Things
Working with IBM technologies and all the things surrounding and integrating with those
Based in London, about half the time
SOME HOW-TOS (FROM EASY TO HARD)
Notes Shared Logon
Configure LDAP Authentication
Configure Kerberos / SPNEGO / IWA for single sign on
Configure SAML
NOTES SHARED LOGON
WHAT DOES IT DO?
Removes the password from your Notes ID
No password - no problem!
Isn't that a huge security problem?
NOTES SHARED LOGON EXAMPLE
Steps:
1. User logs into Windows
2. User launches Notes and is prompted for the vaulted ID password
3. Notes downloads the vaulted ID to the file system
4. Notes removes the ID's password and encrypts the ID with the user's Windows credentials
5. Every time the user logs into Notes from that machine, the ID with no password is decrypted for use
WHAT DOES IT NEED?
ID Vault
Simple authentication: no smartcards, dual passwords, retina scans, etc.
Windows OS
HOW DO I SET IT UP?
Start with an ID Vault (you know how to do that right?)
There’s no client side configuration at all
Use the security policy to enable Notes Shared Logon
Machine formula to restrict NSL to secured machines
MACHINE SPECIFIC FORMULA
@GetMachineInfo([Keyword]; "text string where required")
Keywords (each returns a boolean):
IsLaptop - True if the machine is a laptop, otherwise False
IsDesktop - True if the machine is NOT a laptop, otherwise False
IsMultiUser - True if the machine has the Notes client installed as Multi-User, otherwise False
HasDesigner - True if the machine has the Designer client installed, otherwise False
HasAdmin - True if the machine has the Admin client installed, otherwise False
IsStandard - True if the machine is running the Standard Notes client, otherwise False
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21501673
WHAT DOESN’T IT DO
No password sync from Notes to Domino HTTP
No Citrix
No USB data
No Roaming profiles (well you can roam if you don’t roam)
More: http://bit.ly/1t50Adx
LDAP AUTHENTICATION
WHAT DOES IT DO?
It’s not SSO but it can be single password
No password synchronisation
Log in to any HTTP service, including Traveler, using an LDAP password (such as AD)
Remove Domino HTTP Password entirely if you want
Works from anywhere, any device
LDAP AUTHENTICATION EXAMPLE
Steps:
1. User tries to log into iNotes using their LDAP (AD) password
2. Domino checks if the password matches the HTTP password in the person document
3. On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance
4. The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated
5. Domino uses the credentials it was sent to grant the user access to the service / application
WHAT DOES IT NEED?
An LDAP server
A directory assistance document wherever you want to authenticate (for Traveler this would just be on the Traveler server)
MSSO (multi-server SSO)
An attribute in LDAP that contains the user's hierarchical Notes name
Keeping that attribute in sync (TDI will do that easily)
HOW DO I SET IT UP?
In the Directory Assistance document, specify the LDAP attribute containing the Notes DN
Filter the LDAP search to restrict which entries are allowed to authenticate
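The fallback chain from the example above, modelled in Python as an added example (not code from the presentation or from Domino). The person documents and LDAP entries are constructed in-memory stand-ins, and "notesDN" is an assumed name for the attribute that carries the hierarchical Notes name; the search filter is the restriction the Directory Assistance document applies.

```python
import hashlib
import hmac

def _hash(password: str) -> str:
    """Stand-in for the hashed HTTP password stored in a person document."""
    return hashlib.sha256(("constructed-salt" + password).encode()).hexdigest()

# Constructed Domino person documents (not real data). jsmith's HTTP password has
# been removed, so only the LDAP path can authenticate that user.
PERSON_DOCS = {
    "gdavis": {"notes_dn": "CN=Gabriella Davis/O=Turtle", "http_pw": _hash("domino-pw")},
    "jsmith": {"notes_dn": "CN=John Smith/O=Turtle", "http_pw": None},
}

# Constructed LDAP entries; "notesDN" is an assumed attribute name for the field
# that holds the hierarchical Notes name (the slides leave the attribute up to you).
LDAP_ENTRIES = [
    {"sAMAccountName": "gdavis", "password": "ad-pw", "objectClass": "user",
     "notesDN": "CN=Gabriella Davis/O=Turtle"},
    {"sAMAccountName": "jsmith", "password": "ad-pw2", "objectClass": "user",
     "notesDN": "CN=John Smith/O=Turtle"},
    {"sAMAccountName": "backup", "password": "x", "objectClass": "computer",
     "notesDN": None},
]

def ldap_verify(username, password, search_filter):
    """Stand-in for the LDAP server: apply the Directory Assistance search filter,
    insist on exactly one match, check the password, return the Notes DN."""
    matches = [e for e in LDAP_ENTRIES
               if e["sAMAccountName"] == username and search_filter(e)]
    if len(matches) != 1:          # zero or ambiguous matches: fail, never guess
        return None
    entry = matches[0]
    if not hmac.compare_digest(entry["password"], password):
        return None
    return entry["notesDN"]        # None if the attribute was never synced

def domino_authenticate(username, password,
                        search_filter=lambda e: e["objectClass"] == "user"):
    """Steps 2 to 5 above: person-document HTTP password first, then LDAP fallback.
    Returns the Notes name to grant access as, or None."""
    doc = PERSON_DOCS.get(username)
    if doc and doc["http_pw"] and hmac.compare_digest(doc["http_pw"], _hash(password)):
        return doc["notes_dn"]
    return ldap_verify(username, password, search_filter)
```

A user whose entry is filtered out, or whose LDAP entry has no Notes name attribute, is refused even with the right password, which is the behaviour you want from the restriction.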
KERBEROS / SPNEGO / IWA
WHAT DOES IT DO?
Uses the token generated by Active Directory to authenticate Domino access
Using MSSO, Domino generates its own token for onward authentication to other platforms
SPNEGO EXAMPLE FOR DOMINO
Steps:
1. User logs into Windows
2. Active Directory generates a SPNEGO token
3. User tries to access a Domino website
4. The browser sends the SPNEGO token to Domino along with the user name
5. Domino contacts Active Directory to validate the token and retrieve the user's name
WHAT DOES IT NEED?
An Active Directory domain for the user to log in to
SSO or MSSO
A Kerberos name mapped in the Domino person document
A Windows client (3rd party support for other OS)
An IE browser (3rd party support for other browsers)
HOW DO I SET IT UP?
• Ensure the clocks on the AD and Domino servers are in sync (use the same time server)
• Run Domino using a specific service account, not Local System
• Enable Active Directory in Directory Assistance
Note: the AD domain must match the LDAP tab
HOW DO I SET IT UP?
OR, if you don't want to use Directory Assistance:
Set notes.ini on the Domino server: WIDE_SEARCH_FOR_KERBEROS_NAMES=1
Manually set the Kerberos name in each person document: on the Administration tab of each person document add the user's Kerberos name in the format
name (case sensitive) + domain (must be in caps)
HOW DO I SET IT UP?
Create a SPN (service principal name) in Active Directory representing every Domino hostname your users will access
The SPN authorisation account should match the account running Domino
To get the SPN command, run the program "domspnego" and give the output to your AD administrator
setspn -a HTTP/[hostname] [account]
Create multiple SPNs for multiple servers or hostnames
IN SUMMARY
Enable SSO in Domino
Enable AD Directory Assistance with single sign on for Windows (IWA - Integrated Windows Authentication)
Full Text Index Domino directory
Run domspnego to generate setspn output
Run setspn on Active Directory domain controller
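As an added example (not the domspnego program and not code from the presentation), the two name-format rules from the steps above in Python: one setspn line per distinct hostname users will browse to, and the person document's Kerberos name in the assumed name@DOMAIN form with the domain forced to upper case. Hostnames and the service account are constructed sample values.

```python
from urllib.parse import urlsplit

def kerberos_name(sam_account: str, ad_domain: str) -> str:
    """Value for the person document's Kerberos name field, in the assumed
    name@DOMAIN form: the account name keeps its case, the domain is upper-cased."""
    if "@" in sam_account or "\\" in sam_account:
        raise ValueError("pass the bare account name, not a UPN or DOMAIN\\user")
    if not ad_domain:
        raise ValueError("AD domain is required")
    return f"{sam_account}@{ad_domain.upper()}"

def spn_hostnames(urls) -> list:
    """Every distinct hostname users will browse to; each one needs its own SPN.
    urlsplit lower-cases hostnames, so MAIL.turtle.local and mail.turtle.local
    collapse to one entry instead of producing a duplicate SPN."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if not host:
            raise ValueError(f"no hostname in {url!r}")
        if host not in hosts:
            hosts.append(host)
    return hosts

def setspn_commands(urls, service_account: str) -> list:
    """One 'setspn -a HTTP/<host> <account>' line per hostname, for the AD admin.
    The account must be the one the Domino service actually runs under."""
    return [f"setspn -a HTTP/{h} {service_account}" for h in spn_hostnames(urls)]
```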
SAML & NOTES
WHAT DOES IT DO?
One single authentication challenge for access to multiple systems
Including a vaulted Notes ID
Identity Provider initial authentication can use many methods from passwords, multiple passwords, custom forms, smart cards and more
Supports multiple client and server operating systems
No passwords to compromise or intercept
SAML EXAMPLE
Steps:
1. User attempts to log in to a website
2. User is redirected to the Identity Provider
3. The Identity Provider requests authentication or (if the user is already logged in) returns credentials
4. User is redirected back to the original site with the SAML assertion attached
5. The original site uses its SAML Service Provider to confirm the SAML assertion and grant access
DEFINITIONS
IdP - Identity Provider (SSO)
  ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
    SAML 2.0 only
    Can be combined with SPNEGO
    Enhances Integrated Windows Authentication (IWA)
  TFIM (Tivoli Federated Identity Manager)
    SAML 1.1 and 2.0
DEFINITIONS
SP - Service Provider
IBM Domino (web federated login)
IBM WebSphere
IBM Notes (requires ID Vault) (notes federated login)
MORE DEFINITIONS
IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions
Assertions serve three roles:
Authentication
Authorisation
Retrieving attributes
WHAT DOES IT NEED?
An Identity Provider - IBM currently supports ADFS and TFIM
Other IdPs may work but aren't officially supported, so check with IBM first
ID Vault configured for federated logins
A partnership between the ID Vault server and the Identity Provider
An SSL certificate generated by a well known authority
WHAT DOES IT NEED?
An attribute in your Identity Provider that matches a unique user identity in Domino
An IdP Catalog in Domino (idpcat.nsf)
At least one IdP configuration document to be used by your Domino server(s)
A security policy that can be applied to your federating users
WHERE DO WE START?
You’ll need to install ADFS 2.0 if using Active Directory
You’ll need to have an IIS server with a SSL certificate
You’ll need an ID Vault
You’ll need a security policy in Domino
You’ll need an idpcat database based on the template idpcat.ntf
SIMPLE, RIGHT?
... YOU'LL NEED TIME AND PATIENCE
FROM ADFS TO DOMINO
Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
DOMINO IDP CONFIGURATION
Create the configuration document in your idpcat.nsf database
Import the XML file you just saved from ADFS
ENABLE CLIENT SETTINGS
The FederationMetadata.xml is attached from your previous step
DOMINO TO ADFS
Creating a certificate to give to ADFS containing information about your Domino server
Multiple servers / URLs mean multiple documents
DOMINO TO ADFS CERTIFICATE
When the “create certificate” button is clicked a new certificate is saved in the document and an idp.xml file for ADFS created
ADFS TRUSTING DOMINO
ADFS needs to know about each Domino server / URL, and you use the idp.xml for that
ADD RELYING PARTY TRUST
BROWSE TO THE IDP.XML
ADDING RELYING PARTY
MAPPING ADFS NAMES TO DOMINO
MAPPING MUST BE UNIQUE
DOMINO SECURITY POLICY
Enable Federated Login under Password Management
CONFIGURE THE ID VAULT
MORE…
The browser has to recognise the certificate being used by ADFS
ADFS has to recognise the certificate used by Domino
Domino has to recognise the certificate used by ADFS
Basically everything needs to talk to each other and be happy there's no man-in-the-middle intrusion
SUMMARY
If you're not using SPNEGO then you should; it's very simple to set up
SAML is where single sign on needs to be
There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines for instance)
Don’t just think about Domino and its services, think about everything your business uses and will be using
IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc.), so if in doubt, start with a PMR
HOW TO FIND ME
Twitter, blogs, Instagram, Facebook and more
[email protected], GabriellaDavis (Skype), http://turtleblog.info
gabturtle on twitter and elsewhere