A Technical Guide To Deploying Single Sign On

Date post: 12-May-2015
Upload: gabriella-davis
Description: How to configure and deploy Single Sign On technologies
Page 1: A Technical Guide To Deploying Single Sign On

CONFIGURING A SINGLE SIGN ON EXPERIENCE FOR YOUR NOTES CLIENTS

Gabriella Davis [email protected] The Turtle Partnership

Page 2: A Technical Guide To Deploying Single Sign On

BACKGROUND

Hopefully you saw my presentation yesterday?

We talked about the difference between Single Sign On options.

Today we are going to look at the technical components to get your Notes, iNotes and Traveler clients logging in with minimal fuss.

Page 3: A Technical Guide To Deploying Single Sign On

WHO AM I?

Gab Davis

Administrator, Problem Solver, Stubborn Fixer of Things

Working with IBM technologies and all the things surrounding and integrating with those

Based in London, about half the time

Page 4: A Technical Guide To Deploying Single Sign On

SOME HOW-TOS… (FROM EASY TO HARD)

Notes Shared Logon

Configure LDAP Authentication

Configure Kerberos / SPNEGO / IWA for single sign on

Configure SAML

Page 5: A Technical Guide To Deploying Single Sign On

NOTES SHARED LOGON

Page 6: A Technical Guide To Deploying Single Sign On

WHAT DOES IT DO?

Removes the password from your Notes ID

No password - no problem!

Isn't that a huge security problem?

Page 7: A Technical Guide To Deploying Single Sign On

NOTES SHARED LOGON EXAMPLE

STEPS

1. User logs into Windows
2. User launches Notes & is prompted for the vaulted ID password
3. Notes downloads the vaulted ID to the file system
4. Notes removes the ID's password & encrypts the ID with the user's Windows credentials
5. Every time the user logs into Notes from that machine, the ID with no password is decrypted for use

Page 8: A Technical Guide To Deploying Single Sign On

WHAT DOES IT NEED?

ID Vault

Simple authentication: no smartcards, dual passwords, retina scans etc.

Windows OS

Page 9: A Technical Guide To Deploying Single Sign On

HOW DO I SET IT UP?

Start with an ID Vault (you know how to do that right?)

There's no client-side configuration at all

Use the security policy to enable Notes Shared Logon

Page 10: A Technical Guide To Deploying Single Sign On

Machine formula to restrict NSL to secured machines

Page 11: A Technical Guide To Deploying Single Sign On

MACHINE SPECIFIC FORMULA

@GetMachineInfo([Keyword]; "text string where required")

Keyword      Returns   Meaning
IsLaptop     boolean   True if the machine is a laptop, otherwise False
IsDesktop    boolean   True if the machine is NOT a laptop, otherwise False
IsMultiUser  boolean   True if the machine has the Notes client installed as Multi-User, otherwise False
HasDesigner  boolean   True if the machine has the Designer client installed, otherwise False
HasAdmin     boolean   True if the machine has the Admin client installed, otherwise False
IsStandard   boolean   True if the machine is running the Standard Notes client, otherwise False

http://www-01.ibm.com/support/docview.wss?uid=swg21501673

Page 12: A Technical Guide To Deploying Single Sign On

WHAT DOESN’T IT DO

No password sync from Notes to Domino HTTP

No Citrix

No USB data

No Roaming profiles (well you can roam if you don’t roam)

More: http://bit.ly/1t50Adx

Page 13: A Technical Guide To Deploying Single Sign On

LDAP AUTHENTICATION

Page 14: A Technical Guide To Deploying Single Sign On

WHAT DOES IT DO?

It’s not SSO but it can be single password

No password synchronisation

Login to any HTTP services including Traveler using an LDAP password (such as AD)

Remove Domino HTTP Password entirely if you want

Works from anywhere, any device

Page 15: A Technical Guide To Deploying Single Sign On

LDAP AUTHENTICATION EXAMPLE

STEPS

1. User tries to log into iNotes using their LDAP (AD) password
2. Domino checks if the password matches the HTTP password in the Person document
3. On failure to match, Domino forwards the credentials to the LDAP server specified in Directory Assistance
4. The LDAP server verifies the credentials and passes back to Domino the unique user ID that it validated
5. Domino uses the credentials it was sent to grant the user access to the service / application

Page 16: A Technical Guide To Deploying Single Sign On

WHAT DOES IT NEED?

An LDAP server

A Directory Assistance document wherever you want to authenticate (for Traveler this would just be on the Traveler server)

MSSO

An attribute in LDAP that contains the user’s hierarchical name

Keeping the attribute in sync…(TDI will do that easily)

Page 17: A Technical Guide To Deploying Single Sign On

HOW DO I SET IT UP?

LDAP attribute containing the Notes DN

A filter on the LDAP search to restrict it
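The two settings on this slide, the restriction filter and the attribute holding the Notes DN, are easier to reason about when the LDAP search Domino performs is written out. The following is an added example, not code from the presentation or from Domino: it builds the search filter with the login name escaped per RFC 4515 (so a crafted login cannot rewrite the filter) and reads the Notes hierarchical name back from the result. The restriction filter, the attribute name `notesDistinguishedName`, the group DN and the sample entries are all assumptions constructed for illustration; use the values from your own Directory Assistance document.

```python
"""Added example, not part of the presentation: the LDAP lookup behind the
Directory Assistance settings, written out so the restriction filter and
the Notes DN attribute can be seen working.  Attribute names, the
restriction filter and the directory entries are constructed placeholders."""

# RFC 4515 escapes for characters that would otherwise change the
# structure of an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}

# Assumed example values; neither is a Domino default.
RESTRICT_FILTER = "(memberOf=cn=notes-users,ou=groups,dc=example,dc=test)"
NOTES_DN_ATTRIBUTE = "notesDistinguishedName"


def escape_filter_value(value: str) -> str:
    """Escape a login name before it goes into a filter, so a name such as
    '*)(objectClass=*' is matched literally rather than read as syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login: str, restrict: str = RESTRICT_FILTER) -> str:
    """AND the administrator's restriction filter with the login-name match.
    The restriction is what stops a valid AD password from granting access
    to users outside the intended population."""
    return f"(&{restrict}(sAMAccountName={escape_filter_value(login)}))"


def resolve_notes_name(entries: list, attribute: str = NOTES_DN_ATTRIBUTE):
    """Return the Notes hierarchical name from a search result, or None.
    Exactly one entry with exactly one value is required; an ambiguous
    result must never be turned into a login."""
    if len(entries) != 1:
        return None
    values = entries[0].get(attribute, [])
    if len(values) != 1:
        return None
    return values[0]


if __name__ == "__main__":
    print(build_search_filter("gdavis"))
    # Unescaped, this login would turn the exact name match into the
    # wildcard (sAMAccountName=*); escaped, it matches nothing.
    print(build_search_filter("*)(objectClass=*"))
    print(resolve_notes_name([{NOTES_DN_ATTRIBUTE: ["CN=Gab Davis/O=Turtle"]}]))
```

The `resolve_notes_name` rule (one entry, one value, or no login) is the code form of the "unique user ID" the LDAP server is expected to hand back in the flow on page 15.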

Page 18: A Technical Guide To Deploying Single Sign On

KERBEROS / SPNEGO / IWA

Page 19: A Technical Guide To Deploying Single Sign On

WHAT DOES IT DO?

Uses the token generated by Active Directory to authenticate Domino access

Using MSSO, Domino generates its own token for onward authentication on other platforms

Page 20: A Technical Guide To Deploying Single Sign On

SPNEGO EXAMPLE FOR DOMINO

STEPS

1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Domino website
4. Browser sends SPNEGO token to Domino along with user name
5. Domino contacts Active Directory to validate token and retrieve the user's name
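When the flow above does not work, the quickest diagnostic is to look at what the browser actually sent in step 4: a Negotiate header carrying a raw NTLM message instead of a Kerberos/SPNEGO token is the usual sign that no service ticket could be obtained (missing SPN, clock skew, wrong service account). The following is an added example, not code from the presentation or from Domino: it decodes the `Authorization: Negotiate` value just far enough to name the mechanism and, for SPNEGO, list the mechanisms the client offered. The two sample tokens are constructed in the block, not captures.

```python
"""Added example, not part of the presentation: classify the token in an
Authorization: Negotiate header as Kerberos, SPNEGO or NTLM fallback.
Sample tokens below are constructed, not captured."""

import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {KRB5_OID: "Kerberos", MS_KRB5_OID: "MS-Kerberos", NTLMSSP_OID: "NTLM"}


def der_read(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    """Decode DER OID content bytes to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_mech_types(neg_token: bytes) -> list:
    """Walk NegTokenInit ([0] SEQUENCE { [0] SEQUENCE OF OID ... }) and
    return the mechanisms the client offered, in its preference order."""
    try:
        tag, init, _ = der_read(neg_token, 0)
        if tag != 0xA0:
            return []
        tag, seq, _ = der_read(init, 0)
        if tag != 0x30:
            return []
        tag, ctx, _ = der_read(seq, 0)
        if tag != 0xA0:
            return []
        tag, mech_seq, _ = der_read(ctx, 0)
        if tag != 0x30:
            return []
        oids, pos = [], 0
        while pos < len(mech_seq):
            tag, raw, pos = der_read(mech_seq, pos)
            if tag == 0x06:
                oids.append(decode_oid(raw))
        return oids
    except IndexError:
        return []


def classify_negotiate(header: str) -> dict:
    """Classify the value of an HTTP Authorization header."""
    unknown = {"mechanism": "unknown", "offered": []}
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mechanism": "not-negotiate", "offered": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):  # raw NTLM sent under Negotiate
        return {"mechanism": "NTLM", "offered": []}
    try:
        tag, body, _ = der_read(token, 0)
        if tag != 0x60:  # GSS-API InitialContextToken
            return unknown
        tag, oid_raw, pos = der_read(body, 0)
        if tag != 0x06:
            return unknown
    except IndexError:
        return unknown
    mech = decode_oid(oid_raw)
    if mech in (KRB5_OID, MS_KRB5_OID):
        return {"mechanism": "Kerberos", "offered": [OID_NAMES[mech]]}
    if mech == SPNEGO_OID:
        offered = [OID_NAMES.get(o, o) for o in parse_mech_types(body[pos:])]
        return {"mechanism": "SPNEGO", "offered": offered}
    return unknown


def uses_kerberos(header: str) -> bool:
    """True when the client presented Kerberos directly or offered it via SPNEGO."""
    result = classify_negotiate(header)
    return result["mechanism"] == "Kerberos" or (
        result["mechanism"] == "SPNEGO"
        and any(m in ("Kerberos", "MS-Kerberos") for m in result["offered"]))


# Constructed sample tokens (short-form DER lengths are enough here).
def der(tag: int, content: bytes) -> bytes:
    return bytes([tag, len(content)]) + content


_mech_list = der(0x30, der(0x06, bytes.fromhex("2a864886f712010202"))      # Kerberos
                   + der(0x06, bytes.fromhex("2b06010401823702020a")))   # NTLM
SAMPLE_SPNEGO = base64.b64encode(
    der(0x60, der(0x06, bytes.fromhex("2b0601050502")) + der(0xA0, der(0x30, der(0xA0, _mech_list))))).decode()
SAMPLE_NTLM = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)).decode()

if __name__ == "__main__":
    print(classify_negotiate("Negotiate " + SAMPLE_SPNEGO))
    print(classify_negotiate("Negotiate " + SAMPLE_NTLM))
```

Run it over the Authorization headers from a Domino HTTP request log (or a browser's developer tools) and a client that only ever shows up as NTLM is one to chase through the clock and SPN checks on the next slides.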

Page 21: A Technical Guide To Deploying Single Sign On

WHAT DOES IT NEED?

An Active Directory domain for the user to log in to

SSO or MSSO

A Kerberos name mapped in the Domino Person document

A Windows client (3rd-party support for other OSes)

An IE browser (3rd-party support for other browsers)

Page 22: A Technical Guide To Deploying Single Sign On

HOW DO I SET IT UP?

• Ensure the clocks on the AD and Domino servers are in sync (use the same time server)

• Run Domino using a specific service account, not Local System

• Enable Active Directory in Directory Assistance

! The AD domain must match the one on the LDAP tab

Page 23: A Technical Guide To Deploying Single Sign On

HOW DO I SET IT UP?

OR, if you don't want to use Directory Assistance, then:

Set notes.ini on the Domino server:

WIDE_SEARCH_FOR_KERBEROS_NAMES=1

and manually set the Kerberos name in each Person document:

On the Administration tab of each Person document add the user's Kerberos name in the format name (case sensitive) + domain (must be in caps)

Page 24: A Technical Guide To Deploying Single Sign On

HOW DO I SET IT UP?

Create an SPN (service principal name) in Active Directory representing every Domino hostname your users will access

The SPN authorisation account should match the account running Domino

To get the setspn command, run the program "domspnego" and give the output to your AD administrator

setspn -a HTTP/[hostname] [account]

Create multiple SPNs for multiple servers or hostnames

Page 25: A Technical Guide To Deploying Single Sign On

IN SUMMARY

Enable SSO in Domino

Enable AD Directory Assistance with single sign-on for Windows (IWA - Integrated Windows Authentication)

Full Text Index Domino directory

Run domspnego to generate setspn output

Run setspn on Active Directory domain controller

Page 26: A Technical Guide To Deploying Single Sign On

SAML & NOTES

Page 27: A Technical Guide To Deploying Single Sign On

WHAT DOES IT DO?

One single authentication challenge for access to multiple systems

Including a vaulted Notes ID

Identity Provider initial authentication can use many methods from passwords, multiple passwords, custom forms, smart cards and more

Supports multiple client and server operating systems

No passwords to compromise or intercept

Page 28: A Technical Guide To Deploying Single Sign On

SAML EXAMPLE

STEPS

1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
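Step 5 is where the Service Provider decides whether the assertion is for it and is still current. The following is an added example, not code from the presentation or from Domino's SAML implementation: it applies the checks a Service Provider makes on the assertion after the IdP's signature has been verified (signature verification itself is the SP library's job and is left out here): response status, NotBefore/NotOnOrAfter with an optional clock-skew allowance, audience, and the NameID that will be mapped to a Domino user. The response, hostnames, times and the SP identifier are constructed placeholders.

```python
"""Added example, not part of the presentation: Service Provider side
checks on a SAML 2.0 response.  The sample response and all names,
URLs and timestamps in it are constructed placeholders."""

from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://domino.example.test/"  # assumed SP identifier

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-05-12T09:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-05-12T09:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">gdavis@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-05-12T09:00:00Z" NotOnOrAfter="2015-05-12T09:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://domino.example.test/</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed clock for the sample; real code uses the server's UTC time.
SAMPLE_NOW = datetime(2015, 5, 12, 9, 2, tzinfo=timezone.utc)


def minutes_from_sample(minutes: int) -> datetime:
    return SAMPLE_NOW + timedelta(minutes=minutes)


def saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised SAML timestamp: {value}")


def validate_response(xml_text: str, expected_audience: str, now: datetime,
                      skew_seconds: int = 0):
    """Return (name_id, problems).  name_id is the value to map to a Domino
    user; the assertion may be accepted only when problems is empty."""
    problems = []
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None, problems + ["no assertion in response"]
    skew = timedelta(seconds=skew_seconds)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < saml_time(nb):
            problems.append(f"assertion not yet valid (NotBefore {nb})")
        if noa and now - skew >= saml_time(noa):
            problems.append(f"assertion expired (NotOnOrAfter {noa})")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append(f"audience {audiences} does not include {expected_audience}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("no NameID to map to a Domino user")
    return name_id, problems


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, SAMPLE_NOW))
    print(validate_response(SAMPLE_RESPONSE, SP_ENTITY_ID, minutes_from_sample(10)))
```

The five-minute validity window in the sample is why the clock-sync advice from the SPNEGO section applies here too: an SP whose clock is ten minutes fast rejects every assertion as expired.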

Page 29: A Technical Guide To Deploying Single Sign On

DEFINITIONS

IdP - Identity Provider (SSO)

ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)

SAML 2.0 only

can be combined with SPNEGO

Enhances Integrated Windows Authentication (IWA)

TFIM (Tivoli Federated Identity Manager)

SAML 1.1 and 2.0

Page 30: A Technical Guide To Deploying Single Sign On

DEFINITIONS

SP - Service Provider

IBM Domino (web federated login)

IBM WebSphere

IBM Notes (requires ID Vault) (notes federated login)

Page 31: A Technical Guide To Deploying Single Sign On

MORE DEFINITIONS

IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML-based assertions

Assertions have three roles

Authentication

Authorisation

Retrieving Attributes

Page 32: A Technical Guide To Deploying Single Sign On

WHAT DOES IT NEED?

An Identity Provider - currently IBM supports ADFS and TFIM

Other IdPs may work but aren't officially supported, so check with IBM first

ID Vault configured for federated logins

A partnership between the ID Vault server and the Identity Provider

An SSL certificate generated by a well known authority

Page 33: A Technical Guide To Deploying Single Sign On

WHAT DOES IT NEED?

An attribute in your Identity Provider that matches a unique user identity in Domino

An IdP Catalog in Domino (idpcat.nsf)

At least one IdP configuration document to be used by your Domino server(s)

A security policy that can be applied to your federating users

Page 34: A Technical Guide To Deploying Single Sign On

WHERE DO WE START?

You’ll need to install ADFS 2.0 if using Active Directory

You'll need to have an IIS server with an SSL certificate

You’ll need an ID Vault

You’ll need a security policy in Domino

You’ll need an idpcat database based on the template idpcat.ntf

Page 35: A Technical Guide To Deploying Single Sign On

SIMPLE, RIGHT?

…… YOU'LL NEED TIME AND PATIENCE

Page 36: A Technical Guide To Deploying Single Sign On

FROM ADFS TO DOMINO

Browse to https://<adfshostname>/FederationMetadata/2007-06/FederationMetadata.xml and save the file
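Before the file goes into Domino it is worth knowing what the import will take from it: the IdP's entityID, its single sign-on endpoints and the certificate Domino will use to verify ADFS signatures. The following is an added example, not code from the presentation or from Domino: it reads those values from a cut-down, constructed stand-in for FederationMetadata.xml, flags the things that should stop an import (no signing certificate, non-HTTPS endpoint), and computes the certificate fingerprint so it can be compared with what the ADFS console shows. The hostnames and the certificate body are placeholders, not a real ADFS export.

```python
"""Added example, not part of the presentation: extract and sanity-check
the values Domino's IdP configuration needs from ADFS federation
metadata.  The metadata below is constructed; hostnames and the
certificate body are placeholders."""

import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Not a certificate: a labelled placeholder so the parsing can be shown.
PLACEHOLDER_CERT = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull entityID, SSO endpoints and signing certificates from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))  # drop line wrapping
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "sso_endpoints": endpoints,
            "signing_certs": certs}


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, colon separated, as certificate consoles show it."""
    digest = hashlib.sha256(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_idp_metadata(info: dict) -> list:
    """Return the reasons this metadata should not be imported, if any."""
    problems = []
    if not info["entity_id"]:
        problems.append("entityID missing")
    if not info["signing_certs"]:
        problems.append("no signing certificate: assertions could not be verified")
    if REDIRECT not in info["sso_endpoints"] and POST not in info["sso_endpoints"]:
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in info["sso_endpoints"].items():
        if not location.lower().startswith("https://"):
            problems.append(f"{binding} endpoint is not HTTPS: {location}")
    return problems


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print(info["entity_id"], info["sso_endpoints"])
    print("signing cert SHA-256:", cert_fingerprint(info["signing_certs"][0]))
    print("problems:", check_idp_metadata(info))
```

The fingerprint is the value to compare against the token-signing certificate shown in the ADFS console; a mismatch means the saved metadata is not from the IdP you think it is, which is exactly the "Domino has to recognise the certificate used by ADFS" point made later in the deck.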

Page 37: A Technical Guide To Deploying Single Sign On

DOMINO IDP CONFIGURATION

Create the configuration document in your idpcat.nsf database

Import the XML file you just saved from ADFS

Page 38: A Technical Guide To Deploying Single Sign On

ENABLE CLIENT SETTINGS

The FederationMetadata.xml is attached from your previous step

Page 39: A Technical Guide To Deploying Single Sign On

DOMINO TO ADFS

Creating a certificate to give to ADFS containing information about your Domino server

Multiple servers / URLs mean multiple documents

Page 40: A Technical Guide To Deploying Single Sign On

DOMINO TO ADFS CERTIFICATE

When the “create certificate” button is clicked a new certificate is saved in the document and an idp.xml file for ADFS created

Page 41: A Technical Guide To Deploying Single Sign On

ADFS TRUSTING DOMINO

ADFS needs to know about each Domino server / URL and you use the idp.xml for that

Page 42: A Technical Guide To Deploying Single Sign On

ADD RELYING PARTY TRUST

Page 43: A Technical Guide To Deploying Single Sign On
Page 44: A Technical Guide To Deploying Single Sign On

BROWSE TO THE IDP.XML

Page 45: A Technical Guide To Deploying Single Sign On
Page 46: A Technical Guide To Deploying Single Sign On
Page 47: A Technical Guide To Deploying Single Sign On

ADDING RELYING PARTY

Page 48: A Technical Guide To Deploying Single Sign On

MAPPING ADFS NAMES TO DOMINO

Page 49: A Technical Guide To Deploying Single Sign On

MAPPING MUST BE UNIQUE

Page 50: A Technical Guide To Deploying Single Sign On

DOMINO SECURITY POLICY

Enable Federated Login under Password Management

Page 51: A Technical Guide To Deploying Single Sign On

CONFIGURE THE ID VAULT

Page 52: A Technical Guide To Deploying Single Sign On

MORE…

The browser has to recognise the certificate being used by ADFS

ADFS has to recognise the certificate used by Domino

Domino has to recognise the certificate used by ADFS

Basically everything needs to talk to each other and be happy there's no man-in-the-middle intrusion

Page 53: A Technical Guide To Deploying Single Sign On

SUMMARY

If you're not using SPNEGO then you should; it's very simple to set up

SAML is where single sign on needs to be

There are plenty of 3rd party tools and services that will help with any “uniqueness” in your environment (want SPNEGO but have Linux or Mac machines for instance)

Don’t just think about Domino and its services, think about everything your business uses and will be using

IBM is slow to support new Identity Providers and to support SAML in their products (Connections, Sametime etc) so if in doubt, start with a PMR

Page 54: A Technical Guide To Deploying Single Sign On

HOW TO FIND ME

Twitter, blogs, Instagram, Facebook and more

[email protected] GabriellaDavis (skype) http://turtleblog.info

gabturtle on twitter and elsewhere
