Open Mic "Notes Federated Login"

Date post: 16-Apr-2017
Upload: ranjit-rai
IBM Collaboration Solutions Open Mic Date: 11-09-2015 IBM Notes Federated Login
Transcript
Page 1: Open Mic "Notes Federated Login"

IBM Collaboration Solutions

Open Mic

Date: 11-09-2015

IBM Notes Federated Login

Page 2: Open Mic "Notes Federated Login"

IBM Corporation ©2015

Open Mic Team

Niraj V Jani - IBM ICS Support engineer Presenter

Javed F Batliwala - IBM ICS Support engineer Presenter

Ranjit Rai - IBM ICS SWAT Focusing on entire Notes/Domino

Jayavel Rajendran - IBM ICS SWAT Focusing on entire Notes/Domino

Hansraj Mali - IBM ICS SWAT Focusing on Notes/Domino

Narendra Nesarikar – IBM ICS Support Facilitator for Open Mics

Page 3: Open Mic "Notes Federated Login"

Agenda

IBM Notes Federated Login introduction

Different Components
• Federation Identity Provider
• Windows Domain Environment
• IdP Catalog (IdPCat.nsf)
• Notes Client User Environment with Domino Home Mail Server
• ID Vault

Deployment Requirements

Implementation

General Troubleshooting

References

Q/A

Page 4: Open Mic "Notes Federated Login"


IBM Notes Federated Login Introduction

Provides a single sign-on experience when starting up the Notes client or iNotes

SSO between Notes, iNotes and the Windows domain environment, and many other supported/compatible Identity Providers.

Eliminates regular Notes or iNotes password prompt.

Reduces the administrative cost for maintaining multiple directories.

Uses cryptographic mechanisms instead of passwords to improve security and minimize cost

Reduces user data redundancy

The SAML IdP takes responsibility to authenticate the Notes user.

Users' IDs must be stored in an ID vault

Notes client users' ID file contents are stored in memory on the client after being downloaded from the ID vault.

You can enable Notes shared Login for offline usage as an alternate login capability.

Works well with Notes client running on Citrix Environment.

Page 5: Open Mic "Notes Federated Login"

Different Components

Federation Identity Provider

Currently supported with IBM Notes/Domino 9.0.x:
• Microsoft® ADFS 2.0 integrated with Active Directory
• IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)

Series of Action
• NFL uses Security Assertion Markup Language (SAML) authentication.
• The Notes embedded browser contacts the SAML identity provider (IdP) for authentication.
• The IdP is configured to use transparent Kerberos-based authentication to avoid a password prompt.
• The SAML IdP creates a SAML assertion for the authenticated user. The SAML assertion contains the user's email address.
• The Notes embedded browser retrieves the SAML assertion.
• The Notes client passes the assertion to the Notes ID vault.
• The Notes ID vault cryptographically verifies the user's SAML assertion.
• If valid, the vault server finds the user's unlocked ID file in the vault and downloads the ID for use by Notes.
• The user can now use the Notes client.
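As an added example that is not part of the IBM deck, the checks a SAML consumer such as the ID vault makes on an assertion before it trusts the email address inside it and looks up the user's ID file. The trusted-IdP catalog (standing in for IdPCat.nsf), the Domino audience URL, the certificate bytes and the sample assertion are all constructed placeholders, and verification of the XML signature itself is assumed to be done by a dedicated XML-DSig library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for an IdPCat.nsf entry: the IdP entityID mapped to the SHA-256
# fingerprint of the signing certificate imported from its FederationMetadata.xml.
FAKE_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT"        # placeholder bytes, not a real certificate
TRUSTED_IDPS = {"http://adfs.example.test/adfs/services/trust":
                hashlib.sha256(FAKE_CERT_DER).hexdigest()}
SP_AUDIENCE = "https://domino.example.test"            # placeholder Domino server URL

def _ts(value):
    # SAML timestamps are UTC with a trailing Z, which fromisoformat() rejects before 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, now_iso, catalog=TRUSTED_IDPS, audience=SP_AUDIENCE):
    # Vault-side checks from the 'Series of Action'; returns (ok, reason_or_email)
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in catalog:
        return False, "issuer not in trusted IdP catalog"
    cert_b64 = a.findtext(".//ds:X509Certificate", default="", namespaces=NS)
    if hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() != catalog[issuer]:
        return False, "signing certificate does not match catalog entry"
    # Assumed: the XML-DSig signature over the assertion is verified here, with that pinned certificate, by a library
    cond = a.find("saml:Conditions", NS)
    now = _ts(now_iso)
    if cond is None or not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    if audience not in [e.text.strip() for e in cond.findall(".//saml:Audience", NS)]:
        return False, "assertion not addressed to this Domino server"
    email = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if "@" not in email:
        return False, "no email address in NameID"
    return True, email   # the vault now looks up this user's ID file

# Constructed sample assertion, shaped like what the embedded browser hands to the client.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_1" Version="2.0" IssueInstant="2015-09-11T10:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-09-11T10:00:00Z" NotOnOrAfter="2015-09-11T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```

Calling validate_assertion(SAMPLE_ASSERTION, "2015-09-11T10:02:00Z") accepts the sample; the same assertion a few minutes later, from an issuer missing from the catalog, or addressed to another server is rejected with the matching reason.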

Page 6: Open Mic "Notes Federated Login"

Contd...

Windows Domain Environment
• Requires Active Directory configuration.
• Active Directory Federation Service 2.0 (ADFS) is used as Identity Provider.
• Client computer where the user is logging into Windows and running the browser or Notes client.
• ADFS does the job of user authentication via Kerberos authentication.

Page 7: Open Mic "Notes Federated Login"

Contd...

IdP Catalog (IdPCat.nsf)
• A database needs to be created on the Domino server hosting the ID Vault.
• Use the idpcat.ntf template; the database name must be IdPCat.nsf. If using Unix, the filename must be all lower case.
• Special database that contains trusted identity providers and their certificates.
• An IdP config document is created and the IdP configuration is imported. The admin creating the document must be listed in the following fields on the server document: Full Access Administrators; Administrators; Sign or run unrestricted methods and operations.
• Imports the FederationMetadata.xml file exported from ADFS. This builds trust.
• The idpcat.nsf must not be enabled for document locking.
• Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly sensitive information is not in the directory.

Page 8: Open Mic "Notes Federated Login"

Contd...

Notes Client Environment with Domino Home Mail Server
• Notes Client Standard 9.0/9.0.x needs to be installed.
• Domino Server 9.0/9.0.x needs to be installed and should have HTTP enabled.
• SSL needs to be enabled on the Domino server. If the ID vault server is separate, it does not need to have SSL enabled.
• ID Vault should be hosted on a Domino server.
• Security Policy for ID Vault should be configured and applied to Notes users.
• Session Authentication should be set to SAML 2.0 under the Server document.
• An exported copy of the SSL internet certificate from the Federation Identity provider (TFIM/ADFS 2.0) must be imported into the Domino Directory and cross certified to create an internet cross certificate.

Roaming users
• You need an administrative deploy.nsf to install certificates for new or roaming users.
• Roaming must be enabled and working fine before enabling NFL.
• Deploy.nsf provides the required certificate whenever required in order to download the ID file from the ID Vault.

Page 9: Open Mic "Notes Federated Login"

Contd...

ID Vault
• Standard ID Vault configuration should be done on the Domino server.
• A proper security policy should be created for the ID Vault and pushed to the users.
• All user IDs must be harvested to the ID Vault database.
• Identity Provider Configuration information should be updated under ID Vault.

Page 10: Open Mic "Notes Federated Login"

Deployment Requirements
• IBM Notes Client 9.x onwards
• IBM Domino Server 9.x onwards
• Microsoft Windows Active Directory Domain configuration
• Active Directory Federation Services 2.0 (ADFS 2.0) configuration
• IBM Notes Client machine as a part of the Windows Domain environment

Page 11: Open Mic "Notes Federated Login"

Implementation – ADFS 2.0 Configuration
• Run the ADFS console by selecting Start -> Administrative Tools -> AD FS 2.0 Management.
• Navigate to the Relying Party Trusts folder.
• From the menu, select Action > Add Relying Party Trust.

Pages 12-24: Open Mic "Notes Federated Login"

Contd...

Page 25: Open Mic "Notes Federated Login"

Contd...

Right-click the new Relying Party Trust, and select Properties

Page 26: Open Mic "Notes Federated Login"


Contd...

Particularly if you have used a Domino metadata import file, check the Endpoints tab. The Domino server uses the POST Binding, which should appear in the list of SAML Assertion Consumer Endpoints. Domino server does not use an Artifact Binding, so if it exists in the list, you can remove it.

Page 27: Open Mic "Notes Federated Login"

Contd...

Use the URL to download FederationMetadata from the ADFS server (https://ADFSservername/FederationMetaData/2007-06/FederationMetaData.xml).

Page 28: Open Mic "Notes Federated Login"


Implementation – Importing SSL Internet Certificate in Domino Directory

Pages 29-30: Open Mic "Notes Federated Login"

Contd...

Page 31: Open Mic "Notes Federated Login"


Implementation – Creating cross certificate in Domino Directory

Pages 32-33: Open Mic "Notes Federated Login"

Contd...

Page 34: Open Mic "Notes Federated Login"


Implementation – Importing FederationMetadata.xml in IdPCat.nsf

Page 35: Open Mic "Notes Federated Login"

Implementation – Creating Certificate in IdPCat.nsf

Go to the server notes.ini and add the lines below:

SAMLAuthVersion=2
SAMLUrl=https://instructor.test.com
SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw==
SAMLCompanyName=TEST SAML

Restart the Domino server.

Page 36: Open Mic "Notes Federated Login"

Contd...

Use the Export command to export your key from server.id:

certmgmt export saml xml idp.xml

Note: do not import this file into the IdP document with the Import button, or it will corrupt your federation key file. You can keep the file in your server data directory.

Page 37: Open Mic "Notes Federated Login"

Implementation – ID Vault and IdP Configuration in ID Vault

Page 38: Open Mic "Notes Federated Login"

Implementation – Security Policy for ID Vault and NFL

Page 39: Open Mic "Notes Federated Login"

Implementation – Verifying that NFL is enabled for the client

Page 40: Open Mic "Notes Federated Login"

General Troubleshooting

Before turning on SAML authentication:
• Make sure the Web server is functioning properly for session authentication.
• Make sure SSL is deployed properly (if required).

You can use Fiddler or Firebug for a network trace.

• Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino.
• Is the user properly prompted by the IdP (if a password prompt is required)?
• If Integrated Windows Authentication (SPNEGO/Kerberos) is used, use klist to see the Kerberos ticket for the user to the SAML IdP.
• Check the HTTP POST with the SAML assertion.

If you face errors creating the SAML certificate under the IdP Configuration document in the IdPCat.nsf database, check the following first:
• Certificate creation and metadata export use an agent in idpcat. Refer to the hidden field named "NotesError" in the IdP config document, as it is helpful for diagnosis.
• Error "You are not authorized to perform that function": check permissions in the Server document Security tab.
• Error "Cannot accept internet certificate because the certificate is already in the ID file": use a different certifier name.

Page 41: Open Mic "Notes Federated Login"

Contd...

Debug Parameters

Client side debugs
DEBUG_CONSOLE=1 ==> To verify if NFL is enabled.
DEBUG_CLOCK=32 ==> To verify if NFL is enabled.
DEBUG_OUTFILE=c:\temp\debugout.txt ==> To verify if NFL is enabled.
DEBUGGINGWCTENABLED=4294967295 ==> To verify if NFL is enabled.
CONSOLE_LOG_ENABLED=1 ==> To verify if NFL is enabled.
DEBUG_DYNCONFIG=1 ==> To verify if NFL is enabled.
DEBUG_TRUST_MGMT=1 ==> To verify if NFL is enabled.
DEBUG_IDV_TRACE=1 ==> To diagnose ID Vault operations.
SECURE_LOG=2 ==> To diagnose ID Vault operations.
DEBUG_BSAFE_IDFILE_LOCKED=8 ==> To diagnose ID Vault operations.
DEBUG_ROAMING=4 ==> For roaming users.
STX9=2 ==> To verify if NFL is enabled.

Server side debugs
DEBUG_SAML=31 ==> To troubleshoot SAML errors at server level.
DEBUG_OUTFILE=c:\temp\debugserver.txt
DEBUG_MMFILE=1 ==> To verify any problems with the in-memory ID file.

Page 42: Open Mic "Notes Federated Login"

Contd...

Sample output of DEBUG_SAML=31

Limitations:
• No support with Traveler devices
• Cannot work with Notes Single Login service
• Current support with 2 IdPs (ADFS and TFIM)

Page 43: Open Mic "Notes Federated Login"

References

Notes Federated Login: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes_Federated_Login

Cookbooks: http://www-01.ibm.com/support/docview.wss?uid=swg21614543

Page 44: Open Mic "Notes Federated Login"


Questions?

Press *1 on your telephone to ask a question.

Visit our Support Technical Exchange page or our Facebook page for details on future events.

To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2

IBM Collaboration Solutions Support page: http://www.facebook.com/IBMLotusSupport

IBM Collaboration Solutions Support: http://twitter.com/IBM_ICSSupport

