IBM Domino WEB Federated Login

Transcription

1 IBM Domino WEB Federated Login Open Mic Date: IBM Collaboration Solutions

2 Open Mic Team Irfan Jaffery - IBM ICS Support engineer Presenter Deepankar Panda - IBM ICS Support engineer Presenter Ranjit Rai - IBM ICS SWAT Focusing on entire Notes/Domino Jayavel Rajendran - IBM ICS SWAT Focusing on entire Notes/Domino Hansraj Mali - IBM ICS SWAT Focusing on Notes/Domino Narendra Nesarikar IBM ICS Support Facilitator for Open Mics 2

3 Agenda IBM Web Federated Login introduction Different Components A web browser client for all inotes users Federation Identity Provider Windows Domain Environment IdP Catalog (IdPCat.nsf) Domino Web Server running inotes functioning as the Home Mail Server for INotes client users server ID Vault Deployment Requirements Implementation General Troubleshooting References Q/A 3

4 IBM Web Federated Login Introduction Provides a single sign-on experience when starting up the Notes client or inotes SSO between Notes, inotes and windows domain environment and many other supported/compatible Identity Providers. Eliminates regular inotes password prompt. Reduces the administrative cost for maintaining multiple directories. Uses cryptographic mechanisms instead of passwords to improve security and minimize cost The SAML IdP takes responsibility to authenticate the Notes user. Users' IDs must be stored in an ID vault 4

5 Different Components Federation Identity Provider Currently Supported with IBM Notes/Domino 9.0.x Microsoft ADFS 2.0 integrated with Active Directory IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager). Domino web server authentication process using SAML 5

6 6

7 Windows Domain Environment Requires Active Directory Configuration Active Directory Federation Service 2.0 (ADFS) is used as Identity Provider Client computer where the user is logging into Windows and running the browser ADFS does the job of user authentication via Kerberos Authentication 7

8 IdP Catalog (IdPCat.nsf) A Database needs to be created on Domino Server hosting ID Vault Use idpcat.ntf template and database name must be IdPCat.nsf If using unix the filename must be all lower case Special database that contains trusted identity providers and their certificates. An IdP config document is created and IdP configuration is imported The Admin creating the document must be listed in the following fields on the server Full Access Administrators Administrators Sign or run unrestricted methods and operations Imports FederationMetadata.xml file exported from ADFS. This builds trust. The idpcat.nsf must not be enabled for document locking. Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly sensitive information is not in the directory. 8

9 inotes User Environment with Domino Home mail server Web Browser Domino Server 9.0/9.0.x Needs to be installed and should have HTTP enabled SSL needs to be enabled on Domino Server If the ID vault server is separate, it does not need to have SSL enabled ID Vault should be hosted on Domino server Security Policy for ID Vault should be configured and applied to inotes users Session Authentication should be set to SAML 2.0 under Server document Exported copy of an SSL internet certificate from Federation Identity ( TIFM/ADFS 2.0 ) must be imported in Domino Directory and should be cross certified to create an internet cross certificate. 9

10 ID Vault Standard ID Vault configuration should be done on Domino Server Proper security policy should be created for ID Vault and should be pushed to the users All user Ids must be harvested to the ID Vault Database Identity Provider Configuration information should be updated under ID Vault 10

11 Deployment Requirements IBM Domino Server 9.x onwards Confirm your inotes user has been added to the vault and can access their ID for encrypting/decrypting mails Microsoft Windows Active Directory Domain Configuration Active Directory Federation Services 2.0 ( ADFS 2.0 ) Configuration If using ADFS or implementing SSL with TFIM then confirm that you can access your server through HTTPs Client machine should be part of Windows Domain environment 11

12 Implementation ADFS 2.0 Configuration Run the ADFS console by selecting Start->Administrative Tools-> AD FS 2.0 Management Navigate to the Relying Party Trusts folder From the menu, select Action > Add Relying Party Trust Note: We have to follow the below step twice. We need to have 2 Relying Partry Trusts inotes configuration on the IdP ID Vault configuration on the IdP 12

13 13

14 14

15 15

16 16

17 17

18 18

19 19

20 20

21 21

22 22

23 23

24 24

25 25

26 Right-click the new Relying Party Trust, and select Properties 26

27 Particularly if you have used a Domino metadata import file, check the Endpoints tab. The Domino server uses the POST Binding, which should appear in the list of SAML Assertion Consumer Endpoints. Domino server does not use an Artifact Binding, so if it exists in the list, you can remove it. 27

28 This is property window for ID Vault Configuration on the IDP. 28

29 Use the URL to download FederationMetaData from ADFS server ( 29

30 Implementation Importing SSL Internet Certificate in Domino Directory 30

31 31

32 32

33 Implementation Creating cross certificate in Domino Directory 33

34 34

35 35

36 Creating a configuration document in the idpcat.nsf database contd... The IdP Catalog application (idpcat.nsf) must exist on the Domino server that hosts the ID vault whether or not that is the same computer that runs inotes. You will always have two IdP config documents for any inotes server supporting WebFederated Login. One IdP config document is for the inotes server with SAML authentication, and this document must reside in the IdP Catalog application on the inotes server. The second IdP config document is for the inotes server interface with the ID vault, and this document must reside in the IdP Catalog application on the ID vault server. The documents are similar, but differ in a few important fields. 36

37 Implementation Importing FederationMetadata.xml in IdPCat.nsf inotes Server with SAML Authentication 37

38 Implementation Creating Certificate in IdPCat.nsf Go to server notes.ini and add below lines SAMLAuthVersion=2 SAMLUrl= SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw== SAMLCompanyName=TEST SAML Restart Domino server 38

39 Implementation Importing FederationMetadata.xml in IdPCat.nsf inotes Server Inteface with the ID Vault 39

40 40

41 Implementation ID Vault and IdP Configuration in ID Vault 41

42 42

43 43

44 Integrated Windows Authentication (IWA) IWA is not necessary for SAML configuration Stops an inotes user from being prompted for a password once they log on to their machine The following need to be in the same Windows Active Directory domain ADFS server Client computer where the user is logging into Windows and running the browser or Notes client The record for the user who is being authenticated via IWA Step 1: Create the ADFS Kerberos identity The Windows administrator logged into the Windows domain creates the ADFS Kerberos identity. This identity must be mapped to the Active Directory user that represents the ADFS HTTP server instance. setspn -a HTTP/instructor.test.com instructor$ setspn -a HTTP/Instructor instructor$ setspn -L Instructor$ 44

45 Step 2: Set up the browser for the Windows client inotes user Under Internet Options Local Intranet Sites add your ADFS URL 45

46 General Troubleshooting Before turning on SAML authentication: Make sure the Web server is functioning properly for session authentication Make sure SSL is deployed properly You can use fiddler or firebug for network trace. Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino. Is the user properly prompted by the IdP (if password prompt required)? If Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see Kerberos ticket for the user to the SAML IdP. Check the HTTP post with SAML assertion. If you face errors creating SAML certificate under IdP Configuration document in IdPCat.nsf database, you can check below things first Certificate creation and metadata export use an agent in idpcat. Refer hidden field named "NotesError" in IdP config document as it is helpful to diagnose error "You are not authorized to perform that function" Check permissions in server document security tab. "Cannot accept internet certificate because the certificate is already in the ID file Use a different certifier name. 46

47 Sample output of DEBUG_SAML=31 Limitations: No support with Traveler devices Cannot work with Notes Single Login service Current support with 2 IDPs (ADFS and TIFM) 47

48 References Web Federated Login: ated_login_for_inotes_using_saml_t.dita 48

49 Questions? Visit our Support Technical Exchange page or our Facebook page for details on future events. To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: IBM Collaboration Solutions Support page IBM Collaboration Solutions Support