The ID Vault Feature Across IBM Products


August 5, 2015
Presenters: Amy Knox, Paco Pascua, Patrick Legaspi, Prince Mendoza, Paul Johnson, Quervin Lloyd Buco, Russell Norberg
Powered by IBM SmartCloud Meetings

Who We Are...

Overall Agenda
- Introduction and Overture (Amy Knox)
- ID Vault and the Domino Server (Paco Pascua and Patrick Legaspi): 7 Common Scenarios, Tips
- ID Vault and iNotes (Paul Johnson): Configuration, Federated Login
- ID Vault and Traveler (Quervin Lloyd Buco): Usage, Configuration and Troubleshooting
- ID Vault and the Notes Client (Prince Mendoza): Background, Notes Shared Login, Notes Federated Login
- ID Vault in the IBM SmartCloud Notes Environment (Russell Norberg): Usage, Configuration and Troubleshooting
- Additional Resource links (all products)
- Additional Slides on ID Vault and Federated Login
- Q&A

Introduction and Overture
We live in an integrated world. ID vault is a great security tool leveraged by multiple IBM products:
- Notes/Domino
- iNotes and Traveler
- IBM SmartCloud Notes
ID Vault provides this functionality:
- Secure, server-based repository for user ID files
- Simplified provisioning of ID files
- Automatic synchronization of a user's ID file across the environment
- Simple-to-use tool for resetting passwords
- Easy administration of the users' vault settings, via a Domino security policy
- Automatic decryption of encrypted mail in web-based mail databases

Introduction and Overture
Our goal is to:
- Look at the ID Vault feature implementation within these products, from different perspectives
- See how it fits together
- Start the conversation about integration of products and features
Our expectation is NOT to cover all aspects of ID vault, interoperability, and integration, within the next 45 minutes!
- We hope to cover all we can
- We hope to introduce you to some new content
- We hope to provide you with some troubleshooting techniques and tips
- We hope to provide you with some must-gather info, when opening support tickets
Please use the Web chat for:
- Asking questions to our panel of experts, during the presentation
- OR informing us of a specific topic you might like to see us expand on in a future Open Mic

Introduction and Overture
Resources for background and configuration of the ID Vault:
- IBM Admin Help: Creating an ID vault
- Open Mic (2012): Notes/Domino ID Vault
- Lotus Domino Security: NSL, Web SSO, Notes ID vault
- Open Mic (2011): Lotus Notes ID Vault
- ID Vault Overview and Best Practices
- ID Vault Interoperability
- Open Mic Webcast: Intro to Notes Federated Login (SAML)
- Open Mic Webcast: Configuring an IBM Domino Web server to use SAML-based single sign-on
- Open Mic Webcast: Web Federated Login (SAML) with iNotes & Integrated Windows Authentication
- IBM Domino Wiki: ID Vault Resources

ID Vault and the Domino Server
Paco Pascua and Patrick Legaspi, Software Engineers - IBM Domino Server

Agenda: ID Vault and the Domino Server
- 7 Common Scenarios a Domino Administrator can experience with the ID vault
- A Few Tips

Common Scenarios a Domino Administrator can experience with the ID vault
Scenario 1: Admin created a vault replica on the secondary server using the File > Replication > New Replica method. Admin can extract IDs and reset passwords on the primary vault server; however, on the secondary server, admin gets the error "Note item not found".
Resulting behavior: Unable to extract an ID from the secondary server
Explanation/solution: When creating a replica of the ID vault, the admin must use the Manage Vault replica tool to add a vault replica server

Scenario 2: Admin is using an 8.5 Administrator client to manage an ID vault on a 9.x server, but the Manage button is grayed out
Resulting behavior: Unable to manage the ID vault
Explanation/solution: An ID vault hosted on 9.x servers can only be managed from a Domino Administrator client version 9.x
http://www-01.ibm.com/support/docview.wss?uid=swg21642144

Scenario 3: User can't request a new set of keys via the File > Security > User Security option
Resulting behavior: Unable to roll over user keys
Explanation/solution: Users whose IDs are uploaded to the vault cannot initiate a key rollover. ID vault is designed to lessen user intervention during the key rollover process. The keys of users whose IDs are uploaded to the vault can only be rolled over via a (Security) policy

Scenario 4: The Domino vault admin wants to allow additional administrators the ability to manage the ID vault. The names of the persons the admin wants to add are not available in the list of potential vault administrators
Resulting behavior: Unable to add new administrators to the vault
Explanation/solution: Users should be in the LocalDomainAdmins group in order for them to be added as a vault administrator

Scenario 5: Admin is trying to add a vault replica server but is not able to look up the name of the server
Resulting behavior: Server is not on the list of available servers.
Explanation/solution: Do a refresh server list action via the Domino Administrator client: Administration menu > Refresh Server List > All Domains

Scenario 6: Admin removed a server from the vault replica server list. After removing the server via the Manage tool, the ID vault database still appears on the Files tab of the server.
Resulting behavior: A replica of the ID vault database is still present on the old vault replica server
Explanation: Manage ID Vault only removes the server from the vault replica server list. It does not delete the ID vault database itself

Scenario 7: Admin is trying to set up an ID vault. When running the command 'show idvault', an error is returned that no policy settings use <vault name>
Resulting behavior: Unable to implement the ID vault
Explanation/solution: A "/" is required when specifying the name of the vault on the Security Settings document. Check the Security Settings ID Vault tab, and ensure the vault name has a / preceding it

A Few Tips: ID Vault and the Domino Server
- If you make manual changes to the Domino server's vault db, run updall -R on it. Examples of manual changes:
  - Deleting a user doc manually
  - Re-activating a user (changing from inactive to active)
- Did you know there is a hidden view ($IDVaults) in the Domino Directory? It shows the Vault Name, Administration Server, and Vault Server List.
- If a user's ID is not in the ID vault:
  - Check that the user is using Lotus Notes 8.5 or higher (Help menu > About IBM Lotus Notes)
  - Look through the client and server log.nsf "Security Events" view for errors or potential clues
  - Check that the user has been assigned to an ID vault by a policy:
    - Run "Policy Synopsis"
    - Check that the user has authenticated with his/her home server, downloading the updated policy
    - Review the user's local names.nsf, ($Policies) view, for the effective policy of the user
  - Check that the vault trust certificates have been created and exist in the directory: in the Domino Administrator client, "People & Groups" tab --> "Certificates"
  - Check that a vault trust certificate has been issued by the user's certifier, or an ancestor of it, to the vault.

A Few Tips: ID Vault and the Domino Server
Server-side debug parameters for ID Vault: set these ID vault notes.ini variables to capture additional information. The info is logged to the server's console.log.
Domino server:
  DEBUG_IDV_CONNECT=1
  DEBUG_IDV_TRUSTCERT=1
  DEBUG_IDV_UPDATE=1

ID Vault and iNotes
Paul Johnson, Staff Software Engineer - IBM WebCore

Agenda: ID Vault and iNotes
- Configuring ID Vault and iNotes

Configuring ID Vault and iNotes
Usage: ID Vault provides iNotes users with seamless access to their Notes ID, allowing them to sign and encrypt mail. If ID Vault is not in use, the ID must be imported into the mail file or added to the mail file when the user is first registered.

Steps to enable/use:
1) Enable encryption in iNotes through the Domino server configuration
2) Set a security policy enabling ID Vault with iNotes
3) If users do not already have the Notes ID in the mail file, ID Vault automatically adds it to the mail file
Nothing has to be done by end users to get ID Vault enabled for iNotes!

The IBM iNotes tab on the Server Configuration document has settings to enable the use of Notes IDs for encryption, plus other options related to IDs and passwords. To use the Notes ID in iNotes, Encrypted mail support must be enabled.

When Encrypted mail support is enabled, options for the Notes ID are available on the Domino server (mail) configuration document, iNotes tab:

Enabling the ability for users of the server to change the Internet password is also set on the Domino Server Configuration document, iNotes tab.

ID Vault can be used with iNotes when a security policy is set for the user that enables Notes-based programs to use the Notes ID Vault.

ID-specific security settings are found on the Password Management tab of the Security Settings document.

Via the Security Settings/policy, users can be granted the authority to change the Internet password. If enabled, ensure that the server also allows this in its Server Configuration document, iNotes tab.

The Internet password can be kept synchronized with the Notes password. NOTE: Synchronization is one-directional. Notes password changes result in the Internet password changing, but not vice versa.

When Update Internet Password is set and a change is detected to the Notes ID password, the AdminP request "Change HTTP Password in Domino Directory" is created. This changes the contents of the HTTP Password field on the Person document. The request is processed by the Administration server and is immediate, usually within less than a minute. Replication then updates the other servers.

When ID vault is enabled for an iNotes user, the iNotes Preferences Security tab provides options for working with the Notes ID.

The Notes ID Info button displays details of the Notes ID, including information on password expiration and the ID vault in use.

If ID Vault is enabled by policy when a user is registered, the user's ID is added automatically to the ID vault.

Several of the options in the iNotes Preferences may seem confusing to users when ID Vault is in use. If desired, they can be disabled in the server configuration if everyone is vaulted. Disabling = hidden from users.
- The ID is automatically retrieved from the vault if it is not present, so the Delete button does nothing useful
- If the ID is vaulted, there is no reason for a user to import the Notes ID. The ID in use needs to be the ID from the vault.
- Leaving these enabled and visible does no harm either

If both Internet password changes and password synching are enabled, there will be a single Change Password button.

If Internet password changes are enabled but password synching is not set, there will be buttons for changing both passwords.

ID Vault and Traveler
Quervin Lloyd Buco, Software Engineer - IBM Traveler

Agenda: ID Vault and Traveler
- Background and Configuration
- Mail Encryption on IBM Traveler
- ID Vault Limitations on IBM Traveler

Background and Configuration
Domino ID Vault serves in the same capacity for IBM Traveler as for iNotes:
- Mail encryption/decryption: an ID file present in the mail file allows mobile devices to partake in encrypted mail
- The ID file is uploaded automatically to the mail file via a Security Policy
- The ID file can also be manually uploaded to the mail file

Use the same steps for implementing the ID Vault for IBM Traveler users as for iNotes users: on the security policy assigned to the Traveler users, ensure that the "Allow Notes-based programs to use the Notes ID Vault" setting is set to Yes.

Mail Encryption on IBM Traveler
Encrypting and decrypting Domino mail from mobile devices is achieved through the following:
- iOS devices: IBM Traveler Companion; IBM Verse for iOS
- Android: IBM Verse for Android
- BlackBerry: built-in mail app
- Windows Phone: IBM Traveler Companion for Windows Phone

Encryption and decryption of Notes-encrypted mail is handled at the Traveler server layer, and the data is then sent to the device in clear text, as with iNotes. Because of this, SSL should be enabled on the Traveler server so that the mail travels over a secure channel. While Traveler allows encryption/decryption of mail over HTTP, this is not recommended.

ID Vault Limitations on IBM Traveler
ID Vault and IBM Traveler across multiple domains:
- ID Vault is limited to a single domain. Enhancement Request #YDEN8FFERA: ID vault is currently not supported across domains
- The Traveler server and mail servers must be in the same domain for ID Vault to work in encrypting/decrypting mail over IBM Traveler.
- If Traveler and the Domino mail servers are in different domains, the Notes ID file must be uploaded to the user's mail file. Either it is already stored in the user's mail file, or the user can manually upload the Notes ID file via the Traveler servlet web page

A policy to change the Notes password every n days does not work if the Traveler server is in another domain OR if the current domain does not have an ID Vault configuration.
Scenario: Enabling "Check passwords on Notes ID file" on Domino servers (including Traveler) and creating a policy for a password change after n days will work for Notes and iNotes, but when the user gets an encrypted mail and wants to decrypt it via Traveler, he can use his old password from the notes.id uploaded to his mail file. Traveler still allows the user to use the old Notes ID password even though he has already changed his Notes ID password per the expiration date set in the policy settings.

(continued) This is working as designed. The user would re-upload the ID file to change the password, or use the Traveler change password option for the Notes ID file that is currently uploaded in the user's mail file. For it to be automatic, one would need to use the ID Vault.
- The Notes ID file uploaded via the Traveler servlet is completely separate from the Notes ID managed via the Domino policy. This means that as long as the password entered by the user matches the one stored in the notes.id file in the mail file, encryption/decryption will work. The end user can upload a new ID file at any time.
- In short, the solution is to use an ID vault to effectively manage the Notes ID and conform with the password policies enforced on the users.

ID Vault and the Notes Client
Prince Mendoza, Software Engineer - IBM Notes Client

Agenda: ID Vault and the Notes Client
- Introduction and Background: Notes Client and the ID Vault
- Notes Client, Notes Shared Login, and ID Vault
- Notes Client, Notes Federated Login, and ID Vault
- Comparison: NSL vs. NFL and the ID Vault
- Troubleshooting ID Vault on the Notes Client

Introduction and Background: Notes Client and the ID Vault
Harvesting (uploading) ID files:
- Upload of the user ID happens through the Notes client after the policy has been applied: within 8 hours (average of 4), the ID is automatically uploaded to the ID vault.
  - Tip: To force an ID file upload, switch ID to the same ID (useful for testing purposes)
- The ID is harvested while the user is running Notes (OR harvested from the mail file when the user performs a secure mail operation on iNotes, Traveler, or a BlackBerry device)
- You can also manually upload an ID using the ID vault C APIs
Synchronizing ID files:
- Changes made in one copy of the ID file will resync immediately with the ID in the vault
- Other clients will periodically poll the ID vault for changes, once every 8 hours
User client password experience (sample scenario):
1) User changes the password on a desktop client, triggering an immediate resynchronization with the ID vault
2) User goes to another computer and uses the new password.
3) The password is first checked against the local ID. If it does not match, it is then checked against the vault.
4) ID files are resynchronized, if necessary
Summary: When a user changes an ID, switches IDs, or provides a new password, the client attempts synchronization immediately; otherwise, the client will communicate with the vault every 8 hours.

How does the Notes client know which vault server to communicate with? Here is a high-level summary of the exchange between the Notes client and the Domino server:
1. (Login/authentication) User connects to a server in the home server cluster.
2. The home/mail server (or clustermate) provides a list of available vault servers (in random order).
3. The client connects to the first available ID vault server in the list. The server name is cached in the notes.ini variable IDVaultLastServer.
4. This server is used for two weeks.
5. Afterwards, the cache is cleared and a new ID vault server is randomly selected again (for load balancing).

A few more details:
- The Notes client does not have direct access to the ID vault; nserver.exe acts as a proxy between the client and the vault
- Notes client versions prior to 8.5 work fine in an environment with the ID vault, but do not take advantage of the features provided by the ID vault. If the password on an ID file is changed on a pre-8.5 Notes client, the password change, along with any further changes to the local ID file, will not be recognized by the vault. You must change the password on a Release 8.5 or later Notes client.
- ID vault also works with the Roaming User feature, as long as the ID file does not roam
- The ID Vault plays an important role in the implementation of certain Notes/Domino security features such as Notes Shared Login and Notes Federated Login
- Notes Shared Login (NSL) and Notes Federated Login (NFL) are both single sign-on solutions that allow passwordless access to the Notes client while maintaining security
- Notes Single Logon, another SSO solution introduced in an earlier release, is not supported with ID Vault. If you would like to use the ID vault, please use the Notes Shared Login (NSL) feature instead.
- Standalone IBM tool to remove the ID from the Personal Address Book

Notes Client, Notes Shared Login (NSL), and ID Vault
- NSL strips the password from the Notes ID file, then locks and encrypts it
- Password reset must be done at the server level (vault password reset tool)
- The Notes ID does not contain any password; hence, you cannot synchronize your Internet password with your Notes password
- NSL is supported with Notes Basic and Standard clients
- NSL is supported with the Notes Browser Plugin
- Works regardless of whether the user is online or offline
- ID vault is supported in a Citrix environment, but NSL is not
- NSL does not require ID Vault, but was designed at the same time as ID vault and intended to work well with it
- NSL, ID vault, and the Roaming User feature (file server OR Domino roaming) can work together, when the ID roams via the ID Vault. NOTE: Not supported if user.id is stored in the user's personal names.nsf

Notes Client, Notes Federated Login (NFL), and ID Vault
How it works:
- During NFL enablement, the Notes client interacts with the ID Vault by sending a SAML token to the ID vault to get an unlocked ID file
- The Notes client sends the SAML assertion to the ID vault server via the Notes RPC channel
- The ID vault server returns the user's unlocked ID file via the Notes RPC channel
- The unlocked ID file contents are stored in memory on the client after being downloaded from the ID vault
Other details:
- NFL is not supported with the Roaming User feature
- NFL is not supported on the Notes Basic client; thus, Domino Administrator may not work immediately. TIP: Launch the Notes client first, then the Domino Administrator client
- NFL is not yet supported with the Notes Browser Plugin
- NFL is supported in a Citrix environment
- User needs to be online
- Requires ID Vault
NOTE: Neither NSL nor NFL works if the Notes Single Logon service is running on a user's machine. For NFL, just disabling Notes Single Logon will not work: the Notes Single Logon feature must be uninstalled.

Common question: If a user is set up for NFL on PC A and then moves to another PC B, will he/she get prompted for a password? If so, will it require the ID Vault password?
Explanation:
- For every machine, the user will be prompted for a password at least once
- If the user is setting up a new Notes client, he will not get prompted for the ID vault password during the setup process. (If the IdP is configured to use form-based login, he may get prompted for the IdP username/password. If the IdP is configured to use Kerberos login, the user will not get prompted at all.)
- If the Notes client is already set up as a vault user (on a PC the user did not use before), he will need to enter the ID vault password to log in to Notes before Notes Federated Login is enabled, because the policy will only be pushed down after the user is authenticated. However, with a deploy.nsf that contains the Notes cert and Internet cross cert, you can avoid the password prompt.
- You can't use deploy.nsf on an existing installation; it needs to be used on a fresh install. You will need to create new install packages in order to make use of the deploy.nsf.

Comparison: NSL vs. NFL and the ID Vault (values as stated on the two preceding slides)

Feature                            Notes Shared Login                 Notes Federated Login
Support for Notes Basic mode       Yes                                No
Support for Roaming ID             Yes (when the ID roams via vault)  No
Support for Citrix Environment     No                                 Yes
Support for Notes Browser Plugin   Yes                                Not yet
Requires ID Vault                  No                                 Yes
User needs to be online            No                                 Yes

Troubleshooting ID Vault-Related Issues on the Notes Client
Client quick check: Is the local ID uploaded to the vault? File > Security > User Security:

Debug parameters (added to the Notes client notes.ini file, unless otherwise indicated):
General debug parameters to enable:
  CONSOLE_LOG_ENABLED=1
  LogStatusBar=1
  DEBUG_DYNCONFIG=1
Debug parameters for ID vault:
  DEBUG_IDV_CONNECT=1
  DEBUG_IDV_TRACE=1
  DEBUG_IDV_TRUSTCERT=1
  DEBUG_IDV_UPDATE=1
  DEBUG_IDVAULT_SERVER_SELECTION=1
Debug for Notes Shared Login:
  DEBUGNSL=1
Debug for Notes Federated Login, client-side:
  Debug_Console=1
  Debug_Clock=32
  DEBUG_CONSOLE=1
  DEBUGGINGWCTENABLED=4294967295
  DEBUG_TRUST_MGMT=1
  DEBUG_IDV_TRACE=1
  DEBUG_ROAMING=4
  DEBUG_BSAFE_IDFILE_LOCKED=8
  STX9=2
NFL debug for the Domino server:
  DEBUG_SAML=31

What to gather when opening a support ticket:
- Local client / Domino server LOG.NSF (Security Events)
- Local client / Domino server console.log
- Local client Contacts database (names.nsf)
- Local client notes.ini
- Domino server's Domino Domain Monitoring database (DDM.NSF)
- Screen shots of all related policy docs (desktop, roaming, security, etc.) OR a copy of the Domino Directory (Domino server names.nsf) with the policy docs, vault trust cert docs, and the user's Person doc
- List (or screen shot) of server-side ID Vault settings
*If you suspect the root cause is a policy-related issue, please refer to the information in the Troubleshooting Policies Open Mic
Additional information requested:
- Notes client version
- Domino server version
- Policy Synopsis results for the affected user
- Which security feature(s) are being used?
- How is the feature not working? Has it ever worked before?
- Is the problem happening to a single user or to multiple users?
- Which error message is encountered, and at what point: popup? Error in the status bar?

ID Vault in SmartCloud Notes
Russell Norberg, Staff Software Engineer - IBM Verse Support and IBM Connections Cloud, IBM Collaboration Solutions

Agenda: ID Vault and SmartCloud Notes
- ID Vault setup in the IBM SmartCloud Notes environment
- ID Vault management in the IBM SmartCloud Notes environment
- Troubleshooting ID Vault issues in the IBM SmartCloud Notes environment

ID Vault setup in the IBM SmartCloud Notes environment
Two IBM SmartCloud Notes environment options:
- Service-only = all users' data on IBM-managed servers
- Hybrid = combination of on-premises Domino servers and IBM-managed servers
Two types of administrators:
- IBM administrator: manages the ID Vault, cloud-based mail files, and the cloud-based environment off-site
- Customer administrator: local company administrator, who can execute some basic tasks related to users
Three potential implementations:
- Users previously in an on-prem environment that had an ID vault, then migrated to the cloud
- Users previously in an on-prem environment WITHOUT an ID vault, then migrated to the cloud
- Users registered originally in a cloud service-only environment (never on-prem, no prior vault)

ID Vault setup in the IBM SmartCloud Notes environment

Where the ID Vault is in use in the cloud service environment and user mail data is stored on IBM-managed servers:
1) IBM creates the new ID Vault database and a Policy with a Security Settings document. Users migrated from on-premises to SCN are stored there.
2) Action item: the customer administrator creates an ID Vault Trust Certificate.
   *Best practice: upload the user ID files into the mail database before migrating users.
3) The user ID file is harvested from Notes clients during authentication, OR
4) The customer administrator can manually upload the user ID directly to the SCN ID Vault using the Admin UI web client: IBM SCN \ Users \ Upload Notes ID File action.
5) At this point, the on-premises ID Vault can be removed, deleted or archived.
   *EXCEPTION: hybrid users need an ID file for encrypted documents in custom applications. Users switch to the on-premises ID when they need to use such applications.

See also: Setting up an additional IBM Notes client to SCN without the User ID (TN# 1572382)

ID Vault management in IBM SmartCloud Notes

The customer administrator can:
- Reset user passwords
- Upload a user ID to the SCN ID Vault using the Admin UI web client
- Hybrid environments: manage password quality in the on-premises security policy documents

The customer administrator cannot directly access the ID Vault or the Policy document in the IBM-managed environment.

Best practice: the customer administrator should use separate Policy documents for on-premises vs. service-only users.

Troubleshooting ID Vault issues in IBM SCN

Although the customer administrator does not have access to the server implementation, he/she can access users' Notes clients and any local mail replica(s) and perform the following investigations.

For suspected issues related to the ID Vault OR ID file sync:
1.) Check the local notes.ini settings for the vault server name and the last sync time:
    IDVAULT_STAMP1=<datetime>
    IDVaultLastServer=<servername>
    *Is the date/time current, or old?
    *Is the server value present? Is it a known ID Vault server?
2.) Review the local Notes client log.nsf for any errors:
    - Miscellaneous Events view
    - Security Events view
3.) Use NotesPeek to verify that the user ID was uploaded to the mail database

Troubleshooting ID Vault issues in IBM SCN

4.) Review the ($Policies) documents in the user's local names.nsf to verify that the SCN policy is present:
    a.) Hold down Ctrl+Shift, then open the local names.nsf
    b.) Open the ($Policies) view
    c.) Search for a document with "Effective policy for <username>" and PolicySecurity
    d.) Right-click the PolicySecurity document and choose Document Properties
    e.) Go to the second tab (Fields tab) and search for the VTName field on the left
    *TIP: take a screen shot if you plan to open a Support ticket

Troubleshooting ID Vault issues in IBM SCN

5.) Manually sync with the ID Vault: File > Security > User Security, then click the "ID Vault Sync" button

Troubleshooting ID Vault issues in IBM SCN

6.) Client-side debug: add these parameters to the local client notes.ini for the affected user:
    DEBUG_IDV_API=1
    DEBUG_IDV_CONNECT=1
    DEBUG_IDV_TRACE=1
    DEBUG_IDV_SERVER_SELECTION=1
    debug_threadid=1
    console_log_enabled=1
7.) What to provide to support if you need to open a PMR related to the ID Vault in the SCN environment: enable the above debug parameters and collect the following files from the user's local Notes client:
    a.) local log.nsf
    b.) local names.nsf
    c.) local user notes.ini (containing the ID Vault debug settings)
    d.) local client console.log (in the \notes\data\ibm_technical_support folder)
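The checks in steps 1 and 6 above can be scripted against a copy of the user's notes.ini. The following is an added example, not code from the Open Mic deck or from IBM; the notes.ini content is constructed, and the date format assumed for IDVAULT_STAMP1 (stamp_format) is a guess that can be overridden.

```python
"""Added example (not from the Open Mic deck): parse a Notes client notes.ini
and report the ID Vault state that troubleshooting steps 1 and 6 above check.
Assumption: IDVAULT_STAMP1 holds a local date/time string in stamp_format."""
from datetime import datetime, timedelta

# Debug parameters from step 6; notes.ini keys are compared case-insensitively.
IDV_DEBUG_PARAMS = ("DEBUG_IDV_API", "DEBUG_IDV_CONNECT", "DEBUG_IDV_TRACE",
                    "DEBUG_IDV_SERVER_SELECTION", "DEBUG_THREADID",
                    "CONSOLE_LOG_ENABLED")

SAMPLE_NOTES_INI = """\
; constructed sample notes.ini, not a real client file
IDVAULT_STAMP1=03/02/2015 09:41:17 AM
IDVaultLastServer=CN=VaultSrv1/O=ExampleCorp
DEBUG_IDV_API=1
console_log_enabled=1
"""

def parse_notes_ini(text):
    """notes.ini is a flat KEY=VALUE file; return {UPPERCASE_KEY: value}."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def check_vault_settings(settings, known_vault_servers, now,
                         max_age_days=30, stamp_format="%m/%d/%Y %I:%M:%S %p"):
    """Return (findings, missing_debug_params) for the checks in steps 1 and 6."""
    findings = []
    stamp = settings.get("IDVAULT_STAMP1")
    if stamp is None:
        findings.append("IDVAULT_STAMP1 missing: client has never synced with a vault")
    else:
        try:  # old stamp: the client has not synced with the vault recently
            if now - datetime.strptime(stamp, stamp_format) > timedelta(days=max_age_days):
                findings.append(f"IDVAULT_STAMP1 is stale: {stamp}")
        except ValueError:
            findings.append(f"IDVAULT_STAMP1 has an unexpected format: {stamp}")
    server = settings.get("IDVAULTLASTSERVER")
    if server is None:
        findings.append("IDVaultLastServer missing: no vault server recorded")
    elif server.lower() not in {s.lower() for s in known_vault_servers}:
        findings.append(f"IDVaultLastServer is not a known vault server: {server}")
    # Step 6: which of the debug parameters still need to be set to 1
    missing_debug = [p for p in IDV_DEBUG_PARAMS if settings.get(p) != "1"]
    return findings, missing_debug
```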

ID Vault across products: high-level example of an on-premises environment

[Architecture diagram; recoverable content:]
- Notes client users connect internally via NRPC
- iNotes clients connect via HTTPS
- Mobile devices connect via HTTPS to the Domino server running the Traveler service
- Domino server with the ID Vault configuration (names.nsf, vault.nsf)
- Domino mail server(s)

ID Vault across products: high-level example of a hybrid environment

[Architecture diagram; recoverable content:]
- SmartCloud Notes users connect to their cloud mail server with the SCN-vaulted ID
- IBM SmartCloud infrastructure with ID Vault
- Migrated SCN users can connect to on-premises servers and access encrypted data in custom applications
- Notes client users connect internally via NRPC
- iNotes clients connect via HTTPS
- Mobile devices connect via HTTPS to the Domino server running the Traveler service
- Domino server with the ID Vault configuration (names.nsf, vault.nsf)
- Domino mail server(s)

Additional Resources: ID Vault - All Products

Additional Resources: Domino Server and ID Vault
- ID vault overview FAQ: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/12162008022843pmnekqt7.htm
- Notes/Domino ID Vault: http://www-01.ibm.com/support/docview.wss?uid=swg27024285&aid=5
- Open Mic webcast: ID Vault overview and best practices: http://www-01.ibm.com/support/docview.wss?uid=swg27037703
- Open Mic webcast replay: ID Vault in Lotus Notes/Domino: http://www-01.ibm.com/support/docview.wss?uid=swg27024285

Additional Resources: ID Vault and Notes client
- Comparison between Notes Single Logon and Notes Shared Login: http://www-01.ibm.com/support/docview.wss?uid=swg21437726
- Details on exception allowing support of Notes Single Logon feature for roaming users: http://www-01.ibm.com/support/docview.wss?rs=0&uid=swg21474626
- ID Vault - Implementation, Security and Troubleshooting - for IBM Notes and Domino: http://www.slideshare.net/bccffm/id-vault-implementation-security-and-troubleshooting-for-ibm-notes-and-domino
- Open Mic Q&A: ID Vault & Notes Shared Login - 20 October 2010: http://www-01.ibm.com/support/docview.wss?uid=swg27021224
- Open Mic Q&A: Lotus Notes ID Vault - May 19th, 2011: http://www.ibm.com/support/docview.wss?uid=swg27021719
- Open Mic webcast: Intro to Notes Federated Login (SAML) - 26 March 2014 (Q&A, presentation, audio recording): http://www.ibm.com/support/docview.wss?uid=swg27041524
- Some administrators should not be enabled for Notes federated login: http://www-01.ibm.com/support/docview.wss?uid=swg21628867

Additional Resources: ID Vault and Notes client
- ID vault and Notes shared login FAQ: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/id-vault-and-notes-shared-login-faq
- Securing your Notes ID vault server: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/securing-your-notes-id-vault-server
- Security Assertion Markup Language (SAML) Notes Federated Login: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/security_assertion_markup_language_lprsamlrpr_notes_federated_login
- Upgrading from Notes client single logon to Notes shared login: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/upgrading_from_notes_client_single_logon_to_notes_shared_login

Additional References: ID Vault and Traveler
- Traveler and ID Vault across multiple domains: http://www-01.ibm.com/support/docview.wss?uid=swg21643495
- Configuring Traveler Companion on Apple devices: https://www-304.ibm.com/support/knowledgecenter/ssyrpw_9.0.1/appleviewencyptedmail.html
- IBM Traveler Companion for Windows Phone FAQ: https://www-304.ibm.com/support/knowledgecenter/ssyrpw_9.0.1/appleviewencyptedmail.html
- How do I process encrypted mail on a BlackBerry device: https://www-304.ibm.com/support/knowledgecenter/ssyrpw_9.0.1/bb_encryptedmail.dita

Additional Resource Links: ID Vault and SmartCloud Notes
- Open Mic: What is IBM SmartCloud Notes Hybrid?
- Uploading an ID to the Vault (SCN)
- Issuing a Vault Trust certificate (SCN)
- Setting up an additional IBM Notes client to SCN without the User ID
- Managing Notes IDs (hybrid organizations only)
- Unable to connect to SCN after running the Notes client configuration tool
- What You Should Know Before You Change a SmartCloud Notes User's Name
- Common Q&A for IBM SmartCloud Notes Company Administrators (password and vault issues)

Press *1 on your telephone to ask a question.

Visit our Support Technical Exchange page or our Facebook page for details on future events.

To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/bdxqb2

IBM Collaboration Solutions Support page: http://www.facebook.com/ibmlotussupport
IBM Collaboration Solutions Support: http://twitter.com/ibm_icssupport

Backup Slides: ID Vault and Federated Login

Federated Login and ID Vault: What is Federated Login?
- Federation between a user's ID in a non-Domino identity provider and the Notes ID
- Federated Login is implemented through SAML authentication
- Domino supports Active Directory (ADFS: Active Directory Federation Services) and Tivoli (TFIM: Tivoli Federated Identity Manager)
- Once logged into the identity provider, the user has seamless access to the Notes ID
- No Notes ID password needed

Federated Login and ID Vault: SAML authentication in Domino
- Requires Domino 9.0
- SAML: Security Assertion Markup Language
- A SAML assertion is proof of authentication provided by a trusted identity provider (IdP)
- XML-formatted certificate data
- Domino validates the SAML assertion against its IdP catalog and grants access based on the authentication with the identity provider

Federated Login and ID Vault: Access to the ID Vault
- Configuring SAML authentication for Domino uses an IdP catalog entry for the Domino server(s) and a separate IdP catalog entry for the ID Vault
- The IdP has a relying party trust entry for Domino and another for the ID Vault
- Authentication first takes place over HTTPS with the Domino server
- Once a user is authenticated, the ID is retrieved in the background from the ID Vault using the IdP catalog entry for the ID Vault
- No user intervention
- Does not require the HTTP task to be running on the ID Vault server

Federated Login and ID Vault: Federated Login is enabled through a security policy
- The Federated Login tab is hidden if no ID Vault is defined on the ID Vault tab
- "Enable Web Federated Login" and "Enable Notes Federated Login" have "Don't set value" as the default for the "How to Apply" setting

Federated Login and ID Vault: IdP catalog entry for the ID Vault
- Authentication first takes place over HTTPS with the Domino server
- Once authenticated, the ID is retrieved over NRPC from the ID Vault using the IdP catalog entry for the ID Vault
- Does not require the HTTP task to be running on the ID Vault

Federated Login and ID Vault: IdP catalog entry for the ID Vault
- The ID Vault's entry uses the same metadata from the identity provider as is used by Domino for authentication
- If the ID Vault is on the same Domino server as the authenticating Domino server, the ID Vault entry uses an alias host name in its configuration
- The alias is only needed when running the vault on the same server that is authenticating users
- The ID Vault on domino-server-name.domain.com would have its host name shown as vault.domino-server-name.domain.com in the IdP catalog
- This address is not actually used over HTTP and does not have to resolve in DNS
- Do not use an IP address in the configuration

Federated Login and ID Vault: Configuring an ID Vault to work with Domino
1) Open the ID Vault Configuration view
2) Edit the document, and enter the host name that corresponds to the IdP catalog entry for the ID Vault

Federated Login and ID Vault: Identity Provider configuration
- Separate Relying Party Trust configuration document for the ID Vault
- The identifier entry matches the host name listed in the Domino IdP catalog entry
- The URL is not actually used, but needs to look correct to the IdP, including the use of https

Federated Login and ID Vault: Identity Provider configuration
- The IdP's endpoint is set to the actual Domino server name, not the vault alias
- Uses a URL pointing to names.nsf with the argument ?SAMLIDLogin
- Domino recognizes this login string as a SAML request for ID Vault access

Federated Login and ID Vault: Web Federated Login

Federated Login and ID Vault: Notes Federated Login