IBM Collaboration Solutions
Open Mic Date: 11-09-2015
IBM Notes Federated Login
IBM Corporation ©2015
Open Mic Team
Niraj V Jani - IBM ICS Support engineer, Presenter
Javed F Batliwala - IBM ICS Support engineer, Presenter
Ranjit Rai - IBM ICS SWAT, focusing on entire Notes/Domino
Jayavel Rajendran - IBM ICS SWAT, focusing on entire Notes/Domino
Hansraj Mali - IBM ICS SWAT, focusing on Notes/Domino
Narendra Nesarikar - IBM ICS Support, Facilitator for Open Mics
Agenda
• IBM Notes Federated Login introduction
• Different Components
  • Federation Identity Provider
  • Windows Domain Environment
  • IdP Catalog (IdPCat.nsf)
  • Notes Client User Environment with Domino Home Mail Server
  • ID Vault
• Deployment Requirements
• Implementation
• General Troubleshooting
• References
• Q/A
IBM Notes Federated Login Introduction
• Provides a single sign-on experience when starting up the Notes client or iNotes.
• SSO between Notes, iNotes and the Windows domain environment, and many other supported/compatible Identity Providers.
• Eliminates the regular Notes or iNotes password prompt.
• Reduces the administrative cost of maintaining multiple directories.
• Uses cryptographic mechanisms instead of passwords to improve security and minimize cost.
• Reduces user data redundancy.
• The SAML IdP takes responsibility for authenticating the Notes user.
• Users' IDs must be stored in an ID vault.
• Notes client users' ID file contents are stored in memory on the client after being downloaded from the ID vault.
• You can enable Notes Shared Login for offline usage as an alternate login capability.
• Works well with the Notes client running in a Citrix environment.
Different Components
Federation Identity Provider
Currently supported with IBM Notes/Domino 9.0.x:
• Microsoft® ADFS 2.0 integrated with Active Directory
• IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)
Sequence of actions
• NFL uses Security Assertion Markup Language (SAML) authentication.
• The Notes embedded browser contacts the SAML identity provider (IdP) for authentication.
• The IdP is configured to use transparent Kerberos-based authentication to avoid a password prompt.
• The SAML IdP creates a SAML assertion for the authenticated user. The SAML assertion contains the user's email address.
• The Notes embedded browser retrieves the SAML assertion.
• The Notes client passes the assertion to the Notes ID vault.
• The Notes ID vault cryptographically verifies the user's SAML assertion.
• If valid, the vault server finds the user's unlocked ID file in the vault and downloads the ID for use by Notes.
• The user can now use the Notes client.
Windows Domain Environment
• Requires Active Directory configuration.
• Active Directory Federation Service 2.0 (ADFS) is used as the Identity Provider.
• Client computer where the user is logging into Windows and running the browser or Notes client.
• ADFS does the job of user authentication via Kerberos authentication.
IdP Catalog (IdPCat.nsf)
• A database needs to be created on the Domino server hosting the ID Vault.
• Use the idpcat.ntf template; the database name must be IdPCat.nsf. If using Unix, the filename must be all lower case.
• Special database that contains trusted identity providers and their certificates.
• An IdP config document is created and the IdP configuration is imported.
• The admin creating the document must be listed in the following fields on the server document: Full Access Administrators; Administrators; Sign or run unrestricted methods and operations.
• Imports the FederationMetadata.xml file exported from ADFS. This builds trust.
• The idpcat.nsf must not be enabled for document locking.
• Prevent attacks by deploying a very restrictive ACL on idpcat. This is why this highly sensitive information is not in the directory.
Notes Client Environment with Domino Home Mail Server
• Notes Client Standard 9.0/9.0.x needs to be installed.
• Domino Server 9.0/9.0.x needs to be installed and should have HTTP enabled.
• SSL needs to be enabled on the Domino server. If the ID vault server is separate, it does not need to have SSL enabled.
• The ID Vault should be hosted on a Domino server.
• A security policy for the ID Vault should be configured and applied to Notes users.
• Session Authentication should be set to SAML 2.0 in the Server document.
• An exported copy of an SSL internet certificate from the Federation Identity provider (TFIM/ADFS 2.0) must be imported into the Domino Directory and should be cross-certified to create an internet cross certificate.
Roaming users
• You need an administrative deploy.nsf to install certificates for new or roaming users.
• Roaming must be enabled and should be working fine before enabling NFL.
• Deploy.nsf provides the required certificate whenever required in order to download the ID file from the ID Vault.
ID Vault
• Standard ID Vault configuration should be done on the Domino server.
• A proper security policy should be created for the ID Vault and pushed to the users.
• All user IDs must be harvested to the ID Vault database.
• Identity Provider configuration information should be updated under the ID Vault.
Deployment Requirements
• IBM Notes Client 9.x onwards
• IBM Domino Server 9.x onwards
• Microsoft Windows Active Directory Domain configuration
• Active Directory Federation Services 2.0 (ADFS 2.0) configuration
• IBM Notes Client machine as part of the Windows domain environment
Implementation – ADFS 2.0 Configuration
• Run the ADFS console by selecting Start -> Administrative Tools -> AD FS 2.0 Management
• Navigate to the Relying Party Trusts folder
• From the menu, select Action > Add Relying Party Trust
• Right-click the new Relying Party Trust, and select Properties
Particularly if you have used a Domino metadata import file, check the Endpoints tab. The Domino server uses the POST Binding, which should appear in the list of SAML Assertion Consumer Endpoints. Domino server does not use an Artifact Binding, so if it exists in the list, you can remove it.
Use the URL to download FederationMetadata from the ADFS server: https://ADFSservername/FederationMetaData/2007-06/FederationMetaData.xml
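The Endpoints check above and the FederationMetadata.xml import into IdPCat.nsf both come down to reading SAML 2.0 metadata. The following is an added example (not code from the deck or from IBM) that summarises a metadata file and flags the conditions the deck mentions: a missing signing certificate, no HTTP-POST assertion consumer endpoint, an unused Artifact endpoint, and non-HTTPS endpoints. The sample metadata, host name and certificate value are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"

def audit_metadata(xml_text):
    """Summarise a SAML 2.0 metadata file and list the checks the deck calls for."""
    root = ET.fromstring(xml_text)
    rep = {"entity_id": root.get("entityID"), "signing_certs": 0,
           "sso": [], "acs": [], "findings": []}
    # Signing certificates: the vault verifies assertions against the IdP's cert;
    # ADFS verifies Domino's requests against the cert exported with certmgmt.
    for kd in root.iter("{%s}KeyDescriptor" % MD):
        if kd.get("use", "signing") == "signing":
            rep["signing_certs"] += len(kd.findall(".//{%s}X509Certificate" % DS))
    # IdP side: where the Notes embedded browser is sent to authenticate
    for e in root.iter("{%s}SingleSignOnService" % MD):
        rep["sso"].append((e.get("Binding"), e.get("Location")))
    # SP side: where the IdP posts the assertion back to Domino
    for e in root.iter("{%s}AssertionConsumerService" % MD):
        rep["acs"].append((e.get("Binding"), e.get("Location")))
    if rep["signing_certs"] == 0:
        rep["findings"].append("no signing certificate: assertions cannot be verified")
    if rep["acs"] and all(b != POST for b, _ in rep["acs"]):
        rep["findings"].append("no HTTP-POST AssertionConsumerService (Domino needs one)")
    for b, loc in rep["acs"]:
        if b == ARTIFACT:
            rep["findings"].append("Artifact endpoint %s is unused by Domino; remove it" % loc)
    for _, loc in rep["sso"] + rep["acs"]:
        if loc and not loc.lower().startswith("https://"):
            rep["findings"].append("endpoint %s is not HTTPS" % loc)
    return rep

# Constructed sample of SP metadata as Domino would export it (placeholder host and cert).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
  entityID="https://domino.example.test/">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="%s" index="0"
   Location="https://domino.example.test/names.nsf?SAMLLogin"/>
  <md:AssertionConsumerService Binding="%s" index="1"
   Location="https://domino.example.test/names.nsf?SAMLLogin"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS, POST, ARTIFACT)
```

Run audit_metadata() over the downloaded FederationMetadata.xml in the same way; for an IdP file the "sso" list shows where users are redirected and the signing certificate count should be at least one.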
Implementation – Importing SSL Internet Certificate in Domino Directory
Implementation – Creating cross certificate in Domino Directory
Implementation – Importing FederationMetadata.xml in IdPCat.nsf
Implementation – Creating Certificate in IdPCat.nsf
Go to the server notes.ini and add the lines below:
SAMLAuthVersion=2
SAMLUrl=https://instructor.test.com
SAMLPublicKeyHash=7IE7P9VjPxtAG6yR1SyeKw==
SAMLCompanyName=TEST SAML
Restart the Domino server.
Use the Export command to export your key from server.id:
certmgmt export saml xml idp.xml
Note: Do not import this file into the IdP document with the Import button, or it will corrupt your federation key file. You can keep the file in your server data directory.
Implementation – ID Vault and IdP Configuration in ID Vault
Implementation – Security Policy for ID Vault and NFL
Implementation – Verifying that NFL is enabled for the client
General Troubleshooting
Before turning on SAML authentication:
• Make sure the Web server is functioning properly for session authentication.
• Make sure SSL is deployed properly (if required).
• You can use Fiddler or Firebug for a network trace.
• Test the Single sign-on service URL to make sure the IdP is functioning, independent of Domino. Is the user properly prompted by the IdP (if a password prompt is required)?
• If using Integrated Windows Authentication (SPNEGO/Kerberos), use klist to see the Kerberos ticket for the user to the SAML IdP.
• Check the HTTP POST with the SAML assertion.
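When checking the HTTP POST that carries the assertion, it helps to confirm the same conditions the ID vault applies in the sequence of actions described earlier: trusted issuer, validity window, audience, and an e-mail address in the NameID. This is an added example, not IBM's code or the vault's implementation; signature verification against the certificate imported into IdPCat.nsf is left to the vault. The sample assertion, issuer, user and audience are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def parse_time(s):
    # SAML timestamps are UTC ("...Z"); fractional seconds are dropped for portability
    return datetime.strptime(s.split(".")[0].rstrip("Z"),
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, audience, now):
    # Non-cryptographic checks only: signature verification against the IdP
    # certificate imported into IdPCat.nsf is done by the vault, not re-done here.
    now = parse_time(now) if isinstance(now, str) else now
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % SAML
    a = root if root.tag == tag else root.find(".//" + tag)
    if a is None:
        return {"ok": False, "email": None, "problems": ["no Assertion element"]}
    problems = []
    issuer = a.findtext("{%s}Issuer" % SAML)
    if issuer != trusted_issuer:
        problems.append("issuer %r is not the trusted IdP" % issuer)
    cond = a.find("{%s}Conditions" % SAML)
    if cond is None:
        problems.append("no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_time(nb):
            problems.append("assertion not yet valid")
        if na and now >= parse_time(na):
            problems.append("assertion expired")
        auds = [e.text for e in cond.iter("{%s}Audience" % SAML)]
        if auds and audience not in auds:
            problems.append("audience %r does not match this Domino server" % auds)
    # NFL needs the user's e-mail address in the NameID to locate the vaulted ID
    email = a.findtext("{%s}Subject/{%s}NameID" % (SAML, SAML))
    if not email or "@" not in email:
        problems.append("NameID is not an e-mail address; vault cannot find the ID")
    return {"ok": not problems, "email": email, "problems": problems}

# Constructed sample assertion (placeholder issuer, user and audience).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="%s" ID="_c1" Version="2.0"
  IssueInstant="2015-11-09T10:00:00Z">
 <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2015-11-09T09:59:00Z" NotOnOrAfter="2015-11-09T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://domino.example.test/</saml:Audience>
  </saml:AudienceRestriction>
 </saml:Conditions>
</saml:Assertion>""" % SAML
```

A captured assertion from the network trace can be passed in as-is (base64-decode the SAMLResponse form field first); a non-empty "problems" list points at the condition the vault would reject.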
If you face errors creating the SAML certificate under the IdP Configuration document in the IdPCat.nsf database, check the following first:
• Certificate creation and metadata export use an agent in idpcat. Refer to the hidden field named "NotesError" in the IdP config document; it is helpful for diagnosis.
• Error "You are not authorized to perform that function": check permissions in the server document Security tab.
• Error "Cannot accept internet certificate because the certificate is already in the ID file": use a different certifier name.
Debug Parameters
Client side debugs (notes.ini)
• DEBUG_CONSOLE=1 ==> To verify if NFL is enabled
• DEBUG_CLOCK=32 ==> To verify if NFL is enabled
• DEBUG_OUTFILE=c:\temp\debugout.txt ==> To verify if NFL is enabled
• DEBUGGINGWCTENABLED=4294967295 ==> To verify if NFL is enabled
• CONSOLE_LOG_ENABLED=1 ==> To verify if NFL is enabled
• DEBUG_DYNCONFIG=1 ==> To verify if NFL is enabled
• DEBUG_TRUST_MGMT=1 ==> To verify if NFL is enabled
• DEBUG_IDV_TRACE=1 ==> To diagnose ID Vault operations
• SECURE_LOG=2 ==> To diagnose ID Vault operations
• DEBUG_BSAFE_IDFILE_LOCKED=8 ==> To diagnose ID Vault operations
• DEBUG_ROAMING=4 ==> For roaming users
• STX9=2 ==> To verify if NFL is enabled
Server side debugs (notes.ini)
• DEBUG_SAML=31 ==> To troubleshoot SAML errors at server level
• DEBUG_OUTFILE=c:\temp\debugserver.txt
• DEBUG_MMFILE=1 ==> To verify any problems with the in-memory ID file
Sample output of DEBUG_SAML=31
Limitations:
• No support for Traveler devices
• Cannot work with the Notes Single Login service
• Currently supports 2 IdPs (ADFS and TFIM)
References
Notes Federated Login: http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Security_Assertion_Markup_Language_lprSAMLrpr_Notes_Federated_Login
Cookbooks: http://www-01.ibm.com/support/docview.wss?uid=swg21614543
Questions?
Press *1 on your telephone to ask a question.
Visit our Support Technical Exchange page or our Facebook page for details on future events.
To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdxqB2
IBM Collaboration Solutions Support page: http://www.facebook.com/IBMLotusSupport
IBM Collaboration Solutions Support: http://twitter.com/IBM_ICSSupport