SlideShare ist ein Scribd-Unternehmen logo

IBM Single Sign-On

Als PPTX, PDF herunterladen
V
Van Staub, MBA

This document provides an overview of different techniques for implementing single sign-on (SSO): - LTPA is IBM's default SSO mechanism, using a Base64 encoded token containing user identity and expiration time. - SAML resolves domain boundaries using cookies and requires additional software, using XML assertion tokens between an identity provider and service provider. - OAuth allows external apps to access user data in Connections by obtaining a token after the user logs into Connections. - SPNEGO provides SSO by logging into Windows and accessing IBM software without additional logins. External security managers can also manage access to protected resources across applications.

Technologie
1 von 32
Introduction to Single Sign-On Worldwide Business Partner Technical Enablement 2016 Van Staub – North America Embedded Solution Agreement Technical Sales 1
Agenda • General Idea • SSO techniques • LTPA • SAML • OAuth • SPNEGO • External Authentication Managers
Definitions • Single Sign-On (SSO): not having to login again (or for a while) • Authentication: the user’s identity, who they are • Authorization: what the user has access to
General Idea • a set of servers will share something secret – the key • after successful user login, a cookie is placed on the user’s browser – the token • the cookie is encrypted with the key • the cookie identifies the user • participating servers will look for the cookie/token/something to authenticate the user
Browser Cookies • cookies are valid for a domain or host • http://machine-name/resource • http://192.168.1.2/resource • http://portal.ibmcollabcloud.com/… • expires “At end of session” • where are my cookies?
LTPA • Lightweight Third Party Authentication • IBM’s default SSO mechanism • a Base64 encoded token that includes the following information: • a realm value • user identity – the distinguished name from the directory • expiration time ZoXfr6CuP1wYHSzjcxSGyli rmzQrshpWMFInqcvNPHG PyCa4frfg63tdlR96gPGkL2 B1vf1gi9WaJoCL9/UrYR+n xUuhUGFUDZ4QgPLQjCM MdIRfCIg6y6dW6Nu4I/oSL LMU5VUsXkBbAc1t//5u1X XsNY54Ttp/4xSjW32RnhW ovmRLPdL8BXZVHl11wDJ 8u9v7K2XxU7wPDIIxe14Ab hXaeK88ZD+q2d0QVGiUIe rT5EriBozIUF2cM3/v5v4Aat j80OruDUdgBwK/XJ5BKMi KscKq+/oxb6ij4hA58udIvm Fim0xkRGnlbUTmCPcjQho VnqHctMFdLF/e0uPyiklQpk m/5uY1TFL5Lihv5SY=
WebSphere SSO Settings • Open WAS Console and go to Security -> Global Security -> Single Sign- on (SSO) • specify most inclusive domain name needed • defaults seen are most often sufficient
Configuring WebSphere SSO 1. Export LTPA key from source WebSphere server 2. For each additional server, import token the password is only used when you export/import • Open WAS Console and go to Security -> Global Security -> LTPA
Configuring Domino SSO 1. create web SSO configuration document 2. import LTPA key file that was export from WebSphere 3. configure/verify the realm LtpaToken or LtpaToken2 newer servers are more likely defaultWIMFileBasedRealm
Pitfalls • expiration time is relative to the server that created the LTPAToken2 • session timeouts are not the same as LTPAToken2 expiration • different directories …
Dual Directory • dual directory describes when the same user has different distinguished names • solution is to map the names WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com DN: CN=Dom User1,O=ibm cn: Dom User1 uid: duser1 mail: duser1@acme.com WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com notesdn: CN=Dom User1,O=ibm UserName: Dom User1/ibm UserName: uid=duser1/cn=users/dc=ibm/dc=com cn: Dom User1 uid: duser1 mail: duser1@acme.com
Dual Directory (Option 1) 1. add LDAP distinguished name to person document 2. swap the comma delimiter for a slash
Dual Directory (Option 1) 1. ensure the web SSO document has “Map names in LTPA tokens” 2. add the other distinguished name to the LTPA user name field
Dual Directory (Option 2) 1. create directory assistance document 2. add the external directory’s attribute that contains the Domino distinguished name
Dual Directory (Option 2) 1. ensure the $DN value is used to add the LDAP distinguished name into the LTPAToken
LTPA Resources Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal- domino/ vanstaub.me http://vanstaub.me/category/cognos
SAML • SAML stands for Security Assertion Markup Language • resolves domain boundary using cookies • requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc. • uses XML based assertion tokens used in between an Identity Provider (IdP) and a Service Provider (SP). • SAML 2.0 is the latest version – not compatible with 1.1 and 1.0
SAML • See yesterday’s NWTL topic Active Directory Single Sign-On • Install and configure Active Directory Federation Service 2.0 with WebSphere Portal
Connections Cloud SAML
Connections Cloud SAML 1.1 Encrypted XML Connections Cloud SAML 1.1 IdP My SAML SP entityID My identity http://vanstaub.me/1277
Connections Cloud SAML • SAML registration form • requires PMR to provide either manual information (SAML 1.1) or the SAML 2.0 metadata
WebSphere SAML • WebSphere is SAML SP ready – not IdP • supports SAML 2.0 IdP initiated SSO our old friend, the
Connections On-Prem SAML • “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”
SAML Resources Understanding the WebSphere Application Server SAML Trust Association Interceptor http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansc he.html Step by step guide to implement SAML 2.0 for Portal 8.5 https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step- guide-implement-saml-2-0-portal-8-5/ Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI) https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4- 3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_S AML_TAI?lang=en Enabling Federated Identity or Integration Server for use with IBM Connections Cloud http://www-01.ibm.com/support/docview.wss?uid=swg21626501 AD + SAML + Kerberos + IBM Notes and Domino = SSO! http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from- mwlug-has-been-posted.htm vanstaub.me http://vanstaub.me/?s=saml
OAuth • Is OAuth SSO? Maybe - authorization. 1. external app asks for Connections data 2. you log in to Connections 3. Connections sends the external app a token 4. external app uses the token to access your data
OAuth Connections Cloud 3rd Party Application User’s Browser
OAuth Resources Connection Allowing third-party applications access to data via the OAuth2 protocol https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_ common_oauth.dita Connections Cloud Using OAuth for API Authorization https://www- 10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action =openDocument&res_title=Open_Authorization_sbt&content=apicontent Developing an IBM SmartCloud for Social Business application https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/ Building an IBM OAuth Consumer in PHP http://vanstaub.me/679
SPNEGO • Simple and Protected GSS-API Negotiation Mechanism • login in to Windows, SSO to IBM Software – pretty simple
SPNEGO Resources Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by- Step_guide_to_Configure_Single_sign- on_for_HTTP_requests_using_SPNEGO_web_authentication BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014) http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss- single-sign-on-spnego-and-saml-2014.htm
External Security Managers • a server that manages access to ”protected” resources • IBM Security Access Manager, CA Siteminder for example Directory and Policy Server ESM Application
Things to Consider • the LTPA token is still very relevant • after SAML is done, LTPA is still used • after SPNEGO is done, LTPA is still used • OAuth applies more to developers than users • External Security Managers do more than just authenticate
Thank You 32

Empfohlen

Active Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBMActive Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBM
Van Staub, MBA
 
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
Piyush Jain
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 

Empfohlen

Active Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBMActive Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBM
Van Staub, MBA
 
Firewall
FirewallFirewall
Firewall
Saurabh Chauhan
 
Identity and access management
Identity and access managementIdentity and access management
Identity and access management
Piyush Jain
 
Privileged Access Management (PAM)
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)
danb02
 
SSL
SSLSSL
SSL
Badrul Alam bulon
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
Mika Koivisto
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
Dan Brinkmann
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
Gabriella Davis
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
bilcorry
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of SecretsVeri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
BGA Cyber Security
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer
Product School
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
Karl Ots
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
Eryk Budi Pratama
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Vinay Manglani
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Unified Threat Management Vs Next-Gen Firewall: What's the difference?Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Seqrite
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
Active directory domain services
Active directory domain servicesActive directory domain services
Active directory domain services
IGZ Software house
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
Ismael Goncalves
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
Ivanti
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
Fabrizio Volpe
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
Shiu-Fun Poon
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
walk2talk srl
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
Aidy Tificate
 
IBM Social Business Toolkit
IBM Social Business ToolkitIBM Social Business Toolkit
IBM Social Business Toolkit
Van Staub, MBA
 
IBM Digital Experience Theme Customization
IBM Digital Experience Theme CustomizationIBM Digital Experience Theme Customization
IBM Digital Experience Theme Customization
Van Staub, MBA
 

Weitere ähnliche Inhalte

Was ist angesagt?

Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
Đỗ Duy Trung
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
walk2talk srl
 

Was ist angesagt? (20)

An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Coding
 
Token, token... From SAML to OIDC
Token, token... From SAML to OIDCToken, token... From SAML to OIDC
Token, token... From SAML to OIDC
 
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of SecretsVeri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
Veri Sızıntıları İçinden Bilgi Toplama: Distributed Denial of Secrets
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer Introduction to Modern Identity with Auth0's Developer
Introduction to Modern Identity with Auth0's Developer
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
 
Cybersecurity - Mobile Application Security
Cybersecurity - Mobile Application SecurityCybersecurity - Mobile Application Security
Cybersecurity - Mobile Application Security
 
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID ConnectDemystifying SAML 2.0,Oauth 2.0, OpenID Connect
Demystifying SAML 2.0,Oauth 2.0, OpenID Connect
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Unified Threat Management Vs Next-Gen Firewall: What's the difference?Unified Threat Management Vs Next-Gen Firewall: What's the difference?
Unified Threat Management Vs Next-Gen Firewall: What's the difference?
 
Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?Single sign on (SSO) How does your company apply?
Single sign on (SSO) How does your company apply?
 
Active directory domain services
Active directory domain servicesActive directory domain services
Active directory domain services
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Patch Management Best Practices
Patch Management Best Practices Patch Management Best Practices
Patch Management Best Practices
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
2. secure web gateway
2. secure web gateway2. secure web gateway
2. secure web gateway
 
DataPower Security Hardening
DataPower Security HardeningDataPower Security Hardening
DataPower Security Hardening
 
CCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best PracticesCCI2018 - Azure Network - Security Best Practices
CCI2018 - Azure Network - Security Best Practices
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 

Andere mochten auch

Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
Oliver Mueller
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
Anil Saldanha
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO
Huy Pham
 

Andere mochten auch (20)

IBM Social Business Toolkit
IBM Social Business ToolkitIBM Social Business Toolkit
IBM Social Business Toolkit
 
IBM Digital Experience Theme Customization
IBM Digital Experience Theme CustomizationIBM Digital Experience Theme Customization
IBM Digital Experience Theme Customization
 
IBM Watson Work Services Development
IBM Watson Work Services DevelopmentIBM Watson Work Services Development
IBM Watson Work Services Development
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancySingle sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 
SäKerhet I Molnen
SäKerhet I MolnenSäKerhet I Molnen
SäKerhet I Molnen
 
2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO2. Day 2 - Identify and SSO
2. Day 2 - Identify and SSO
 
Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05Tjänsteplattform i mtg - 2014 02-05
Tjänsteplattform i mtg - 2014 02-05
 

Ähnlich wie IBM Single Sign-On

CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
panagenda
 
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-ReloadedCollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
Christoph Adler
 
Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
Andrew Ferrier
 
Best ofmms scsm - iaas
Best ofmms scsm - iaasBest ofmms scsm - iaas
Best ofmms scsm - iaas
Kenny Buntinx
 

Ähnlich wie IBM Single Sign-On (20)

A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM Connections
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connections
 
DACHNUG50 Roadmap.pdf
DACHNUG50 Roadmap.pdfDACHNUG50 Roadmap.pdf
DACHNUG50 Roadmap.pdf
 
IBM Connect Switzerland - Der entspannte Administrator
IBM Connect Switzerland - Der entspannte AdministratorIBM Connect Switzerland - Der entspannte Administrator
IBM Connect Switzerland - Der entspannte Administrator
 
Practical solutions for connections administrators lite
Practical solutions for connections administrators litePractical solutions for connections administrators lite
Practical solutions for connections administrators lite
 
The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...
 
The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...
 
MS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwordsMS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwords
 
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
 
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-ReloadedCollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
 
SharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija BlagusSharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija Blagus
 
PACLUG sametime presentation
PACLUG sametime presentationPACLUG sametime presentation
PACLUG sametime presentation
 
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
 
Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
 
Social Connections 13 - Troubleshooting Connections Pink
Social Connections 13 - Troubleshooting Connections PinkSocial Connections 13 - Troubleshooting Connections Pink
Social Connections 13 - Troubleshooting Connections Pink
 
Best ofmms scsm - iaas
Best ofmms scsm - iaasBest ofmms scsm - iaas
Best ofmms scsm - iaas
 
Best ofmms scsm - iaas
Best ofmms scsm - iaasBest ofmms scsm - iaas
Best ofmms scsm - iaas
 
The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...
 
Dutch Lotus User Group 2009 - Domino Tuning Presentation
Dutch Lotus User Group 2009 - Domino Tuning PresentationDutch Lotus User Group 2009 - Domino Tuning Presentation
Dutch Lotus User Group 2009 - Domino Tuning Presentation
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
 

Kürzlich hochgeladen

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 

Kürzlich hochgeladen (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 

IBM Single Sign-On

  • 1. Introduction to Single Sign-On Worldwide Business Partner Technical Enablement 2016 Van Staub – North America Embedded Solution Agreement Technical Sales 1
  • 2. Agenda • General Idea • SSO techniques • LTPA • SAML • OAuth • SPNEGO • External Authentication Managers
  • 3. Definitions • Single Sign-On (SSO): not having to login again (or for a while) • Authentication: the user’s identity, who they are • Authorization: what the user has access to
  • 4. General Idea • a set of servers will share something secret – the key • after successful user login, a cookie is placed on the user’s browser – the token • the cookie is encrypted with the key • the cookie identifies the user • participating servers will look for the cookie/token/something to authenticate the user
  • 5. Browser Cookies • cookies are valid for a domain or host • http://machine-name/resource • http://192.168.1.2/resource • http://portal.ibmcollabcloud.com/… • expires “At end of session” • where are my cookies?
  • 6. LTPA • Lightweight Third Party Authentication • IBM’s default SSO mechanism • a Base64 encoded token that includes the following information: • a realm value • user identity – the distinguished name from the directory • expiration time ZoXfr6CuP1wYHSzjcxSGyli rmzQrshpWMFInqcvNPHG PyCa4frfg63tdlR96gPGkL2 B1vf1gi9WaJoCL9/UrYR+n xUuhUGFUDZ4QgPLQjCM MdIRfCIg6y6dW6Nu4I/oSL LMU5VUsXkBbAc1t//5u1X XsNY54Ttp/4xSjW32RnhW ovmRLPdL8BXZVHl11wDJ 8u9v7K2XxU7wPDIIxe14Ab hXaeK88ZD+q2d0QVGiUIe rT5EriBozIUF2cM3/v5v4Aat j80OruDUdgBwK/XJ5BKMi KscKq+/oxb6ij4hA58udIvm Fim0xkRGnlbUTmCPcjQho VnqHctMFdLF/e0uPyiklQpk m/5uY1TFL5Lihv5SY=
  • 7. WebSphere SSO Settings • Open WAS Console and go to Security -> Global Security -> Single Sign- on (SSO) • specify most inclusive domain name needed • defaults seen are most often sufficient
  • 8. Configuring WebSphere SSO 1. Export LTPA key from source WebSphere server 2. For each additional server, import token the password is only used when you export/import • Open WAS Console and go to Security -> Global Security -> LTPA
  • 9. Configuring Domino SSO 1. create web SSO configuration document 2. import LTPA key file that was export from WebSphere 3. configure/verify the realm LtpaToken or LtpaToken2 newer servers are more likely defaultWIMFileBasedRealm
  • 10. Pitfalls • expiration time is relative to the server that created the LTPAToken2 • session timeouts are not the same as LTPAToken2 expiration • different directories …
  • 11. Dual Directory • dual directory describes when the same user has different distinguished names • solution is to map the names WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com DN: CN=Dom User1,O=ibm cn: Dom User1 uid: duser1 mail: duser1@acme.com WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com notesdn: CN=Dom User1,O=ibm UserName: Dom User1/ibm UserName: uid=duser1/cn=users/dc=ibm/dc=com cn: Dom User1 uid: duser1 mail: duser1@acme.com
  • 12. Dual Directory (Option 1) 1. add LDAP distinguished name to person document 2. swap the comma delimiter for a slash
  • 13. Dual Directory (Option 1) 1. ensure the web SSO document has “Map names in LTPA tokens” 2. add the other distinguished name to the LTPA user name field
  • 14. Dual Directory (Option 2) 1. create directory assistance document 2. add the external directory’s attribute that contains the Domino distinguished name
  • 15. Dual Directory (Option 2) 1. ensure the $DN value is used to add the LDAP distinguished name into the LTPAToken
  • 16. LTPA Resources Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal- domino/ vanstaub.me http://vanstaub.me/category/cognos
  • 17. SAML • SAML stands for Security Assertion Markup Language • resolves domain boundary using cookies • requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc. • uses XML based assertion tokens used in between an Identity Provider (IdP) and a Service Provider (SP). • SAML 2.0 is the latest version – not compatible with 1.1 and 1.0
  • 18. SAML • See yesterday’s NWTL topic Active Directory Single Sign-On • Install and configure Active Directory Federation Service 2.0 with WebSphere Portal
  • 20. Connections Cloud SAML 1.1 Encrypted XML Connections Cloud SAML 1.1 IdP My SAML SP entityID My identity http://vanstaub.me/1277
  • 21. Connections Cloud SAML • SAML registration form • requires PMR to provide either manual information (SAML 1.1) or the SAML 2.0 metadata
  • 22. WebSphere SAML • WebSphere is SAML SP ready – not IdP • supports SAML 2.0 IdP initiated SSO our old friend, the
  • 23. Connections On-Prem SAML • “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”
  • 24. SAML Resources Understanding the WebSphere Application Server SAML Trust Association Interceptor http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansc he.html Step by step guide to implement SAML 2.0 for Portal 8.5 https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step- guide-implement-saml-2-0-portal-8-5/ Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI) https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4- 3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_S AML_TAI?lang=en Enabling Federated Identity or Integration Server for use with IBM Connections Cloud http://www-01.ibm.com/support/docview.wss?uid=swg21626501 AD + SAML + Kerberos + IBM Notes and Domino = SSO! http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from- mwlug-has-been-posted.htm vanstaub.me http://vanstaub.me/?s=saml
  • 25. OAuth • Is OAuth SSO? Maybe - authorization. 1. external app asks for Connections data 2. you log in to Connections 3. Connections sends the external app a token 4. external app uses the token to access your data
  • 27. OAuth Resources Connection Allowing third-party applications access to data via the OAuth2 protocol https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_ common_oauth.dita Connections Cloud Using OAuth for API Authorization https://www- 10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action =openDocument&res_title=Open_Authorization_sbt&content=apicontent Developing an IBM SmartCloud for Social Business application https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/ Building an IBM OAuth Consumer in PHP http://vanstaub.me/679
  • 28. SPNEGO • Simple and Protected GSS-API Negotiation Mechanism • login in to Windows, SSO to IBM Software – pretty simple
  • 29. SPNEGO Resources Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by- Step_guide_to_Configure_Single_sign- on_for_HTTP_requests_using_SPNEGO_web_authentication BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014) http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss- single-sign-on-spnego-and-saml-2014.htm
  • 30. External Security Managers • a server that manages access to ”protected” resources • IBM Security Access Manager, CA Siteminder for example Directory and Policy Server ESM Application
  • 31. Things to Consider • the LTPA token is still very relevant • after SAML is done, LTPA is still used • after SPNEGO is done, LTPA is still used • OAuth applies more to developers than users • External Security Managers do more than just authenticate