This session is about setting up federated login between IBM Connections Cloud and your on-premises environment so that your users are seamlessly logged in to their collaborative environment. In this session we go through the different steps needed to get a working solution and discuss the technologies used to accomplish the goal.
Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM
1. Social Connections 11 Chicago, June 1-2 2017
Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM
Kris De Bisschop,
@debisschopk
A little about me
• CEO @
• Administrator ICS Portfolio
o IBM Notes/Domino
o IBM Sametime
o IBM Notes Traveler
o IBM Connections
o TDI
• Social Business speaker
• IBM Champion Collaboration Solutions
• Love high-level issues
• Badminton
Single sign-on (SSO)
• Session and user authentication service
• Allows the use of one set of login credentials
• No more login prompts when switching applications
SAML
• Security Assertion Markup Language
• Established as a Web SSO standard in early 2008
• XML-based
• Built from WebServices Security token concepts
• The SAMLResponse is sent as a POST body and contains an Assertion with user details; the most important one is the NameID, e.g. the InternetAddress
SAML
• Identity Provider (IdP)
• LDAP
• Active Directory Federation Service (ADFS)
• Tivoli Federated Identity Manager
• …
• Service Provider (SP)
• Domino
• …
• Client
• Browser
• IBM Notes Client
SAML
• User tries to access the SP application
• As the user is not yet authenticated, the SP redirects to the IdP
• User authenticates to the IdP
• The IdP redirects the user back to the SP by sending the SAMLResponse over HTTP POST inside a hidden form. The SP processes the SAMLResponse and redirects the user to the application
[Diagram: User, Application, Service Provider (SP) / client and Identity Provider (IdP), with the four numbered steps above]
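How an SP consumes the SAMLResponse posted in the hidden form (step 4 above), as an added PowerShell example that is not code from the deck, from IBM or from Microsoft. The response XML, the IdP and SP entity IDs and the user address are constructed placeholders, and the XML signature check that a real SP also performs against the IdP certificate is left out.

```powershell
# Added example (not from the deck): inspect a SAMLResponse the way an SP does before trusting the NameID.
$expectedIssuer   = 'http://adfs.example.com/adfs/services/trust'   # assumed IdP entityID (placeholder)
$expectedAudience = 'https://sp.example.com/saml'                   # assumed SP entityID (placeholder)
$emailFormat      = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Constructed, unsigned sample assertion; a real one is signed by the IdP.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2017-06-01T10:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-06-01T10:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">kris@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-06-01T09:59:00Z" NotOnOrAfter="2017-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@
# The browser posts the response base64-encoded in a hidden form field named SAMLResponse.
$postBody = 'SAMLResponse=' + [uri]::EscapeDataString([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml)))

function Test-SamlResponse {
    param([string]$Body, [datetime]$Now)
    $field = ($Body -split '&' | Where-Object { $_ -like 'SAMLResponse=*' }) -replace '^SAMLResponse=', ''
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String([uri]::UnescapeDataString($field)))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    $problems = @()
    # 1. Issuer must be the IdP registered for this federation.
    if ($assertion.SelectSingleNode('saml:Issuer', $ns).InnerText -ne $expectedIssuer) { $problems += 'issuer' }
    # 2. Audience must be this SP, otherwise an assertion minted for another SP would be accepted.
    $aud = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $ns).InnerText
    if ($aud -ne $expectedAudience) { $problems += 'audience' }
    # 3. Validity window: stale or replayed assertions fail here.
    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $notBefore    = [datetime]::Parse($cond.NotBefore).ToUniversalTime()
    $notOnOrAfter = [datetime]::Parse($cond.NotOnOrAfter).ToUniversalTime()
    if ($Now -lt $notBefore -or $Now -ge $notOnOrAfter) { $problems += 'time' }
    # 4. NameID must be in email format, because Connections Cloud matches users on their e-mail address.
    $nameId = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
    if ($nameId.Format -ne $emailFormat) { $problems += 'nameid-format' }
    # 5. A real SP also verifies the XML signature with the IdP certificate from FederationMetadata (omitted here).
    [pscustomobject]@{ NameID = $nameId.InnerText; Problems = $problems; Valid = ($problems.Count -eq 0) }
}

# Evaluate the constructed response at a time inside its validity window: Valid = True, NameID = kris@example.com.
Test-SamlResponse -Body $postBody -Now ([datetime]'2017-06-01T10:01:00Z').ToUniversalTime()
```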
IBM Connections Cloud Login Types
• Standard
• Federated
• UserChoice (aka Modified)
• AdminChoice (aka Partial)
IBM Connections Cloud Login Types
• Standard
• Default type
• Users must log in with email address and password
IBM Connections Cloud Login Types
• Federated
• Users don't have a username/password on Connections Cloud
• Applies to all users
• The IdP must be reachable from the internet or over VPN
• Services that don't support SAML or application passwords don't work
• POP
• IMAP
IBM Connections Cloud Login Types
• UserChoice
• Users have the choice to use the Organization login or Connections Cloud credentials
• Applies to all users
• You do not need to expose the IdP to the internet
IBM Connections Cloud Login Types
• AdminChoice
• Admin specifies the login type; the default type is Standard
• Login type can be based on
• Type of users: office users vs mobile users
• Application-based: POP/IMAP or not
SSO IBM Connections Cloud
• IBM Connections Cloud products rely on SAML
• Your organization is the IdP
• Connections Cloud is the SP
• Three flow models exist
• IdP-initiated
• SP-initiated
• SP-initiated model for mobile apps and plug-ins
SSO IBM Connections Cloud
• IdP-initiated
• User accesses a local resource that requires authentication
• Webmail
• Intranet
• …
• User clicks a link that redirects to Connections Cloud
• SSO process is initiated, SAML assertion is sent to Connections
• If validated, user accesses Connections
SSO IBM Connections Cloud
• SP-initiated
• User navigates to the Connections Cloud authentication page
• User clicks "Use My Organization's Login" and enters credentials
• Connections Cloud redirects to the IdP
• SSO process is initiated, SAML assertion is sent to Connections
• If validated, user accesses Connections
SSO IBM Connections Cloud
• SP-initiated for mobile apps and plug-ins
• App asks Connections Cloud for the login endpoint
• Connections Cloud looks up the email address and responds with the URL of the authentication mechanism
• App performs basic or simple form authentication
• SSO process is initiated, SAML assertion is sent to Connections
• If validated, user accesses Connections
Plug-Ins and Mobile Apps
• Plug-Ins
• Connections Desktop Plug-In for Windows
• Connections Desktop Plug-In for Mac
• Connections Plug-In for MS Outlook
• Mobile Apps
• Connections mobile
• Chat
• Meetings
• Notes Traveler
Application passwords
• A way to bypass the regular login process
• Can be used by Plug-Ins and Mobile apps
• Generated using a strong random number generator
• An application password can be revoked
• Activated by the administrator
• When a user generates an application password, it is displayed only one time
Prepare for federated identity management
• Choose the SAML version to use, typically SAMLv2
• Choose the federation type
• Federated
• UserChoice
• AdminChoice
• Review the flow models
• IdP-initiated
• SP-initiated
• SP-initiated model for mobile apps and plug-ins
• Implement SAML in your environment
• Can be done between Domino and ADFS
• Make sure to use the email address as NameID
• Prepare for Plug-Ins and mobile devices
• Test your SAML set up internally
• Configure SAML with IBM Connections Cloud
Enable federated identity management
• Send an email to support@collabserv.com
• Request to have federated identity management enabled
• Don't forget your Connections Customer ID
• You will need to send the FederationMetadata
• https://<MY-ADFS-SERVER.yourdomain.com>/FederationMetadata/2007-06/FederationMetadata.xml
• Set up a Relying party trust in ADFS when you receive the info back from support
Configure Relying party trust ADFS
• Navigate to "Relying Party Trusts" and click on "Add Relying Party Trust"
Configure Relying party trust ADFS
• Select to import a file and refer to the received xml
Configure Relying party trust ADFS
• Specify a display name, like IBM Cloud
Configure Relying party trust ADFS
• Add a second rule based on the template Transform an Incoming Claim
Configure Relying party trust ADFS
• For the Incoming claim type, select E-mail Address.
• For the Outgoing claim type, select Name ID.
• For the Outgoing name ID format, select Email.
• Select Pass through all claim values.
• On your AD FS server, open a PowerShell command window and issue the following command:
Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest domain>
• Forest domain is the DNS name of the forest the users belong to
Useful links
• Submitting a service request
• http://www-01.ibm.com/support/docview.wss?uid=swg21507389
• Federated Identity Management documentation
• http://www-01.ibm.com/support/knowledgecenter/SSL3JX/admin/SAMLFederatedIdentity/fim_setting_up_fim.html
• Complete cookbook set up SAML with Domino
• http://www-01.ibm.com/support/docview.wss?uid=swg21614543
Contact me
https://www.linkedin.com/in/debisschopk
@debisschopk
https://debisschopk.wordpress.com
kris.de.bisschop@groupwave.be