
Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM

250 views


This session is about setting up federated login between IBM Connections Cloud and your on-premises environment so that your users are seamlessly logged in to their collaborative environment. In this session we go through the different steps needed to get a working solution and discuss the technologies used to accomplish the goal.

Published in: Business


  1. Social Connections 11, Chicago, June 1-2 2017. Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM. Kris De Bisschop, @debisschopk
  2. Platinum sponsors, gold sponsors, silver sponsors (sponsor logos)
  3. A little about me • CEO @ (company logo) • Administrator ICS Portfolio: IBM Notes/Domino, IBM Sametime, IBM Notes Traveler, IBM Connections, TDI • Social Business speaker • IBM Champion Collaboration Solutions • Love high-level issues • Badminton
  4. Single sign-on (SSO) • A session and user authentication service • Lets users authenticate once with a single set of credentials • No more login prompts when switching between applications
  5. SAML • Security Assertion Markup Language • SAML 2.0 was ratified as an OASIS standard for Web SSO in March 2005 • XML-based • The same assertion is used as a security token in WS-Security (SAML Token Profile) • The SAMLResponse is sent as a POST body and contains an Assertion with user details; the most important element is the NameID, for example the user's e-mail address (InternetAddress in Domino)
  6. SAML roles • Identity Provider (IdP), usually backed by an LDAP directory: Active Directory Federation Services (ADFS), Tivoli Federated Identity Manager, … • Service Provider (SP): Domino, … • Client: browser, IBM Notes client
  7. SAML flow • 1. The user tries to access the SP application • 2. As the user is not yet authenticated, the SP redirects the browser to the IdP • 3. The user authenticates to the IdP • 4. The IdP redirects the user back to the SP by sending the SAMLResponse over HTTP POST inside a hidden, auto-submitted form; the SP validates the SAMLResponse and redirects the user to the application (Diagram: User, Application / Service Provider (SP), Identity Provider (IdP), steps 1-4)
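What the SP has to do with the SAMLResponse it receives in step 4, as an added PowerShell example (not from the slides, and not Domino's or IBM's code). The assertion, the IdP entityID and the SP entityID are constructed placeholders; the XML signature check that a real SP must perform against the IdP certificate from FederationMetadata.xml is deliberately left out so the example runs offline.

```powershell
# Added example (not from the slides): SP-side checks on a received SAMLResponse.
# Signature verification is out of scope here; a real SP verifies the XML
# signature with the IdP's signing certificate BEFORE trusting any of this.
# All names and URLs below are assumptions.

$expectedIssuer   = 'http://adfs.example.com/adfs/services/trust'   # IdP entityID (assumed)
$expectedAudience = 'https://apps.example-sp.com/saml'              # SP entityID (assumed)

# Constructed sample response, standing in for what ADFS would POST back.
$now = [DateTime]::UtcNow
$responseXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_resp1" Version="2.0" IssueInstant="$($now.ToString('o'))">
  <saml:Issuer>$expectedIssuer</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="$($now.ToString('o'))">
    <saml:Issuer>$expectedIssuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="$($now.AddMinutes(-5).ToString('o'))" NotOnOrAfter="$($now.AddMinutes(5).ToString('o'))">
      <saml:AudienceRestriction><saml:Audience>$expectedAudience</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@

# This is the value carried in the hidden form field named SAMLResponse.
$samlResponseField = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($responseXml))

function Test-SamlResponse {
    param([string]$Base64Response, [string]$Issuer, [string]$Audience)
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')

    $status = $doc.SelectSingleNode('/samlp:Response/samlp:Status/samlp:StatusCode/@Value', $ns).Value
    if ($status -ne 'urn:oasis:names:tc:SAML:2.0:status:Success') { throw "IdP reported failure: $status" }

    $assertion = $doc.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { throw 'No Assertion in response' }

    # Only the IdP we federated with may assert identities.
    $issuer = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
    if ($issuer -ne $Issuer) { throw "Unexpected issuer $issuer" }

    # Validity window: stops replay of an old, still correctly signed assertion.
    $cond   = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $nowUtc = [DateTime]::UtcNow
    if ($nowUtc -lt [DateTimeOffset]::Parse($cond.NotBefore).UtcDateTime)    { throw 'Assertion not yet valid' }
    if ($nowUtc -ge [DateTimeOffset]::Parse($cond.NotOnOrAfter).UtcDateTime) { throw 'Assertion expired' }

    # Audience: an assertion minted for another SP must not be accepted here.
    $aud = $cond.SelectSingleNode('saml:AudienceRestriction/saml:Audience', $ns).InnerText
    if ($aud -ne $Audience) { throw "Assertion was issued for $aud, not for this SP" }

    # NameID is what the SP maps to its user record; Connections Cloud needs it
    # to be the e-mail address, hence the format check.
    $nameId = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
    if ($nameId.Format -ne 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') {
        throw "NameID format $($nameId.Format) is not emailAddress"
    }
    return $nameId.InnerText
}

Test-SamlResponse -Base64Response $samlResponseField -Issuer $expectedIssuer -Audience $expectedAudience
```

Running it returns `alice@example.com`; change the Audience or move the clock outside the NotBefore/NotOnOrAfter window and the function throws instead, which is the behaviour you want to see from any SP you put in front of Connections Cloud or Domino.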
  8. Use case (diagram: on-premises IdP, cloud SPs)
  9. IBM Connections Cloud Login Types • Standard • Federated • UserChoice (aka Modified) • AdminChoice (aka Partial)
  10. IBM Connections Cloud Login Types • Standard • Default type • Users must log in with their Connections Cloud email address and password
  11. IBM Connections Cloud Login Types • Federated • Users have no username/password on Connections Cloud; the only credentials are the ones at your IdP • Applies to all users • The IdP must be reachable from the internet (or via VPN), because the browser is redirected to it • Services that support neither SAML nor application passwords do not work: POP, IMAP
  12. IBM Connections Cloud Login Types • UserChoice • Users choose between their Organization login (SAML) and Connections Cloud credentials • Applies to all users • You do not need to expose the IdP to the internet
  13. IBM Connections Cloud Login Types • AdminChoice • The admin specifies the login type per user; the default is Standard • The login type can be based on the type of user (office users vs mobile users) or on the application (POP/IMAP or not)
  14. SSO IBM Connections Cloud • IBM Connections Cloud products rely on SAML • Your organization is the IdP • Connections Cloud is the SP • Three flow models exist: IdP-initiated, SP-initiated, and SP-initiated for mobile apps and plug-ins
  15. SSO IBM Connections Cloud • IdP-initiated • The user accesses a local resource that requires authentication (webmail, intranet, …) • The user clicks a link that redirects to Connections Cloud • The SSO process is initiated and the SAML assertion is sent to Connections • If validated, the user accesses Connections
  16. SSO IBM Connections Cloud • SP-initiated • The user navigates to the Connections Cloud authentication page • The user clicks "Use My Organization's Login" and enters credentials • Connections Cloud redirects to the IdP • The SSO process is initiated and the SAML assertion is sent to Connections • If validated, the user accesses Connections
  17. SSO IBM Connections Cloud • SP-initiated for mobile apps and plug-ins • The app asks Connections Cloud for the login endpoint • Connections Cloud looks up the email address and responds with the URL of the authentication mechanism • The app performs basic or simple form authentication against that URL • The SSO process is initiated and the SAML assertion is sent to Connections • If validated, the user accesses Connections
</gr_insert_placeholder>
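The redirect in the SP-initiated flow (slide 16: "Connections Cloud redirects to IdP"), as an added PowerShell example that is not from the slides and not IBM's implementation. It builds the SAML 2.0 HTTP-Redirect binding AuthnRequest the SP sends the browser to, and then decodes it the way the IdP does on arrival. The IdP endpoint, SP entityID and ACS URL are assumptions; request signing (SigAlg/Signature parameters) is out of scope.

```powershell
# Added example (not from the slides, not IBM's code): SP-initiated SAML,
# the SP -> IdP half. The AuthnRequest is DEFLATEd, base64'd and URL-encoded
# into the SAMLRequest query parameter (HTTP-Redirect binding).
# URLs and entity IDs are placeholders.

function New-SamlAuthnRequestUrl {
    param(
        [string]$IdpSsoUrl,   # ADFS SSO endpoint, assumed
        [string]$SpEntityId,  # SP entityID as published in its metadata, assumed
        [string]$AcsUrl       # where the IdP must POST the SAMLResponse back to, assumed
    )
    $id = '_' + [Guid]::NewGuid().ToString('N')
    $issueInstant = [DateTime]::UtcNow.ToString('yyyy-MM-dd\THH:mm:ss\Z')
    # NameIDPolicy asks the IdP for an e-mail address NameID, the identifier
    # Connections Cloud matches users on (slide 20).
    $xml = "<samlp:AuthnRequest xmlns:samlp=`"urn:oasis:names:tc:SAML:2.0:protocol`" " +
           "xmlns:saml=`"urn:oasis:names:tc:SAML:2.0:assertion`" ID=`"$id`" Version=`"2.0`" " +
           "IssueInstant=`"$issueInstant`" Destination=`"$IdpSsoUrl`" " +
           "AssertionConsumerServiceURL=`"$AcsUrl`" " +
           "ProtocolBinding=`"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST`">" +
           "<saml:Issuer>$SpEntityId</saml:Issuer>" +
           "<samlp:NameIDPolicy Format=`"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`" AllowCreate=`"false`"/>" +
           "</samlp:AuthnRequest>"
    # Raw DEFLATE (no zlib header), then base64, as the binding specifies.
    $raw = [Text.Encoding]::UTF8.GetBytes($xml)
    $ms  = New-Object IO.MemoryStream
    $ds  = New-Object IO.Compression.DeflateStream($ms, [IO.Compression.CompressionMode]::Compress, $true)
    $ds.Write($raw, 0, $raw.Length)
    $ds.Dispose()
    $encoded = [Convert]::ToBase64String($ms.ToArray())
    return "${IdpSsoUrl}?SAMLRequest=$([Uri]::EscapeDataString($encoded))"
}

# The IdP side: reverse the encoding and read who is asking and where to reply.
function Read-SamlAuthnRequest {
    param([string]$RedirectUrl)
    $uri     = [Uri]$RedirectUrl
    $param   = ($uri.Query.TrimStart('?') -split '&') | Where-Object { $_ -like 'SAMLRequest=*' }
    $encoded = [Uri]::UnescapeDataString($param.Substring('SAMLRequest='.Length))
    $bytes   = [Convert]::FromBase64String($encoded)
    $in  = New-Object IO.MemoryStream(,$bytes)
    $ds  = New-Object IO.Compression.DeflateStream($in, [IO.Compression.CompressionMode]::Decompress)
    $out = New-Object IO.MemoryStream
    $ds.CopyTo($out)
    [xml]$doc = [Text.Encoding]::UTF8.GetString($out.ToArray())
    $req = $doc.AuthnRequest
    # ADFS only answers an Issuer that matches a configured relying party trust
    # identifier (slide 21 onwards); anything else is rejected.
    [pscustomobject]@{
        Issuer       = $req.Issuer
        AcsUrl       = $req.AssertionConsumerServiceURL
        NameIdFormat = $req.NameIDPolicy.Format
    }
}

$url = New-SamlAuthnRequestUrl -IdpSsoUrl 'https://adfs.example.com/adfs/ls/' `
                               -SpEntityId 'https://apps.example-sp.com/saml' `
                               -AcsUrl 'https://apps.example-sp.com/saml/acs'
$url
Read-SamlAuthnRequest -RedirectUrl $url
```

The decoded object shows the three things the IdP acts on: the Issuer it must recognise as a relying party, the AssertionConsumerServiceURL it will POST the SAMLResponse to (which ADFS takes from the trust's metadata, not from the request, unless the request is signed), and the requested NameID format.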
  18. Plug-Ins and Mobile Apps • Plug-Ins: Connections Desktop Plug-In for Windows, Connections Desktop Plug-In for Mac, Connections Plug-In for MS Outlook • Mobile Apps: Connections mobile, Chat, Meetings, Notes Traveler
  19. Application passwords • An alternative to the regular login for clients that cannot complete a browser-based SAML login • Can be used by Plug-Ins and Mobile apps • Generated using a strong random number generator • An application password can be revoked • The feature is activated by the administrator • When a user generates an application password it is displayed only once, so it has to be copied into the client straight away
  20. Prepare for federated identity management • Choose the SAML version to use, typically SAMLv2 • Choose the federation type: Federated, UserChoice or AdminChoice • Review the flow models: IdP-initiated, SP-initiated, and SP-initiated for mobile apps and plug-ins • Implement SAML in your environment; this can be done between Domino and ADFS • Make sure to use the e-mail address as NameID • Prepare for Plug-Ins and mobile devices • Test your SAML set-up internally • Configure SAML with IBM Connections Cloud
  21. Enable federated identity management • Send an email to support@collabserv.com requesting that federated identity management be enabled • Don't forget your Connections Customer ID • You will need to send your FederationMetadata: https://<MY-ADFS-SERVER>.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml • Set up a Relying party trust in ADFS when you receive the SP metadata back from support
  22. Configure Relying party trust ADFS • Navigate to "Relying Party Trusts" and click on "Add Relying Party Trust"
  23. Configure Relying party trust ADFS • Select to import a file and refer to the received XML (the SP metadata returned by support)
  24. Configure Relying party trust ADFS • Specify a display name, like IBM Cloud
  25-27. Configure Relying party trust ADFS (wizard screenshots only)
  28. Configure Relying party trust ADFS • Click on Add Rule
  29-30. Configure Relying party trust ADFS (claim rule wizard screenshots; this first rule has to issue an E-mail Address claim from the directory, because the second rule below consumes it)
  31. Configure Relying party trust ADFS • Add a second rule based on the template Transform an Incoming Claim
  32. Configure Relying party trust ADFS • For the Incoming claim type, select E-mail Address • For the Outgoing claim type, select Name ID • For the Outgoing name ID format, select Email • Select Pass through all claim values • On your AD FS server, open a PowerShell window and run: Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest domain> • <forest domain> is the DNS name of the forest the users belong to; this enables Alternate Login ID, so users sign in at the IdP with their mail attribute, the same e-mail address Connections Cloud receives as NameID
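The relying party trust from slides 21 to 32 built with the AD FS PowerShell module instead of the wizard, as an added example that is not from the slides; doing it this way leaves the claim rules in reviewable, repeatable text. The display name, metadata file path and forest name are assumptions. The first claim rule, which the wizard screenshots do not spell out, is assumed here to be the "Send LDAP Attributes as Claims" template mapping the AD mail attribute to E-mail Address; the second rule is the Transform an Incoming Claim rule from slide 32.

```powershell
# Added example (not from the slides): relying party trust for Connections Cloud
# via the ADFS module. Run on the AD FS server as an AD FS administrator.
Import-Module ADFS

$rpName       = 'IBM Cloud'                                   # display name, as on slide 24
$metadataFile = 'C:\temp\ibm-connections-cloud-metadata.xml'  # assumed: the XML support sent back
$forest       = 'corp.example.com'                            # assumed: forest DNS name of the users

# Rule 1 (assumed "Send LDAP Attributes as Claims"): look up the user's mail
# attribute in AD and issue it as an E-mail Address claim.
# Rule 2 (slide 32, "Transform an Incoming Claim"): turn that claim into the
# Name ID with the emailAddress format and pass the value through unchanged.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail as E-mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail Address to Name ID (Email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Issuance authorization: permit all authenticated users (the wizard's default).
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Slides 22-24: create the trust from the SP metadata file (idempotent on re-run).
if (-not (Get-AdfsRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue)) {
    Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile
}

# Slides 28-32: set the claim rules. Note that -IssuanceTransformRules replaces
# the whole rule set, so everything the trust needs must be in $issuanceRules.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# Slide 32: Alternate Login ID, so the credentials typed at the IdP are the
# user's mail attribute, matching the e-mail address Connections Cloud uses.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $forest

# Review what AD FS stored before testing from the cloud side: the identifier
# must be the SP entityID from the metadata, and the rules must be the two above.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Identifier, Enabled, SignatureAlgorithm
$rp.IssuanceTransformRules
```

Re-run the last three lines after any wizard change too; the claim-rule text is what AD FS actually evaluates, and a rule that issues the wrong claim type or a Name ID without the emailAddress format is the usual reason a user lands on Connections Cloud with a valid assertion and no matching account.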
  33. Useful links • Submitting a service request: http://www-01.ibm.com/support/docview.wss?uid=swg21507389 • Federated Identity Management documentation: http://www-01.ibm.com/support/knowledgecenter/SSL3JX/admin/SAMLFederatedIdentity/fim_setting_up_fim.html • Complete cookbook to set up SAML with Domino: http://www-01.ibm.com/support/docview.wss?uid=swg21614543
  34. Contact me • https://www.linkedin.com/in/debisschopk • @debisschopk • https://debisschopk.wordpress.com • kris.de.bisschop@groupwave.be
