Open Mic Webcast: Configuring an IBM Domino Web Server to use Web Federated Login (SAML)
Analyn Policarpio, Andrew Jazon Gupaal, John Kenneth Santos, Roderick Andaya
January 25, 2017

Agenda
- SAML Overview
- SAML Concepts
- Benefits and Requirements
- Setting up Web Federated Login
- How it Works
- Troubleshooting
© 2017 IBM Corporation

SAML Overview and Concepts (Analyn Policarpio)

What is SAML?
- Security Assertion Markup Language
- Provides Web-based SSO capability
- Secure XML-based protocol for representing and communicating identity and authentication data between parties
- Assertion: user information represented in XML format; the SAML assertion is encrypted

What is Federated Login?
- Once logged in using SAML, Domino provides access to the Notes ID.
- The Notes ID is stored in the ID Vault.
- Web Federated Login: SAML authentication for accessing iNotes 9.x secure mail

SAML Concepts: Identity Provider (IdP)
- Creates assertions
- Maintains the user's information
- Maintains the list of relying parties
- Performs the authentication with the client
Supported IdPs:
- Microsoft's ADFS 2.0 integrated with Active Directory
- IBM Tivoli Federated Identity Manager (TFIM)

SAML Concepts: Service Provider (SP)
- Checks the validity of the assertion
- Processes the assertion to identify the user
- Provides the application service
- Domino 9.x
ID Vault:
- Domino 9.x ID Vault
Clients used for accessing services:
- Browser

Benefits and Requirements (John Kenneth Santos)

Benefits of SAML
- Provides a single sign-on experience across multiple platforms.
- Reduces the need for users to manage multiple usernames and passwords.
- Reduces the administrative cost of maintaining multiple directories.
- One identity provider for the organization.
- Reduces user data redundancy.

Requirements
- Domino 9.x and Notes 9.x Standard only.
- TFIM and ADFS for IdPs; others can work but are not supported.
- The email address from the IdP's directory is in the user's person document, or Directory Assistance is used to name-map between the IdP's directory and the Domino user entry.

Requirements (continued)
- SSO configured on the Web server.
- SSL enabled in Domino.
- ID vault has the user IDs.
- Import the SSL certificate of the IdP, cross-certify it, and push it to the client.
- Policy settings.
- IdP Catalog.

Setting up Web Federated Login (Andrew Jazon Gupaal)

Creating the Relying Party Trust
Follow the cookbook "Setting up new Relying Party Trust for AD FS 2.0":
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/Cookbookcol_Setting_up_new_Relying_Party_Trust_for_AD_FS_2.0_

iNotes configuration on the IdP
- For the service URL, use the URL for accessing your iNotes server with /names.nsf?SAMLLogin appended.
- The string entered into the "Relying party trust identifier" field needs to match the value in the "Service Provider ID" field located in the Domino idpcat configuration document.

ID Vault configuration on the IdP
- For the service URL, use the URL for accessing your iNotes server; with this configuration, however, you append /names.nsf?SAMLIDLogin.
- The string entered into the "Relying party trust identifier" field needs to match the value in the "Service Provider ID" field located in the Domino idpcat configuration document.
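The two slides above and the SP description earlier come down to a few checks Domino must make on every inbound assertion: the Issuer must be the configured IdP, the Audience must equal the "Service Provider ID" that was also entered as the relying party trust identifier, the Conditions time window must hold, and the asserted e-mail must map to a person document. The following Python is an added example of those checks, not IBM or Domino code; the idpcat values, the person-document mapping and the assertion XML are all constructed for illustration, and XML signature verification is deliberately left out (a real SP must verify the signature before trusting any of these fields).

```python
"""Minimal SP-side SAML 2.0 assertion checks (added example, not Domino code).

Standard library only. Verifies Issuer, Audience vs. Service Provider ID,
the Conditions time window, and e-mail -> person document mapping.
NOTE: no XML signature verification here; production code must do that first.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed idpcat-style configuration (hypothetical values).
IDPCAT = {
    "idp_entity_id": "http://adfs.example.com/adfs/services/trust",
    "service_provider_id": "https://mail.example.com/names.nsf",
}

# Constructed stand-in for the Domino Directory: e-mail -> Notes name.
PERSON_DOCUMENTS = {
    "jdoe@example.com": "CN=Jane Doe/O=Renovations",
}

# Constructed sample assertion (not a real capture).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2017-01-25T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-01-25T09:59:00Z" NotOnOrAfter="2017-01-25T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mail.example.com/names.nsf</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _parse_time(value):
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, config, directory, now):
    """Return (notes_name, problems); notes_name is None unless every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return None, ["root element is not a SAML 2.0 Assertion"]

    # Issuer must be the IdP named in the idpcat document.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_entity_id"]:
        problems.append("issuer %r does not match the IdP in idpcat" % issuer)

    # Conditions: time window and audience (the Service Provider ID).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _parse_time(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if na and now >= _parse_time(na):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if config["service_provider_id"] not in audiences:
            problems.append("audience %r does not contain the Service Provider ID" % audiences)

    # Name mapping: asserted e-mail must be on a person document.
    email = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip().lower()
    notes_name = directory.get(email)
    if notes_name is None:
        problems.append("no person document with e-mail %r" % email)

    return (notes_name if not problems else None), problems


def check_sample(now_text, service_provider_id=IDPCAT["service_provider_id"]):
    """Run the validator on the constructed assertion at a given UTC time."""
    config = dict(IDPCAT, service_provider_id=service_provider_id)
    return validate_assertion(SAMPLE_ASSERTION, config, PERSON_DOCUMENTS, _parse_time(now_text))


if __name__ == "__main__":
    print(check_sample("2017-01-25T10:01:00Z"))
    print(check_sample("2017-01-25T10:01:00Z", "https://other.example.com/names.nsf"))
```

Running `check_sample` with a Service Provider ID that differs from the Audience reproduces the mismatch the slides warn about: the assertion is otherwise well formed, but the SP must refuse it because it was issued for a different relying party.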

Domino IdP Catalog (idpcat.nsf)
- This is where you provide Domino with the details of your IdP.
- Must be on the iNotes and ID Vault server.
- Two separate configurations need to be implemented in idpcat.nsf.

iNotes configuration document in idpcat.nsf
- Hostname is the URL your iNotes users use to access their home mail server.
- You also need to list the IP address associated with your SSL configuration.
- The "Service provider ID" is the string that identifies Domino as an SP partner to the IdP.

ID vault configuration document in idpcat.nsf
- ID Vault access prepends "vault." to the Domino server name.
  Domino server: domino1.us.renovations.com
  Vault partnership name: vault.domino1.us.renovations.com
- The name given to the vault partnership need not be a valid DNS name, but must look valid to the IdP.
- Do NOT specify an IP address for the vault.

ID Vault configuration document
- If the Notes ID vault does not already exist, the Vault administrator creates the vault.

Cross certificate
- Export a copy of the Internet SSL certificate from your IdP.
- Import that certifier into your Domino Directory.
- Create an Internet cross certificate.

Policy Settings
- The user's security policy provides the name of the user's ID vault.


How it Works (Roderick Andaya)

How it works (diagram)

Troubleshooting (Roderick Andaya)

Test SAML authentication
- Verify that standard SAML authentication works.
- Once verified, test whether Web Federated Login works.
- If login fails, enable SAML debug, webauth debug and name lookup debug, and take Fiddler traces to identify where the login fails:
  Debug_SAML=31
  Webauth_Verbose_Trace=1
  Debug_NameLookup=1

Test SAML authentication (continued)
- Collect a Fiddler trace: http://www.ibm.com/support/docview.wss?uid=swg21614358

Commonly seen sources of login failures
- Missing IdP relying party trust for the ID Vault.
- Incorrect IdP entries.
- Invalid metadata imported into the IdP catalog.
- No cross-certificate for accessing the ID Vault.
- ID not found in vault.
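Most of the failures listed above are mismatches between what was entered in the two idpcat.nsf documents and what the IdP holds: the iNotes relying party trust must point at the iNotes URL with /names.nsf?SAMLLogin, the ID Vault trust at the same URL with /names.nsf?SAMLIDLogin, each trust identifier must equal the matching "Service Provider ID", the vault partnership name must be "vault." plus the Domino server name with no IP address, the IdP's certificate must be cross-certified, and the user's ID must be in the vault. The Python below is an added pre-flight check of those relationships, not IBM or Domino code; the idpcat documents, the AD FS relying party trusts, the cross-certificate list and the vault contents are modelled as plain dicts and sets with field names chosen for this example, and every value in them is constructed.

```python
"""Pre-flight consistency check for a Domino Web Federated Login setup.

Added example, not IBM or Domino code. Models the idpcat.nsf documents and the
IdP's relying party trusts (RPTs) as dicts with example-specific field names and
reports the mismatches the troubleshooting slide lists.
"""

INOTES_SUFFIX = "/names.nsf?SAMLLogin"     # appended for the iNotes RPT
VAULT_SUFFIX = "/names.nsf?SAMLIDLogin"    # appended for the ID Vault RPT

# Constructed Domino side: what the administrator entered in idpcat.nsf.
IDPCAT = {
    "domino_host": "domino1.us.renovations.com",
    "inotes": {"hostname": "domino1.us.renovations.com",
               "service_provider_id": "https://domino1.us.renovations.com/names.nsf"},
    "vault": {"hostname": "vault.domino1.us.renovations.com",
              "service_provider_id": "https://vault.domino1.us.renovations.com/names.nsf",
              "ip_address": ""},
    "idp_cert_issuer": "CN=adfs.renovations.com",   # issuer of the IdP's SSL certificate
}

# Constructed IdP side: relying party trusts as registered in AD FS.
IDP_RPTS = [
    {"identifier": "https://domino1.us.renovations.com/names.nsf",
     "service_url": "https://domino1.us.renovations.com/names.nsf?SAMLLogin"},
    {"identifier": "https://vault.domino1.us.renovations.com/names.nsf",
     "service_url": "https://domino1.us.renovations.com/names.nsf?SAMLIDLogin"},
]
CROSS_CERTS = {"CN=adfs.renovations.com"}           # Internet cross certificates in the Domino Directory
VAULT_IDS = {"CN=Jane Doe/O=Renovations"}           # Notes IDs held in the ID vault


def expected_rpts(idpcat):
    """What the IdP must hold for each idpcat document, per the setup slides."""
    host = idpcat["inotes"]["hostname"]
    return {
        "inotes": {"identifier": idpcat["inotes"]["service_provider_id"],
                   "service_url": "https://" + host + INOTES_SUFFIX},
        "vault": {"identifier": idpcat["vault"]["service_provider_id"],
                  "service_url": "https://" + host + VAULT_SUFFIX},
    }


def preflight(idpcat, idp_rpts, cross_certs, vault_ids, notes_name):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    by_id = {r["identifier"]: r for r in idp_rpts}
    for role, want in expected_rpts(idpcat).items():
        rpt = by_id.get(want["identifier"])
        if rpt is None:
            problems.append("missing IdP relying party trust for %s (identifier %s)"
                            % (role, want["identifier"]))
        elif rpt["service_url"] != want["service_url"]:
            problems.append("%s RPT service URL %s does not match expected %s"
                            % (role, rpt["service_url"], want["service_url"]))
    # Vault partnership name is "vault." + Domino server name, and carries no IP address.
    if idpcat["vault"]["hostname"] != "vault." + idpcat["domino_host"]:
        problems.append("vault partnership name should be vault." + idpcat["domino_host"])
    if idpcat["vault"].get("ip_address"):
        problems.append("ID vault configuration document must not specify an IP address")
    if idpcat["idp_cert_issuer"] not in cross_certs:
        problems.append("no Internet cross certificate for " + idpcat["idp_cert_issuer"])
    if notes_name not in vault_ids:
        problems.append("ID for %s not found in vault" % notes_name)
    return problems


def demo(drop_vault_rpt=False):
    """Run the check on the constructed data, optionally without the vault RPT."""
    rpts = [r for r in IDP_RPTS
            if not (drop_vault_rpt and r["service_url"].endswith(VAULT_SUFFIX))]
    return preflight(IDPCAT, rpts, CROSS_CERTS, VAULT_IDS, "CN=Jane Doe/O=Renovations")


if __name__ == "__main__":
    print("consistent:", demo())
    print("vault RPT removed:", demo(drop_vault_rpt=True))
```

Calling `demo(drop_vault_rpt=True)` reproduces the first failure on the slide (a working iNotes trust with no matching trust for the ID Vault), which is easy to miss because the browser login itself succeeds and only the ID download fails.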

References
- IdP catalog configuration for SAML authentication in Notes/Domino: http://www.ibm.com/support/docview.wss?uid=swg21988698
- Troubleshooting SAML authentication in Domino: http://www.ibm.com/support/docview.wss?uid=swg21902373

Thank you!

Q & A
Press *1 on your telephone to ask a question.
Visit our Support Technical Exchange page or our Facebook page for details on future events.
To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization: https://ibm.biz/BdsyeX
IBM Collaboration Solutions Support page: http://www.facebook.com/IBMLotusSupport
IBM Collaboration Solutions Support: http://twitter.com/IBM_ICSSupport