
1 Open Mic Webcast Configuring an IBM Domino Web Server to use Web Federated Login (SAML)
Analyn Policarpio Andrew Jazon Gupaal John Kenneth Santos Roderick Andaya January 25, 2017

2 Agenda SAML Overview SAML Concepts Benefits and Requirements
Setting up Web Federated Login How it Works Troubleshooting © 2017 IBM Corporation

3 SAML Overview and Concepts
Analyn Policarpio

4 What is SAML? Security Assertion Markup Language
Provides web-based SSO capability. A secure, XML-based protocol for representing and communicating identity and authentication data between parties.
Assertion
-User information represented in XML format
-The SAML assertion is digitally signed by the IdP, so the service provider can verify where it came from and that it was not altered; it may additionally be encrypted

5 What is Federated Login?
Once the user has logged in with SAML, Domino retrieves the user's Notes ID from the ID Vault on their behalf. The Notes ID is stored in the ID Vault.
Web Federated Login
-SAML authentication for accessing iNotes 9.x secure mail (the Notes ID is what signs and decrypts that mail)

6 SAML Concepts Identity Provider (IdP)
-Creates assertions
-Maintains the user's information
-Maintains the list of relying parties
-Performs the authentication with the client
Supported IdPs
-Microsoft ADFS 2.0 integrated with Active Directory
-IBM Tivoli Federated Identity Manager (TFIM)

7 SAML Concepts Service Provider (SP)
-Checks the validity of the assertion
-Processes the assertion to identify the user
-Provides the application service (Domino 9.x)
ID Vault
-Domino 9.x ID Vault
Clients used for accessing services
-Browser

8 Benefits and Requirements
John Kenneth Santos

9 Benefits of SAML
Provides a single sign-on experience across multiple platforms.
Reduces the need for users to manage multiple usernames and passwords.
Reduces the administrative cost of maintaining multiple directories: one identity provider for the organization.
Reduces user data redundancy.

10 Requirements Domino 9.x and Notes 9.x Standard only.
TFIM and ADFS as IdPs; other IdPs can work but are not supported.
The user's e-mail address from the IdP's directory is in the user's Person document, or Directory Assistance is used to name-map between the IdP's directory entry and the Domino user entry.

11 Requirements SSO configured on the web server. SSL enabled in Domino.
The ID vault holds the users' IDs. Import the SSL certificate of the IdP, cross-certify it and push the cross certificate to the clients. Policy settings. IdP catalog.

12 Setting up Web Federated Login
Andrew Jazon Gupaal

13 Creating the Relying Party Trust
Follow the cookbook: Setting up new Relying Party Trust for AD FS 2.0
10.lotus.com/ldd/dominowiki.nsf/dx/Cookbookcol_Setting_up_new_Relying_Party_Trust_for_AD_FS_2.0_

14 iNotes configuration on the IdP
For the service URL, use the URL for accessing your iNotes server with /names.nsf?SAMLLogin appended. The string entered in the "Relying party trust identifier" field must match the value in the "Service Provider ID" field of the iNotes configuration document in the Domino IdP catalog (idpcat.nsf).

15 ID Vault configuration on the IdP
The service URL is again the URL for accessing your iNotes server, but this time with /names.nsf?SAMLIDLogin appended. The string entered in the "Relying party trust identifier" field must match the value in the "Service Provider ID" field of the ID vault configuration document in idpcat.nsf.

16 Domino IdP Catalog (idpcat.nsf)
This is where you provide Domino with the details of your IdP. It must exist on both the iNotes server and the ID Vault server. Two separate configuration documents need to be created in idpcat.nsf: one for iNotes and one for the ID vault.

17 iNotes configuration document in idpcat.nsf
Hostname is the host name in the URL your iNotes users use to access their home mail server. You also need to list the IP address associated with your SSL configuration. The "Service provider ID" is the string that identifies Domino as an SP partner to the IdP.

18 ID vault configuration document in idpcat.nsf
ID Vault access prepends "vault." to the Domino server name.
Domino server: domino1.us.renovations.com
Vault partnership name: vault.domino1.us.renovations.com
The name given to the vault partnership need not be a resolvable DNS name, but it must look like a valid host name to the IdP. Do NOT specify an IP address for the vault.

19 ID Vault configuration document
If the Notes ID vault does not already exist, the Vault administrator creates the vault.

20 Cross certificate Export a copy of the Internet SSL certificate from your IdP. Import that certificate into your Domino Directory. Create an Internet cross certificate for it.

21 Policy Settings The user's security policy provides the name of the user's ID vault.
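The service-provider side of the flow (slide 7) expressed in code, as an added example that is not part of the presentation or of Domino itself: it takes a constructed SAML Response and applies the checks that the configuration in slides 10 and 14 to 18 exists to make possible, that the assertion is signed, that the Issuer is the catalogued IdP, that Destination and Recipient name the endpoint that received it (names.nsf?SAMLLogin or names.nsf?SAMLIDLogin), that the Audience equals the Service Provider ID (the relying party trust identifier on the IdP), that the validity window holds, and finally that the NameID e-mail address maps to a Person document. Signature verification itself is delegated to an XML-DSig library and is only checked for presence. All hosts, identifiers, the renovations.com users, the `SP_CONFIG` values and the `PERSON_DOCS` table are assumptions made for the example; the `demo()` scenarios correspond to the failure sources listed under Troubleshooting.

```python
"""Added example, not code from the presentation or from Domino: the checks a SAML
service provider such as Domino applies to an inbound Response before trusting the
identity in it, then mapping the NameID to a Person document. Signature verification
belongs to an XML-DSig library (e.g. xmlsec) and is only checked for presence here.
Every host, identifier, URL and Person-document entry below is constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance for IdP/SP clock drift
SP_CONFIG = {  # hypothetical SP settings, mirroring the idpcat fields the deck names
    "idp_issuer": "http://adfs.renovations.com/adfs/services/trust",        # assumed
    "service_provider_id": "https://domino1.us.renovations.com/names.nsf",  # assumed
    "acs_inotes": "https://domino1.us.renovations.com/names.nsf?SAMLLogin",   # slide 14 form
    "acs_vault": "https://domino1.us.renovations.com/names.nsf?SAMLIDLogin",  # slide 15 form
}
# Constructed stand-in for Domino Person documents, keyed by Internet address.
PERSON_DOCS = {"jsantos@renovations.com": "CN=John Kenneth Santos/O=Renovations"}


def _saml_time(value):
    """Parse the UTC xsd:dateTime form SAML uses (fractional seconds not handled here)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_acs, now, sp=SP_CONFIG, persons=PERSON_DOCS):
    """Return {'ok': bool, 'errors': [...], 'user': Domino name or None}."""
    errors, root = [], ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "errors": ["response carries no Assertion"], "user": None}
    # 1. Signed? Verifying the XML-DSig against the cross-certified IdP certificate is left to the DSig library.
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        errors.append("assertion is not signed")
    # 2. Issuer must be the IdP configured in the IdP catalog.
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != sp["idp_issuer"]:
        errors.append("unexpected Issuer %r" % issuer)
    # 3. Destination/Recipient must be the endpoint that received the response (SAMLLogin vs SAMLIDLogin).
    if root.get("Destination") != expected_acs:
        errors.append("Destination %r is not this endpoint" % root.get("Destination"))
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        errors.append("Recipient does not match this endpoint")
    # 4. Validity window and Audience; the Audience is the Service Provider ID, i.e. the RP trust identifier.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("assertion has no Conditions")
    else:
        nb, na = _saml_time(cond.get("NotBefore")), _saml_time(cond.get("NotOnOrAfter"))
        if not (nb - CLOCK_SKEW <= now < na + CLOCK_SKEW):
            errors.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp["service_provider_id"] not in audiences:
            errors.append("Audience %r lacks the Service Provider ID" % audiences)
    # 5. Map the NameID (the user's e-mail address at the IdP) to a Person document.
    name_id = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    user = persons.get(name_id.lower())
    if user is None:
        errors.append("no Person document with Internet address %r" % name_id)
    return {"ok": not errors, "errors": errors, "user": user}


def make_response(destination, audience, name_id, issued, signed=True, issuer=SP_CONFIG["idp_issuer"]):
    """Build a constructed Response for testing; the Signature element is a placeholder."""
    stamp = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    sig = ('<ds:Signature xmlns:ds="%s"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>'
           '</ds:Signature>' % NS["ds"]) if signed else ""
    return ('<samlp:Response xmlns:samlp="%(p)s" xmlns:saml="%(a)s" Destination="%(dest)s">'
            '<saml:Assertion><saml:Issuer>%(iss)s</saml:Issuer>%(sig)s<saml:Subject>'
            '<saml:NameID>%(nid)s</saml:NameID><saml:SubjectConfirmation>'
            '<saml:SubjectConfirmationData Recipient="%(dest)s" NotOnOrAfter="%(na)s"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions NotBefore="%(nb)s" NotOnOrAfter="%(na)s"><saml:AudienceRestriction>'
            '<saml:Audience>%(aud)s</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '</saml:Assertion></samlp:Response>') % dict(
        p=NS["samlp"], a=NS["saml"], dest=destination, iss=issuer, sig=sig, nid=name_id,
        nb=stamp(issued - timedelta(minutes=1)), na=stamp(issued + timedelta(minutes=5)), aud=audience)


def demo(now=datetime(2017, 1, 25, 15, 0, tzinfo=timezone.utc)):
    """Constructed scenarios, one per common login-failure source named in the deck."""
    sp, me, sp_id = SP_CONFIG, "jsantos@renovations.com", SP_CONFIG["service_provider_id"]
    cases = {
        "good": make_response(sp["acs_inotes"], sp_id, me, now),
        "sp_id_mismatch": make_response(sp["acs_inotes"], sp_id + "/", me, now),  # RP trust identifier typo
        "wrong_endpoint": make_response(sp["acs_vault"], sp_id, me, now),  # vault response at iNotes login
        "unknown_user": make_response(sp["acs_inotes"], sp_id, "ghost@renovations.com", now),
        "unsigned": make_response(sp["acs_inotes"], sp_id, me, now, signed=False),
        "replayed": make_response(sp["acs_inotes"], sp_id, me, now - timedelta(hours=1)),
    }
    return {name: validate_response(xml, sp["acs_inotes"], now) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "OK" if result["ok"] else result["errors"])
```

Running the module prints one verdict per scenario. The point of keeping the error strings distinct is that a mismatched relying party trust identifier, a response delivered to the wrong names.nsf endpoint and an e-mail address with no Person document all fail the login in the same way from the browser's point of view; the SP-side check is where they become distinguishable, before you reach for DEBUG_SAML and a Fiddler trace.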


23 How it Works Roderick Andaya

24 How it works

25 Troubleshooting Roderick Andaya

26 Test SAML authentication
Verify that standard SAML authentication works. Once that is verified, test whether Web Federated Login works. If login fails, enable SAML debug, webauth debug and name lookup debug in notes.ini, and take Fiddler traces in order to identify where the login fails.
Debug_SAML=31
Webauth_Verbose_Trace=1
Debug_NameLookup=1

27 Test SAML authentication (cont'd)
Collect a Fiddler trace.

28 Commonly seen sources of login failures
Missing IdP relying party trust for the ID Vault.
Incorrect IdP entries.
Invalid metadata imported into the IdP catalog.
No cross certificate for accessing the ID Vault.
ID not found in the vault.

29 References
IdP catalog configuration for SAML authentication in Notes/Domino
Troubleshooting SAML authentication in Domino

30 Thank you!

31 Q & A Press *1 on your telephone to ask a question.
Visit our Support Technical Exchange page or our Facebook page for details on future events. To help shape the future of IBM software, take this quality survey and share your opinion of IBM software used within your organization. IBM Collaboration Solutions Support page.

