This session is about setting up federated login between IBM Connections Cloud and your on-premises environment so that your users are seamlessly logged in to their collaboration environment. In this session we go through the different steps needed to get a working solution and we discuss the technologies used to accomplish the goal.
Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM
1. Social Connections 11 Chicago, June 1-2 2017
Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM
Kris De Bisschop, @debisschopk
3. A little about me
• CEO @
• Administrator ICS Portfolio
o IBM Notes/Domino
o IBM Sametime
o IBM Notes Traveler
o IBM Connections
o TDI
• Social Business speaker
• IBM Champion Collaboration Solutions
• Love high-level issues
• Badminton
4. Single sign-on (SSO)
• Session and user authentication service
• Allows the use of one set of login credentials
• No more login prompts when switching applications
5. SAML
• Security Assertion Markup Language
• Established as a Web SSO standard in early 2008
• XML-based
• Built from WebServices Security token concepts
• The SAMLResponse is sent as a POST body and contains an Assertion with user details; the most important one is the NameID, e.g. the InternetAddress
6. SAML
• Identity Provider (IdP)
  o LDAP
  o Active Directory Federation Service (ADFS)
  o Tivoli Federated Identity Manager
  o …
• Service Provider (SP)
  o Domino
  o …
• Client
  o Browser
  o IBM Notes Client
7. SAML
• User tries to access the SP application
• As the user is not yet authenticated, the SP redirects to the IdP
• User authenticates to the IdP
• IdP redirects the user back to the SP by sending the SAMLResponse over HTTP POST inside a hidden form. The SP processes the SAMLResponse and redirects the user to the application
[Diagram: the four numbered steps exchanged between User, Application, Service Provider (SP) / client and Identity Provider (IdP)]
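The SP-side processing in step 4, as an added PowerShell example that is not part of the deck: it decodes the SAMLResponse form field and runs the checks a Service Provider must pass before trusting the NameID. The issuer, audience URL and the assertion itself are constructed sample values; verifying the XML signature against the IdP certificate is required in practice and is not shown here.

```powershell
# Added example, not from the deck: the checks a Service Provider runs on the
# SAMLResponse it receives in the hidden form POST (step 4 of the flow above).
# The response below is a constructed, unsigned sample; a real SP must also
# verify the XML signature with the IdP certificate from its FederationMetadata.
function Test-SamlResponse {
    param(
        [string]$SamlResponseBase64,   # value of the SAMLResponse form field
        [string]$ExpectedIssuer,       # IdP entityID taken from its metadata
        [string]$ExpectedAudience,     # our own SP entityID
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $xml = [xml][Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $nsm = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $nsm.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $nsm.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $problems  = @()
    $assertion = $xml.SelectSingleNode('/samlp:Response/saml:Assertion', $nsm)
    if (-not $assertion) { return [pscustomobject]@{ Valid = $false; NameID = $null; Problems = @('no Assertion') } }
    $issuer   = $assertion.SelectSingleNode('saml:Issuer', $nsm).InnerText
    $audience = $assertion.SelectSingleNode('saml:Conditions/saml:AudienceRestriction/saml:Audience', $nsm).InnerText
    $cond     = $assertion.SelectSingleNode('saml:Conditions', $nsm)
    $nameId   = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $nsm)
    if ($issuer -ne $ExpectedIssuer)     { $problems += "unexpected Issuer '$issuer'" }
    if ($audience -ne $ExpectedAudience) { $problems += "Audience '$audience' is not this SP" }
    if ($Now -lt [datetime]::Parse($cond.GetAttribute('NotBefore')).ToUniversalTime())    { $problems += 'assertion not yet valid' }
    if ($Now -ge [datetime]::Parse($cond.GetAttribute('NotOnOrAfter')).ToUniversalTime()) { $problems += 'assertion expired' }
    # Connections Cloud expects the e-mail address as NameID (slide 20).
    if ($nameId.GetAttribute('Format') -ne 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') { $problems += 'NameID is not in email format' }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); NameID = $nameId.InnerText; Problems = $problems }
}

# Constructed sample: what the IdP would place in the hidden form field.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2017-06-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-06-01T12:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2017-06-01T11:55:00Z" NotOnOrAfter="2017-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.com/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"@
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Test-SamlResponse -SamlResponseBase64 $encoded -ExpectedIssuer 'http://adfs.example.com/adfs/services/trust' `
    -ExpectedAudience 'https://sp.example.com/saml' -Now ([datetime]'2017-06-01T12:00:30Z').ToUniversalTime()
```

Changing the Audience, the clock or the NameID Format in the sample shows which check rejects the assertion, which is the behaviour to verify when testing the SAML setup internally before involving Connections Cloud.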
9. IBM Connections Cloud Login Types
• Standard
• Federated
• UserChoice (aka Modified)
• AdminChoice (aka Partial)
10. IBM Connections Cloud Login Types
• Standard
  o Default type
  o Users must log in with email address and password
11. IBM Connections Cloud Login Types
• Federated
  o Users don’t have a username/password on Connections Cloud
  o Applies to all users
  o The IdP must be available from the internet or VPN
  o Services that don’t support SAML or application passwords don’t work
    o POP
    o IMAP
12. IBM Connections Cloud Login Types
• UserChoice
  o Users have the choice to use Organization login or Connections Cloud credentials
  o Applies to all users
  o You do not need to expose the IdP to the internet
13. IBM Connections Cloud Login Types
• AdminChoice
  o Admin specifies the login type; default type is Standard
  o Login type can be based on
    o Type of users: office users vs mobile users
    o Application-based: POP/IMAP or not
14. SSO IBM Connections Cloud
• IBM Connections Cloud products rely on SAML
• Your organization is the IdP
• Connections Cloud is the SP
• Three flow models exist
  o IdP-initiated
  o SP-initiated
  o SP-initiated model for mobile apps and plug-ins
15. SSO IBM Connections Cloud
• IdP-initiated
  o User accesses a local resource with authentication
    o Webmail
    o Intranet
    o …
  o User clicks a link that redirects to Connections Cloud
  o SSO process is initiated, SAML assertion is sent to Connections
  o If validated, user accesses Connections
16. SSO IBM Connections Cloud
• SP-initiated
  o User navigates to the Connections Cloud authentication page
  o User clicks “Use My Organization’s Login” and enters credentials
  o Connections Cloud redirects to the IdP
  o SSO process is initiated, SAML assertion is sent to Connections
  o If validated, user accesses Connections
17. SSO IBM Connections Cloud
• SP-initiated for mobile apps and plug-ins
  o App asks Connections Cloud for the login endpoint
  o Connections Cloud looks up the email address and responds with the URL of the authentication mechanism
  o App performs basic or simple form authentication
  o SSO process is initiated, SAML assertion is sent to Connections
  o If validated, user accesses Connections
18. Plug-Ins and Mobile Apps
• Plug-Ins
  o Connections Desktop Plug-In for Windows
  o Connections Desktop Plug-In for Mac
  o Connections Plug-In for MS Outlook
• Mobile Apps
  o Connections mobile
  o Chat
  o Meetings
  o Notes Traveler
19. Application passwords
• A way to bypass the regular login process
• Can be used by Plug-Ins and Mobile apps
• Generated using a strong random number generator
• An application password can be revoked
• Activated by the administrator
• When a user generates an application password, it is displayed only one time
20. Prepare for federated identity management
• Choose the SAML version to use, typically SAMLv2
• Choose the federation type
  o Federated
  o UserChoice
  o AdminChoice
• Review the flow models
  o IdP-initiated
  o SP-initiated
  o SP-initiated model for mobile apps and plug-ins
• Implement SAML in your environment
  o Can be done between Domino and ADFS
  o Make sure to use the email address as NameID
• Prepare for Plug-Ins and mobile devices
• Test your SAML setup internally
• Configure SAML with IBM Connections Cloud
21. Enable federated identity management
• Send an email to support@collabserv.com
  o Request to have federated identity management enabled
  o Don’t forget your Connections Customer ID
  o You will need to send the FederationMetadata
    o https://<MY-ADFS-SERVER>.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml
• Set up a Relying party trust in ADFS when you receive the info back from support
22. Configure Relying party trust ADFS
• Navigate to "Relying Party Trusts" and click on "Add Relying Party Trust"
23. Configure Relying party trust ADFS
• Choose to import from a file and point to the XML received from support
24. Configure Relying party trust ADFS
• Specify a display name, like IBM Cloud
31. Configure Relying party trust ADFS
• Add a second rule based on the template “Transform an Incoming Claim”
32. Configure Relying party trust ADFS
• For the Incoming claim type, select E-mail Address.
• For the Outgoing claim type, select Name ID.
• For the Outgoing name ID format, select Email.
• Select Pass through all claim values.
• On your AD FS server, open a PowerShell command window and issue the following command:
  Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest domain>
  o Forest domain is the DNS name of the forest the users belong to
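The relying party trust and the claim rules from slides 22 to 32 as one PowerShell script, an added example that is neither the deck's nor IBM's: the metadata file path and the forest name corp.example.com are placeholders, and the first rule (mapping the AD mail attribute to the E-mail Address claim) is assumed, since the slides that create it are not in this extraction.

```powershell
# Added example, not part of the deck: the relying party trust and the two
# claim rules from slides 22-32 as a script, so the result can be reviewed
# and re-applied instead of being clicked through in the AD FS console.
# Assumptions (placeholders, the deck names neither): the metadata received
# from IBM support was saved as C:\temp\connections-cloud-metadata.xml and
# the users belong to the forest corp.example.com.
Import-Module ADFS

$trustName    = 'IBM Cloud'   # display name suggested in the deck
$metadataFile = 'C:\temp\connections-cloud-metadata.xml'
$forestDomain = 'corp.example.com'

# Rule 1 (assumed, the "Send LDAP Attributes as Claims" template): read the
# user's mail attribute from AD and issue it as the E-mail Address claim.
$emailRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "E-mail Address from AD mail attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@

# Rule 2 (slides 31-32, "Transform an Incoming Claim"): E-mail Address becomes
# Name ID with the Email format, passing through all claim values.
$nameIdRule = @'
@RuleTemplate = "MapClaims"
@RuleName = "E-mail Address to Name ID (Email format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Create the trust from the received metadata (slides 22-24) and attach the
# rules; the authorization rule permits every authenticated user.
Add-AdfsRelyingPartyTrust -Name $trustName -MetadataFile $metadataFile `
    -IssuanceTransformRules ($emailRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Last step of slide 32: let users sign in to AD FS with their mail address.
Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $forestDomain

# Review what was configured before testing the flow with a real user.
Get-AdfsRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, IssuanceTransformRules
```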
33. Useful links
• Submitting a service request
  o http://www-01.ibm.com/support/docview.wss?uid=swg21507389
• Federated Identity Management documentation
  o http://www-01.ibm.com/support/knowledgecenter/SSL3JX/admin/SAMLFederatedIdentity/fim_setting_up_fim.html
• Complete cookbook set up SAML with Domino
  o http://www-01.ibm.com/support/docview.wss?uid=swg21614543
34. Contact me
https://www.linkedin.com/in/debisschopk
@debisschopk
https://debisschopk.wordpress.com
kris.de.bisschop@groupwave.be