Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM
1 like337 views
The document discusses Single Sign-On (SSO) methodologies using SAML for IBM Connections Cloud, detailing various login types including standard, federated, user-choice, and admin-choice. It outlines the authentication flow models and implementation steps for federated identity management. Additionally, it provides guidance on configuring relying party trusts in Active Directory Federation Services (ADFS) for seamless user access to applications without repeated login prompts.
Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM
- 1. Social Connections 11 Chicago, June 1-2 2017 Open Doors In The Cloud By Using SSO Methodologies Between Your Organisation And IBM Kris De Bisschop, @debisschopk
- 3. Social Connections 11 Chicago, June 1-2 2017 A little about me • CEO @ • Administrator ICS Portfolio o IBM Notes/Domino o IBM Sametime o IBM Notes Traveler o IBM Connections o TDI • Social Business speaker • IBM Champion Collaboration Solutions • Love high-level issues • Badminton
- 4. Social Connections 11 Chicago, June 1-2 2017 Single sign-on (SSO) • Session and user authentication service • Allows the use of one set of login credentials • No more login prompts when switching applications
- 5. Social Connections 11 Chicago, June 1-2 2017 SAML • Security Assertion Markup Language • Established as a Web SSO standard in early 2008 • XML-based • Built from WebServices Security token concepts • SAMLResponse is sent as a POST body, contains an Assertion with user details, most important one is NameId, ex InternetAddress
- 6. Social Connections 11 Chicago, June 1-2 2017 SAML • Identity Provider (IdP) • LDAP • Active Directory Federation Service (ADFS) • Tivoli Federated Identity Manager • … • Service Provider (SP) • Domino • … • Client • Browser • IBM Notes Client
- 7. Social Connections 11 Chicago, June 1-2 2017 SAML • User tries to access SP application • As user is not authenticated the first time, SP redirects to IdP • User authenticates to IdP • IdP redirects user to SP by sending SAMLResponse over HTTP POST inside hidden form. SP processes SAMLResponse and redirects user to the application User Application Service Provider (SP) / client Identity Provider (IdP) 1 2 4 3 1 2 3 4
- 8. Social Connections 11 Chicago, June 1-2 2017 Use Case On-Premise Cloud IdP SP SP
- 9. Social Connections 11 Chicago, June 1-2 2017 IBM Connections Cloud Login Types • Standard • Federated • UserChoice (aka Modified) • AdminChoice (aka Partial)
- 10. Social Connections 11 Chicago, June 1-2 2017 IBM Connections Cloud Login Types • Standard • Default type • Users must log in with email address and password
- 11. Social Connections 11 Chicago, June 1-2 2017 IBM Connections Cloud Login Types • Federated • Users don’t have username/password on Connections Cloud • Applies to all users • The IdP must be available from the internet or VPN • Services that don’t support SAML or application passwords, don’t work • POP • IMAP
- 12. Social Connections 11 Chicago, June 1-2 2017 IBM Connections Cloud Login Types • UserChoice • Users have the choice to use Organization login or Connections Cloud credentials • Applies to all users • You do not need to expose IdP to internet
- 13. Social Connections 11 Chicago, June 1-2 2017 IBM Connections Cloud Login Types • AdminChoice • Admin specifies login type, default type is Standard • Login type can be based on • Type of users: office users vs mobile users • Application-based: POP/IMAP or not
- 14. Social Connections 11 Chicago, June 1-2 2017 SSO IBM Connections Cloud • IBM Connections Cloud products rely on SAML • Your organization is the IdP • Connections Cloud is the SP • Three flow models exist • IdP-initiated • SP-initiated • SP-initiated model for mobile apps and plug-ins
- 15. Social Connections 11 Chicago, June 1-2 2017 SSO IBM Connections Cloud • Idp-initiated • User accesses local resource with authentication • Webmail • Intranet • … • User clicks a link that redirects to Connections Cloud • SSO process is initiated, SAML assertion is sent to Connections • If validated, user accesses Connections
- 16. Social Connections 11 Chicago, June 1-2 2017 SSO IBM Connections Cloud • SP-initiated • User navigates to authentication page Connections Cloud • User clicks “Use My Organization’s Login” and enters credentials • Connections Cloud redirects to IdP • SSO process is initiated, SAML assertion is sent to Connections • If validated, user accesses Connections
- 17. Social Connections 11 Chicago, June 1-2 2017 SSO IBM Connections Cloud • SP-initiated for mobile apps and plug-ins • App requests to Connections Cloud for login endpoint • Connections Cloud looks up email address and responds with URL of authentication mechanism • App performs basic or simple form authentication • SSO process is initiated, SAML assertion is sent to Connections • If validated, user accesses Connections
- 18. Social Connections 11 Chicago, June 1-2 2017 Plug-Ins and Mobile Apps • Plug-Ins • Connections Desktop Plug-In for Windows • Connections Desktop Plug-In for Mac • Connections Plug-In for MS Outlook • Mobile Apps • Connections mobile • Chat • Meetings • Notes Traveler
- 19. Social Connections 11 Chicago, June 1-2 2017 Application passwords • A way to bypass regular log in process • Can be used by Plug-Ins and Mobile apps • Generated using a strong random number generator • Application password can be revoked • Activated by the administrator • When a user generates an application password, it is displayed only one time
- 20. Social Connections 11 Chicago, June 1-2 2017 Prepare for federated identity management • Choose the SAML version to use, typically SAMLv2 • Choose the federation type • Federated • UserChoice • AdminChoice • Review the flow models • IdP-initiated • SP-initiated • SP-initiated model for mobile apps and plug-ins • Implement SAML in your environment • Can be done between Domino and ADFS • Make sure to use the email address as NameID • Prepare for Plug-Ins and mobile devices • Test your SAML set up internally • Configure SAML with IBM Connections Cloud
- 21. Social Connections 11 Chicago, June 1-2 2017 Enable federated identity management • Send an email to support@collabserv.com • Request to have federated identity management enabled • Don’t forget your Connections Customer ID • You will need to send the FederationMetadata • https://<MY-ADFS-SERVER.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml • Set up a Relying party trust in ADFS when you receive the info back from support
- 22. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS • Navigate to "Relying Party Trusts" and click on "Add Relying Party Trust"
- 23. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS • Select to import a file and refer to the received xml
- 24. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS • Specify a display name, like IBM Cloud
- 25. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS
- 26. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS
- 27. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS
- 28. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS • Click on add rule
- 29. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS
- 30. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS
- 31. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS • Add a second rule based on the template Transform an Incoming Claim Transform an Incoming Claim
- 32. Social Connections 11 Chicago, June 1-2 2017 Configure Relying party trust ADFS • For the Incoming claim type, select E-mail Address. • For the Outgoing claim type, select Name ID. • For the Outgoing name ID format, select Email. • Select Pass through all claim values. • On your AD FS server, open a PowerShell command window and issue the following command: Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest domain> • Forest domain is the DNS name where the users belong to
- 33. Social Connections 11 Chicago, June 1-2 2017 Useful links • Submitting a service request • http://www-01.ibm.com/support/docview.wss?uid=swg21507389 • Federated Identity Management documentation • http://www-01.ibm.com/support/knowledgecenter/SSL3JX/admin/SAMLFederatedIdentity/fim_setting_up_fim.html • Complete cookbook set up SAML with Domino • http://www-01.ibm.com/support/docview.wss?uid=swg21614543
- 34. Social Connections 11 Chicago, June 1-2 2017 Contact me https://www.linkedin.com/in/debisschopk @debisschopk https://debisschopk.wordpress.com kris.de.bisschop@groupwave.be