SAML - SUTOL

JMP105 JumpStart:
Single Sign-on (SAML)
Administration Basics
Jane Marcus
Senior software engineer, IBM
© 2014 IBM Corporation
Agenda
§  Single sign-on introduction
§  SAML concepts
§  Domino 9.x web server authentication using SAML
– Troubleshooting
§  Web federated login
– Troubleshooting
§  Notes Federated Login
– Troubleshooting
§  Q&A
2
Single sign-on (SSO) environment
[Diagram: Browser connecting to IBM Sametime, IBM Notes, IBM Smartcloud, IBM Connections, IBM iNotes mail, facebook]
Services on-premises, cloud services, third party services.
User doesn't want multiple password prompts.
3
Fewer password prompts. Fewer passwords in general.
§  We need single sign-on (SSO) because:
– High administrative cost for managing passwords.
– Users can't remember a lot of passwords.
– Password prompts are annoying.
– Many “different” passwords leads to lower security.
§  If we use cryptographic mechanisms instead of passwords, we can improve
security and minimize cost.
4
Security Assertion Markup Language (SAML)
•  SSO public standard from OASIS
•  One SSO approach for countless different products!
•  Many implementations available from IBM and third party providers
•  Including open source implementations
•  Many organizations currently use SAML for web SSO.
5
How is SSO possible across third party applications?
§  User's identity is represented in a signed XML assertion.
– Public standard provides specification for assertion format.
§  User may be known to applications across domains and across
corporations.
– Usually the SAML assertion contains user's email address.
– A service receives the user's identity assertion.
•  The assertion must pass cryptographic verification.
•  The service doesn't need the user's password to know who the user
is.
– (Optional, but recommended) the SAML assertion is encrypted.
•  Private unique identity information could be included in a SAML
assertion.
6
Eliminate or minimize password prompting with Notes/
Domino 9.x SAML features.
§  Web user
– SAML authentication when accessing Domino 9.x web URLs
– SAML authentication for accessing iNotes 9.x secure mail
•  Feature name: Web federated login
§  Notes 9.x user
– SAML authentication at Notes startup
•  Feature name: Notes federated login
– Notes plugins and accounts using SAML for accessing web URLs,
including IBM Smartcloud
7
Agenda
§  Single sign-on introduction
§  SAML concepts
§  Domino 9.x web server authentication using SAML
– Troubleshooting
§  Web federated login
– Troubleshooting
§  Notes Federated Login
– Troubleshooting
§  Q&A
8
SAML Federated Identity architecture
§  SAML Identity Provider (IdP)
– Server creating the SAML assertion
§  Service Provider (SP), for example, Domino 9.x
– Server processing the SAML assertion
§  Clients used for accessing services
– Browser
– Notes 9.x (standard) with embedded browser
9
SAML Identity Provider (IdP) authenticates the user and
creates the user's SAML assertion
§  IdP
– Knows about user names, passwords.
– Might be able to authenticate the user via Integrated Windows Authentication
(SPNEGO/Kerberos), or alternate non-password method.
– Prepares credentials (SAML identity assertion) for the user
•  IdP authenticated user x at time y
§  Notes/Domino 9.x is integrated with these IdPs
– Microsoft® ADFS 2.0 integrated with Active Directory
– IBM Tivoli Federated Identity Manager (TFIM, IBM Security Identity Manager)
Ø Other IdPs are not supported, but might work.
10
Federated identity using SAML assertions
§  Why is it a good thing for security?
– Minimized use of password (only handled by IdP, if required).
– Authenticate once to IdP. The IdP may “remember” the user.
•  SSO is achieved if applications use the same IdP, or...
•  SSO is achieved if authentication at the IdP is transparent to the user.
– Customers can use/control their own on-premises IdP.
– Less user data redundancy.
– Goal: password info is unavailable to crackers wanting to launch an offline
password guessing attack
11
SAML Assertion Security Overview
•  User's identity is represented in a signed XML assertion.
•  Standards based Internet certificates and keys are used.
•  Where did this assertion come from? Has it been tampered with?
•  PKI-based signature:
•  Server creating the assertion has certificate with private key, public key pair:
Ø Server creating the assertion signs it using its private key.
Ø Server processing assertion validates signature using the trusted signer's
public key.
•  Information privacy: PKI-based encryption
•  Server processing the assertion has certificate with private key, public key pair:
Ø Server creating the assertion encrypts with processing server's public key.
Ø Processing server decrypts assertion using its private key.
12
Agenda
§  Single sign-on introduction
§  SAML concepts
§  Domino 9.x web server authentication using SAML
– Troubleshooting
§  Web federated login
– Troubleshooting
§  Notes Federated Login
– Troubleshooting
§  Q&A
13
Domino 8.5x web server authentication
§  In Domino 8.5x, user browses to a Domino URL
– User is challenged for user name and password.
– Domino handles password verification.
14
Domino 8.5x Windows single sign-on for Web clients
§  User browses to a Domino URL, and is not challenged for username and
password.
– For Intranet access only.
– Domino server is required to be on Windows platform only.
15
Domino 9.x web server SAML authentication
§  Domino server can be on any supported platform.
§  SSO options for the Internet and Intranet
§  The SAML IdP takes responsibility to authenticate the user.
– Best SSO interoperability with third party applications.
16
Domino 9.x web server SAML authentication: no password
§  The SAML IdP may be able to authenticate the user with non-password
method
– Integrated Windows Authentication (SPNEGO/Kerberos) for the Intranet.
§  The user starts browsing Domino URL without any prompting.
§  The user does not need any Domino HTTP password.
17
Domino 9.x web server SAML authentication: password at IdP
§  The user browses to a Domino URL:
– The user does not need any Domino HTTP password.
– The SAML IdP takes responsibility to authenticate the user.
•  SAML IdP's login web page prompts for password.
ü The SAML IdP verifies the user's password.
– IdP “remembers” the user so that additional prompts not needed.
18
Domino web server authentication using SAML
Web Browser
SAML IdP
Domino
19
Domino web server authentication using SAML
Web Browser
SAML IdP
Domino
User browses to URL at Service Provider (SP)
SP redirects browser to SAML Identity Provider (IdP)
20
Domino web server authentication using SAML
Web Browser
SAML IdP
Domino
User browses to URL at Service Provider (SP)
SP redirects browser to SAML Identity Provider (IdP)
User authenticates to IdP
IdP returns SAML assertion
21
Domino web server authentication using SAML
Web Browser
SAML IdP
Domino
User browses to URL at Service Provider (SP)
SP redirects browser to SAML Identity Provider (IdP)
User authenticates to IdP
IdP returns SAML assertion
POST containing the SAML assertion to the SP
SP returns a session cookie to the client
22
Domino web server authentication using SAML
Web Browser
SAML IdP
Domino
User browses to URL at Service Provider (SP)
SP redirects browser to SAML Identity Provider (IdP)
User authenticates to IdP
IdP returns SAML assertion
POST containing the SAML assertion to the SP
SP returns a session cookie to the client
Browser sends session cookie with user request for URL
23
Web client: Third party browser application
Web Browser
SAML IdP
Domino
facebook
§  If a third party application is configured to trust the same SAML IdP, the
authenticated user achieves SSO.
24
SAML deployment overview
§  Deploy a SAML IdP on-premises (We have cookbooks to assist you).
– Customers desiring an all-IBM solution will use IBM TFIM.
– For customers with large Windows deployment, Microsoft ADFS with Active
Directory may be a common choice.
25
SAML deployment overview
§  Deploy a SAML IdP on-premises
– Customers desiring an all-IBM solution will use IBM TFIM.
– For customers with large Windows deployment, we expect Microsoft ADFS
with Active Directory may be a common choice.
§  Configure Domino idpcat.nsf
26
Domino IdP catalog (idpcat.nsf)
§  Use idpcat.ntf template. Database must be called idpcat.nsf
§  Special database containing trusted identity providers and their certificates.
27
SAML deployment overview
§  Deploy a SAML IdP on-premises
– Customers desiring an all-IBM solution will use IBM TFIM.
– For customers with large Windows deployment, we expect Microsoft
ADFS with Active Directory may be a common choice.
§  Configure Domino idpcat.nsf
– Import IdP information into the idpcat.nsf, so that Domino trusts the IdP.
•  Idpcat contains the IdP's login URL and the IdP's certificate.
– Export Domino information to bring to the IdP.
28
SAML deployment overview
§  Deploy a SAML IdP on-premises
– Customers desiring an all-IBM solution will use IBM TFIM.
– For customers with large Windows deployment, we expect Microsoft
ADFS with Active Directory may be a common choice.
§  Configure Domino idpcat.nsf
– Import IdP information into the idpcat.nsf, so that Domino trusts the IdP.
•  Idpcat contains the IdP's login URL and the IdP's certificate.
– Export Domino information to bring to the IdP.
§  Configure the IdP to know about Domino.
– Configure a “partnership” between the IdP and Domino, including
Domino URL to send SAML assertion.
29
SAML deployment overview
§  Deploy a SAML IdP on-premises
– Customers desiring an all-IBM solution will use IBM TFIM.
– For customers with large Windows deployment, we expect Microsoft
ADFS with Active Directory may be a common choice.
§  Configure Domino idpcat.nsf
– Import IdP information into the idpcat.nsf, so that Domino trusts the IdP.
•  Idpcat contains the IdP's login URL and the IdP's certificate.
– Export Domino information to bring to the IdP.
§  Configure the IdP to know about Domino.
– Configure a “partnership” between the IdP and Domino, including
Domino URL to send SAML assertion.
§  Enable SAML authentication in the Domino web server.
30
Domino web server configured for SAML authentication
§  Internet site document or server document specifies SAML
– Also specify the type of session cookie to be used
•  Single server session cookie (default, see below)
•  Web SSO Configuration: LTPA session cookie, if needed to facilitate
SSO with other IBM applications
31
IdP administrator decisions
§  IdP administrator
– Manages the SAML federation (at ADFS or TFIM IdP).
32
SAML 2.0 vs SAML 1.1 federation
§  SAML 2.0 and 1.1 assertions have different formats.
§  New SAML deployments typically use SAML 2.0.
§  SAML 2.0 supports encrypted assertions.
§  Consider the applications for which SSO is needed.
– Domino supports SAML 2.0 and SAML 1.1
– IBM SmartCloud supports SAML 2.0 and SAML 1.1
33
Configure SSL for the IdP
§  IdP operations require an SSL connection.
– IdP can use either a CA-signed or a self-signed SSL certificate.
– A self-signed certificate requires a specific keyUsage setting, including
"keyCertSign" and "crlSign".
•  Creating a self-signed certificate for an ADFS IdP has a special
procedure documented in IBM technote #1614543.
34
Configure SSL for the IdP
§  IdP operations require an SSL connection.
– IdP can use either a CA-signed or a self-signed SSL certificate.
– A self-signed certificate requires a specific keyUsage setting, including
"keyCertSign" and "crlSign".
•  Creating a self-signed certificate for an ADFS IdP has a special
procedure documented in IBM technote #1614543.
§  Trust setup for Domino, if participating in SSL connection to IdP:
– Export a copy of the Internet SSL certificate from your IdP federation
(ADFS or TFIM).
– Import the SSL certificate into Domino Directory.
– Cross-certify the SSL certificate.
35
Review: authentication using SAML (part one)
Web Browser
SAML IdP
Domino
User browses to URL at Service Provider (SP)
SP redirects browser to SAML Identity Provider (IdP)
User authenticates to IdP
IdP returns SAML assertion
36
IdP login setup
§  IdP administrator
– Manages the SAML federation (at ADFS or TFIM IdP).
– Decides how users will authenticate to the IdP:
•  IWA (Kerberos) for Intranet transparent login.
•  Password for Internet.
•  Possible to configure non-password authentication method.
37
IdP directory user records
§  IdP administrator
– Manages the SAML federation (at ADFS or TFIM IdP).
– Decides how users will authenticate to the IdP:
– Manages (or works with the manager of) the IdP's directory user
records.
•  The IdP's directory is an LDAP directory.
•  All SAML users must have an assigned email address.
ü SAML assertion contains the user's email address.
38
IdP partnership (relying party) configuration specifies how to
find the user's email address
39
IdP partnership with Domino
§  IdP administrator
– Manages the SAML federation (at ADFS or TFIM IdP).
– Decides how users will authenticate to the IdP.
– Manages (or works with the manager of) the IdP's directory user
records.
– Manages IdP partnerships with SAML service providers (Domino
server).
40
Review: authentication using SAML (part two)
Web Browser
SAML IdP
Domino
User browses to URL at Service Provider (SP)
SP redirects browser to SAML Identity Provider (IdP)
User authenticates to IdP
IdP returns SAML assertion
POST containing the SAML assertion to the SP
41
SAML IdP is configured to know about Domino
§  Domino URL to redirect to, with the user's SAML assertion:
– Domino Web server command: SAMLLogin
– When receiving this command, Domino knows that SAML is in progress.
42
IdP administrator sets up partnership with Domino
§  IdP administrator
– Manages the SAML federation (at ADFS or TFIM IdP).
– Decides how users will authenticate to the IdP
– Manages (or works with the manager of) the IdP's directory user
records.
– Manages IdP partnerships with SAML service providers (Domino
server).
•  Decides with Domino administrator whether SAML assertions must
be encrypted.
Ø Encrypted assertions require a Domino certificate.
Ø Additional steps at IdP to configure use of encryption.
43
IdP metadata
§  IdP administrator
– Manages the SAML federation (at ADFS or TFIM IdP).
– Decides how users will authenticate to the IdP
– Manages (or works with the manager of) the IdP's directory user
records.
– Manages IdP partnerships with SAML service providers (Domino
server).
•  Decides with Domino administrator whether SAML assertions must
be encrypted.
Ø Encrypted assertions require a Domino certificate.
Ø Additional steps at IdP to configure use of encryption.
•  Provides Domino administrator with IdP metadata file for the
federation.
44
Cooperating administrators: Domino setup to trust the IdP
§  IdP administrator…..
§  Domino administrator
– Creates and deploys the idpcat.nsf
•  Decides whether to replicate the idpcat.nsf between Domino servers
that share the same Domino directory.
Ø Separate idpcat.nsf on each Domino SAML server
Ø Or shared, replicated idpcat.nsf
45
Domino IdP catalog (idpcat.nsf)
§  Prevent attacks by deploying a very restrictive ACL on idpcat.
– That's why this highly sensitive configuration isn't in the directory!
§  If the idpcat.nsf with intact configuration is present on server:
– Server enforces SAML authentication configured in idpcat.nsf, even if
Domino directory configuration does not specify use of SAML.
46
Domino Internet site for SAML
§  Domino administrator
– Creates and deploys the idpcat.nsf
– Decides the security configuration per deployed Internet site.
Example deployment:
ü Internet Site for users who should not be authenticated by SAML.
» URL https://domino1-login.us.renovations.com/
ü Internet Site for users in Active directory who should be
authenticated by ADFS IdP.
» URL https://domino1.us.renovations.com/
47
Cooperating administrators: Domino administrator and
multiple IdP administrators?
§  Domino administrator
– Creates and deploys the idpcat.nsf
– Decides the security configuration per deployed Internet site.
Example deployment:
ü Internet Site for users who should not be authenticated by SAML.
ü Internet Site for users in Active directory who should be
authenticated by ADFS IdP.
– May want some servers/URLs serviced by one IdP, and other servers/
URLs serviced by alternate IdP.
48
Which IdP will authenticate Domino Web users?
§  Domino URL corresponds to a particular Internet site (or server config).
§  Idpcat.nsf has a document for each Internet site (or server config) supporting SAML
authentication.
49
Create SAML partnership between Domino and trusted IdP
in an idpcat.nsf document
§  Import IdP's information using the metadata file supplied by the IdP
administrator.
50
Create SAML partnership between Domino and trusted IdP
in an idpcat.nsf document
§  Import IdP's information using the metadata file supplied by the IdP
administrator.
§  Domino Internet certificate required for SAML 2.0.
– You can use an existing certificate for Domino with SAML.
•  Use Domino server console “certmgmt” command for SAML
operations.
– Or you can create a new certificate.
51
Create SAML partnership between Domino and trusted IdP
in an idpcat.nsf document
§  Import IdP's information using the metadata file supplied by the IdP
administrator.
§  Domino Internet certificate required for SAML 2.0.
– You can use an existing certificate for Domino with SAML.
•  Use Domino server console “certmgmt” command for SAML
operations.
– Or you can create a new certificate.
§  Domino Internet certificate required for encrypted assertions.
– You can use Domino’s certificate for the SAML 2.0 partnership to
also be used with SAML assertion encryption.
52
Creating SAML certificates with idpcat or
Domino server console command
§  Create a new Domino certificate using idpcat Certificate
Management tab.
– Prerequisites for running the idpcat agents on Domino server:
•  Administrator listed (or belongs to a group) in Full Access
administrators in server document in Domino directory,
•  Administrator listed (or belongs to a group) in Administrators in
server document,
•  Administrator listed (or belongs to a group) in Sign or run
unrestricted methods and operations in server document.
53
Creating SAML certificates with idpcat or
Domino server console command
§  Create a new Domino certificate using idpcat Certificate
Management tab.
– Prerequisites for running the idpcat agents on Domino server:
•  Administrator listed (or belongs to a group) in Full Access
administrators in server document in Domino directory,
•  Administrator listed (or belongs to a group) in Administrators in
server document,
•  Administrator listed (or belongs to a group) in Sign or run
unrestricted methods and operations in server document.
§  Or create a new Domino certificate using “certmgmt” console
command.
– Required if the server id file is password protected.
54
Creating SAML certificate
§  Visit the idpcat document, Certificate Management tab.
– Create self-signed certificate, added to the Domino server id file.
– Once the cert is created, you will see its hash reported in the UI.
55
Typical errors creating a SAML certificate in idpcat.nsf
idpcat document property "NotesError" is helpful to diagnose the most recent error:
§  "You are not authorized to perform that function"
– Action: Check permissions in server document security tab.
§  "Cannot accept internet certificate because the certificate is already in the ID file."
– Action: Use a different certifier name (company name)
Updating SAML certificate
§  If you want to use a different certificate later, you must update the
certificate public hash value:
– Server console “certmgmt show all” to research hash values
– Export to XML file, for configuring the partnership at the IdP.
57
Export XML: Export metadata to give to the IdP administrator
§  SAML 2.0 partnerships at the IdP may require a Domino metadata file.
§  Prerequisites for successful metadata file export:
– Create (or re-use existing) certificate, and Company name.
– Enter a Single logout URL (even if your IdP doesn’t support one).
– Enter valid (partial) Domino URL for the Domino web server.
•  Specify “https” if Domino is configured for SSL.
58
Must the Domino deployment include SSL (HTTPS)?
§  At IdP, SSL is required.
– Used to protect any password challenge to the user during login.
§  At a Domino SAML-enabled server, SSL is optional.
– TFIM IdP can either be configured to expect SSL at Domino URLs, or
not.
– Microsoft ADFS IdP requires Domino server must be configured for SSL.
59
SSL at Domino is always recommended for security
§  User's SAML assertion is sent by HTTP protocols. HTTPS is always
recommended.
§  If SSL is not used to encrypt the channels to Domino:
– Eavesdropper steals the identity assertion.
•  The stolen assertion is usable for a short period of time.
– Eavesdropper steals the session cookie.
•  The stolen cookie is usable for an administrator-configured period of time.
60
SSL deployment at Domino
§  Domino administrator
– Creates and deploys the idpcat.nsf
– Decides the security configuration per deployed Internet site.
– May cooperate with multiple IdPs.
– Determines SSL deployment per Internet site.
•  If multiple SSL-protected Internet sites are serviced on one Domino
server:
Ø Each site needs its own https URL.
Ø Each site needs its own SSL keyring file.
Ø Each site needs its own ip address.
61
Agenda
§  Single sign-on introduction
§  SAML concepts
§  Domino 9.x web server authentication using SAML
– Troubleshooting
§  Web federated login
– Troubleshooting
§  Notes Federated Login
– Troubleshooting
§  Q&A
62
Debug prerequisite
§  Before turning on SAML authentication:
– Make sure SSL is deployed properly (if required).
– Make sure the Web server is functioning properly for session
authentication.
•  Single server session
Or
•  Multi-server session (LTPA)
•  Test the session and SSO behavior across Domino URLs
63
Synchronize clocks! SAML assertions contain timestamps
§  If the Domino server machine’s time is behind the SAML IdP machine’s time:
–  SAML assertions received by Domino are invalid due to already being expired.
–  Domino notes.ini
SAML_NotOnOrAfterSkewInMinutes
Ø Allows up to n extra minutes in the 'not after' timestamp check on the SAML
assertion.
Ø Positive integer (any minus sign will be ignored), with maximum of 10
minutes.
§  If the Domino server machine’s time is ahead of the SAML IdP machine’s time:
–  SAML assertions received by Domino are invalid due to specifying a future time.
–  Domino notes.ini
SAML_NotBeforeSkewInMinutes
Ø Allows up to n extra minutes in the 'not before' timestamp check on the SAML
assertion.
Ø Positive integer (any minus sign will be ignored), with maximum of 10
minutes.
64
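As an added example (not Domino's code) of how the two skew settings above interact with an assertion's Conditions timestamps, the following Python applies the NotBefore and NotOnOrAfter checks using the rules stated on the slide (minus sign ignored, 10-minute cap); treating a non-numeric setting as 0 extra minutes is an assumption made here.

```python
"""SAML Conditions timestamp check with Domino-style clock-skew allowances.

Added example for this transcript, not Domino's code. It models the notes.ini
settings SAML_NotBeforeSkewInMinutes and SAML_NotOnOrAfterSkewInMinutes as the
slide describes them: positive integer, minus sign ignored, capped at 10 minutes.
Treating a non-numeric value as 0 is an assumption (not stated on the slide).
"""
from datetime import datetime, timedelta, timezone

MAX_SKEW_MINUTES = 10  # upper bound stated on the slide for both settings


def read_notes_ini(text):
    """Parse notes.ini-style KEY=value lines into a dict keyed by upper-cased name."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def parse_skew_setting(value):
    """Interpret a SAML_*SkewInMinutes value: minus sign ignored, capped at 10 minutes."""
    if value is None:
        return 0
    digits = value.strip().lstrip("-+")
    if not digits.isdigit():
        return 0  # assumption: an unparsable value gives no extra allowance
    return min(int(digits), MAX_SKEW_MINUTES)


def parse_saml_time(stamp):
    """Parse a SAML UTC timestamp such as 2014-03-05T10:00:00Z (fractional seconds dropped)."""
    base, _, _ = stamp.rstrip("Z").partition(".")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_conditions(not_before, not_on_or_after, now, settings):
    """Return 'accepted' or a rejection reason for an assertion's Conditions element,
    evaluated at the service provider's clock 'now' with the configured allowances."""
    before_skew = timedelta(minutes=parse_skew_setting(settings.get("SAML_NOTBEFORESKEWINMINUTES")))
    after_skew = timedelta(minutes=parse_skew_setting(settings.get("SAML_NOTONORAFTERSKEWINMINUTES")))
    # 'now' may be up to before_skew earlier than NotBefore and still pass.
    if now + before_skew < not_before:
        return "rejected: NotBefore is still in the future"
    # 'now' may be up to after_skew past NotOnOrAfter and still pass.
    if now - after_skew >= not_on_or_after:
        return "rejected: assertion expired (NotOnOrAfter reached)"
    return "accepted"


if __name__ == "__main__":
    # Constructed notes.ini fragment and assertion window for demonstration.
    cfg = read_notes_ini("SAML_NotOnOrAfterSkewInMinutes=5\nSAML_NotBeforeSkewInMinutes=-3\n")
    nb, na = parse_saml_time("2014-03-05T10:00:00Z"), parse_saml_time("2014-03-05T10:05:00Z")
    for t in ("09:56:00", "09:58:00", "10:09:00", "10:10:00"):
        print(t, check_conditions(nb, na, parse_saml_time("2014-03-05T" + t + "Z"), cfg))
```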
Debug assistance at the Domino server console: DEBUG_SAML
DEBUG_SAML flags (the notes.ini value is the sum of the flags to enable):
#define SAML_DEBUG_HTTP            0x0001  /* Debug output contains information from http side. */
#define SAML_DEBUG_PARSE           0x0002  /* Debug output contains SAML parse information. */
#define SAML_DEBUG_ERRORS          0x0004  /* Debug output only contains errors. */
#define SAML_DEBUG_DECODE_ASSERT   0x0008  /* Debug to dump decoded assertion. */
#define SAML_DEBUG_IDPCAT          0x0010  /* Debug to trace idpcat activity */
#define SAML_DEBUG_CERT            0x2000  /* Debug output for certificate management */
Example server console logging notes.ini setting:
DEBUG_SAML = 31
(31 = 0x1F = HTTP + PARSE + ERRORS + DECODE_ASSERT + IDPCAT; the CERT flag 0x2000 is not included.)
65
Debug tips in addition to DEBUG_SAML
§  Domino must resolve the email name in the SAML assertion to the Domino
name.
– Server ini: WEBAUTH_VERBOSE_TRACE=1
§  Test the Single sign-on service URL to make sure the IdP is functioning,
independent of Domino.
– Is the user properly prompted by the IdP (if password prompt required)?
– If Integrated Windows Authentication (SPNEGO/Kerberos), use klist to
see Kerberos ticket for the user to the SAML IdP.
§  Use fiddler or firebug for network trace.
– Check the HTTP post with SAML assertion.
66
Viewing SAML Assertions
– For a SAML assertion saved to file:
•  Open a text editor to view the SAML assertion file.
•  Open a tool or web site that can do base 64 decoding, such as
http://ostermiller.org/calc/encode.html
Ø From text editor, copy the base 64 encoded assertion.
Ø Paste base 64 encoded assertion to the decoder tool, and decode.
•  Open a new text editor window, copy the decoded assertion.
•  Save to file, providing a file extension of .xml
•  Open IE browser, enter the path to the .xml file
67
Seeing the SAML Assertion content outside of Domino
– IdP sends the SAML assertion to Domino in an HTTP POST
– If we view the source of the HTTP POST, it looks something like this.
•  SAML response contains base 64 encoded SAML assertion.
68
Sample decoded SAML 2.0 encrypted assertion
69
Sample decoded SAML 1.1 assertion
70
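The viewing procedure above can be scripted. The following Python is an added example (not IBM's or Domino's code) that takes the form-encoded HTTP POST, base64-decodes the SAMLResponse field and reports what the assertion carries, covering plaintext SAML 2.0, encrypted SAML 2.0 (as in the slide 69 sample, where only Domino's private key can reveal the content) and SAML 1.1. The POST bodies, issuer URL and e-mail address are constructed placeholders; the script only inspects and does not verify the signature, which Domino checks against the IdP certificate held in idpcat.nsf.

```python
"""Decode and inspect the SAMLResponse an IdP POSTs to a Domino SAMLLogin URL.

Added example for this transcript, not IBM/Domino code. The POST bodies and the XML
inside them are constructed samples; the issuer URL and jdoe@renovations.com are
placeholders. This only inspects a response: it does not verify the signature,
which Domino checks against the IdP certificate held in idpcat.nsf.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def decode_saml_response(post_body):
    """Pull SAMLResponse out of a form-encoded POST body and base64-decode it to XML text."""
    fields = parse_qs(post_body)
    if "SAMLResponse" not in fields:
        raise ValueError("POST body carries no SAMLResponse field")
    return base64.b64decode(fields["SAMLResponse"][0]).decode("utf-8")


def summarize_assertion(xml_text):
    """Describe the assertion in a decoded response: SAML version, encrypted?, signed?,
    issuer, subject e-mail and Conditions window. Handles SAML 2.0 (plain or
    EncryptedAssertion) and SAML 1.1 responses."""
    root = ET.fromstring(xml_text)
    info = {"version": None, "encrypted": False, "signed": False, "issuer": None,
            "email": None, "not_before": None, "not_on_or_after": None}
    if root.find(".//saml2:EncryptedAssertion", NS) is not None:
        info.update(version="2.0", encrypted=True)  # only the SP's private key can open it
        return info
    assertion = root.find(".//saml2:Assertion", NS)
    if assertion is not None:
        info["version"] = "2.0"
        info["issuer"] = assertion.findtext("saml2:Issuer", namespaces=NS)
        info["email"] = assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)
        conditions = assertion.find("saml2:Conditions", NS)
    else:
        assertion = root.find(".//saml1:Assertion", NS)
        if assertion is None:
            raise ValueError("no SAML 1.1 or SAML 2.0 assertion in response")
        info["version"] = "1.1"
        info["issuer"] = assertion.get("Issuer")  # SAML 1.1 carries the issuer as an attribute
        info["email"] = assertion.findtext(".//saml1:Subject/saml1:NameIdentifier", namespaces=NS)
        conditions = assertion.find("saml1:Conditions", NS)
    info["signed"] = assertion.find("ds:Signature", NS) is not None
    if conditions is not None:
        info["not_before"] = conditions.get("NotBefore")
        info["not_on_or_after"] = conditions.get("NotOnOrAfter")
    if info["email"]:
        info["email"] = info["email"].strip()
    return info


def make_post_body(response_xml, relay_state="/mail/jdoe.nsf"):
    """Form-encode a response the way a browser would POST it (constructed, for the demo)."""
    encoded = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return urlencode({"SAMLResponse": encoded, "RelayState": relay_state})


# Constructed samples; a real response carries a full ds:Signature and real cipher text.
SAMPLE_SAML2_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-03-05T10:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-03-05T10:00:00Z">
  <saml:Issuer>https://idp.example.test/placeholder</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <saml:Subject><saml:NameID>jdoe@renovations.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-03-05T10:00:00Z" NotOnOrAfter="2014-03-05T10:05:00Z"/>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAML2_ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0" IssueInstant="2014-03-05T10:00:00Z">
 <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""
SAMPLE_SAML11_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1">
 <saml:Assertion Issuer="https://idp.example.test/placeholder" MajorVersion="1" MinorVersion="1">
  <saml:Conditions NotBefore="2014-03-05T10:00:00Z" NotOnOrAfter="2014-03-05T10:05:00Z"/>
  <saml:AuthenticationStatement><saml:Subject>
   <saml:NameIdentifier>jdoe@renovations.com</saml:NameIdentifier>
  </saml:Subject></saml:AuthenticationStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SAML2_RESPONSE, SAMPLE_SAML2_ENCRYPTED, SAMPLE_SAML11_RESPONSE):
        print(summarize_assertion(decode_saml_response(make_post_body(sample))))
```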
Agenda
§  Single sign-on introduction
§  SAML concepts
§  Domino 9.x web server authentication using SAML
– Troubleshooting
§  Web federated login
– Troubleshooting
§  Notes Federated Login
– Troubleshooting
§  Q&A
71
iNotes 8.5x secure mail
§  Secure mail (encrypted or signed) requires the Notes id file.
§  Prompt the user for the Notes id password (sometimes avoided when the user's
iNotes login password is the same as the Notes id password).
– User's notes id might be stored in the mailfile.
•  Password needed to unlock the Notes id.
– User's notes id might be in the ID vault.
•  Password needed to authenticate to ID vault to request id download.
[Diagram: Browser, iNotes, mail/jdoe.nsf, ID Files, ID vault]
72
9.x Web federated login:
Fewer password prompts, fewer passwords in general.
§  iNotes secure mail automates the download of Notes id file from id vault.
– iNotes uses SAML authentication to ID vault to avoid Notes id password
prompt.
– Notes id is stored in the vault, and not in the mailfile.
– Notes id is downloaded and stored in memory when being used.
[Diagram: Browser, iNotes, mail/jdoe.nsf, ID Files; Notes RPC to authenticate to ID vault using SAML]
73
Web federated login user’s id is in the ID vault
§  If the Notes ID vault does not already exist:
– Vault administrator creates the vault.
§  User’s security policy provides the name of the user’s ID vault
– Domino administrator manages the security policy.
74
User's policy configured for Web federated login
75
Notes NRPC channel to the Notes ID vault
§  An ID vault server usually is not configured for HTTP(S).
– May be risky to open HTTP(S) port on the vault server.
§  SAML protocols use HTTP (usually HTTPS)
– iNotes will participate in SAML on behalf of the ID vault
§  iNotes communicates with the ID vault using Notes NRPC.
– NRPC encrypted channel protects communication with the vault instead
of SSL.
76
Web federated login
Web Browser
SAML IdP
iNotes
ID vault
[Web server SAML authentication resulting in a session cookie]
77
Web federated login
Web Browser
SAML IdP
iNotes
ID
vault
[Web server SAML authentication resulting in a session cookie]
NRPC request for id download
vault returns IdP URL
78
Which IdP will be used to authenticate users to vault?
§  The Notes ID vault administrator decides whether SAML authentication to the
vault is allowed.
– Edits the vault control document to name any approved idpcat
configuration documents
79
On the ID vault server, idpcat.nsf contains a vault partnership
§  For vault partnership, prepend “vault.” to the iNotes server name.
– iNotes server: domino1.us.renovations.com
– vault partnership name: vault.domino1.us.renovations.com
§  The name given to the vault partnership need not be a valid DNS, but must
look valid to the IdP.
– The IdP wants entries to look like DNS names with HTTPS URLs.
– IdP does NOT send anything directly to the vault server.
§  Do NOT specify an ip address.
80
Web federated login
Web Browser
SAML IdP
iNotes
ID
vault
[Web server SAML authentication resulting in a session cookie]
NRPC request for id download
vault returns IdP URL
iNotes redirects browser to SAML IdP
81
Web federated login
Web Browser
SAML IdP
iNotes
ID
vault
[Web server SAML authentication resulting in a session cookie]
NRPC request for id download
vault returns IdP URL
iNotes redirects browser to SAML IdP
User authenticates to IdP
IdP returns SAML assertion
82
Metadata for the vault partnership is exported to bring to IdP
§  Domino URL contains the URL of the iNotes server
– Domino URL does NOT contain the partnership name
vault.domino1.us.renovations.com
– Domino URL is a (partial) URL where the server will receive the SAML
assertion
•  iNotes server receives the SAML assertion
•  iNotes server sends assertion to vault server over NRPC
83
At IdP, iNotes URL configured for ID download
§  iNotes URL to redirect to with the user's SAML assertion:
– Domino Web server command: SAMLIDLogin
– When receiving this command, iNotes knows that ID download from vault
is in progress. NRPC to vault will be used to send assertion.
84
Web federated login
Web Browser
SAML IdP
iNotes
ID
vault
[Web server SAML authentication resulting in a session cookie]
NRPC request for id download
vault returns IdP URL
iNotes redirects browser to SAML IdP
User authenticates to IdP
IdP returns SAML assertion
POST containing SAML assertion sent to iNotes
85
Web federated login
Web Browser
SAML IdP
iNotes
ID
vault
[Web server SAML authentication resulting in a session cookie]
NRPC request for id download
vault returns IdP URL
iNotes redirects browser to SAML IdP
User authenticates to IdP
IdP returns SAML assertion
POST containing SAML assertion sent to iNotes
Assertion sent via NRPC
vault returns unlocked id file
86
9.x Web federated login requirements summary
§  iNotes server is configured for SAML authentication.
– Usually the session cookie will be LTPA (instead of single server session
cookie) to achieve SSO with Sametime awareness.
§  A SAML partnership with the IdP is set up on behalf of the ID vault.
– Setup required at the IdP.
– Idpcat document for the vault, and SAML certificate for SAML 2.0.
§  Vault administrator configures the ID vault to allow SAML authentication.
§  User's policy supports federated login
– User's id is stored in the ID vault.
– User's policy enables Web federated login.
87
Policy can require SAML-only authentication to ID vault
§  Download of id from vault could be done by:
– SAML authentication.
OR
– (optional) Password last known to id vault
88
Idpcat.nsf deployment best practice
§  Typically all vault server replicas will share the same idpcat.nsf.
§  Typically all vault server replicas will share the same SAML Internet
certificate.
– Desirable to have an encrypted assertion be decrypted by any vault
server replica.
Web federated login: Troubleshooting
Common problem: only one partnership
§  Web federated login ALWAYS requires 2 partnerships for the iNotes
server, declared at the IdP and in idpcat.nsf
1. iNotes server
•  SSO service URL includes SAMLLogin command
2. iNotes server communicating with the ID vault
•  vault. is prepended to the iNotes DNS name
•  SSO service URL includes SAMLIDLogin command
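As an added example (not code from the presentation or from Domino), the Python check below illustrates why both partnerships are needed: a response arriving for the SAMLIDLogin command is rejected unless its Audience names the "vault." partnership, which is exactly what fails when only the iNotes partnership exists. The command-in-query-string and host-name-as-Audience conventions, the host names and the sample response are assumptions constructed for illustration.

```python
# Added example, not code from the presentation or from IBM Domino. It
# checks which of the two web federated login partnerships a SAML response
# was issued for. Assumptions (hypothetical, not from the deck): the Domino
# command is the query string of the Destination URL, and the partnership
# identifier carried as the SAML Audience is the iNotes host name for
# SAMLLogin and "vault." + that host for SAMLIDLogin.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def expected_audience(command, inotes_host):
    """Partnership identifier each Domino command must be paired with."""
    if command == "SAMLLogin":
        return inotes_host
    if command == "SAMLIDLogin":
        return "vault." + inotes_host
    raise ValueError("unknown Domino SAML command: %r" % command)

def check_response(xml_text, inotes_host):
    """Return (command, email) when the assertion matches the partnership for
    its command, else raise ValueError. Signature verification and decryption
    are assumed to have already succeeded."""
    root = ET.fromstring(xml_text)
    dest = urlparse(root.get("Destination", ""))
    if dest.scheme != "https" or dest.hostname != inotes_host:
        raise ValueError("Destination %r is not the iNotes server" % dest.geturl())
    command = dest.query.split("&")[0]
    want = expected_audience(command, inotes_host)
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS)]
    if want not in audiences:
        raise ValueError("%s needs partnership %r, assertion names %r"
                         % (command, want, audiences))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or "@" not in (name_id.text or ""):
        raise ValueError("NameID must be the email address Domino maps to a Notes name")
    return command, name_id.text.strip()

def sample_response(audience):
    """Constructed SAML response for the SAMLIDLogin step (not a real capture)."""
    return ("<samlp:Response xmlns:samlp='%s' xmlns:saml='%s' "
            "Destination='https://inotes.renovations.com/names.nsf?SAMLIDLogin'>"
            "<saml:Assertion><saml:Subject><saml:NameID>jdoe@renovations.com"
            "</saml:NameID></saml:Subject><saml:Conditions><saml:AudienceRestriction>"
            "<saml:Audience>%s</saml:Audience></saml:AudienceRestriction>"
            "</saml:Conditions></saml:Assertion></samlp:Response>"
            % (NS["samlp"], NS["saml"], audience))
```

Calling `check_response(sample_response("inotes.renovations.com"), "inotes.renovations.com")` reproduces the one-partnership mistake: the audience is the plain iNotes partnership, so the SAMLIDLogin step fails.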
Other useful server ini settings in addition to DEBUG_SAML
§  iNotes and the ID vault server each needs to resolve the email name in the
SAML assertion to the Domino name.
– Server ini: WEBAUTH_VERBOSE_TRACE=1
§  Diagnosing vault transaction problems:
– Server ini: Secure_log = 2
§  Problem with in-memory id file
– Server ini: DEBUG_MMFILE=1
Notes Federated Login
8.5x Notes Login
§  User is challenged for the password of Notes ID file.
9.x Notes Federated Login
§  Use SAML authentication to log in to Notes
– The SAML IdP authenticates the Notes user.
•  IdP usually configured for Kerberos-based authentication to avoid password prompt for user.
– Notes id is downloaded from ID vault, and stored in memory when being used.
– User is operating online.
•  Works great with Notes on Citrix!
[Diagram: Domino server with Directory, ID Files and ID vault]
Notes Federated Login: No password prompt
§  User logs into Notes without entering Notes password
– SAML IdP is configured to use IWA (Kerberos) authentication on Windows.
Notes Federated Login: Form-based authentication
§  User logs into Notes by providing username/password in SAML IdP's login
page
Prerequisites
§  Notes Client 9.x
– Notes standard client
– Not supported: Notes basic client
§  Domino Server 9.x
§  User ID must be stored in the Notes ID vault.
[Diagram: Domino server with Directory, ID Files and ID vault]
Prerequisite: Users must remove old feature Notes client single logon
§  Notes “single logon” synchronizes Notes id password with the Windows password.
§  The policy to deploy Notes federated login will not be applied if Notes client single logon feature has been installed.
– Client single logon is not supported with ID vault, and cannot coexist with Notes federated login.
§  Remove single logon. See full details in Domino wiki
– Notes installation program, de-select the Client Single Logon
Or
– Use the Windows utility SC.exe
Notes federated login (sequence diagram: Standard Notes, SAML IdP, Domino, ID vault)
1. Check user’s policy, find the user’s vault
2. NRPC request for id download
3. vault returns IdP URL
4. Notes embedded browser HTTP request to SAML IdP
5. User authenticates to IdP
6. IdP returns SAML assertion
7. Extract assertion from IdP’s response (DOM API)
8. Send assertion via NRPC
9. vault returns unlocked id file
Not compatible, or only partially compatible with Notes Federated Login
■  Notes roaming user whose ID file is stored on the server in a roaming personal address book
■  Notes on a USB device
■  Notes user IDs with multiple passwords
■  Smartcard protected ID
■  Server-based password checking for Notes users
– Domino 9.x servers will ignore password checking if configured in policy with federated login.
idpcat.nsf and the IdP configuration are typically similar to Web federated login, but with fewer restrictions
§  Follow “vault.” recommendation similar to Web federated login
or
§  It is possible for Notes federated login to re-use an existing partnership
for Domino web server on the same host (shown below)
Client settings tab
Configuring the ID vault for Notes federated login
§  The Notes ID vault administrator decides whether SAML authentication
to the vault is allowed.
– Edits the vault control document to name any approved idpcat
configuration documents
Security settings policy to apply Notes federated login
configuration to users
§  Be careful about the Domino administrator’s login policy!
New user with Notes federated login: Provide an administrative deploy.nsf
§  New user starting for the first time
– Notes.ini set up on the local machine, with the user’s Notes name.
§  Administrator facilitates automated id file download from id vault:
– deploy.nsf ensures required certificates are available:
Ø  Notes organization certifier certificate
Ø  Internet cross certificate to the SAML IdP’s SSL certificate.
– If deploy.nsf is available, no password prompting needed, unless required by the SAML IdP.
New user with roaming and Notes federated login
Current required deployment order:
1.  Enable roaming for the Notes user, and ensure roaming policy is applied.
2.  Enable Notes Federated Login after roaming is in place.
Notes federated login in combination with Notes shared login
supports offline usage (Windows only)
Notes Shared Login for offline support. It will be the primary authentication method.
Notes federated login feature used only if user's ID file is missing, or local copy is
corrupted.
Roaming users with Notes shared login and Notes federated login: Provide an administrative deploy.nsf
§  Notes shared login user has his id file on his local machine.
§  Roaming user might move to new machine.
– User security “Copy ID” to assist manually moving id file to new machine.
OR
– Download id file from id vault.
•  If deploy.nsf is available, no password prompting needed, unless required by the SAML IdP.
•  In deploy.nsf:
Ø  Notes organization certifier certificate
Ø  Internet cross certificate to the SAML IdP’s SSL certificate.
§  If adding Notes roaming:
1. Enable roaming for the Notes user, and ensure roaming policy is applied.
2. Enable Notes federated login after roaming is in place.
In memory id, vs id file written to disk
§  Notes shared login
– User’s id is written to disk.
– User’s id is available for offline usage.
– Id is downloaded from vault only if missing, or local copy is corrupted.
§  Notes federated login (NOT in combination with Notes shared login)
– Id is always downloaded from vault.
– User’s ID is in memory only.
[Diagram: ID Files, ID vault]
Tighten security after (Notes/Web) federated login deployment in a stable state.
§  Download of id from vault could be done by:
– SAML authentication.
OR
– (optional) Password last known to id vault
Notes client can use SAML to authenticate with other services
§  Account framework is leveraged in this scenario.
– IBM SmartCloud Sametime
– IBM SmartCloud Connections
– Embedded/external browser access to SmartCloud services
– Domino web resources
– Feeds
Federated login for services used in Notes sidebars and other
embedded elements
§  Domino directory, Policies->Accounts view. (Policy applied as desktop settings.)
§  Create a SAML account for the SAML IdP.
–  (Basics tab) Account server name: enter the DNS name of the IdP server, for example adfs01.us.renovations.com
–  (Advanced tab) Authentication URL: enter the IdP’s login URL, for example an ADFS login for IBM SmartCloud.
https://adfs01.us.renovations.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://apps.na.collabserv.com/sps/sp/saml/v2_0
Link accounts that are using the same SAML IdP
For example:
– IBM SmartCloud Connections
– IBM SmartCloud Sametime chat
§  Create a managed account for each service using the same IdP, and
link to the SAML account.
§  See Domino wiki for examples and full instructions.
Notes Federated Login: Troubleshooting
Debug Tips
Use server debugging similar to Web federated login
Also, add Notes console logging with debug flags in client notes.ini:
DEBUG_CONSOLE=1
DEBUG_CLOCK=32
DEBUG_OUTFILE=c:\temp\debugout.txt
DEBUGGINGWCTENABLED=4294967295
CONSOLE_LOG_ENABLED=1
DEBUG_DYNCONFIG=1
DEBUG_TRUST_MGMT=1
DEBUG_IDV_TRACE=1
DEBUG_ROAMING=4
DEBUG_BSAFE_IDFILE_LOCKED=8
STX9=2
Debug Tips
Java logging with rcpinstall.properties
com.ibm.rcp.internal.security.auth.samlsso.level=FINEST
com.ibm.rcp.internal.security.auth.dialog.level=FINEST
com.ibm.rcp.core.internal.launcher.level=FINEST
com.ibm.notes.internal.federated.manager.level=FINEST
com.ibm.notes.java.api.internal.level=FINEST
com.ibm.notes.java.init.level=FINEST
com.ibm.notes.java.init.win32.level=FINEST
com.ibm.workplace.noteswc.level=FINEST
com.ibm.workplace.internal.notes.security.auth.level=FINEST
com.ibm.workplace.internal.notes.security.level=FINEST
Find logs in the Notes data\workspace\logs folder, for example
C:\Program Files\IBM\Lotus\Notes\Data\workspace\logs
Debug Tips
Sample log:
NFL Response XML from native code:
<response><NFLResponse IDPurl='https://secadfsb.sec.test/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://secwplccdlvm219.cn.sec.test'
IDPUserName='CN=John Doe/O=renovations' IsKerberosEnabled='false' IsSSLEnforced='true'
SuppressErrorDisplay='false' CurrentLocation='Online' CurrentLocationOnline='true'><AllLocations
><Location name='Home' file=''/><Location name='Offline' file=''/><Location
name='Online' file=''/><Location name='Travel' file=''/></AllLocations><TrustedSites
><TrustedSite url='https://secadfsb.sec.test'/></TrustedSites></NFLResponse></response>
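An added example, not from the presentation or from the Notes client: a parser for the NFL Response line above that pulls out the fields a troubleshooter checks first (IdP URL, user name, SSL and Kerberos flags, locations, trusted sites) and flags inconsistencies between them. The field meanings are read off the sample log; the consistency rules are this example's own.

```python
# Added example, not code from the presentation or from IBM Notes: parses the
# "NFL Response XML" line that Notes federated login writes to the client
# console log and reports inconsistencies worth checking during troubleshooting.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LOG_PREFIX = "NFL Response XML from native code:"

def parse_nfl_response(log_text):
    """Return the NFLResponse attributes and child lists as a dict."""
    xml_text = log_text.split(LOG_PREFIX, 1)[-1].strip()
    nfl = ET.fromstring(xml_text).find("NFLResponse")
    if nfl is None:
        raise ValueError("log line carries no NFLResponse element")
    return {
        "idp_url": nfl.get("IDPurl", ""),
        "user": nfl.get("IDPUserName", ""),
        "kerberos": nfl.get("IsKerberosEnabled") == "true",
        "ssl_enforced": nfl.get("IsSSLEnforced") == "true",
        "online": nfl.get("CurrentLocationOnline") == "true",
        "location": nfl.get("CurrentLocation", ""),
        "locations": [l.get("name") for l in nfl.iterfind("AllLocations/Location")],
        "trusted_sites": [t.get("url") for t in nfl.iterfind("TrustedSites/TrustedSite")],
    }

def audit(info):
    """Return troubleshooting findings; an empty list means nothing stands out."""
    findings = []
    idp = urlparse(info["idp_url"])
    origin = "%s://%s" % (idp.scheme, idp.netloc)
    if info["ssl_enforced"] and idp.scheme != "https":
        findings.append("IsSSLEnforced is true but the IdP URL is not https")
    if origin not in info["trusted_sites"]:
        findings.append("IdP origin %s is not in TrustedSites" % origin)
    if not info["online"]:
        findings.append("current location %r is not online" % info["location"])
    if not info["kerberos"]:
        findings.append("IsKerberosEnabled is false: expect the IdP's login form")
    return findings

# Sample log line taken from the slide above (wrapped for readability).
SAMPLE_LOG = (LOG_PREFIX + "<response><NFLResponse IDPurl='https://secadfsb.sec.test"
    "/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://secwplccdlvm219.cn.sec.test'"
    " IDPUserName='CN=John Doe/O=renovations' IsKerberosEnabled='false'"
    " IsSSLEnforced='true' SuppressErrorDisplay='false' CurrentLocation='Online'"
    " CurrentLocationOnline='true'><AllLocations><Location name='Home' file=''/>"
    "<Location name='Offline' file=''/><Location name='Online' file=''/>"
    "<Location name='Travel' file=''/></AllLocations><TrustedSites>"
    "<TrustedSite url='https://secadfsb.sec.test'/></TrustedSites></NFLResponse></response>")
```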
Q&A
Legal disclaimer
© IBM Corporation 2014. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify
the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any
kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject
to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related
to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the
applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries
in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at
IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future
product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of,
stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
Performance is based on measurements and projections using standard IBM benchmarks in a controlled environment. The
actual throughput or performance that any user will experience will vary depending upon many factors, including
considerations such as the amount of multiprogramming in the user's job stream, the I/O configuration, the storage
configuration, and the workload processed. Therefore, no assurance can be given that an individual user will achieve results
similar to those stated here.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Intel, Intel Centrino, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of
Intel Corporation or its subsidiaries in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Mac and Mac OS X are trademarks or registered trademarks of Apple Inc.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or
service names may be trademarks or service marks of others.
All references to Renovations and secnfla refer to fictitious companies and are used for illustration purposes only.