Transcript SHOW100
SHOW100: AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Rob Axelrod, Technotics
Andy Pedisich, Technotics
© 2014 IBM Corporation
Meet Your Presenters!
Rob Axelrod
Andy Pedisich
About Technotics, Inc.
Technotics was founded in 1998 as a consultancy to focus on collaboration in the enterprise. Since that time we have provided strategic advice, project management and technical support to organizations worldwide, focusing on high levels of customer engagement and long-term relationships.
Our services include environmental audits, premium support, executive briefings on cloud-based collaboration and migrations between messaging and collaboration systems.
Contact Andy at [email protected] or Rob at [email protected].
2
Legal Stuff
IBM Trademarks
– Domino®
– Lotus Notes®
– Notes®
Microsoft, Windows, Windows NT, ADFS, Active Directory, IIS and the Windows logo are
trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of
Oracle and/or its affiliates.
Chrome is a trademark of Google Inc.
3
Agenda
Overview of presentation and key concepts
Pre-Requisites
Show & Tell Time!
Testing and Troubleshooting
Wrap Up
4
What kind of presentation is this?
Since this is a Show & Tell we are going to focus on “how” questions as opposed to “why” questions, though we will be here for another couple of days and would be glad to talk about “why” and conceptual issues if you catch up with us after the presentation or email us after the conference.
If we had an eight hour speaking slot we could go into all of the underlying conceptual issues
and configuration options but that isn’t what Show & Tell is all about.
There is another session on the topic that will be more conceptual: “BP104: Simplifying The S's: Single Sign-On, SPNEGO and SAML”.
We are going to focus on the Domino\Notes side of the house rather than the ADFS side
though we will cover the parts of ADFS configuration that are specific to getting Domino and
Notes working with it.
5
Overview
Since you are here, we are going to assume that you are familiar with most of the basic concepts, but it is worth taking just a couple of minutes to level-set everyone, so we are going to go over them.
6
Warning! - This is hard!
Of anything that we’ve ever done with Domino and Notes Administration this is the most
complex. To configure and maintain the setup you should probably have the following
knowledge available to you either in yourself, a colleague or consultant or all combined.
– Strong and comprehensive knowledge of:
• Domino server admin
• Notes client configuration and security
• Active Directory configuration at your company
– General knowledge of:
• ADFS
• SAML concepts
• SSL configuration on Domino & in Windows/IIS
• Enterprise browser configuration
• Even a bit of PowerShell is helpful for configuration of ADFS and AD
If ADFS is already implemented and in use in your organization then you will have a much
easier time of it.
7
Key Concepts
SAML
SAML – Security Assertion Markup Language
– A widely implemented standard for exchanging authentication and authorization
information between systems.
– Identity Providers (IdP) are the entities that will validate the user’s identity and provide
the tokens that are used to identify them. For our purposes today AD FS is our identity
provider but others are Tivoli Federated Identity Manager, Ping, Oracle and SecureAuth.
– Service Providers are the application servers or systems that consume the
authentication information. In this case Domino and Notes.
8
Key Concepts
Kerberos/SPNEGO/IWA
Kerberos/SPNEGO/IWA (Integrated Windows Authentication)
– These are the protocols that allow you to authenticate with the AD Domain and then
allow applications to negotiate seamless authentication. Without these SAML would
require some other form of user validation such as a username/password, biometric or
multifactor authentication.
– IWA specifically is the term that is used to refer to automatic login to applications
predicated on your login to AD
9
Key Concepts
Domino ID Vault
ID Vault is a prerequisite for using SAML and Notes. It was introduced in 8.5 and stores users’ IDs in a database on the server to provide the following capabilities:
– Password reset through a server transaction
– Transparent replacement of id files on workstations
– Server driven delivery of unlocked ID to trusted applications for authentication,
encryption and signing
– For details on setup and configuration check out my old presentation on the topic here:
• https://drive.google.com/file/d/0B_kd3zUkll9OaEdmNXA3S0hlYXM/edit?usp=sharing
– OR the documentation here:
• http://www10.lotus.com/ldd/dominowiki.nsf/xpDocViewer.xsp?lookupName=Administering+IBM+Domino+9.0.1+Social+Edition#action=openDocument&res_title=Planning_an_ID_vault_deploymentd901&content=pdcontent&sa=true
10
Demonstration
We find that when we talk to organizations about implementing SAML they aren’t 100% clear on what it gives you in the end state, so we thought it would be a good idea to quickly show you what you get when you implement it.
– Logging into Domino web apps without a password.
– Logging into Notes without a password.
11
Demo Environment
This is just about the most complex demo to set up that we ever do. For most demos we can get away with a couple of VMs running locally or even just a server and client running on the local machine. NOT THIS TIME! We have set up the demo environment in Microsoft Azure, where it was easy to spin up machines and fairly reasonable. Here are the components of the environment:
– Primary Domain Controller - Windows 2008 R2
– ADFS Server – Windows 2013
– Domino Server 9.0.1 64 bit – Windows 2008 R2
– Domino Administrator Client 9.0.1 (Admin rights to everything)
– Notes client workstation 9.0.1 (Standard user privs)
On the next slide we provide links to help you do this yourself at home on Azure but you can
just as easily do it on Amazon or on IBM’s offerings.
12
Demo Environment
If you want to set up an environment like this yourself you will need to build an Active
Directory forest in Azure and then join machines and users to it. Since this took us a while to
figure out we will give you a short cut by providing all the links here that will walk you through
it.
– Installing AD and joining machines
• Install Active Directory forest in a Windows Azure network
• Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual
Machines
• Add a virtual machine to a virtual network - Windows Azure
• Create a virtual network - Windows Azure service management
– Installing ADFS (Though it is good to have an expert help out with this)
• Next steps for completing your AD FS installation
• Manually Configure a Service Account for a Federation Server Farm
• Configuring Advanced Options for AD FS 2.0
13
Prerequisites for Implementing
SAML with ADFS & Domino
14
Prerequisites Overview
On the next couple of slides we are going to go over what you need to have in place to make SAML/ADFS work. None of these items is specific to SAML; they are general Domino and AD configurations that you should probably have in place regardless of whether you are using SAML, and they are all well documented.
15
Domino Prerequisites
Security Policies need to be implemented
– You need policies to make just about any new feature of Domino work and security
policies are probably the most important for a variety of reasons.
– Later we will get into the specifics of what you need in the security policy to implement
SAML but get the basics set up before you even try to do SAML.
16
Domino Prerequisites
ID Vault (For Notes client use and some use cases in iNotes)
– ID Vault was just about the best feature in 8.5 so if you haven’t implemented it do it
NOW
– You need to do this well in advance of implementing SAML because you need it to
collect all of the ID’s
– The policy configuration won’t even let you set up SAML until your ID Vault is configured.
17
Domino Prerequisites
At least Domino and Notes 9 preferably 9.0.1
– If you are going to try to do this with 9.0 and you need to call support for any reason
expect them to “suggest” that you upgrade to 9.0.1.
– Do you really want to implement a feature on its “dot zero” release?
18
Domino Prerequisites
SSL Certificates need to be implemented on your Domino servers
– While you can certify these with an internal CA we always recommend that you use a commercial CA. This is particularly true with the SAML/ADFS configuration. The issue is not that the commercial CA is more secure; it is simply that you don’t need to worry about browsers or Notes trusting the certificates.
– It is just a basic good practice to have SSL running anywhere you have HTTP running. If
you don’t then it is super easy for people within your organization to capture passwords
and all kinds of other goodies.
19
AD Prerequisites
There needs to be a matching key attribute between Active Directory and Domino
– We strongly recommend that you have the users’ SMTP (InternetMail) address in their AD mail attribute. This is the easiest model since it is a common and unique attribute to use in SAML assertions.
– Alternately you could have the AD DN in a Notes attribute or the Notes canonical name in an attribute in Active Directory, but neither of these methods is as useful and easy as just having the mail attribute populated with the SMTP address.
20
Other Prerequisites
Time synchronization
– Since SAML assertions depend on timestamps it is important that your servers have correct, or at the very least the same, times on them. If this is a problem in your organization for any reason it is important to get that resolved before proceeding.
– 9.0.1 introduced two notes.ini parameters that give you some flexibility in this regard.
• SAML_NotOnOrAfterSkewInMinutes = value
- http://www10.lotus.com/ldd/dominowiki.nsf/dx/SAML_NotOnOrAfterSkewInMinutes
• SAML_NotBeforeSkewInMinutes = value
- http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SAML_NotBeforeSkewInMinutes
– These allow for up to 10 minutes of skew in either direction between the Domino server and the ADFS server, but that is cheating… sync your clocks.
21
Preparing the ADFS Server For Working with Domino
Make friends with your Active Directory administrators
– This is an important step because you are going to need to work with them for many of
the next steps. Bring this presentation with you as you walk through the setup with them.
We are assuming here that you already have ADFS implemented in your organization but if
you don’t then here are the documents that will get you started with a basic implementation:
– Domino Wiki Article/Cookbook – This is going to be extremely helpful: http://www10.lotus.com/ldd/ndsebetaforum.nsf/topicThread.xsp?action=openDocument&documentId=47C65232A4AD876B85257AD300498BA7
– You will want to supplement that with these Microsoft Technotes
• http://technet.microsoft.com/library/c66c7f4b-6b8f-4e44-8331-63fa85f858c2
• http://technet.microsoft.com/en-us/library/dd807078.aspx
22
Preparing the ADFS Server For Working with Domino
Disable Extended Protection
In order to make IWA work with Chrome, Firefox and most importantly Notes you need to
disable a feature of Windows that does not work with any of those. The feature is “extended
protection”
– In Windows 2008 and earlier versions of ADFS you are going to shut this off through the UI in IIS. You can get to this dialog by selecting, in the left panel, Sites-Default Web Site-ADFS-LS
– Once that is selected then select “Windows Authentication” in the middle panel
– Then select “Advanced Settings” in the right panel.
– Set “Extended Protection” to Off
23
Preparing the ADFS Server For Working with Domino
Disable Extended Protection
If you are running Windows 2012 R2 or newer you may need to use PowerShell because ADFS doesn’t use the IIS interface.
– There are two settings that you need to configure and we have the PowerShell commands below.
• Disable the extended protection token check:
- Set-AdfsProperties -ExtendedProtectionTokenCheck None
• This one determines what browser agents can use IWA. Note that Firefox/Mozilla are not on the list by default and since that is what Notes uses you are out of luck unless you update it. Add any other user agents that you want to use IWA. Find the exact names in your domlog.nsf or web logs.
- Set-AdfsProperties -WIASupportedUserAgents @("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Mozilla/4.0", "Mozilla/5.0")
24
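An added example (not from the deck and not Microsoft's code) to check, before you change the ADFS setting, which browsers would get the IWA challenge under a given WIASupportedUserAgents list. ADFS compares each list entry as a substring of the request's User-Agent header (behaviour as documented for AD FS on Windows Server 2012 R2; verify on your version). The list copies the deck's command; the User-Agent strings and log lines are constructed samples.

```python
"""Which User-Agents get IWA (Negotiate) from ADFS for a given WIASupportedUserAgents list.
ADFS matches each entry as a substring of the User-Agent header. Constructed sample data."""
import re

# Entries exactly as in the deck's Set-AdfsProperties -WIASupportedUserAgents command
WIA_SUPPORTED_USER_AGENTS = [
    "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0",
    "MSIPC", "Windows Rights Management Client",
    "Firefox/25.0", "Mozilla/4.0", "Mozilla/5.0",
]
# The three entries the deck adds so Firefox and the Notes client's embedded browser get IWA
MOZILLA_ENTRIES = ["Firefox/25.0", "Mozilla/4.0", "Mozilla/5.0"]


def matching_entries(user_agent, supported=WIA_SUPPORTED_USER_AGENTS):
    """Return the list entries found as substrings of this User-Agent (empty = forms login)."""
    return [entry for entry in supported if entry in user_agent]


def uses_iwa(user_agent, supported=WIA_SUPPORTED_USER_AGENTS):
    """True if ADFS would send the Negotiate challenge instead of the forms sign-in page."""
    return bool(matching_entries(user_agent, supported))


def without_mozilla(supported=WIA_SUPPORTED_USER_AGENTS):
    """The same list with the deck's three Mozilla additions removed (the 'before' state)."""
    return [entry for entry in supported if entry not in MOZILLA_ENTRIES]


# Constructed User-Agent strings in the shape browsers of that era sent
SAMPLE_AGENTS = {
    "ie11": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "firefox26": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0",
    "chrome32": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
                "Chrome/32.0.1700.76 Safari/537.36",
    "curl": "curl/7.35.0",
}

# Constructed log lines in the combined format that domlog.nsf exports and most web
# servers can write; the User-Agent is the last quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2014:14:05:33 +0000] "GET /adfs/ls/ HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
10.0.0.6 - - [27/Jan/2014:14:05:34 +0000] "GET /adfs/ls/ HTTP/1.1" 200 1234 "-" "curl/7.35.0"
"""

_UA_RE = re.compile(r'"([^"]*)"\s*$')


def user_agents_from_log(text):
    """Pull the User-Agent field out of each combined-format log line."""
    agents = []
    for line in text.splitlines():
        match = _UA_RE.search(line)
        if match:
            agents.append(match.group(1))
    return agents


def iwa_report(agents, supported=WIA_SUPPORTED_USER_AGENTS):
    """Map each User-Agent to the entries that make ADFS offer IWA for it."""
    return {ua: matching_entries(ua, supported) for ua in agents}


if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:10} before: {uses_iwa(ua, without_mozilla())!s:5} "
              f"after: {uses_iwa(ua)!s:5} via {matching_entries(ua)}")
    print(iwa_report(user_agents_from_log(SAMPLE_LOG)))
```

Note that "Mozilla/5.0" occurs in practically every modern User-Agent, so with the deck's list nearly every browser gets the Negotiate challenge; a browser that is not set up for IWA (not domain joined, or missing the zone/trusted-URI settings from the browser section) may then show a credential prompt instead of the forms page.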
Show & Tell!
25
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
26
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
27
Setting up the IdP Catalog in Domino
idpcat.nsf is the database in Notes that will store the SAML configuration. Before we set up
AD FS it is helpful to get this configured.
Check and see if it is already present on your server.
If it is not then we will create it.
28
Creating the idpcat.nsf
Create a new database with the filename of idpcat.nsf (use lower case to make it portable across OSes)
Give it a title that makes sense
Use the IdP Catalog (idpcat.ntf) template.
– It is an “Advanced Template” on the server
29
Creating the idpcat.nsf
A replica of this database needs to be on the same server that has the ID Vault.
It should have a very secure ACL
– Only Admins & servers that host the file should have access to it.
30
Start to set up the configuration in the idpcat.nsf
Select Add IdP Config
31
Populate the IdP config with Enough Info to Generate idp.xml
We are going to populate the document with
enough information so that we can export it to an
xml file that we can use to import into AD FS.
– Host names should be the host name for the
server. This is important because it will be
matched to Internet Site documents
– IdP Name is an identifier for administrative use
and can be anything you want
– Protocol Version: If you are using ADFS it
needs to be SAML 2.0
– Federation Product is ADFS (If not you are in
the wrong session)
– Service provider ID is usually the URL of the
server. This links to an entry in the ADFS
config that we will set up later.
32
Populate the IdP config with Enough Info to Generate idp.xml
The additional attributes on this screen should be
left blank because they will be filled in
automatically when you import the federation
metadata from the ADFS server
(Federationmetadata.xml)
33
Retrieve the FederationMetadata.xml file
The file is available at
https://YOURADFSSERVER.YOURDOMAIN.com/FederationMetadata/200706/FederationMetadata.xml
– Make sure to use a browser that is configured to download xml files as a file rather than
just opening them. Chrome is set to do this by default whereas IE tends to try to open it.
34
Import the federationmetadata.xml file into the IdP Catalog
From the IdP configuration document select Import XML file and navigate to wherever you
downloaded the federation metadata.xml file to. Select the file and click Open
35
Note that the fields get filled in on the first tab
Note that the “Artifact resolution service URL”
is blank. That is OK.
36
Set the Notes Client Settings Tab
Assuming that you will want to use SAML on the Notes
client you will configure this tab.
– Enable Windows Single Sign-On: This is what allows
you to have no password prompt when using ADFS
and Kerberos. If you are using ADFS on domain
joined machines then “Yes” is the answer here.
– Sites that are trusted: This field takes additional host
names that might be serving as Identity Providers
(Maybe different host names on different networks)
– Enforce SSL: As a rule this will enhance security.
Just make sure all your SSL certs are implemented
correctly.
37
Certificate Management Tab
Fill in a company name. This is only used as an
identifier for when you import this into ADFS. It can
be whatever you want. If your AD team has rules
then make sure it conforms to them.
Click the “Create Certificate” button
If you haven’t saved the document you will be
warned that you have to do this.
Save the document and then click the button
again.
38
Certificate Management Tab
Once you generate the key two new fields become
visible.
Domino URL: This is the URL of the Domino server. This will need to match the URL in the Relying Party Trust configuration you are going to create in ADFS. The good news is that since you are going to export/import this document it will match.
Input HTTPS://YourDominoServer.YourDomain.com
The single logout URL is
https://YourADFSServer.YourDomain.com/adfs/ls/?wa=wsignout1.0/slo
39
Export Your IDP.XML File from the idpcat.nsf Document
Now you are ready to generate the IDP.XML
file that you will import into ADFS to help create
your relying party trust.
Click “Export XML” and after a couple of
seconds you will find that on the first tab of the
form there will be an idp.xml attachment.
You can and should save this attachment to
your hard drive just as you would any
attachment.
Save and close the idpcat.nsf document.
40
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
41
Creating a Relying Party Trust in ADFS
Now we are ready to create the relying party trust in ADFS
The relying party trust is the object in ADFS that tells it how to work with a service provider
like Domino.
Make sure that you have the idp.xml file you created in the last step ready.
Note that the screen shots on the next pages are for ADFS 2.0 running on Windows 2012, if
you are running on Windows 2008 R2 some of the screens might be slightly different but
there shouldn’t be anything of major consequence.
42
Launch the AD FS Management Console
43
Navigate to Relying Party Trusts
Under AD FS/Trust Relationships
44
Create the Trust
From the right panel in the Actions menu select “Add Relying Party Trust”
45
Walk through the wizard
Select “Start”
46
Select to import data about the relying party from a file
You are going to use the idp.xml file that you
created in the last step.
47
Ignore the warning…
According to this technote: http://www-01.ibm.com/support/docview.wss?uid=swg21634631
you can ignore this warning message and we haven’t seen problems as a result of ignoring
it.
48
Enter a Display Name
This is just a reference value that will be displayed in the management console. Your AD
admins can pick something that makes sense to them
49
Don’t configure multi-factor authentication (Unless you want to and really know what you are doing)
Just click next here. Since you will hopefully
be working with your AD team at this point
they will be able to guide you if your
organization uses multi factor authentication
and if you need to configure this.
50
Permit all users to use this trust
Leave the default selection and click next.
51
Look over your settings…
Once you click next on this screen you
can’t go back through the wizard though
you can change things through the
properties dialog.
Once you are satisfied or if you never
make mistakes just click next.
52
Get ready to edit the claim rules and close the wizard
Leave the box checked to “Open the Edit Claim…”
since we need to do this anyway. When you close
the dialog it will automatically take us to the next
step in getting the relying party trust set up.
53
Add a Claim Rule
The claim rule is where you will define the
information that is presented in the SAML
assertion that is passed to the Domino server. This
is where we will define how the user name is
presented.
Our goal here is to have ADFS pass the email
address to Domino so that it can match it with the
person’s person document and then render the
Domino distinguished name for authorization.
You would do this differently if you had Domino
distinguished names stored in AD.
Click Add Rule on the first tab.
54
Choose Rule Type
Select “Send LDAP Attributes as
Claims” and click Next
55
Configure the Claim Rule
Claim rule name should be set to something that is descriptive like: EmailAddressToNameID
Attribute Store: Active Directory
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: Name ID
Click Finish
Then click OK
56
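An added example, not from the deck and not IBM's code, of the checks the Domino side has to make on what this claim rule sends: the NotBefore/NotOnOrAfter window with the same 0 to 10 minute allowance as the 9.0.1 SAML_NotBeforeSkewInMinutes and SAML_NotOnOrAfterSkewInMinutes parameters from the time-synchronization slide, the Audience against the Service Provider ID from idpcat.nsf, and the Name ID (the E-Mail-Addresses attribute) resolved to exactly one person document's distinguished name. Host names, addresses and the person directory are constructed; XML signature verification is left out to keep the example focused.

```python
"""Minimal SAML 2.0 assertion consumer for the checks the deck describes on the Domino side.
Constructed sample data; signature validation is out of scope here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ID = "https://domino.example.com/"  # constructed Service Provider ID from idpcat.nsf

# Constructed stand-in for person documents: (InternetAddress, Domino canonical name)
PERSON_DOCS = [
    ("jane.doe@example.com", "CN=Jane Doe/O=Example"),
    ("sam.roe@example.com", "CN=Sam Roe/O=Example"),
    ("sam.roe@example.com", "CN=Sam Roe Contractor/O=Example"),  # duplicate on purpose
]


def clock(hour, minute):
    """A constructed 'now' on the demo day, in UTC like the assertion timestamps."""
    return datetime(2014, 1, 27, hour, minute, tzinfo=timezone.utc)


def make_assertion(name_id, not_before="2014-01-27T14:00:00Z",
                   not_on_or_after="2014-01-27T15:00:00Z", audience=SP_ID):
    """Build a constructed assertion in the shape ADFS sends (Signature element omitted)."""
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0"
    IssueInstant="{not_before}">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(value):
    """SAML dateTime values are UTC with a 'Z' suffix and optional fractional seconds."""
    if not value or not value.endswith("Z"):
        raise ValueError(f"timestamp not in UTC: {value!r}")
    base, _, frac = value[:-1].partition(".")
    parsed = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=int((frac + "000000")[:6]), tzinfo=timezone.utc)


def consume_assertion(xml_text, now, not_before_skew_min=0, not_on_or_after_skew_min=0,
                      sp_id=SP_ID, person_docs=PERSON_DOCS):
    """Return the Domino DN for an acceptable assertion; raise ValueError with the reason."""
    for skew in (not_before_skew_min, not_on_or_after_skew_min):
        if not 0 <= skew <= 10:  # same range the notes.ini skew parameters allow
            raise ValueError("skew must be between 0 and 10 minutes")
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_utc(cond.get("NotBefore"))
    not_on_or_after = parse_utc(cond.get("NotOnOrAfter"))
    # Skew widens the window in the direction each parameter names
    if now < not_before - timedelta(minutes=not_before_skew_min):
        raise ValueError("assertion not yet valid; check clock sync with the ADFS server")
    if now >= not_on_or_after + timedelta(minutes=not_on_or_after_skew_min):
        raise ValueError("assertion expired; check clock sync with the ADFS server")
    audiences = [a.text.strip() for a in cond.iter(f"{{{SAML_NS}}}Audience") if a.text]
    if sp_id not in audiences:
        raise ValueError(f"Audience {audiences} does not match Service Provider ID {sp_id}")
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    email = (name_id.text or "").strip().lower() if name_id is not None else ""
    if email.count("@") != 1:
        raise ValueError("Name ID is missing or is not an e-mail address")
    # The key attribute must identify exactly one person document
    matches = [dn for addr, dn in person_docs if addr.lower() == email]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} person documents match {email}; need exactly one")
    return matches[0]


def decide(xml_text, now, **kwargs):
    """Accept/reject wrapper: ('accept', dn) or ('reject', reason)."""
    try:
        return "accept", consume_assertion(xml_text, now, **kwargs)
    except ValueError as exc:
        return "reject", str(exc)


if __name__ == "__main__":
    jane = make_assertion("Jane.Doe@example.com")
    print(decide(jane, clock(14, 30)))                           # inside the window
    print(decide(jane, clock(13, 57)))                           # Domino clock 3 min slow
    print(decide(jane, clock(13, 57), not_before_skew_min=5))    # tolerated by the skew setting
    print(decide(make_assertion("sam.roe@example.com"), clock(14, 30)))  # ambiguous match
```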
Now your relying party trust is set up
At this point your Domino server and ADFS servers trust each other. Are you done yet? Not
by a long shot. We still need to:
– Configure server HTTP settings
– Set up user security policies
– Configure the ID Vault for SAML
– Make sure our browsers and Notes clients trust all the SSL certs that are in use
57
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
58
Directory Assistance
You will want to link AD & Notes names using directory assistance.
The steps:
– Create a Directory Assistance database on your servers if you don’t have one already.
– Reference the directory assistance db on your server docs
– Create an LDAP directory assistance document that points to LDAP
59
Create the DA database (If you don’t have one already)
File-Application-New
Pick your server (you can create replicas when you are done)
Use the advanced template – Directory Assistance from the
server
60
Reference the DA database in the server document
On the first tab of the server document fill in the “directory assistance database name” with
the file name that you just created.
61
Create a DA document in the new database to point to AD
The domain type is “LDAP”
The domain name is a reference field and just
needs to be unique.
Company name is also just for reference
Search order doesn’t really matter as long as you
don’t have other entries
You will probably not need to use this for LDAP
clients so you can disable that
Check Group Authorization so that the additional
fields become visible
Select “Yes” for Use exclusively for group
authorization or credential authentication so that this
directory will not be used for mail addressing.
62
Create a DA document in the new database to point to AD
On the LDAP Tab
– Hostname can be your domain name because a
domain joined machine in AD will go to the domain
controller for that name.
– LDAP vendor is Active Directory
– Your account needs to be an Active Directory
account’s DN. Get this from AD Users and
Computers (It doesn’t need any special rights)
– Make sure the password on this account doesn’t
expire
– You can leave all the other defaults.
63
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
64
Create an LTPA SSO Document if Desired
More than likely you have one already and you can
use the existing one.
This will allow you to authenticate once and then
move from Domino server to server without
transacting with the ADFS server again.
Make sure to disable/uncheck “Windows single sign-on integration”
– This was how you could use Kerberos in release
8.5 and will be ignored if you try to use 9.0 SAML
configuration
65
Create Internet Site Document
Assuming you are using internet site documents (if not you will configure these items in the
server document but you should really be using internet site documents)
Navigate to the “Web-Internet Sites” view
Click “Add Internet Site-Web” if you are making a new one
Edit your existing document if you already have one you want to use
66
Configure Web Site Document
Basics Tab
Make sure that the host names are
correct because that is used to match the
site document to the IdPCat document.
If you are using SSL (which of course you
are) reference the IP address in the host
name field.
67
Configure Web Site Document
Domino Web Engine Tab
Set session authentication to “SAML”
You can use a web SSO configuration so that an LTPA token is generated so that
people can move between servers without reauthenticating. This is what you
created in the previous step.
If you have set the host names correctly clicking the IdP Catalog button will open
the appropriate IdPCat document.
68
Configure Web Site Document
Security Tab
One of the prerequisites for this process is to set
up SSL. The security tab on the web site
document should reference your SSL certificate.
69
Creating SSL Cross Certs
You will need to create a cross certificate for the SSL cert on the ADFS server. This is a fairly complex procedure.
1. Navigate to the ADFS server at this URL (use IE so the screenshots match; if you use another browser then you are on your own):
https://YourADFSServerName.YourDomain.com/adfs/ls/idpinitiatedsignon.htm
70
Creating SSL Cross Certs
2. Click on the padlock next to the URL
3. Click on “View Certificates”
71
Creating SSL Cross Certs
4. Select the details tab
5. Click Copy to File…
72
Creating SSL Cross Certs
6. Click Next to start the wizard
7. You can leave the default of DER format
8. Store the file somewhere you will remember
9. Select Finish
73
Creating SSL Cross Certs
10. Now you will need to import that certificate into the Domino directory. Open the People tab of the Administrator client and navigate to the certificates view.
74
Creating SSL Cross Certs
11. Select Actions-Import Internet Certificates
12. Select the file you saved from IE
75
Creating SSL Cross Certs
13. Check the contents of the screen and click “Accept All”
76
Creating SSL Cross Certs
Not done yet!
14. Find the imported certificate in the view. This may be harder than you would think because of how much stuff is in the view. Just use ctrl-F and look for the server name.
77
Creating SSL Cross Certs
15. Open the document – you can’t do this from the view!
16. Select Actions-Create Cross Certificate
78
Creating SSL Cross Certs
17. Select the listed certificate and click OK
79
Creating SSL Cross Certs
18. Select a Domino server for the server and pick your root certifier as the certifier.
- You can either use the CA process or the actual certifier file.
80
Creating SSL Cross Certs
19. Click Cross-Certify
20. Validate that the x-cert document got created. Keep in mind that if you selected to use the CA process to create the x-cert it may take a little while to be created. You can look in admin4.nsf to check the process.
81
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
82
Create and Configure Security Policy Settings
Security policy settings are mandatory for making SAML work. We assume that you already
have policies implemented. If you don’t please don’t tell us because it will make us cry.
Seriously if you don’t have any policies implemented make sure that is the first thing you do
when you get home.
83
Configure the Federation Login Tab
Note that if you don’t see the Federated Login tab it
is because you don’t have the ID Vault configured in
this settings document. Remember that ID Vault is a
prerequisite.
Set “Enable Federated login with SAML IdP” to yes.
You can use a machine specific formula to identify
what machines will use SAML. If your domain joined
machines follow a naming convention you can
structure a formula to only use SAML on those
machines.
84
Configure the Federation Login Tab
You can prompt people with standard dialogs or if
you want to do something that is localized you can
select custom dialogs.
85
Configure the push of certificates to the client
You need to get the cross certificate that you created to
the client.
The easiest way to do this is to use the security policy. Go
to the “Keys and Certificates” tab.
At the bottom of the screen click on “Update Links”
Pick “Selected Supported”
86
Configure the push of certificates to the client
Select the Internet Certificates you
created in the previous step and select
Internet Cross Certificates and check off
the certificate that you created in the
previous step.
87
Check to make sure the certificates got copied to the
client
Open the local Names.nsf and navigate to advanced-certificates view.
88
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
89
Configure your ID Vault for SAML
Open your ID Vault Database
90
Configure your ID Vault for SAML
Navigate to the “Configuration” view
Open your configuration
– Populate the appropriate fields with
the hostname that is specified in the
idpcat.nsf for the service provider
(Domino server)
91
What do we need to do to set up SAML/ADFS
Create and configure the IDP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
92
Browser Configuration
In order to make IWA work for your Domino web apps you are going to need to do some
browser configuration. The requirements are different for IE, Firefox and Chrome. This is a
case where it is actually easiest to do in IE (Go figure since we are integrating with
AD/ADFS/Windows)
We are going to go through what you need to do to make this work for ONE user. Most
enterprises have tools to manage their desktops such as Group Policies, SCCM, etc. You
should use these tools to push changes out to your browsers universally.
– Since we are talking about IWA we are talking about domain joined machines which by
definition are controlled by your AD administrator. If you want to use SAML for non
domain joined machines your users will need to enter authentication information in
addition to their login to the computer.
93
Certificates
If you are using commercially generated certificates (Verisign, Thawte, GoDaddy, etc.) then your browser will already trust the root certificates. If you are using internally certified SSL certs then you will want to make sure that all your browsers trust them.
We highly recommend that you use commercial certs because of how much easier it is to manage them, but if you do use an internal certificate authority…
There are so many browser versions and CAs that we really can’t go through the process for each one here, but…
– IE & Chrome use the OS certificate store so if you can get the root cert installed for IE
then you should be OK for Chrome
– Firefox keeps its own certificate store so you will need to handle that separately
– Then there are Opera and Safari and whatever else is out there.
94
Getting the Browser to Use IWA
Internet Explorer (Chrome should use these settings)
– The goal is to make sure that your Domino servers are in the “Intranet Zone” and to tell
the browser to use IWA for that zone.
– Select the gear and click “Internet Options”
95
Getting the Browser to Use IWA
Internet Explorer
– Select the Security Tab
– Select Local Intranet at the top
96
Getting the Browser to Use IWA
Internet Explorer
– Click “Sites”
– You can select to Automatically Detect Intranet Network
– Additionally you can define sites in the Advanced settings
97
Getting the Browser to Use IWA
Mozilla Firefox
– This is a bit of a pain.
– Launch Firefox
– Go to the url about:config
– You will get the scary warning that you might void your warranty. Be brave and click the
button saying that you will be careful.
98
Getting the Browser to Use IWA
Mozilla Firefox
– In the search bar type network.a
– The setting you want to change is network.automatic-ntlm-auth.trusted-uris
– Find it and double-click on it
– Enter either the host name of your ADFS server or the domain of the ADFS server (a leading
dot, for example .example.com, means every host in that domain)
– Click OK
100
Getting the Browser to Use IWA
Mozilla Firefox
– One more setting to take care of. The list above covers NTLM; you also need to add your
ADFS server to the Kerberos (Negotiate) trust list.
– Type network.n in the search bar.
– The setting you want to change is network.negotiate-auth.trusted-uris
– Again you should populate this with either the ADFS server’s host name or your domain
name. Separate multiple entries with commas.
– Keep both lists as narrow as you can: every host on them gets the user’s Kerberos ticket or
NTLM response without a prompt.
101
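The slides above configure one user’s browser by hand; the earlier note about Group Policy and SCCM says to push the same settings fleet-wide. The following is an added example, not from the deck or from IBM, that generates the two artifacts you would push: a Firefox autoconfig (mozilla.cfg) fragment that locks network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris, and a Windows .reg file that puts the same hosts into IE’s Local intranet zone and pins that zone’s logon setting. It also refuses over-broad entries, since every host on these lists receives the user’s Kerberos ticket or NTLM response without a prompt. The host names are constructed, and the IE ZoneMap registry layout is an assumption to confirm against an export of an entry added through the Sites dialog before deploying.

```python
"""Fleet-wide version of the per-user browser steps: emit a Firefox autoconfig
(mozilla.cfg) fragment and a Windows .reg file that put the ADFS and Domino
hosts into IE's Local intranet zone, after checking that the trust list is no
wider than intended. Added example; host names are constructed."""
import re
from typing import List

# Constructed example hosts, not from the deck. A leading dot means "every
# host in this domain", the form Firefox accepts in its trust lists.
ADFS_HOST = "adfs.example.com"
DOMINO_HOSTS = ["mail1.example.com", ".notes.example.com"]

ZONEMAP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
ZONE1 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1"
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def validate_trusted_uri(entry: str) -> str:
    """Normalise "Host.Example.com" / ".example.com"; reject anything broader.

    Every entry is a host the browser will answer a 401 Negotiate/NTLM
    challenge from without asking, so "*", ".com" or a scheme-and-path string
    would let any web server collect the user's Kerberos ticket or NTLM response.
    """
    e = entry.strip().lower()
    if not e or any(ch in e for ch in "*/:@ "):
        raise ValueError(f"unsupported trusted-uri entry: {entry!r}")
    labels = e.lstrip(".").split(".")
    if any(not _LABEL.match(label) for label in labels):
        raise ValueError(f"not a valid host name: {entry!r}")
    if e.startswith(".") and len(labels) < 2:
        raise ValueError(f"domain suffix too broad (a whole TLD): {entry!r}")
    return e


def firefox_autoconfig(entries: List[str]) -> str:
    """mozilla.cfg fragment. Firefox skips the first line of that file, so it
    starts with a comment; lockPref() keeps users from widening the lists in
    about:config. The same list feeds the Kerberos (Negotiate) and NTLM prefs."""
    joined = ",".join(validate_trusted_uri(e) for e in entries)
    return "\n".join([
        "// Locked IWA trust lists for ADFS and Domino (managed setting)",
        f'lockPref("network.negotiate-auth.trusted-uris", "{joined}");',
        f'lockPref("network.automatic-ntlm-auth.trusted-uris", "{joined}");',
        "",
    ])


def ie_zonemap_key(entry: str) -> str:
    """Registry key for one entry in IE's ZoneMap.

    Assumed layout (confirm against an export of an entry added through the
    Sites dialog): a whole domain is Domains\\<domain>; a single host is
    Domains\\<registered domain>\\<remaining labels>, with the registered
    domain taken as the last two labels (wrong for .co.uk-style suffixes,
    which need a hand-written entry).
    """
    e = validate_trusted_uri(entry)
    host = e.lstrip(".")
    labels = host.split(".")
    if e.startswith(".") or len(labels) <= 2:
        return f"{ZONEMAP}\\{host}"
    domain = ".".join(labels[-2:])
    host_part = ".".join(labels[:-2])
    return f"{ZONEMAP}\\{domain}\\{host_part}"


def ie_intranet_reg(entries: List[str], scheme: str = "https") -> str:
    """Windows .reg text: each entry to zone 1 (Local intranet) for the given
    scheme, and zone 1's Logon setting (value 1A00) pinned to 0x20000,
    "Automatic logon only in Intranet zone". Never apply 0x0 (automatic logon
    everywhere) to the Internet zone: that hands credentials to any site."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for entry in entries:
        lines += [f"[{ie_zonemap_key(entry)}]", f'"{scheme}"=dword:00000001', ""]
    lines += [f"[{ZONE1}]", '"1A00"=dword:00020000', ""]
    return "\r\n".join(lines)  # .reg files are CRLF


if __name__ == "__main__":
    hosts = [ADFS_HOST] + DOMINO_HOSTS
    print(firefox_autoconfig(hosts))
    print(ie_intranet_reg(hosts))
```

Drop the mozilla.cfg fragment into the Firefox install directory alongside a defaults/pref/autoconfig.js that points at it, and import the .reg per user (or translate the same keys into a GPO preference item); either way the validator runs first, so a typo such as a bare “.com” fails the build instead of widening the trust list.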
While we are talking about Firefox…
It is worth noting that the Notes client uses the same engine as Firefox so if you are having
trouble getting Notes to work with IWA it might be easier to first troubleshoot with Firefox. If
you can get Firefox to login without prompting for password then the problem is most likely
something in Notes like local copies of certificates or incorrect policies.
On the other hand if you can’t get Firefox to work with IWA then your problem is more likely
in your ADFS or Domino server configuration.
102
Testing & Troubleshooting
103
Testing the Notes Client
Once you have set up the IdPCat, the Relying Party Trust and the Domino security policies, you
should be able to test the Notes client.
Launch the client and log in as usual.
Assuming you left the defaults set in the security policy, shortly after login you will get a pop-up
that says “Downloading ID file from the Vault to enable Notes Federated Login”.
If everything is working you will then get a prompt a few seconds later that says “This
ID is enabled for Notes federated login.”
104
Testing the Notes Client
Once you have seen both of those prompts you should be able to restart the Notes client
and not get prompted for your password.
105
Troubleshooting the Notes client
If you don’t get the prompts about downloading the ID then the problem is in your policy.
If you get the first prompt but don’t get the second prompt and Notes hangs:
– The problem could be in the configuration of the ADFS server, the Relying Party Trust, the
IdPCat database, or that you don’t have the SSL cross certificates on your workstation.
• First confirm that IWA is working using a browser, preferably IE. If it doesn’t work there
then you know the problem is either in your Domino server config or in ADFS.
• If IWA works in IE then test it in Firefox. If it doesn’t work in Firefox then the problem
most likely has to do with the Extended Protection token check (ExtendedProtectionTokenCheck)
on the ADFS server, which Firefox, and therefore the Notes client’s embedded browser, did not
support at the time. Look back at the PowerShell commands earlier in this presentation and
make sure you have it right. Be aware that relaxing this check removes TLS channel binding
from the Kerberos/NTLM exchange, so the browsers’ trust lists and the ADFS TLS certificate
are what is left to stop a relaying proxy; keep those lists narrow.
• If both IE and Firefox work but Notes doesn’t then it is time to look at the following, in
order:
- Policies, ID Vault, and Internet certificates/cross certificates for the SSL certs in the local
directory.
106
Troubleshooting the Notes client
Once you have exhausted the basic configuration checks it is time to turn on some debugging.
On the client, add the following to:
– Notes.ini
• DEBUG_CONSOLE=1
• DEBUG_CLOCK=32
• DEBUG_OUTFILE=debugout.txt
• DEBUGGINGWCTENABLED=4294967295
• CONSOLE_LOG_ENABLED=1
• DEBUG_DYNCONFIG=1
• DEBUG_TRUST_MGMT=1
• DEBUG_IDV_TRACE=1
• DEBUG_ROAMING=4
• DEBUG_BSAFE_IDFILE_LOCKED=8
• STX9=2
107
Troubleshooting the Notes client
These INI parameters write debugout.txt to the IBM_TECHNICAL_SUPPORT directory under the
Notes data directory and also open debug windows that you can read in real time.
Remove them once you are done: they slow the client down, and the output records user,
server and ID Vault details you would not want left behind on a workstation.
108
Troubleshooting the Notes client
The client’s Eclipse/Expeditor side has its own Java logging, which covers the federated
login and SAML dialog code. Add the following to:
– Notesdata\workspace\.config\rcpinstall.properties
• com.ibm.rcp.internal.security.auth.samlsso.level=FINEST
• com.ibm.rcp.internal.security.auth.dialog.level=FINEST
• com.ibm.rcp.core.internal.launcher.level=FINEST
• com.ibm.notes.internal.federated.manager.level=FINEST
• com.ibm.notes.java.api.internal.level=FINEST
• com.ibm.notes.java.init.level=FINEST
• com.ibm.notes.java.init.win32.level=FINEST
• com.ibm.workplace.noteswc.level=FINEST
• com.ibm.workplace.internal.notes.security.auth.level=FINEST
• com.ibm.workplace.internal.notes.security.level=FINEST
109
Troubleshooting the Notes Client
The results of the Java logging go into the NotesData\workspace\logs directory.
Even if you don’t know exactly what you are looking for you might get a good idea from here,
and if you open a ticket, support will certainly ask you for the contents.
110
Troubleshooting Browser & Server Issues
On the server you can set the Notes.ini parameter DEBUG_SAML=31 (or set it live from the
console with set config DEBUG_SAML=31).
– Watch for errors and other information as the HTTP task starts on your server.
– This gives fairly verbose logging for SAML events on the server; you will see what is
going on each time a user logs into the server. As with the client settings, remove the
parameter and restart the HTTP task once the problem is found.
111
Troubleshooting Browser and Server Issues
For the browser I suggest installing a plugin on your Firefox client called SSOTracer
– https://addons.mozilla.org/En-us/firefox/addon/sso-tracer/?src=cb-dl-created
– This will show the back-and-forth transactions during the authentication process.
On Internet Explorer you can use tools like Fiddler, but be careful: a decrypting proxy
terminates the TLS session itself, which can break IWA (Negotiate is tied to the connection
and, with Extended Protection on, to the TLS channel), so a failure you only see under the
proxy may not be real.
112
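SSOTracer and Fiddler show you the SAMLResponse form field that ADFS posts back to Domino’s names.nsf?SAMLLogin, but only as a base64 blob. The following is an added example, not from the deck or from IBM, that decodes one and reports the fields behind most failed logins: issuer, destination, status, NameID, audience, the validity window, and whether the Response or the Assertion carries a signature. The response it checks is constructed, not an ADFS capture, and is deliberately left unsigned so the checker has something to flag; adfs.example.com and mail1.example.com are assumed names.

```python
"""Decode a SAMLResponse as captured by SSOTracer or a proxy and report the
fields that most often explain a failed Domino federated login. Added
example; the sample response is constructed, not an ADFS capture."""
import base64
from datetime import datetime, timezone
from typing import Any, Dict
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (assumed names): a Success response whose assertion is
# NOT signed, so the checker has something to flag. The Destination is the
# Domino assertion consumer URL, names.nsf?SAMLLogin.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2014-01-27T15:00:00Z"
    Destination="https://mail1.example.com/names.nsf?SAMLLogin">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-27T15:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-27T14:59:00Z" NotOnOrAfter="2014-01-27T16:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://mail1.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def encode_sample() -> str:
    """The SAMLResponse form value a browser would POST to names.nsf?SAMLLogin."""
    return base64.b64encode(SAMPLE_XML.encode()).decode()


def _saml_time(value: str) -> datetime:
    # ADFS may emit fractional seconds (2014-01-27T15:00:00.123Z); drop them.
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def summarize_saml_response(b64: str, expected_audience: str, now: datetime) -> Dict[str, Any]:
    """Decode the form field and return the key fields plus a list of findings
    (an empty list means nothing obviously wrong at the protocol level)."""
    root = ET.fromstring(base64.b64decode(b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    info: Dict[str, Any] = {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": False, "name_id": None, "audiences": [], "findings": [],
    }
    if info["status"] != SUCCESS:
        info["findings"].append(f"IdP returned non-success status {info['status']}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        # ADFS encrypts the assertion when the relying party has an encryption
        # certificate; the plaintext then needs the SP private key to inspect.
        info["findings"].append("no plaintext Assertion (encrypted, or status failure)")
        return info
    info["assertion_signed"] = assertion.find("ds:Signature", NS) is not None
    info["name_id"] = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip() or None
    info["audiences"] = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if not (info["response_signed"] or info["assertion_signed"]):
        info["findings"].append("neither Response nor Assertion is signed; the SP cannot "
                                "verify it against the IdP certificate from the federation metadata")
    if expected_audience not in info["audiences"]:
        info["findings"].append(f"Audience {info['audiences']} does not include {expected_audience}; "
                                "check the Relying Party Trust identifier")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _saml_time(nb):
            info["findings"].append("NotBefore is in the future: clock skew between IdP and SP")
        if na and now >= _saml_time(na):
            info["findings"].append("assertion has expired (NotOnOrAfter passed)")
    return info


def check_sample(at_utc: str, expected_audience: str = "https://mail1.example.com") -> Dict[str, Any]:
    """Run the checker over the constructed sample as if received at at_utc."""
    return summarize_saml_response(encode_sample(), expected_audience, _saml_time(at_utc))


if __name__ == "__main__":
    for key, value in check_sample("2014-01-27T15:00:30Z").items():
        print(f"{key:17} {value}")
```

Paste a real capture’s SAMLResponse value in place of encode_sample() and pass the service provider ID you configured in idpcat.nsf as the audience. A NotBefore finding almost always means the ADFS and Domino clocks disagree, and an audience finding means the Relying Party Trust identifier and the Domino service provider ID do not match exactly.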
Access Connect Online to complete your session surveys using any:
– Web or mobile browser
– Connect Online kiosk onsite
113
Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither
intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information
contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise
related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or
its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and
performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you
will result in any specific sales, revenue growth or other results.
© Copyright IBM Corporation 2014. All rights reserved.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, ibm.com, and Domino®, Lotus Notes® , Notes® , are trademarks or registered trademarks of International Business Machines Corporation in the United States, other
countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S.
registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A
current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml
Microsoft, Windows, Windows NT, ADFS, Active Directory, IIS and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
© 2012 Google Inc. All rights reserved. Chrome is a trademark of Google Inc.
Other company, product, or service names may be trademarks or service marks of others.
114