In many organizations, users are still faced with entering multiple passwords and even some configuration data to gain access to their Notes Client, Sametime Client and Connections Plugins.
In this session I will show you how you can provide a secure IBM Notes Client experience without the user entering any configuration data or passwords at all.
Buzzword Bingo for this session: ID Vault, SSO, LTPA, SPNEGO, SAML, Domino Policies, Account Documents, Citrix
7th Sutol Conference, November 2015
Martin Leyrer - IBM
● IBM Collaboration Solutions IT-Specialist with IBM Austria
● ICS product stack since 1995 (Notes 3.3 on OS/2 on an i386)
● IBM e-mail: martin.leyrer@at.ibm.com
● E-mail: leyrer@gmail.com
● Twitter: http://www.twitter.com/leyrer
● Facebook: https://www.facebook.com/leyrer
● Blog: http://www.leyon.at
● LinkedIn: http://at.linkedin.com/in/leyrer
Navigation
● The What And Why
● The Quick Win
– Notes Shared Login / ID Vault
– Automatic Client Configuration
– Token Based Single Sign On for Sametime And Connections
– SPNEGO For iNotes And Webapps
● Expanding The Possibilities – SAML
● Q & A
Remove Notes Password Prompts with NSL – Notes Shared Login
● Enabled via policy (or manually by the end user)
● Locks and encrypts the Notes ID in the current Windows profile using the PC SID (Security Identifier) and Microsoft's Data Protection API (DPAPI).
● Certificates within the ID are locked and bound to that PC and that OS profile.
● The old “Notes Single Logon” feature has to be uninstalled.
● Limited to Windows.
● Needs ID Vault
● Needs Notes/Domino 8.5
Uninstall/Remove “Notes Single Logon” for NSL To Work
ID Vault
● Optional
● Server-based database
● Holds protected copies of IBM Notes user IDs
● Users are assigned to a vault through policy configuration
● Copies of user IDs are uploaded to a vault automatically once the policy has taken effect
The Benefits Of Using An ID Vault
● Authorized personnel can change (reset) passwords on IDs without access to the ID files or the vault
● Custom application to reset passwords
● Easy recovery of lost or damaged user IDs
● Automatic synchronization of multiple ID copies
● No user involvement during ID renames
● No user involvement during ID key rollover
AND IT WORKS !
We have Single Sign On with Windows!
ID Vault – If It Does NOT Work
● Check whether the policies are actually coming down to the client
– Check the Policy Synopsis for that user in the Admin Client
– Check the “($Policies)” view in the PNAB
– Modify the person entry in the Domino Directory and access the mail server to initiate a policy push
● Roaming user? Did you remove the ID file from the PNAB?
– https://ibm.biz/BdFnm9
– 8.5.3 provides a new detachid.zip utility and “javaAgentForDetachid.java” (in utilityNotesCustomizationKit_1_0.zip)
– RoamingIDIsInNAB=0 in the person document
ConfigFile To The Rescue
● It IS possible to install and configure the Notes Client completely WITHOUT user interaction*
– See https://ibm.biz/BdFnmd for details
● The notes.ini parameter ConfigFile= points to a text (.TXT) file that contains the parameters that the setup wizard needs. For example:
ConfigFile=C:\Program Files\Lotus\Notes\Data\setup.txt
* … except for the one-time password prompt for the ID Vault
ConfigFile With Environment Variables
Starting with 8.5.1 the parameter CONFIGFILE= can contain system environment variables, too. If the setup configuration file is stored next to the template notes.ini, the following setting applies to all Windows flavors:
CONFIGFILE=%ALLUSERSPROFILE%\Application Data\Lotus\Notes\Data\config.txt
which resolves to...
CONFIGFILE=C:\Documents and Settings\All Users\Application Data\Lotus\Notes\Data\config.txt
Setup.txt
Username=User Name/Acme
KeyfileName=c:\Program Files\Lotus\Notes\Data\username.id   <- ID Vault!
Domino.Name=servername/Acme
Domino.Address=servername.acme.com
Domino.Port=TCPIP
Domino.Server=1
AdditionalServices=0
AdditionalServices.NetworkDial=0
Replication.Threshold=9999
Replication.Schedule=0
Starting with 8.5 the scripted setup code can resolve system environment variables on any line of the configuration file that is read in.
Token Based Single Sign On for Sametime And Connections
● Works for Sametime Connect Embedded Client
● Works for Connections Plugins
● Prerequisite: properly configured “Multiple Server SSO” on the Domino server
LTPA Token
● The LTPA token is sent to the user agent (browser) as a Set-Cookie response header
● The user agent sends this to the target HTTP server as a Cookie request header for subsequent actions.
● Because browser user agents only send Cookie request headers to servers whose host name matches the issuer of the cookie, the server must share the same DNS (“DNS domain”) space as the other LTPA servers in the SSO group.
● The LTPA token, which includes user information and an expiration time, is signed by the issuer to ensure data integrity and is encrypted to ensure data privacy.
● LTPA tokens can be used only for SSO among LTPA servers that share the same key material (LTPA key)
WebSphere LTPA Version 1 (“LtpaToken”)
● Contains
– the token expiration time
– the user identity (usually the LDAP distinguished name)
– a digital signature
● LTPA1 signatures are generated using SHA-1/RSA 1024-bit key
● After the digital signature has been attached, the user data and signature are encrypted with a 3DES key obtained from the LTPA key file
WebSphere LTPA Version 2
● Same format as LTPA1 tokens
● Can contain additional information relating to the security context of the authenticated user
● LTPA2 signatures are generated using SHA-1/RSA 1024-bit key
● After the digital signature has been attached, the user data and signature are encrypted with a 3DES or AES key obtained from the LTPA key file
Domino LTPA Version
● Contains
– a fixed-size and fixed-value header field
– a token creation time
– a token expiration time
– the authenticated user name (Domino FQDN)
– a message authentication code (MAC) covering all content
● Domino uses a shared key and SHA-1 to calculate a MAC over the content
● After the MAC has been attached, the user data and MAC are encrypted with a 3DES key obtained from the LTPA key file
LTPA WebSphere vs. Domino
● Domino can consume (decrypt, parse and process) and generate (create and encrypt) either the Domino or WebSphere format
● WebSphere cannot consume or generate the Domino format.
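To make the field list above concrete, here is an added example (not code from the slides and not Domino's own implementation) that models a Domino-style token as described: header, creation time, expiration time, user name, a keyed SHA-1 MAC, and the checks a consuming SSO server must perform (MAC with constant-time compare, validity window). The byte layout, the header value, the use of HMAC-SHA1 as the keyed-SHA-1 MAC and the shared key are assumptions for illustration, and the final 3DES layer is left out.

```python
import base64
import hashlib
import hmac

# Constructed, simplified model of the Domino LTPA layout: the header value,
# the hex time encoding and the HMAC construction are assumptions, not the
# real Domino wire format; the 3DES encryption layer is omitted.
HEADER = b"\x00\x01\x02\x03"                  # assumed fixed header
SHARED_KEY = b"constructed-ltpa-shared-key"   # stands in for the LTPA key file
MAC_LEN = 20                                  # SHA-1 digest length


def _body(created, expires, user):
    # creation and expiration times as 8 hex chars each (seconds since epoch)
    return HEADER + b"%08x%08x" % (created, expires) + user.encode("utf-8")


def create_token(user, created, lifetime=1800, key=SHARED_KEY):
    """Issuer side: MAC the content with the shared key, then base64-encode."""
    body = _body(created, created + lifetime, user)
    mac = hmac.new(key, body, hashlib.sha1).digest()
    return base64.b64encode(body + mac).decode("ascii")


def verify_token(token, now, key=SHARED_KEY):
    """Consumer side: return the user name, or None if the token is malformed,
    carries a wrong MAC (tampered or issued under another key), or is outside
    its validity window."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < len(HEADER) + 16 + MAC_LEN or not raw.startswith(HEADER):
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    try:
        created = int(body[4:12], 16)
        expires = int(body[12:20], 16)
    except ValueError:
        return None
    if not created <= now < expires:
        return None
    return body[20:].decode("utf-8")
```

Only servers holding the same shared key can produce a token that passes verify_token, which is the "same key material" requirement from the LTPA slide.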
Push Account Documents To Users via Document Settings/Policy
AND IT WORKS !
Automatic Configuration & Login for Connections and Sametime Plugin!
Windows Single Sign-on for Web Clients (SPNEGO)
● Available since Lotus Domino 8.5.1
● User acquires Kerberos credentials when starting Windows.
– Windows verifies the user's password.
– The password never travels over the wire via HTTP.
● SSO technology leveraging the Windows credentials, sometimes called by these names:
– SPNEGO (Simple and Protected GSS-API Negotiation Mechanism)
– “Integrated Windows Authentication” for the Windows intranet
Windows Single Sign-on for Web Clients (SPNEGO)
● SPNEGO-aware browsers know how to
– ask Windows for a Kerberos ticket, based on the browser configuration and the user's requested URL
– send the Kerberos ticket as part of the SPNEGO protocol request
● SPNEGO-aware Domino validates the ticket to authenticate the user.
Setting Up SPNEGO
● Create a Domino Web SSO document (enable Windows single sign-on integration)
● Set up a SPN (Service Principal Name) for the Domino server in Active Directory
– Domino must run under an Active Directory account you set up for it
● Run domspnego
– Take the output and give it to your AD administrator to run setspn with
● Run setspn -a http://<dominohostname> <accountnamerunningdomino>
● Update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)
Update Domino Person Document for SPNEGO
AND IT WORKS !
Automatic Login to Domino in Internet Explorer and Firefox on Windows!
SAML – Security Assertion Markup Language
● Provides ease of use for end users – reduces the number of passwords to memorize
● The only “Notes password” is the IdP's password
– And SPNEGO/Kerberos to Microsoft's ADFS can eliminate that prompt as well
– Once a user has authenticated with the IdP they won’t be asked again
● The Notes client uses SAML to fetch the user's ID file from the vault
– The ID file is stored in memory instead of being written to disk
● Works on Citrix, Linux, and Mac as well as Windows
– Requires the Notes Standard client
– Support for Notes, iNotes, and Web Clients
SAML – IdP – Identity Provider (SSO)
● ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
– SAML 2.0 only
– can be combined with SPNEGO
– Enhances Integrated Windows Authentication (IWA)
● TFIM (Tivoli Federated Identity Manager)
– SAML 1.1 and 2.0
SAML – Assertions
● IdPs (Identity Providers) use HTTP or SOAP to communicate with SPs (Service Providers) via XML based assertions
● Assertions have three roles
– Authentication
– Authorisation
– Retrieving Attributes
Notes Federated Login with SAML
1) User launches Notes and Notes connects to the ID Vault
2) The ID Vault (configured for SAML authentication) reaches out to the IdP.
3) The IdP prompts the user for credentials.
4) Correct credentials are supplied.
5) The IdP provides a SAML artifact (XML) to the ID Vault.
6) The ID Vault provides the ID to Notes.
Once the Notes session is completed, the ID is removed from the machine.
SAML – Installation
● Warning! - This is hard!
– One of the most complex Domino based things I have seen so far.
● Find help with comprehensive knowledge of:
– Domino server admin
– Notes client configuration and security
– Active Directory configuration at your company
– ADFS
– SAML concepts
– SSL configuration on Domino & in Windows/IIS
– Enterprise browser configuration
● It's worth the effort, especially in the long run.
Read the Connect 2014 presentation “SHOW100 : AD+SAML+Kerberos+IBM Notes & Domino = SSO!” by Rob Axelrod and Andy Pedisich, Technotics https://ibm.biz/BdFnyF
NSL/SPNEGO vs. SAML
NSL/SPNEGO
● SPNEGO requires a Windows environment
– Active Directory
– Windows Domain Login
– Microsoft supported browsers
– Domino on Windows
● Requires Windows clients for the users
● Citrix not supported
● Requires Domino on Windows
● Has a very specific use case
SAML
● Not everything supports it (yet)
– Traveler doesn’t
– Sametime doesn’t*
– Citrix does!
● ID Vault is a requirement, so IDs that can’t be vaulted can’t be used (multiple passwords, smartcards, etc.)
● Complex to set up
* Sametime for IBM Verse integration via SAML based SSO https://ibm.biz/BdHqd4
Frequently Questioned Answers
Martin Leyrer
IBM Collaboration Solutions IT-Specialist with IBM Austria
Further Reading
“Upgrading from Notes client single logon to Notes shared login” by Nancy E. Kho, https://ibm.biz/BdFnM6
“Single Sign-on (SSO) technologies for the Domino Web Server” by Jane Marcus, https://ibm.biz/BdFnyT
“Connect 2014 SHOW100 : AD + SAML + Kerberos + IBM Notes and Domino = SSO!” by Rob Axelrod and Andy Pedisich, Technotics, https://ibm.biz/BdFnyF
“Simplifying The S's: Single Sign-On, SPNEGO and SAML” by Gabriella Davis, https://ibm.biz/BdFnfq