MWLUG 2017
Moving Collaboration Forward
Notes, Domino and the Single Sign-on Soup
Chef Darren Duke
MWLUG 2017
Moving Collaboration Forward
About me
• Relapsed podcaster http://wtftech.fm/
– Back on the horse with Stuart and Jesse
– If you’re not listening, you’re really missing out
– No, really, you are
– NO, really you are
– NO, REALLY YOU ARE!!!!
• Hire me by talking to Lisa
– She’ll be around here somewhere
SSO you say?
• Many different things to many different people
• Could be (listed in order of complexity):
– Offload
– Synchronization
– Integration
• Could be more than one of the above
Domino is different
• It has two passwords
– Because….well…..Domino
– Makes it twice as difficult
• One size doesn’t fit all
– You may combine the following concepts
Why do it?
• Single password
• No password
• Get away from ID and password management
– You never *really* get away from the ID
• It’s what all the cool kids are doing
Why do it?
• What are you trying to solve?
– Answer this and you know which of the following solutions are for you
Notes Shared Login (NSL)
• Remove Notes password from ID
• Well, mostly
– Except for the first logon to a new computer account
– Policy based
– Requires Notes Single Logon Service to be removed from clients
– Can be used with Notes Federated Logon (NFL)
You will need a (working) ID Vault
• If you don’t have one
– WHY NOT???
• If you do, is it working?
• Several of the following solutions require it
Types of SSO….
• Offload
– Pass it off
• Synchronization
– Move the data around
• Integration
– Link it all together
Offload
• Authenticate the password from elsewhere
– Usually Active Directory
– Uses Directory Assistance and LDAP referrals
– Only usable (like this) for the HTTP password
• So iNotes, web apps, Traveler, etc
• Will also be needed if you do SAML and SPNEGO
Offload
• Pros
– Actually uses the AD password, no HTTP password exists anymore*
• Cons
– Only web protocols
– You need to get the Domino LDAP DN into AD field
– Traveler can lock the account out on a regular basis
• Think AD password change policy
Synchronization
• Copy password from “A” to “B”
– “A” is usually AD, “B” is usually Domino
• Capture AD password change, send to Domino
– Can update ID Vault and/or HTTP password
• TDI is free entitlement for most of you
– And it can do this
Synchronization
• Pros
– Fixes AD lockout issue with “offload”
– Notes ID and/or HTTP password thanks to ID Vault
• Cons
– Usually requires AD schema modification
– HTTP password changes need to replicate
– Doesn’t really get rid of Notes ID password
• Just makes it known to the user
Integration
• Use a different system (usually AD) to verify user ID and password
• Two options
– SPNEGO
• Reasonably simple
• Limited use
• HTTP only
– SAML/NFL
• As far from reasonably simple as you can get
• Notes client and/or HTTP
SPNEGO
• Allows domain connected users using browser apps to log in transparently using IWA
• Web/Internet site based
– All or nothing
– Although with good firewall people……
• Two internet documents, one SPNEGO, one not
– Source IP, agent sniffing, etc
SPNEGO
• Pros
– Simple(ish)
• Cons
– HTTP only
– Windows desktops only (no Mac)*
– Domino authentication server must be Windows
– Kind of half-assed implementation
• Will not fail back to user name and password
– Domino User DN is still needed in AD
SAML/WFL/NFL
• Uses SAML to connect to ADFS or TAM
– Could use others but completely unsupported
• Most are (and all of mine have been) ADFS
• Can be used to get rid of Notes ID password
• Very flexible
– WFL for iNotes, web apps
– NFL for Notes clients
– Use either or both
SAML/WFL/NFL
• Pros
– Standard, cross platform
• Client OS – All of them
• Domino server OS – All of them
– Use AD user name and password
– Flexible WFL options
• Inside the corporate network, transparent logon
• Outside, use forms based logon
– Go completely Notes ID password-less
SAML/WFL/NFL
• Cons
• Is pretty complex
• Documentation is woeful
• Notes requires files be present in the user profile to work
– Stub notes.ini with full CN user name
– Deploy.nsf for certificates
• Requires a custom ADFS SSL cert
– Means you need to use a non-commercial certificate
– Create ADFS server specifically for NFL as users may get SSL certificate trust issues unless it is in the computer trusted roots
– Again, a bit half arsed
SAML/WFL/NFL
• Cons (cont)
• Slow logging into Notes client
– All these security shenanigans take time
• But this can be fixed by also using NSL.
– First login uses NFL
– Subsequent logins switch to NSL
• Domino User DN is still needed in AD
• No ADFS 4.0 support
– So no Windows 2016 server support
– ADFS 3.0 support took 4 years
What about Traveler?
• Verse client now supports Certificate Authentication
– Note, *NOT* SSO, but at least password-less
• No native iOS support that I know of
– So iOS native still uses HTTP password
• Some MDMs have their own mail clients to address this
Common Thread….
• “Domino DN still needed in AD”
– (or email address, just some unique ID equal in both systems)
– Domino DN = “CN=Darren Duke,OU=blah,O=bob”
• It’s the LDAP version of your Domino name
– Use TDI to populate AD field with Domino DN
• Prereq, needs *existing* common ID between AD and Domino
– Email address?
– Domino short name = sAMAccountName?
• Some orgs use AltSecurityIdentities, some email address
• Others use custom field
– If custom make sure to AD index that field!!!
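
The "Domino DN into an AD field" step from this slide, as an added example (not from the presentation and not TDI code): it converts a canonical Domino name to its LDAP form, joins Domino and AD records on an existing common ID, and emits LDIF for review. The custom attribute name `dominoDN`, the sample records and the `example.com` domain are constructed assumptions.

```python
import base64

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
_SPECIAL = '\\"+,;<>'

# Hypothetical custom AD attribute; an org may use a different field.
TARGET_ATTR = "dominoDN"

# Constructed sample records (not real directory data).
DOMINO_PEOPLE = [
    {"FullName": "CN=Darren Duke/OU=blah/O=bob", "ShortName": "dduke"},
    {"FullName": "CN=Smith, Jo/OU=blah/O=bob", "ShortName": "jsmith"},
    {"FullName": "CN=No Match/O=bob", "ShortName": "nomatch"},
]
AD_USERS = [
    {"dn": "CN=Darren Duke,OU=Staff,DC=example,DC=com", "sAMAccountName": "DDuke"},
    {"dn": "CN=Jo Smith,OU=Staff,DC=example,DC=com", "sAMAccountName": "jsmith"},
]


def escape_rdn_value(value):
    """Escape one RDN value so a comma in a name cannot split the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def domino_to_ldap_dn(canonical):
    """'CN=Darren Duke/OU=blah/O=bob' -> 'CN=Darren Duke,OU=blah,O=bob'."""
    rdns = []
    for part in canonical.split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            # Abbreviated names ("Darren Duke/blah/bob") carry no types: refuse to guess.
            raise ValueError(f"not a canonical Domino name: {canonical!r}")
        rdns.append(f"{attr.strip().upper()}={escape_rdn_value(value.strip())}")
    return ",".join(rdns)


def plan_updates(domino_people, ad_users, domino_key, ad_key, target_attr):
    """Join both directories on the common ID; return (updates, problems)."""
    index = {}
    for user in ad_users:
        index.setdefault(user[ad_key].lower(), []).append(user)
    updates, problems, claimed = [], [], set()
    for person in domino_people:
        matches = index.get(person[domino_key].lower(), [])
        if len(matches) != 1:
            reason = "ambiguous AD match" if matches else "no AD match"
            problems.append((person["FullName"], reason))
            continue
        ad_dn = matches[0]["dn"]
        if ad_dn in claimed:
            # Two Domino users resolving to one AD account: the ID is not unique.
            problems.append((person["FullName"], "AD account already mapped"))
            continue
        claimed.add(ad_dn)
        updates.append((ad_dn, target_attr, domino_to_ldap_dn(person["FullName"])))
    return updates, problems


def ldif_value(attr, value):
    """Emit 'attr: value', or base64 ('attr:: ...') when LDIF requires it."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def to_ldif(updates):
    """Render the planned updates as LDIF modify records."""
    blocks = []
    for dn, attr, value in updates:
        blocks.append("\n".join([
            ldif_value("dn", dn),
            "changetype: modify",
            f"replace: {attr}",
            ldif_value(attr, value),
            "-",
        ]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    planned, skipped = plan_updates(
        DOMINO_PEOPLE, AD_USERS, "ShortName", "sAMAccountName", TARGET_ATTR)
    print(to_ldif(planned))
    for name, reason in skipped:
        print(f"# skipped {name}: {reason}")
```

Users reported under `problems` have no usable common ID yet, so they would not authenticate through offload, SPNEGO or SAML until that is fixed in one of the two directories.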
Notes client setup suggestions
• Prepopulate Notes client setup values automatically
– https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/use-a-custom-notes.ini-file-and-prepopulate-user-settings-on-notes-first-startup.htm
– Use the above either standalone, with NSL or with NFL
– Andy’s and Rob’s SAML LS/Connect Show and Tell
• www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW100.ppt/%24file/SHOW100.ppt
Q and A
• So if time permitted ask away…..
• Also:
– https://blog.darrenduke.net
– @darrenduke on Twitter

  • 12. MWLUG 2017 Moving Collaboration Forward Offload • Pros – Actually uses the AD password, not HTTP password exists anymore* • Cons – Only web protocols – You need to get the Domino LDAP DN into AD field – Traveler can lock the account out on a regular basis • Think AD password change policy
  • 13. MWLUG 2017 Moving Collaboration Forward Synchronization • Copy password from “A” to “B” – “A” is usually AD, “B” is usually Domino • Capture AD password change, send to Domino – Can update ID Vault and/or HTTP password • TDI is free entitlement for most of you – And it can do this
  • 14. MWLUG 2017 Moving Collaboration Forward Synchronization • Pros – Fixes AD lockout issue with “offload” – Notes ID and/or HTTP password thanks to ID Vault • Cons – Usually requires AD schema modification – HTTP password changes need to replicate – Doesn’t really get rid of Notes ID password • Just makes it known to the user
  • 15. MWLUG 2017 Moving Collaboration Forward Integration • Use a different system (usually AD) to verify user ID and password • Two options – SPNEGO • Reasonably simple • Limited use • HTTP only – SAML/NFL • As far from reasonably simple as you can get • Notes client and/or HTTP
  • 16. MWLUG 2017 Moving Collaboration Forward SPNEGO • Allows domain connected users using browser apps to login transparently using IWA • Web/Internet site based – All or nothing – Although with good firewall people…… • Two internet documents, one SPNEGO, one not – Source IP, agent sniffing, etc
  • 17. MWLUG 2017 Moving Collaboration Forward SPNEGO • Pros – Simple(ish) • Cons – HTTP only – Windows desktops only (no Mac)* – Domino authentication server must be Windows – Kind of half-assed implementation • Will not fail back to user name and password – Domino User DN is still needed in AD
  • 18. MWLUG 2017 Moving Collaboration Forward SAML/WFL/NFL • Uses SAML to connect to ADFS or TAM – Could use others but completely unsupported • Most are (and all of mine have been) ADFS • Can be used to get rid of Notes ID password • Very flexible – WFL for iNotes, web apps – NFL for Notes clients – Use either or both
  • 19. MWLUG 2017 Moving Collaboration Forward SAML/WFL/NFL • Pros – Standard, cross platform • Client OS – All of them • Domino server OS – All of them – Use AD user name and password – Flexible WFL options • Inside the corporate network, transparent logon • Outside, use forms based logon – Go completely Notes ID password-less
  • 20. MWLUG 2017 Moving Collaboration Forward SAML/WFL/NFL • Cons • Is pretty complex • Documentation is woeful • Notes requires files be present in the user profile to work – Stub notes.ini with full CN user name – Deploy.nsf for certificates • Requires a custom ADFS SSL cert – Means need to use non-commercial certificate – Create ADFS server specifically for NFL as users may get SSL certificate trust issues unless it is computer trusted roots – Again, a bit half arsed
  • 21. MWLUG 2017 Moving Collaboration Forward SAML/WFL/NFL • Cons (cont) • Slow logging into Notes client – All this security shenanigans take time • But this can be fixed by also using NSL. – First login uses NFL – Subsequent logins switch to NSL • Domino User DN is still needed in AD • No ADFS 4.0 support – So no Windows 2016 server support – ADFS 3.0 support took 4 years
  • 22. MWLUG 2017 Moving Collaboration Forward What about Traveler? • Verse client now supports Certificate Authentication – Note, *NOT* SSO, but at least password-less • No native iOS support that I know of – So iOS native still uses HTTP password • Some MDM’s have their own mail clients to address this
  • 23. MWLUG 2017 Moving Collaboration Forward Common Thread…. • “Domino DN still needed in AD” – (or email address, just some unique ID equal in both systems) – Domino DN = “CN=Darren Duke,OU=blah,O=bob” • It’s the LDAP version of your Domino name – Use TDI to populate AD field with Domino DN • Prereq, needs *existing* common ID between AD and Domino – Email address? – Domino short name = sAMAccountName? • Some orgs use AltSecurityIdentities, some email address • Others use custom field – If custom make sure to AD index that field!!!
  • 24. MWLUG 2017 Moving Collaboration Forward Notes client setup suggestions • Prepopulate Notes client setup values automatically – https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/ use-a-custom-notes.ini-file-and-prepopulate-user- settings-on-notes-first-startup.htm – Use the above either standalone, with NSL or with NFL – Andy’s and Rob’s SAML LS/Connect Show and Tell • www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW 100.ppt/%24file/SHOW100.ppt
  • 25. MWLUG 2017 Moving Collaboration Forward Q and A • So if time permitted ask away….. • Also: – https://blog.darrenduke.net – @darrenduke on Twitter
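
The "Common Thread" slide (23) says every option needs the Domino DN stored in an AD field, matched through an existing common ID such as the email address. The audit below is an added example, not part of the deck: it converts a canonical Domino name to its LDAP form and checks exported records joined on mail. The `dominoDN` attribute name, the record layout, the sample data and the use of RFC 4514 escaping for the stored value are assumptions.

```python
import re
from collections import defaultdict

_ESCAPE = re.compile(r'([,+"\\<>;])')  # RFC 4514 characters that need a backslash

def domino_to_ldap_dn(canonical):
    """'CN=Darren Duke/OU=blah/O=bob' -> 'CN=Darren Duke,OU=blah,O=bob'."""
    rdns = []
    for part in canonical.split("/"):
        attr, sep, value = part.partition("=")
        if not sep or attr.strip().upper() not in {"CN", "OU", "O", "C"}:
            raise ValueError(f"not a canonical Domino name: {canonical!r}")
        value = _ESCAPE.sub(r"\\\1", value.strip())
        rdns.append(f"{attr.strip().upper()}={value}")
    return ",".join(rdns)

def reconcile(domino_people, ad_users, ad_field="dominoDN"):
    """Join both directories on mail and report the state of the DN field."""
    by_mail = defaultdict(list)
    for user in ad_users:
        by_mail[user.get("mail", "").lower()].append(user)
    report = {}
    for person in domino_people:
        mail = person["mail"].lower()
        want = domino_to_ldap_dn(person["fullname"])
        matches = by_mail.get(mail, [])
        if len(matches) != 1:  # the join key must identify exactly one account
            report[mail] = "mail not unique in AD" if matches else "no AD account for this mail"
        elif not matches[0].get(ad_field):
            report[mail] = "DN missing in AD"
        elif matches[0][ad_field].lower() != want.lower():  # case-insensitive compare
            report[mail] = "DN mismatch"
        else:
            report[mail] = "ok"
    return report

DOMINO = [  # constructed sample records, not from any real directory
    {"mail": "darren@example.com", "fullname": "CN=Darren Duke/OU=blah/O=bob"},
    {"mail": "alice@example.com", "fullname": "CN=Example, Alice/O=bob"},
    {"mail": "carol@example.com", "fullname": "CN=Carol Example/O=bob"},
    {"mail": "dave@example.com", "fullname": "CN=Dave Example/O=bob"},
]
AD = [  # constructed; "dominoDN" is a hypothetical custom attribute
    {"mail": "Darren@example.com", "dominoDN": "cn=darren duke,ou=blah,o=bob"},
    {"mail": "alice@example.com", "dominoDN": "CN=Example, Alice,O=bob"},
    {"mail": "carol@example.com"},
    {"mail": "dave@example.com", "dominoDN": "CN=Dave Example,O=bob"},
    {"mail": "dave@example.com", "dominoDN": "CN=Dave Example,O=bob"},
]
```

Calling `reconcile(DOMINO, AD)` on the sample data flags the unescaped comma, the empty field and the duplicated mail address, which are the cases where an AD login could map to no Domino identity or to the wrong one.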