Single sign-on, single identity and even password synchronization—in this session, we will take you through all the options available to minimize or eradicate logins across IBM's Collaboration Solutions (ICS); whether it is a Domino web server, IHS, Notes client, Traveler, Sametime, Connections or Verse, on-premises or cloud. The discussion will cover security certificates, password synchronization, IWA, SPNEGO and SAML Federation. We will explain what you can (and can't) do, and how to do it. Presented at Think 2018
2. THINK CONFERENCE
3685: A Guide To Single Sign-On for IBM
Collaboration Solutions
Gabriella Davis - IBM Lifetime Champion
Technical Director - The Turtle Partnership
gabriella@turtlepartnership.com @gabturtle
3. • Admin of all things and especially quite complicated things where the fun is
• Working with the design, deployment and security of IBM technologies within global infrastructures
• Working with the real world security and privacy aspects of expanding data ecosystems
• Stubborn and relentless problem solver
• http://turtleblog.info
• https://www.turtlepartnership.com
4. This Session
• What Is Single Identity
• Technologies
• Federation Use Cases
• Protecting Data
6. Identity & Access Management
• A way of identifying me as an individual who has access to this system
• SSO uses tokens or cookies to set and read my identity
• Federation allows me to take my identity into different systems, each of which holds information about me that is common to all of them and information that is unique to it
• I carry my identity across different systems without breaking the browser's same-origin rules
7. Why Is Having A Single Identity Valuable?
• Preferences: how I use the system, how I prefer to work with it, what parts of it I prefer to see / engage with
• Behaviour & History: what I do, what I have interacted with in the past, what I reuse or repeat
• Patterns: spotting ways in which I reuse or repeat in order to present information to me that I might not be aware of, or highlight information that the pattern says I should be interested in
• Being Present: just because I'm using system A doesn't mean someone in system B can't find and interact with me. I have one identity if signed onto multiple systems.
8. Technology Is Not The Start
• It's where we end up
• All IAM does in principle is authorise someone to access multiple systems
• Other decisions include
• what access does someone get
• what attributes are shared across systems
• what systems need to be supported now and in the future
• who owns those systems and how much control do you have over them
• All of these things help define the requirements for the technology(ies) to be used
9. Things get more complicated
• Multiple systems and standards including SAML, OpenID, OAuth, Facebook, Twitter
• Federation can be done using Enterprise systems such as Active Directory, LDAP, SAML or
3rd party applications
• Users require logins across personal, consumer, and enterprise systems using multi factor
authentication
• Authentication often needs to encompass on premises, private cloud and public cloud hosted
systems
• New and more secure methods of authentication appear every day
10. Authentication is critical to ensure Gab Davis in System A is the same as Gab Davis in System B, and that the information that goes with that "Gab Davis" is correct
Authentication is not Authorization
12. Federated Attributes
• Access rights
• Identity data such as name or email
• System specific attributes such as your areas of responsibility or authority
• Deciding what attributes to share between systems and expose across systems is a critical
part of federation planning
• It’s not just a technology solution
14. Password Synchronisation Not Single Identity
Synchronising passwords across different systems: a password synchronisation tool pushes the same password into the Sametime LDAP, the Connections LDAP and the Traveler authentication source.
You're not the same person, you don't have the same identity, you're just using the same password
15. Single LDAP Source - Simple Single Identity
Authenticating against a single password in a single place: Sametime, network login, web applications and mail all authenticate against the one Active Directory password.
Technically you are the same person as you authenticate using the same identity but that's it, there are no attributes being held or exchanged.
16. IWA/Kerberos/SPNEGO SSO
Steps
1. User logs into Windows
2. Active Directory (the Kerberos KDC) issues the user a ticket
3. User tries to access a website
4. The browser obtains a service ticket for that web server's SPN and sends it, wrapped in a SPNEGO token that carries the user's principal name, in an Authorization: Negotiate header
5. The web server validates the ticket with its own service account key (its keytab), then looks the principal up in Active Directory to retrieve the user's name and map it to the directory entry
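Step 4 is where IWA most often fails quietly: a browser that could not get a Kerberos service ticket (no SPN registered, machine not domain-joined, site not in the intranet zone) still sends an Authorization: Negotiate header, but with NTLM inside it. The following is an added example, not code from the slides or from IBM, that builds a constructed SPNEGO token the way a browser would and parses it back to answer that question. OIDs are the registered GSS-API mechanism identifiers; the mechToken content is a placeholder, not a real Kerberos AP-REQ.

```python
"""Inspect an HTTP 'Authorization: Negotiate ...' header as sent by an
IWA-enabled browser.  Added example, not code from the slides or from IBM.

The header carries a GSS-API token.  Usually it is SPNEGO (OID 1.3.6.1.5.5.2)
wrapping a NegTokenInit whose mechTypes list says which mechanisms the client
offers; the first entry is the one the optimistic mechToken belongs to.  If
Kerberos is not first, or the token is a raw NTLMSSP blob, the browser never
obtained a service ticket, which is the usual reason IWA falls back to NTLM.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = {"1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"}
MECH_NAMES = {
    "1.2.840.48018.1.2.2": "MS KRB5",
    "1.2.840.113554.1.2.2": "KRB5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}


def oid_encode(dotted):
    """Dotted OID string -> DER content bytes (X.690 base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def oid_decode(raw):
    """DER content bytes -> dotted OID string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def der(tag, content):
    """Minimal DER TLV encoder (short and long form lengths)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Minimal DER TLV reader: returns (tag, content, position after element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def build_negotiate_header(mech_types, mech_token=b"<AP-REQ would go here>"):
    """Construct the header a browser would send for the given mechTypes.
    The mechToken is a placeholder, not a real Kerberos AP-REQ."""
    mech_list = der(0x30, b"".join(der(0x06, oid_encode(m)) for m in mech_types))
    neg_init = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    gss = der(0x60, der(0x06, oid_encode(SPNEGO_OID)) + der(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss).decode()


# Constructed sample of what a client sends when it has no Kerberos ticket at
# all: a raw NTLMSSP Type 1 message, still under the 'Negotiate' scheme.
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()


def classify_negotiate(header):
    """Return which mechanism(s) the Negotiate header actually offers."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return {"mechanism": "NTLM", "mech_types": [], "kerberos_first": False}
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_raw, pos = read_tlv(body)
    this_mech = oid_decode(oid_raw)
    if this_mech != SPNEGO_OID:            # bare Kerberos (or other) token, no SPNEGO wrapper
        return {"mechanism": MECH_NAMES.get(this_mech, this_mech),
                "mech_types": [this_mech], "kerberos_first": this_mech in KRB5_OIDS}
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit ([0]), got tag 0x%02x" % tag)
    _, fields, _ = read_tlv(neg)            # NegTokenInit SEQUENCE
    mech_types, p = [], 0
    while p < len(fields):
        ftag, fval, p = read_tlv(fields, p)
        if ftag == 0xA0:                    # [0] mechTypes: SEQUENCE OF MechType
            _, seq, _ = read_tlv(fval)
            q = 0
            while q < len(seq):
                _, o, q = read_tlv(seq, q)
                mech_types.append(oid_decode(o))
    return {"mechanism": "SPNEGO", "mech_types": mech_types,
            "kerberos_first": bool(mech_types) and mech_types[0] in KRB5_OIDS}


if __name__ == "__main__":
    good = build_negotiate_header(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
                                   "1.3.6.1.4.1.311.2.2.10"])
    for h in (good, build_negotiate_header(["1.3.6.1.4.1.311.2.2.10"]), RAW_NTLM_HEADER):
        r = classify_negotiate(h)
        print(r["mechanism"], [MECH_NAMES.get(m, m) for m in r["mech_types"]],
              "Kerberos first:", r["kerberos_first"])
```

Run it against a header copied out of the browser's developer tools (or the web server's request log) when a user reports a password prompt: "NTLM" or an NTLMSSP-first mechTypes list means the fix is on the client/KDC side (SPN, zone, domain trust), not in the web server's SSO configuration.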
17. Same Origin Policy Problem
• A key concept in web application security: a browser only lets script from one origin (scheme, host and port) read data belonging to that same origin, and a cookie is only sent back to the domain that set it
• This prevents Server B from reading anything stored by Server A, and so any script from reading information its origin did not create
• This presents problems with carrying authentication and authorisation across multiple systems in different environments and domains: an SSO cookie issued in one DNS domain never reaches a server in another
• Which is where federation comes in
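The two browser-side rules behind this slide, as an added example (not the slides' own code): same-origin comparison of two URLs, and RFC 6265 domain matching that decides whether a cookie set by one host (an LTPA-style SSO cookie with a Domain attribute) is sent to another. Host names are constructed; the point is that a cookie for example.com reaches every host under it and nothing outside it, including look-alike suffixes.

```python
"""Same-origin and cookie-domain checks behind the slide above.  Added
example, not the slides' own code.  It models the browser side: a script
from origin A may only read data of origin A, and a cookie set by one
host is only sent to hosts that domain-match its Domain attribute
(RFC 6265 section 5.1.3).  Host names below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed: servers that might share one SSO cookie, plus outsiders.
SAMPLE_URLS = [
    "https://mail.example.com/mail",
    "https://connections.example.com/",
    "http://traveler.example.com/",        # plain http: a Secure cookie is withheld
    "https://example.com.evil.net/",       # prefix look-alike, different domain
    "https://notexample.com/",             # suffix look-alike, different domain
    "https://partner.net/",                # the B2B partner: needs federation
]


def origin(url):
    """(scheme, host, port) triple the browser compares for same-origin."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def same_origin(url_a, url_b):
    """True only if scheme, host and port all agree."""
    return origin(url_a) == origin(url_b)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 domain-match: equal, or request host ends with '.' + domain."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def cookie_is_sent(request_url, set_by_host, cookie_domain=None, secure=False):
    """Would a cookie set by `set_by_host` be attached to `request_url`?
    Without a Domain attribute the cookie is host-only (exact host match)."""
    u = urlsplit(request_url)
    if secure and u.scheme != "https":
        return False
    if cookie_domain is None:
        return u.hostname.lower() == set_by_host.lower()
    # A server may not set a cookie for a domain it is not itself inside of;
    # browsers reject such Set-Cookie headers outright.
    if not domain_matches(set_by_host, cookie_domain):
        return False
    return domain_matches(u.hostname, cookie_domain)


def sso_reach(set_by_host, cookie_domain, urls):
    """Which of `urls` receive the SSO cookie issued by `set_by_host`."""
    return [u for u in urls if cookie_is_sent(u, set_by_host, cookie_domain, secure=True)]


if __name__ == "__main__":
    print(sso_reach("sso.example.com", ".example.com", SAMPLE_URLS))
```

The partner.net and http cases are the ones to remember: nothing in the SSO cookie configuration can push the cookie across a domain boundary or onto a non-TLS host, so those systems either join the DNS domain or are reached through a federation protocol.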
18. Federated Login Is Single Identity
Security Assertion Markup Language
Steps
1. User attempts to log in to a website (the service provider)
2. User is redirected to the identity provider
3. Identity provider requests authentication or, if the user is already logged in, issues an assertion without prompting
4. User is redirected back to the original site with the SAML assertion attached
5. Original site uses its SAML service provider to validate the SAML assertion and grant access
19. SAML - Federated Single Identity
• IdP - Identity Provider (SSO)
• ADFS (Active Directory Federation Services)
• can be combined with IWA
• TFIM (Tivoli Federated Identity Manager)
• SP - Service Provider
• IBM Domino (web federated login)
• IBM SmartCloud
• IBM Notes (requires ID Vault) (notes federated login)
20. SAML Behaviour
• IdPs (identity providers) use HTTP redirect/POST or SOAP bindings to deliver XML-based assertions to SPs (service providers)
• Assertions carry three kinds of statement
• Authentication (how and when the user authenticated)
• Authorisation decisions
• Attributes
• Many kinds of authentication methods are supported depending on your chosen IdP; what the SP sees is the assertion, never the credential
• Once the user has a session with the IdP no subsequent password or credentials are requested for as long as that session is valid; each further SP just receives a fresh assertion
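Steps 4 and 5 of the flow on the previous slide, and the three statement types listed here, come together in the service provider's validation of the assertion. The following is an added example, not code from the slides or from any IBM SP implementation. One assumption: the IdP's XML-DSig signature over the Assertion element is replaced by an HMAC over the assertion bytes so the example runs on the Python standard library alone; the issuer, audience, validity-window, InResponseTo and replay checks are the ones a real SP makes in exactly this way whatever the signature scheme. Names, keys and times are constructed.

```python
"""Service-provider side validation of a SAML 2.0 assertion.  Added example,
not code from the slides or from IBM's SP implementations.

Assumption: the IdP's XML-DSig signature is replaced by an HMAC over the
Assertion bytes (IDP_KEY stands in for the IdP certificate) so the example
runs on the standard library alone.  All names, keys and times are constructed.
"""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
IDP_KEY = b"constructed-idp-signing-key"   # stand-in for the IdP certificate/private key
TS = "%Y-%m-%dT%H:%M:%SZ"


def _ts(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(TS)


def _epoch(text):
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc).timestamp()


class SamlError(Exception):
    pass


def issue_assertion(issuer, name_id, audience, in_response_to, now, ttl=300,
                    attrs=None, assertion_id=None):
    """IdP side: build and 'sign' an assertion addressed to one SP (the audience)."""
    t = lambda n: f"{{{SAML}}}{n}"
    a = ET.Element(t("Assertion"), {"ID": assertion_id or "_" + secrets.token_hex(16),
                                    "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, t("Issuer")).text = issuer
    subject = ET.SubElement(a, t("Subject"))
    ET.SubElement(subject, t("NameID")).text = name_id
    conf = ET.SubElement(subject, t("SubjectConfirmation"),
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, t("SubjectConfirmationData"),
                  {"InResponseTo": in_response_to, "Recipient": audience,
                   "NotOnOrAfter": _ts(now + ttl)})
    cond = ET.SubElement(a, t("Conditions"), {"NotBefore": _ts(now - 60),
                                              "NotOnOrAfter": _ts(now + ttl)})
    ET.SubElement(ET.SubElement(cond, t("AudienceRestriction")), t("Audience")).text = audience
    stmt = ET.SubElement(a, t("AttributeStatement"))
    for name, value in (attrs or {}).items():
        ET.SubElement(ET.SubElement(stmt, t("Attribute"), {"Name": name}),
                      t("AttributeValue")).text = value
    xml = ET.tostring(a)
    return {"assertion": xml, "signature": hmac.new(IDP_KEY, xml, hashlib.sha256).hexdigest()}


def verify_assertion(token, expected_issuer, expected_audience, expected_in_response_to,
                     seen_ids, now):
    """SP side: accept the assertion only if every check passes; returns the identity."""
    xml = token["assertion"]
    expected_sig = hmac.new(IDP_KEY, xml, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(token["signature"], expected_sig):
        raise SamlError("signature does not verify: read nothing else from it")
    a = ET.fromstring(xml)   # a production SP parses with entity expansion/XXE disabled

    def one(path):
        el = a.find(path, NS)
        if el is None:
            raise SamlError(f"missing {path}")
        return el

    if one("saml:Issuer").text != expected_issuer:
        raise SamlError("assertion not from the trusted IdP")
    cond = one("saml:Conditions")
    if not _epoch(cond.get("NotBefore")) <= now < _epoch(cond.get("NotOnOrAfter")):
        raise SamlError("outside NotBefore/NotOnOrAfter window")
    if one("saml:Conditions/saml:AudienceRestriction/saml:Audience").text != expected_audience:
        raise SamlError("assertion was issued for a different service provider")
    data = one("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData")
    if data.get("InResponseTo") != expected_in_response_to:
        raise SamlError("InResponseTo does not match an AuthnRequest we sent")
    if a.get("ID") in seen_ids:
        raise SamlError("replayed assertion ID")
    seen_ids.add(a.get("ID"))
    attrs = {el.get("Name"): el.findtext("saml:AttributeValue", namespaces=NS)
             for el in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": one("saml:Subject/saml:NameID").text, "attributes": attrs}


def rejection_reason(*args, **kwargs):
    """None if the assertion is accepted, otherwise the reason it was refused."""
    try:
        verify_assertion(*args, **kwargs)
        return None
    except SamlError as exc:
        return str(exc)
```

The order of the checks is deliberate: nothing is read out of the XML until the signature holds, and the audience check is what stops an assertion issued to Connections from being replayed against Domino even though both trust the same IdP. For IdP-initiated login there is no AuthnRequest, so an SP that allows it has to drop the InResponseTo check and lean harder on the time window and the replay cache.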
21. Federation For Social Systems
OAuth / OpenID / Facebook / Twitter
• Consumer and Social Based Federation
• OpenID is identity federation / authentication
• OAuth is authorisation
• OpenID Connect is built on OAuth2 providing authentication and
authorisation mechanisms
22. Simplified OAuth Process
Steps
1. User asks Facebook (the consumer) to post on their Connections activity stream
2. Facebook goes to Connections (the service provider) and asks for permission to post
3. The service provider gives the consumer a temporary request token (the "secret key" on the original slide) and a URL for the user to click on
4. The user clicks on the URL, authenticates with the service provider and approves the request
5. The service provider, satisfied the request token is good and was approved by that user, exchanges it for an access token and will now allow the consumer access to its services
• "Consumer" and "service provider" are OAuth 1.0 terms; OAuth 2.0 calls them client and authorisation server and hands over a short-lived authorisation code in place of the request token
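The five steps above played out between a consumer and a service provider in one process, as an added example that is not code from the slides, Facebook or Connections. Names and URLs are constructed. It includes the oauth_verifier that OAuth 1.0a added to step 4: without it an attacker can start a flow, get the victim to approve it, and then finish the flow to obtain an access token for the victim's account.

```python
"""Three-legged OAuth (1.0a) between a consumer and a service provider.
Added example, not code from the slides.  Names and URLs are constructed.
The 'secret key' on the slide is the temporary request token below.
"""
import secrets


class ServiceProvider:
    """Connections in the slide: owns the user's activity stream."""

    def __init__(self, consumer_secrets):
        self.consumer_secrets = consumer_secrets     # registered consumers: key -> secret
        self.request_tokens = {}                     # request token -> state
        self.access_tokens = {}                      # access token -> user
        self.stream = []

    def issue_request_token(self, consumer_key, consumer_secret, callback):
        """Steps 2-3: consumer asks permission; gets a request token and a URL for the user."""
        if self.consumer_secrets.get(consumer_key) != consumer_secret:
            raise PermissionError("unknown consumer")
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer_key, "callback": callback,
                                      "user": None, "verifier": None}
        return token, f"https://sp.example.com/oauth/authorize?oauth_token={token}"

    def user_authorizes(self, token, user):
        """Step 4: the user logs in at the SP and approves; SP redirects back with a verifier."""
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = user, secrets.token_urlsafe(8)
        return f"{rt['callback']}?oauth_token={token}&oauth_verifier={rt['verifier']}"

    def exchange_for_access_token(self, consumer_key, token, verifier):
        """Step 5: request token + verifier -> access token.  Request tokens are single use,
        and one wrong verifier burns the token rather than allowing a retry."""
        rt = self.request_tokens.pop(token, None)
        if rt is None or rt["consumer"] != consumer_key or rt["user"] is None:
            raise PermissionError("request token unknown, unapproved or already used")
        if not secrets.compare_digest(rt["verifier"], verifier):
            raise PermissionError("bad oauth_verifier")
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = rt["user"]
        return access

    def post(self, access_token, text):
        """The protected API: only an access token obtained through the flow may post."""
        user = self.access_tokens.get(access_token)
        if user is None:
            raise PermissionError("no valid access token")
        self.stream.append((user, text))
        return (user, text)


def run_flow(sp, consumer_key, consumer_secret, user, text):
    """Consumer side (Facebook in the slide) driving all five steps; returns what was posted."""
    token, authorize_url = sp.issue_request_token(
        consumer_key, consumer_secret, "https://consumer.example.net/oauth/callback")
    # Step 4: the user follows authorize_url, authenticates at the SP, is redirected back.
    callback = sp.user_authorizes(token, user)
    params = dict(p.split("=") for p in callback.split("?", 1)[1].split("&"))
    access = sp.exchange_for_access_token(consumer_key, params["oauth_token"],
                                          params["oauth_verifier"])
    return sp.post(access, text)


def replay_is_refused(sp, consumer_key, consumer_secret, user):
    """An attacker who knows the request token but not the verifier gets nothing,
    and the token is gone afterwards."""
    token, _ = sp.issue_request_token(consumer_key, consumer_secret,
                                      "https://consumer.example.net/cb")
    sp.user_authorizes(token, user)
    try:
        sp.exchange_for_access_token(consumer_key, token, "guessed")
        return False
    except PermissionError:
        pass
    return token not in sp.request_tokens


if __name__ == "__main__":
    sp = ServiceProvider({"facebook-app": "constructed-consumer-secret"})
    print(run_flow(sp, "facebook-app", "constructed-consumer-secret", "gdavis", "hello"))
    print("replay refused:", replay_is_refused(sp, "facebook-app", "constructed-consumer-secret", "gdavis"))
```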
24. Business to Business (B2B)
• Connecting your business to another you need to work with
• Streamlining processes
• more efficient delivery
• lead to increased revenue
25. Business to Consumer (B2C)
• Connecting your customers to your systems without requiring them to create an identity
specifically for you
• Less overhead maintaining your own directories and authentication credentials
• less data responsibility means less risk
• increased ease of purchase
• leads to increased revenue
26. Business to Enterprise (B2E)
• Connecting your employees to your systems
• Few individual and isolated authentication systems
• mean fewer passwords to maintain and remember
• delivers increased security and data protection
27. These are often 3 separate departments if they
exist at all.
A federated solution must include every use case
29. • Do you understand where your most important data that must be protected is?
• Are you sure the people using your systems are who they say they are?
• How compliant do you remain with HIPAA, GDPR etc?
• Are you exposing or storing attributes unnecessarily?
30. Data Responsibility & GDPR
• You must know
• what data you have
• why you have it
• who has access to it
• how to erase it
31. User Awareness & Responsibility
• Once authenticated, all systems can be accessed
• Identities are personal and individual
• Sharing biometric information with 3rd party systems
• Does the user know what data they have access to and their role in keeping it secure?
• Learn to log out
32. Now & Next?
Passwordless Systems that use personal
devices like mobile phones or biometric data
to federate
33. Biometrics
• FAR - False Acceptance Rate
• FRR - False Rejection Rate
• Biometric systems are increasingly developing to minimise both of these - ask what the FAR
and FRR values are for any system you are adopting
34. Biometrics
• In one way they remove the risk of passwords being exploited, however
• Biometric data can be spoofed, especially face recognition, for example using high definition photographs
• Unlike passwords, biometric data cannot be changed
• As 3rd parties are accepting your biometric data for access they also have to store that data
• how secure is their data model?
• are they a target for hacking?
• once your fingerprints are obtained from one system they can be used on another
• Ensuring whatever technology you are using is up to date and kept up to date is your primary protection
35. Summary
• There is unlikely to be a single technology, instead multiple technologies to serve on premises,
cloud, enterprise, consumer and social requirements are more likely to deliver what is needed
• Consider all current and potential use cases, work with B2B, B2C, B2E teams
• Extensibility of any solution is key to ensure longevity - is there an API?
• Consider your data responsibility around regulations such as GDPR - don’t expose or retain
more than you can justify
• There are many 3rd party IAM products specifically designed to bridge platforms and
technologies several of which you may see exhibiting this week
37. © 2018 IBM Collaboration Solutions
Monday
5306 Be Smart and Unleash the Power of your Department
Application using SmartNSF
7743 DIY: How to build your SmartCloud Notes Hybrid
environment. Easy as 1-2-3
2781 IBM Notes Performance Boost – Reloaded
1160 How to adopt team development and Source Control
for Collaborative Application Development
Tuesday
8647 A New Chapter Begins: Domino V10
8633 Domino App Modernization: Client Success Cases
9328 Using Domino to scale 3 people to drive a $1B
business!
8640 Deep Dive: What's new in Notes, Sametime, Verse
on Premises for Users and Administrators
Wednesday
ICS Community Day (8:30-12:30pm)
8943 10 for Domino 10: Top 10 items from the #domino2025
Jams (Think Tank)
8942 Domino Top Secret: Get hands on and personal (Think
Tank)
Thursday
8675 Domino App Modernization Success Stories - Travel
and Transportation
8662 Tips and Tricks: Mobilizing your Domino Apps Master
Class
8508 Tips and Tricks: Domino and JavaScript Development
Master Class
8513 Domino Top-Secret and Domino Full-Stack
Development: The Lab (HOL)
8514 Mobilizing Your IBM Domino Apps (HOL)
And there’s more...