SlideShare une entreprise Scribd logo

IBM Single Sign-On

Télécharger en tant que PPTX, PDF
V
Van Staub, MBA

This document provides an overview of different techniques for implementing single sign-on (SSO): - LTPA is IBM's default SSO mechanism, using a Base64 encoded token containing user identity and expiration time. - SAML resolves domain boundaries using cookies and requires additional software, using XML assertion tokens between an identity provider and service provider. - OAuth allows external apps to access user data in Connections by obtaining a token after the user logs into Connections. - SPNEGO provides SSO by logging into Windows and accessing IBM software without additional logins. External security managers can also manage access to protected resources across applications.

Technologie
1  sur  32
Introduction to Single Sign-On Worldwide Business Partner Technical Enablement 2016 Van Staub – North America Embedded Solution Agreement Technical Sales 1
Agenda • General Idea • SSO techniques • LTPA • SAML • OAuth • SPNEGO • External Authentication Managers
Definitions • Single Sign-On (SSO): not having to login again (or for a while) • Authentication: the user’s identity, who they are • Authorization: what the user has access to
General Idea • a set of servers will share something secret – the key • after successful user login, a cookie is placed on the user’s browser – the token • the cookie is encrypted with the key • the cookie identifies the user • participating servers will look for the cookie/token/something to authenticate the user
Browser Cookies • cookies are valid for a domain or host • http://machine-name/resource • http://192.168.1.2/resource • http://portal.ibmcollabcloud.com/… • expires “At end of session” • where are my cookies?
LTPA • Lightweight Third Party Authentication • IBM’s default SSO mechanism • a Base64 encoded token that includes the following information: • a realm value • user identity – the distinguished name from the directory • expiration time ZoXfr6CuP1wYHSzjcxSGyli rmzQrshpWMFInqcvNPHG PyCa4frfg63tdlR96gPGkL2 B1vf1gi9WaJoCL9/UrYR+n xUuhUGFUDZ4QgPLQjCM MdIRfCIg6y6dW6Nu4I/oSL LMU5VUsXkBbAc1t//5u1X XsNY54Ttp/4xSjW32RnhW ovmRLPdL8BXZVHl11wDJ 8u9v7K2XxU7wPDIIxe14Ab hXaeK88ZD+q2d0QVGiUIe rT5EriBozIUF2cM3/v5v4Aat j80OruDUdgBwK/XJ5BKMi KscKq+/oxb6ij4hA58udIvm Fim0xkRGnlbUTmCPcjQho VnqHctMFdLF/e0uPyiklQpk m/5uY1TFL5Lihv5SY=
WebSphere SSO Settings • Open WAS Console and go to Security -> Global Security -> Single Sign- on (SSO) • specify most inclusive domain name needed • defaults seen are most often sufficient
Configuring WebSphere SSO 1. Export LTPA key from source WebSphere server 2. For each additional server, import token the password is only used when you export/import • Open WAS Console and go to Security -> Global Security -> LTPA
Configuring Domino SSO 1. create web SSO configuration document 2. import LTPA key file that was export from WebSphere 3. configure/verify the realm LtpaToken or LtpaToken2 newer servers are more likely defaultWIMFileBasedRealm
Pitfalls • expiration time is relative to the server that created the LTPAToken2 • session timeouts are not the same as LTPAToken2 expiration • different directories …
Dual Directory • dual directory describes when the same user has different distinguished names • solution is to map the names WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com DN: CN=Dom User1,O=ibm cn: Dom User1 uid: duser1 mail: duser1@acme.com WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com notesdn: CN=Dom User1,O=ibm UserName: Dom User1/ibm UserName: uid=duser1/cn=users/dc=ibm/dc=com cn: Dom User1 uid: duser1 mail: duser1@acme.com
Dual Directory (Option 1) 1. add LDAP distinguished name to person document 2. swap the comma delimiter for a slash
Dual Directory (Option 1) 1. ensure the web SSO document has “Map names in LTPA tokens” 2. add the other distinguished name to the LTPA user name field
Dual Directory (Option 2) 1. create directory assistance document 2. add the external directory’s attribute that contains the Domino distinguished name
Dual Directory (Option 2) 1. ensure the $DN value is used to add the LDAP distinguished name into the LTPAToken
LTPA Resources Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal- domino/ vanstaub.me http://vanstaub.me/category/cognos
SAML • SAML stands for Security Assertion Markup Language • resolves domain boundary using cookies • requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc. • uses XML based assertion tokens used in between an Identity Provider (IdP) and a Service Provider (SP). • SAML 2.0 is the latest version – not compatible with 1.1 and 1.0
SAML • See yesterday’s NWTL topic Active Directory Single Sign-On • Install and configure Active Directory Federation Service 2.0 with WebSphere Portal
Connections Cloud SAML
Connections Cloud SAML 1.1 Encrypted XML Connections Cloud SAML 1.1 IdP My SAML SP entityID My identity http://vanstaub.me/1277
Connections Cloud SAML • SAML registration form • requires PMR to provide either manual information (SAML 1.1) or the SAML 2.0 metadata
WebSphere SAML • WebSphere is SAML SP ready – not IdP • supports SAML 2.0 IdP initiated SSO our old friend, the
Connections On-Prem SAML • “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”
SAML Resources Understanding the WebSphere Application Server SAML Trust Association Interceptor http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansc he.html Step by step guide to implement SAML 2.0 for Portal 8.5 https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step- guide-implement-saml-2-0-portal-8-5/ Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI) https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4- 3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_S AML_TAI?lang=en Enabling Federated Identity or Integration Server for use with IBM Connections Cloud http://www-01.ibm.com/support/docview.wss?uid=swg21626501 AD + SAML + Kerberos + IBM Notes and Domino = SSO! http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from- mwlug-has-been-posted.htm vanstaub.me http://vanstaub.me/?s=saml
OAuth • Is OAuth SSO? Maybe - authorization. 1. external app asks for Connections data 2. you log in to Connections 3. Connections sends the external app a token 4. external app uses the token to access your data
OAuth Connections Cloud 3rd Party Application User’s Browser
OAuth Resources Connection Allowing third-party applications access to data via the OAuth2 protocol https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_ common_oauth.dita Connections Cloud Using OAuth for API Authorization https://www- 10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action =openDocument&res_title=Open_Authorization_sbt&content=apicontent Developing an IBM SmartCloud for Social Business application https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/ Building an IBM OAuth Consumer in PHP http://vanstaub.me/679
SPNEGO • Simple and Protected GSS-API Negotiation Mechanism • login in to Windows, SSO to IBM Software – pretty simple
SPNEGO Resources Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by- Step_guide_to_Configure_Single_sign- on_for_HTTP_requests_using_SPNEGO_web_authentication BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014) http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss- single-sign-on-spnego-and-saml-2014.htm
External Security Managers • a server that manages access to ”protected” resources • IBM Security Access Manager, CA Siteminder for example Directory and Policy Server ESM Application
Things to Consider • the LTPA token is still very relevant • after SAML is done, LTPA is still used • after SPNEGO is done, LTPA is still used • OAuth applies more to developers than users • External Security Managers do more than just authenticate
Thank You 32

Recommandé

Microsoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat ProtectionMicrosoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat Protection
David J Rosenthal
 
Enterprise single sign on
Enterprise single sign onEnterprise single sign on
Enterprise single sign on
Archit Sharma
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
Ajit Dadresa
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
WSO2
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 

Recommandé

Microsoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat ProtectionMicrosoft Office 365 Advanced Threat Protection
Microsoft Office 365 Advanced Threat Protection
David J Rosenthal
 
Enterprise single sign on
Enterprise single sign onEnterprise single sign on
Enterprise single sign on
Archit Sharma
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
VAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptxVAPT PRESENTATION full.pptx
VAPT PRESENTATION full.pptx
DARSHANBHAVSAR14
 
Single sign on - SSO
Single sign on - SSOSingle sign on - SSO
Single sign on - SSO
Ajit Dadresa
 
Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?Why upgrade your MFA to Adaptive Authentication?
Why upgrade your MFA to Adaptive Authentication?
WSO2
 
User expert forum user-id
User expert forum user-idUser expert forum user-id
User expert forum user-id
Alberto Rivai
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
Trupti Shiralkar, CISSP
 
Vapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesVapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) services
Akshay Kurhade
 
Port scanning
Port scanningPort scanning
Port scanning
Hemanth Pasumarthi
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
William Mann
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
Surya Bathulapalli
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
Sagar Gor
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
Mohammed Adam
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
ChandanChandu928137
 
Overview of Microsoft Exchange Server
Overview of Microsoft Exchange ServerOverview of Microsoft Exchange Server
Overview of Microsoft Exchange Server
bedekarpm
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
Deepanshu Gajbhiye
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
Rayudu Babu
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
Maganathin Veeraragaloo
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
Cheah Eng Soon
 
Metasploit
MetasploitMetasploit
Metasploit
Lalith Sai
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
Dave Monahan
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
Aidy Tificate
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id concepts
Mostafa El Lathy
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
Dmitriy Scherbina
 
3 Modern Security - Secure identities to reach zero trust with AAD
3 Modern Security - Secure identities to reach zero trust with AAD3 Modern Security - Secure identities to reach zero trust with AAD
3 Modern Security - Secure identities to reach zero trust with AAD
Andrew Bettany
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
Dinesh582831
 
Active Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBMActive Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBM
Van Staub, MBA
 
IBM Social Business Toolkit
IBM Social Business ToolkitIBM Social Business Toolkit
IBM Social Business Toolkit
Van Staub, MBA
 

Contenu connexe

Tendances

Tendances (20)

Vapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) servicesVapt( vulnerabilty and penetration testing ) services
Vapt( vulnerabilty and penetration testing ) services
 
Port scanning
Port scanningPort scanning
Port scanning
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
End-User Security Awareness
End-User Security AwarenessEnd-User Security Awareness
End-User Security Awareness
 
AAA Best Practices
AAA Best PracticesAAA Best Practices
AAA Best Practices
 
BugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed AdamBugBounty Roadmap with Mohammed Adam
BugBounty Roadmap with Mohammed Adam
 
Cyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptxCyber Security PPT - 2023.pptx
Cyber Security PPT - 2023.pptx
 
Overview of Microsoft Exchange Server
Overview of Microsoft Exchange ServerOverview of Microsoft Exchange Server
Overview of Microsoft Exchange Server
 
Metasploit framwork
Metasploit framworkMetasploit framwork
Metasploit framwork
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
 
Multi cloud security architecture
Multi cloud security architecture Multi cloud security architecture
Multi cloud security architecture
 
Microsoft Defender for Endpoint
Microsoft Defender for EndpointMicrosoft Defender for Endpoint
Microsoft Defender for Endpoint
 
Metasploit
MetasploitMetasploit
Metasploit
 
Cybersecurity Awareness Training
Cybersecurity Awareness TrainingCybersecurity Awareness Training
Cybersecurity Awareness Training
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
11 palo alto user-id concepts
11 palo alto user-id concepts11 palo alto user-id concepts
11 palo alto user-id concepts
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
3 Modern Security - Secure identities to reach zero trust with AAD
3 Modern Security - Secure identities to reach zero trust with AAD3 Modern Security - Secure identities to reach zero trust with AAD
3 Modern Security - Secure identities to reach zero trust with AAD
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 

En vedette

Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
Oliver Mueller
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
Anil Saldanha
 

En vedette (20)

Active Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBMActive Directory Single Sign-On with IBM
Active Directory Single Sign-On with IBM
 
IBM Social Business Toolkit
IBM Social Business ToolkitIBM Social Business Toolkit
IBM Social Business Toolkit
 
IBM Digital Experience Theme Customization
IBM Digital Experience Theme CustomizationIBM Digital Experience Theme Customization
IBM Digital Experience Theme Customization
 
IBM Watson Work Services Development
IBM Watson Work Services DevelopmentIBM Watson Work Services Development
IBM Watson Work Services Development
 
Single sign on using SAML
Single sign on using SAML Single sign on using SAML
Single sign on using SAML
 
Introduction to SAML
Introduction to SAMLIntroduction to SAML
Introduction to SAML
 
Single Sign On 101
Single Sign On 101Single Sign On 101
Single Sign On 101
 
Introduction to SAML 2.0
Introduction to SAML 2.0Introduction to SAML 2.0
Introduction to SAML 2.0
 
Mobile SSO using NAPPS
Mobile SSO using NAPPSMobile SSO using NAPPS
Mobile SSO using NAPPS
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID ConnectSecuring RESTful APIs using OAuth 2 and OpenID Connect
Securing RESTful APIs using OAuth 2 and OpenID Connect
 
SAML Protocol Overview
SAML Protocol OverviewSAML Protocol Overview
SAML Protocol Overview
 
Enterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSOEnterprise Single Sign-On - SSO
Enterprise Single Sign-On - SSO
 
IdP, SAML, OAuth
IdP, SAML, OAuthIdP, SAML, OAuth
IdP, SAML, OAuth
 
Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?Saml vs Oauth : Which one should I use?
Saml vs Oauth : Which one should I use?
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancySingle sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
 
Single Sign On Considerations
Single Sign On ConsiderationsSingle Sign On Considerations
Single Sign On Considerations
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
 
Single Sign On - The Basics
Single Sign On - The BasicsSingle Sign On - The Basics
Single Sign On - The Basics
 
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-onFast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
Fast and Free SSO: A Survey of Open-Source Solutions to Single Sign-on
 
SäKerhet I Molnen
SäKerhet I MolnenSäKerhet I Molnen
SäKerhet I Molnen
 

Similaire à IBM Single Sign-On

CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
panagenda
 
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-ReloadedCollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
Christoph Adler
 
Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
Andrew Ferrier
 
Best ofmms scsm - iaas
Best ofmms scsm - iaasBest ofmms scsm - iaas
Best ofmms scsm - iaas
Kenny Buntinx
 

Similaire à IBM Single Sign-On (20)

A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM Connections
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connections
 
DACHNUG50 Roadmap.pdf
DACHNUG50 Roadmap.pdfDACHNUG50 Roadmap.pdf
DACHNUG50 Roadmap.pdf
 
IBM Connect Switzerland - Der entspannte Administrator
IBM Connect Switzerland - Der entspannte AdministratorIBM Connect Switzerland - Der entspannte Administrator
IBM Connect Switzerland - Der entspannte Administrator
 
Practical solutions for connections administrators lite
Practical solutions for connections administrators litePractical solutions for connections administrators lite
Practical solutions for connections administrators lite
 
The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...
 
The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...
 
MS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwordsMS LAPS protection: portal for secure access to local admin passwords
MS LAPS protection: portal for secure access to local admin passwords
 
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
CollabSphere 2020 - INF105 - HCL Notes 11.0.1 FP1 - Performance Boost Re-Relo...
 
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-ReloadedCollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
CollabSphere 2020 Live - HCL Notes 11.0.1 FP1 - Performance Boost Re-Reloaded
 
SharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija BlagusSharePoint on demand with System Center - Matija Blagus
SharePoint on demand with System Center - Matija Blagus
 
PACLUG sametime presentation
PACLUG sametime presentationPACLUG sametime presentation
PACLUG sametime presentation
 
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
Hi! Ho! Hi! Ho! SQL Server on Linux We Go!
 
Mobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best PracticesMobile and IBM Worklight Best Practices
Mobile and IBM Worklight Best Practices
 
Social Connections 13 - Troubleshooting Connections Pink
Social Connections 13 - Troubleshooting Connections PinkSocial Connections 13 - Troubleshooting Connections Pink
Social Connections 13 - Troubleshooting Connections Pink
 
Best ofmms scsm - iaas
Best ofmms scsm - iaasBest ofmms scsm - iaas
Best ofmms scsm - iaas
 
Best ofmms scsm - iaas
Best ofmms scsm - iaasBest ofmms scsm - iaas
Best ofmms scsm - iaas
 
The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...The lazy administrator, how to make your life easier by using tdi to automate...
The lazy administrator, how to make your life easier by using tdi to automate...
 
Dutch Lotus User Group 2009 - Domino Tuning Presentation
Dutch Lotus User Group 2009 - Domino Tuning PresentationDutch Lotus User Group 2009 - Domino Tuning Presentation
Dutch Lotus User Group 2009 - Domino Tuning Presentation
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
 

Dernier

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

IBM Single Sign-On

  • 1. Introduction to Single Sign-On Worldwide Business Partner Technical Enablement 2016 Van Staub – North America Embedded Solution Agreement Technical Sales 1
  • 2. Agenda • General Idea • SSO techniques • LTPA • SAML • OAuth • SPNEGO • External Authentication Managers
  • 3. Definitions • Single Sign-On (SSO): not having to login again (or for a while) • Authentication: the user’s identity, who they are • Authorization: what the user has access to
  • 4. General Idea • a set of servers will share something secret – the key • after successful user login, a cookie is placed on the user’s browser – the token • the cookie is encrypted with the key • the cookie identifies the user • participating servers will look for the cookie/token/something to authenticate the user
  • 5. Browser Cookies • cookies are valid for a domain or host • http://machine-name/resource • http://192.168.1.2/resource • http://portal.ibmcollabcloud.com/… • expires “At end of session” • where are my cookies?
  • 6. LTPA • Lightweight Third Party Authentication • IBM’s default SSO mechanism • a Base64 encoded token that includes the following information: • a realm value • user identity – the distinguished name from the directory • expiration time ZoXfr6CuP1wYHSzjcxSGyli rmzQrshpWMFInqcvNPHG PyCa4frfg63tdlR96gPGkL2 B1vf1gi9WaJoCL9/UrYR+n xUuhUGFUDZ4QgPLQjCM MdIRfCIg6y6dW6Nu4I/oSL LMU5VUsXkBbAc1t//5u1X XsNY54Ttp/4xSjW32RnhW ovmRLPdL8BXZVHl11wDJ 8u9v7K2XxU7wPDIIxe14Ab hXaeK88ZD+q2d0QVGiUIe rT5EriBozIUF2cM3/v5v4Aat j80OruDUdgBwK/XJ5BKMi KscKq+/oxb6ij4hA58udIvm Fim0xkRGnlbUTmCPcjQho VnqHctMFdLF/e0uPyiklQpk m/5uY1TFL5Lihv5SY=
  • 7. WebSphere SSO Settings • Open WAS Console and go to Security -> Global Security -> Single Sign- on (SSO) • specify most inclusive domain name needed • defaults seen are most often sufficient
  • 8. Configuring WebSphere SSO 1. Export LTPA key from source WebSphere server 2. For each additional server, import token the password is only used when you export/import • Open WAS Console and go to Security -> Global Security -> LTPA
  • 9. Configuring Domino SSO 1. create web SSO configuration document 2. import LTPA key file that was export from WebSphere 3. configure/verify the realm LtpaToken or LtpaToken2 newer servers are more likely defaultWIMFileBasedRealm
  • 10. Pitfalls • expiration time is relative to the server that created the LTPAToken2 • session timeouts are not the same as LTPAToken2 expiration • different directories …
  • 11. Dual Directory • dual directory describes when the same user has different distinguished names • solution is to map the names WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com DN: CN=Dom User1,O=ibm cn: Dom User1 uid: duser1 mail: duser1@acme.com WebSphere Portal Domino DN: uid=duser1,cn=users,dc=ibm,dc=com cn: Domino User1 uid: duser1 mail: duser1@acme.com notesdn: CN=Dom User1,O=ibm UserName: Dom User1/ibm UserName: uid=duser1/cn=users/dc=ibm/dc=com cn: Dom User1 uid: duser1 mail: duser1@acme.com
  • 12. Dual Directory (Option 1) 1. add LDAP distinguished name to person document 2. swap the comma delimiter for a slash
  • 13. Dual Directory (Option 1) 1. ensure the web SSO document has “Map names in LTPA tokens” 2. add the other distinguished name to the LTPA user name field
  • 14. Dual Directory (Option 2) 1. create directory assistance document 2. add the external directory’s attribute that contains the Domino distinguished name
  • 15. Dual Directory (Option 2) 1. ensure the $DN value is used to add the LDAP distinguished name into the LTPAToken
  • 16. LTPA Resources Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal- domino/ vanstaub.me http://vanstaub.me/category/cognos
  • 17. SAML • SAML stands for Security Assertion Markup Language • resolves domain boundary using cookies • requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc. • uses XML based assertion tokens used in between an Identity Provider (IdP) and a Service Provider (SP). • SAML 2.0 is the latest version – not compatible with 1.1 and 1.0
  • 18. SAML • See yesterday’s NWTL topic Active Directory Single Sign-On • Install and configure Active Directory Federation Service 2.0 with WebSphere Portal
  • 20. Connections Cloud SAML 1.1 Encrypted XML Connections Cloud SAML 1.1 IdP My SAML SP entityID My identity http://vanstaub.me/1277
  • 21. Connections Cloud SAML • SAML registration form • requires PMR to provide either manual information (SAML 1.1) or the SAML 2.0 metadata
  • 22. WebSphere SAML • WebSphere is SAML SP ready – not IdP • supports SAML 2.0 IdP initiated SSO our old friend, the
  • 23. Connections On-Prem SAML • “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”
  • 24. SAML Resources Understanding the WebSphere Application Server SAML Trust Association Interceptor http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansc he.html Step by step guide to implement SAML 2.0 for Portal 8.5 https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step- guide-implement-saml-2-0-portal-8-5/ Front Side SAML SSO with microsoft product (ADFS -> WAS SAML TAI) https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4- 3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_S AML_TAI?lang=en Enabling Federated Identity or Integration Server for use with IBM Connections Cloud http://www-01.ibm.com/support/docview.wss?uid=swg21626501 AD + SAML + Kerberos + IBM Notes and Domino = SSO! http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from- mwlug-has-been-posted.htm vanstaub.me http://vanstaub.me/?s=saml
  • 25. OAuth • Is OAuth SSO? Maybe - authorization. 1. external app asks for Connections data 2. you log in to Connections 3. Connections sends the external app a token 4. external app uses the token to access your data
  • 27. OAuth Resources Connection Allowing third-party applications access to data via the OAuth2 protocol https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_ common_oauth.dita Connections Cloud Using OAuth for API Authorization https://www- 10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action =openDocument&res_title=Open_Authorization_sbt&content=apicontent Developing an IBM SmartCloud for Social Business application https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/ Building an IBM OAuth Consumer in PHP http://vanstaub.me/679
  • 28. SPNEGO • Simple and Protected GSS-API Negotiation Mechanism • login in to Windows, SSO to IBM Software – pretty simple
  • 29. SPNEGO Resources Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by- Step_guide_to_Configure_Single_sign- on_for_HTTP_requests_using_SPNEGO_web_authentication BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014) http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss- single-sign-on-spnego-and-saml-2014.htm
  • 30. External Security Managers • a server that manages access to ”protected” resources • IBM Security Access Manager, CA Siteminder for example Directory and Policy Server ESM Application
  • 31. Things to Consider • the LTPA token is still very relevant • after SAML is done, LTPA is still used • after SPNEGO is done, LTPA is still used • OAuth applies more to developers than users • External Security Managers do more than just authenticate