New Single Sign-on Options for IBM Lotus Notes & Domino (We4IT)
2. IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal
without notice at IBM’s sole discretion.
Information regarding potential future products is intended to outline our general product direction
and it should not be relied on in making a purchasing decision.
The information mentioned regarding potential future products is not a commitment, promise, or
legal obligation to deliver any material, code or functionality. Information about potential future
products may not be incorporated into any contract. The development, release, and timing of any
future features or functionality described for our products remains at our sole discretion.
2 | © 2012 IBM Corporation
3. Agenda
■ Standards based SSO using SAML
■ SAML for IBM Lotus Domino web server and IBM Lotus iNotes®
■ SAML for IBM Lotus Notes client
4. User accesses many different IBM services with browser or Lotus Notes
[Diagram: a browser or Lotus Notes client connecting to IBM Connections®, LotusLive® Engage®, IBM Sametime®, Lotus Domino and Lotus Quickr®]
User doesn't want multiple password prompts.
5. User might also access third party services.
[Diagram: the same browser now also connecting to Facebook® alongside IBM Sametime, IBM Connections, LotusLive Engage, Lotus Domino and Lotus Quickr]
User doesn't want multiple password prompts.
6. SSO Mission:
Fewer password prompts, fewer passwords in general
■ We need SSO because:
─ High administrative cost for managing passwords.
─ Users can't remember a lot of passwords.
─ Password prompts are annoying.
─ Many “different” passwords lead to lower security.
■ If we use cryptographic mechanisms instead of passwords, we can improve
security and minimize cost.
■ For best interoperability across IBM and third party applications, we look to adopt
standards based SSO.
7. Security Assertion Markup Language (SAML)
■ Standard to address Internet SSO.
■ OASIS publishes the standards documents.
■ Many implementations available, including open source.
■ SSO across cooperating domains and across cooperating corporations.
■ IBM LotusLive® Notes implements SAML.
8. SAML identity assertion
■ Security is based on PKI.
─ User's identity is represented in a signed XML assertion.
─ Private key, public key pair:
– The server creating the assertion (the IdP) signs it using its private key.
– Servers processing assertions validate the signature using the trusted signer's public key.
─ Standard Internet (X.509) certificates and keys are used.
■ Service identifies the user based on the user's assertion.
─ Assertion contains the authenticated user's name (e.g. email address).
9. SAML Identity provider (IdP) authenticates the user
[Diagram: IdP backed by a Directory]
■ IdP implements “federated identity”.
─ Knows the user names and passwords.
─ Might be able to authenticate the user via SPNEGO/Kerberos, or an alternate non-password method.
─ Prepares credentials (a SAML identity assertion) for the user to present to the target service:
– “IdP authenticated user x at time y”
─ Can be used by services from different vendors.
■ Common IdPs
─ IBM Tivoli® Federated Identity Manager (TFIM®)
─ Microsoft® ADFS® 2.0 integrated with Active Directory®
─ many others
10. Federated Identity using SAML assertions
■ Why is it a good thing for security?
─ Minimized use of passwords (handled only by the IdP, if at all).
─ Authenticate once to the IdP. The IdP may “remember” the user.
─ Customers can use/control their own on-premises IdP.
─ Less user data redundancy.
─ Goal: password information stays with the IdP, so it is unavailable to crackers wanting to launch an offline password guessing attack.
[Diagram: IdP backed by a Directory]
11. Services accepting SAML assertions
■ SAML service provider (SP) receives the authentication decision from the IdP.
■ SP authenticates a user by successful verification of the user's SAML assertion.
[Diagram: Directory, IdP and Service]
12. Remove risk using SSL
■ All of these flows run over HTTP.
■ If SSL (HTTPS) is not used to encrypt every channel (browser to IdP, browser to service):
─ Eavesdropper steals the user's login information, e.g. the password.
─ Eavesdropper steals the identity assertion.
– Good for a short period of time (until the assertion's validity window ends).
─ Eavesdropper steals any cookies.
– Good for the configured session lifetime.
[Diagram: Directory, IdP and Service]
13. Agenda
■ Standards based SSO using SAML
■ SAML for IBM Lotus Domino web server and IBM Lotus iNotes
■ SAML for IBM Lotus Notes client
14. (future release)
Domino web server as a SAML service provider (SP)
■ Domino SP receives the authentication decision from the IdP.
■ Domino authenticates a user by successful verification of the user's SAML assertion.
[Diagram: Browser, Domino, and an IdP backed by a Directory]
15. Web client: user accessing Domino via browser (1)
[Diagram: Browser → Domino, requesting http://domino1.renovations.com/db.nsf; IdP and Directory idle]
User browses to a protected Domino URL, but hasn't logged in yet.
16. Web client: user accessing Domino via browser (2)
[Diagram: Domino → Browser: SAML request and redirect]
Domino redirects the browser to the IdP's URL with a SAML request.
17. Web client: user accessing Domino via browser (3)
URL might look something like this:
https://idp.renovations.com/sps/saml11/login?TARGET=....
[Diagram: Browser → IdP]
The browser follows the redirect to the SAML IdP.
18. Web client: user accessing Domino via browser (4)
[Diagram: Browser → IdP: login info; IdP → Directory]
User may be prompted to authenticate to the IdP, or the IdP may be configured to authenticate the user with a non-password method (e.g. SPNEGO/Kerberos).
19. Web client: user accessing Domino via browser (5)
[Diagram: IdP → Browser: SAML response, redirect back to Domino]
The IdP has authenticated the user and sends the SAML assertion.
20. Web client: user accessing Domino via browser (6)
[Diagram: Browser → Domino: HTTP POST containing the SAML assertion]
The SAML assertion received at Domino is verified using the IdP's public key.
Domino then needs to map the name in the assertion (e.g. the user's email address) to the user's Domino name.
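The sign-and-verify mechanism of slide 8 and the Domino-side verification and name mapping of this slide, as one added Go example. It is not code from the deck or from IBM's products: the types, functions and key are constructed for the example, a detached RSA signature over the raw assertion bytes stands in for a real enveloped XML-DSig, the hostnames are the deck's fictitious Renovations ones, and a hand-written map stands in for the Domino Directory lookup. It goes one step beyond what the slide states: besides the signature, the verifier rejects assertions whose issuer, validity window or audience do not match, which every SAML service provider must do before trusting the name inside.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"strings"
	"time"
)

// Conditions: validity window and intended audience. The SP must check all three.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
	Audience     string `xml:"AudienceRestriction>Audience"`
}

// Assertion is the subset of a SAML assertion this example inspects (schema names, no namespaces).
type Assertion struct {
	XMLName    xml.Name   `xml:"Assertion"`
	Issuer     string     `xml:"Issuer"`
	NameID     string     `xml:"Subject>NameID"` // authenticated user's email address
	Conditions Conditions `xml:"Conditions"`
}

// BuildAssertion is the IdP side: "IdP authenticated user x at time y",
// addressed to the service provider named by audience and valid for ttl.
func BuildAssertion(issuer, email, audience string, issued time.Time, ttl time.Duration) ([]byte, error) {
	return xml.Marshal(Assertion{
		Issuer: issuer,
		NameID: email,
		Conditions: Conditions{
			NotBefore:    issued.UTC().Format(time.RFC3339),
			NotOnOrAfter: issued.Add(ttl).UTC().Format(time.RFC3339),
			Audience:     audience,
		},
	})
}

// Sign: detached RSA/SHA-256 signature with the IdP's private key. Real SAML
// embeds an XML-DSig after canonicalisation; raw bytes keep the example short.
func Sign(idpKey *rsa.PrivateKey, assertionXML []byte) ([]byte, error) {
	digest := sha256.Sum256(assertionXML)
	return rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
}

// Verifier is the SP's configuration (Domino web server or ID vault server): the trusted
// IdP's key and name, the SP's own audience name, and the administrator's name mapping.
type Verifier struct {
	IdPKey   *rsa.PublicKey
	IdPName  string
	Audience string
	NameMap  map[string]string // lower-case email address -> Domino distinguished name
}

// Verify checks the signature before parsing anything, then issuer, validity
// window and audience, and finally returns the mapped Domino name.
func (v Verifier) Verify(assertionXML, sig []byte, now time.Time) (string, error) {
	digest := sha256.Sum256(assertionXML)
	if err := rsa.VerifyPKCS1v15(v.IdPKey, crypto.SHA256, digest[:], sig); err != nil {
		return "", fmt.Errorf("signature does not verify with the trusted IdP key")
	}
	var a Assertion
	if err := xml.Unmarshal(assertionXML, &a); err != nil {
		return "", err
	}
	if a.Issuer != v.IdPName {
		return "", fmt.Errorf("issuer %q is not the trusted IdP", a.Issuer)
	}
	nb, errB := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, errA := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if errB != nil || errA != nil || now.Before(nb) || !now.Before(na) {
		return "", fmt.Errorf("assertion is outside its validity window")
	}
	if a.Conditions.Audience != v.Audience {
		return "", fmt.Errorf("assertion was issued for %q, not for this server", a.Conditions.Audience)
	}
	dn, ok := v.NameMap[strings.ToLower(a.NameID)]
	if !ok {
		return "", fmt.Errorf("no Domino name mapped for %q", a.NameID)
	}
	return dn, nil
}

func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // IdP key constructed for the demo
	now := time.Now()
	assertion, _ := BuildAssertion("https://idp.renovations.com", "jane.doe@renovations.com",
		"https://domino1.renovations.com", now, 5*time.Minute)
	sig, _ := Sign(idpKey, assertion)
	domino1 := Verifier{IdPKey: &idpKey.PublicKey, IdPName: "https://idp.renovations.com",
		Audience: "https://domino1.renovations.com",
		NameMap:  map[string]string{"jane.doe@renovations.com": "CN=Jane Doe/O=Renovations"}}
	fmt.Println(domino1.Verify(assertion, sig, now)) // CN=Jane Doe/O=Renovations <nil>
}
```

The order inside Verify is deliberate: the signature is checked on the raw bytes before the XML parser sees them, so a tampered or forged document never reaches the parser, and the name mapping runs last, only on an assertion that is already trusted.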
21. Web client: user accessing Domino via browser (7)
[Diagram: Domino → Browser: redirect to the URL to display, with a session cookie]
User is logged in at Domino. The user's browser now has credentials to access protected Domino URLs.
22. Web client: user accessing Domino via browser (8)
[Diagram: Browser → Domino: http://domino1.renovations.com/db.nsf, with session cookie]
Now the user will see the protected Domino URL.
23. User accesses other Domino SAML servers
The IdP remembers the user, and issues SAML assertions transparently to the user.
[Diagram: Browser → Domino2, with a session cookie valid only for Domino2; Domino1 has its own]
Each Domino server verifies its own SAML assertion and issues the user a single-server session cookie. SSO is achieved by use of the common IdP.
24. Administrator sets up Domino SAML in environment with non-SAML IBM servers
[Diagram: Browser → Domino3, with an LTPA session cookie]
Instead of a single-server session cookie, Domino SAML is configured to issue an LTPA session cookie that can be shared with other IBM servers (those in the same DNS domain that share the LTPA keys).
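The Domino side of the browser flow on slides 15 to 22, together with the cookie choice of slides 23 and 24, as an added Go example (not IBM code). The form field names TARGET and SAMLResponse are those of the SAML 1.1 browser/POST profile that the /sps/saml11/login URL on slide 17 points to; the SP type, the HMAC-signed session token (a stand-in for Domino's opaque session or LTPA token), the stub Verify callback and the demo key are assumptions made for the example. The assertion check is injected as a callback so the HTTP flow can be exercised without any XML or signature code. Two things the slides leave implicit but a practitioner wants: the TARGET must be an HTTPS URL on this server, so neither the IdP redirect nor the post-login redirect can be pointed elsewhere, and the session cookie is marked Secure and HttpOnly, which is the cookie-side half of slide 12.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// SP is one Domino web server acting as SAML service provider. Verify is the injected
// assertion check (signature, issuer, validity, audience, name mapping).
type SP struct {
	Host         string // e.g. domino1.renovations.com
	IdPLoginURL  string // e.g. https://idp.renovations.com/sps/saml11/login
	CookieName   string // Domino's single-server cookie is DomAuthSessId, the shared one LtpaToken
	CookieDomain string // "" = this host only; ".renovations.com" = shared across IBM servers
	CookieKey    []byte // servers that share the cookie must share this key (as with LTPA keys)
	SessionTTL   time.Duration
	Verify       func(assertion []byte, now time.Time) (string, error)
}

// safeTarget accepts only HTTPS URLs on this server: no other host, no plain HTTP.
func (sp SP) safeTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Host != sp.Host {
		return "", fmt.Errorf("refusing TARGET %q: must be https on %s", raw, sp.Host)
	}
	return u.String(), nil
}

// RedirectToIdP is where an unauthenticated browser is sent: the IdP's login
// endpoint, with the originally requested URL carried as TARGET.
func (sp SP) RedirectToIdP(requested string) (string, error) {
	target, err := sp.safeTarget(requested)
	if err != nil {
		return "", err
	}
	return sp.IdPLoginURL + "?" + url.Values{"TARGET": {target}}.Encode(), nil
}

// ConsumeResponse handles the browser's POST back from the IdP: decode the
// assertion, verify it, mint the session cookie and return the URL to show.
func (sp SP) ConsumeResponse(form url.Values, now time.Time) (*http.Cookie, string, error) {
	assertion, err := base64.StdEncoding.DecodeString(form.Get("SAMLResponse"))
	if err != nil {
		return nil, "", fmt.Errorf("SAMLResponse is not valid base64")
	}
	target, err := sp.safeTarget(form.Get("TARGET"))
	if err != nil {
		return nil, "", err
	}
	name, err := sp.Verify(assertion, now) // any failure: no cookie at all
	if err != nil {
		return nil, "", err
	}
	c := &http.Cookie{Name: sp.CookieName, Value: sp.newSession(name, now), Domain: sp.CookieDomain,
		Path: "/", Secure: true, HttpOnly: true, Expires: now.Add(sp.SessionTTL)}
	return c, target, nil
}

// newSession mints "name|expiry|mac": verifiable by every server holding CookieKey, nobody else.
func (sp SP) newSession(name string, now time.Time) string {
	body := name + "|" + strconv.FormatInt(now.Add(sp.SessionTTL).Unix(), 10)
	return body + "|" + sp.mac(body)
}

func (sp SP) mac(body string) string {
	m := hmac.New(sha256.New, sp.CookieKey)
	m.Write([]byte(body))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// Session returns the Domino name behind a session cookie if the MAC verifies and it has not expired.
func (sp SP) Session(token string, now time.Time) (string, bool) {
	parts := strings.SplitN(token, "|", 3)
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(sp.mac(parts[0]+"|"+parts[1]))) {
		return "", false
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", false
	}
	return parts[0], true
}

func main() {
	sp := SP{Host: "domino1.renovations.com", IdPLoginURL: "https://idp.renovations.com/sps/saml11/login",
		CookieName: "DomAuthSessId", CookieKey: []byte("demo-only-key"), SessionTTL: 30 * time.Minute,
		Verify: func([]byte, time.Time) (string, error) { return "CN=Jane Doe/O=Renovations", nil }} // stub
	fmt.Println(sp.RedirectToIdP("https://domino1.renovations.com/db.nsf"))
	form := url.Values{"SAMLResponse": {base64.StdEncoding.EncodeToString([]byte("<Assertion/>"))},
		"TARGET": {"https://domino1.renovations.com/db.nsf"}}
	fmt.Println(sp.ConsumeResponse(form, time.Now()))
}
```

Setting CookieDomain to "" gives the per-server cookie of slide 23 (Domino2 cannot read Domino1's cookie, so each server consumes its own assertion); setting it to the shared DNS domain and giving every server the same CookieKey gives the shared-cookie arrangement of slide 24.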
25. Web client: Third party browser application
The IdP remembers the user.
Assertions from the IdP may be accepted by a variety of applications.
[Diagram: Browser → Facebook and Domino; IdP backed by a Directory]
The administrator has registered the on-premises IdP with Facebook®, so that Facebook can verify SAML assertions from the IdP.
26. iNotes may authenticate the user via SAML assertion
[Diagram: Browser → iNotes on Domino; ID vault with ID files; IdP backed by a Directory]
● HTTP flows (as shown in the previous slides) to authenticate.
27. iNotes secure mail: Using SAML to avoid prompting for password to Notes id file
[Diagram: Browser → iNotes; iNotes → ID vault, which returns the user's iNotes ID file]
The ID vault server uses a new Notes RPC channel to receive the user's assertion and to return the user's unlocked id file to iNotes.
28. Deployment steps for Domino web server SAML
■ Deploy a SAML IdP on-premises.
─ (Optimal) To avoid password prompting by the IdP, configure the IdP for SPNEGO/Kerberos user authentication.
─ Tell the IdP about each participating Domino server.
■ Configure Domino.
─ Domino web server settings for SAML.
─ Declare trust in the IdP to log in Domino users.
─ Set up name mapping (map the user's email address to a Domino distinguished name).
─ (for iNotes secure mail users) Deploy a security policy for the id file in the ID vault.
─ (for iNotes secure mail users) Declare trust in the IdP to authenticate to the ID vault.
29. Agenda
■ Standards based SSO using SAML
■ SAML for IBM Lotus Domino web server and IBM Lotus iNotes
■ SAML for IBM Lotus Notes client
30. Notes Shared Login providing SSO at Notes startup
■ Notes Shared Login is a great feature.
─ User does not have a Notes password.
─ User's id file can be managed in the ID vault.
─ Administrator's policy determines which users have Notes Shared Login.
■ Notes Shared Login can't be used in virtual environments (e.g. Citrix).
─ SAML may provide a useful alternative.
31. Notes on Citrix: Virtual environment
[Diagram: Windows Domain Controller / Active Directory (Kerberos security, ADFS IdP); ID vault with ID files; Domino]
32. (future release) Notes on Citrix: User's home server checks policy to determine whether this is a SAML user.
[Diagram: Windows Domain Controller / Active Directory (Kerberos security, ADFS IdP); ID vault with ID files; Domino]
➢ Administrator has picked one of these policy choices to enforce for the user:
● User is a SAML user.
● User should be prompted for password.
33. Notes on Citrix can leverage the Windows environment for a SAML user.
[Diagram: Windows Domain Controller / Active Directory (Kerberos security, ADFS IdP); ID vault with ID files; Domino]
For a Citrix Windows environment, it may be convenient to deploy Microsoft ADFS 2.0 as the SAML IdP.
34. Notes on Citrix: Use SAML to avoid password prompt to start Notes
[Diagram: Windows Domain Controller / Active Directory (Kerberos security, ADFS IdP); ID vault with ID files; Domino]
● The Notes embedded browser handles authentication to the SAML IdP via SPNEGO/Kerberos over HTTP.
The user has already logged into Windows, so doesn't need to prove who he is again to the Microsoft ADFS IdP.
35. Notes on Citrix: Use SAML to avoid password prompt to start Notes (by retrieving unlocked id file)
[Diagram: Windows Domain Controller / Active Directory (Kerberos security, ADFS IdP); ID vault with ID files; Domino]
● Send the SAML assertion to the ID vault server via the Notes RPC channel.
● The ID vault server returns the user's unlocked id file via the Notes RPC channel.
The ID vault server evaluates whether the assertion comes from a trusted IdP.
36. Deployment steps for Notes client use of SAML at startup
■ Deploy a SAML IdP on-premises.
─ (Optimal) To avoid password prompting by the IdP, configure the IdP for SPNEGO/Kerberos user authentication.
─ Tell the IdP about the Domino SAML service provider for the ID vault.
■ Configure server settings.
─ Deploy a security policy that designates SAML users and manages their id files in the ID vault.
─ Declare trust in the IdP to log in Notes users by SAML authentication to the ID vault.
─ Set up name mapping (map the user's email address to a Domino distinguished name).
37. User accesses many different IBM services with Notes
[Diagram: Lotus Notes client connecting to IBM Connections, IBM Sametime, LotusLive Engage, Lotus Domino and Lotus Quickr]
User doesn't want multiple password prompts.
38-40. Notes plug-ins
● After login to Notes, Notes may attempt authentication to Internet servers.
─ Notes sidebars:
– Sametime
– Activities (Connections)
– Feeds.....
─ Browser applications running in Notes
● The authentication mechanism is specified in the Notes account
─ In the user's personal Name and Address book
● Notes already has an option for SAML to LotusLive Notes
41. Optimally Notes plug-ins can use SAML in the future
■ Notes embedded browser can make requests to an IdP.
─ No login prompts if IdP using SPNEGO/Kerberos.
─ Issue: not all target servers will be able to accept a SAML assertion.
■ Notes could send a SAML assertion to Domino to authenticate and receive a
session token (LTPA) for use by Notes plug-in
42. 8.5.2 Notes managed accounts
■ Administrator manages Account documents in Domino Directory.
─ Domino policy mechanism pushes accounts to Notes client.
─ We may need some tweaks to Account documents for SAML.
43. Legal disclaimer
© IBM Corporation 2012. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it
is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM
shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the
effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.
References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in
this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other
results.
IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, Lotuslive, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the
United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
Facebook is a registered trademark of Facebook, Inc in the United States, other countries, or both.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Other company, product, or service names may be trademarks or service marks of others.
All references to Renovations refer to a fictitious company and are used for illustration purposes only.