MWLUG 2017
Moving Collaboration Forward
Notes, Domino and the Single Sign-on Soup
Chef Darren Duke
About me
• Relapsed podcaster http://wtftech.fm/
– Back on the horse with Stuart and Jesse
– If you’re not listening, you’re really missing out
– No, really, you are
– NO, really you are
– NO, REALLY YOU ARE!!!!
• Hire me by talking to Lisa
– She’ll be around here somewhere
SSO you say?
• Many different things to many different people
• Could be (listed in order of complexity):
– Offload
– Synchronization
– Integration
• Could be more than one of the above
Domino is different
• It has two passwords
– Because….well…..Domino
– Makes it twice as difficult
• One size doesn’t fit all
– You may combine the following concepts
Why do it?
• Single password
• No password
• Get away from ID and password management
– You never *really* get away from the ID
• It’s what all the cool kids are doing
Why do it?
• What are you trying to solve?
– Answer this and you know which of the following solutions are for you
Notes Shared Login (NSL)
• Remove Notes password from ID
• Well, mostly
– Except for the first logon to a new computer account
– Policy based
– Requires Notes Single Logon Service to be removed from clients
– Can be used with Notes Federated Logon (NFL)
You will need a (working) ID Vault
• If you don’t have one
– WHY NOT???
• If you do, is it working?
• Several of the following solutions require it
Types of SSO….
• Offload
– Pass it off
• Synchronization
– Move the data around
• Integration
– Link it all together
Offload
• Authenticate the password from elsewhere
– Usually Active Directory
– Uses Directory Assistance and LDAP referrals
– Only usable (like this) for the HTTP password
• So iNotes, web apps, Traveler, etc
• Will also be needed if you do SAML and SPNEGO
Offload
• Pros
– Actually uses the AD password; no HTTP password exists anymore*
• Cons
– Only web protocols
– You need to get the Domino LDAP DN into AD field
– Traveler can lock the account out on a regular basis
• Think AD password change policy
Synchronization
• Copy password from “A” to “B”
– “A” is usually AD, “B” is usually Domino
• Capture AD password change, send to Domino
– Can update ID Vault and/or HTTP password
• TDI is free entitlement for most of you
– And it can do this
Synchronization
• Pros
– Fixes AD lockout issue with “offload”
– Notes ID and/or HTTP password thanks to ID Vault
• Cons
– Usually requires AD schema modification
– HTTP password changes need to replicate
– Doesn’t really get rid of Notes ID password
• Just makes it known to the user
Integration
• Use a different system (usually AD) to verify user ID and password
• Two options
– SPNEGO
• Reasonably simple
• Limited use
• HTTP only
– SAML/NFL
• As far from reasonably simple as you can get
• Notes client and/or HTTP
SPNEGO
• Allows domain-connected users using browser apps to log in transparently using IWA
• Web/Internet site based
– All or nothing
– Although with good firewall people……
• Two internet documents, one SPNEGO, one not
– Source IP, agent sniffing, etc
SPNEGO
• Pros
– Simple(ish)
• Cons
– HTTP only
– Windows desktops only (no Mac)*
– Domino authentication server must be Windows
– Kind of half-assed implementation
• Will not fail back to user name and password
– Domino User DN is still needed in AD
SAML/WFL/NFL
• Uses SAML to connect to ADFS or TAM
– Could use others but completely unsupported
• Most are (and all of mine have been) ADFS
• Can be used to get rid of Notes ID password
• Very flexible
– WFL for iNotes, web apps
– NFL for Notes clients
– Use either or both
SAML/WFL/NFL
• Pros
– Standard, cross platform
• Client OS – All of them
• Domino server OS – All of them
– Use AD user name and password
– Flexible WFL options
• Inside the corporate network, transparent logon
• Outside, use forms based logon
– Go completely Notes ID password-less
SAML/WFL/NFL
• Cons
• Is pretty complex
• Documentation is woeful
• Notes requires files to be present in the user profile to work
– Stub notes.ini with full CN user name
– Deploy.nsf for certificates
• Requires a custom ADFS SSL cert
– Means you need to use a non-commercial certificate
– Create an ADFS server specifically for NFL, as users may get SSL certificate trust issues unless it is in the computer trusted roots
– Again, a bit half arsed
SAML/WFL/NFL
• Cons (cont)
• Slow logging into Notes client
– All these security shenanigans take time
• But this can be fixed by also using NSL.
– First login uses NFL
– Subsequent logins switch to NSL
• Domino User DN is still needed in AD
• No ADFS 4.0 support
– So no Windows 2016 server support
– ADFS 3.0 support took 4 years
What about Traveler?
• Verse client now supports Certificate Authentication
– Note, *NOT* SSO, but at least password-less
• No native iOS support that I know of
– So iOS native still uses HTTP password
• Some MDMs have their own mail clients to address this
Common Thread….
• “Domino DN still needed in AD”
– (or email address, just some unique ID equal in both systems)
– Domino DN = “CN=Darren Duke,OU=blah,O=bob”
• It’s the LDAP version of your Domino name
– Use TDI to populate AD field with Domino DN
• Prereq, needs *existing* common ID between AD and Domino
– Email address?
– Domino short name = sAMAccountName?
• Some orgs use AltSecurityIdentities, some email address
• Others use custom field
– If custom, make sure to index that field in AD!!!
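An added example (not from the original deck) of the mapping step this slide describes: it converts a Domino canonical name to its LDAP DN form and joins Domino and AD exports on a shared key, refusing rows where that key is missing or not unique. The record layouts, the sample people and the choice of email address as the join key are constructed assumptions; writing the result into AD (for example with TDI) is left out.

```python
"""Build the Domino-DN-per-AD-account mapping and report rows that are unsafe to write."""

# Characters RFC 4514 requires to be backslash-escaped inside an RDN value.
LDAP_SPECIALS = set(',+"\\<>;')
DOMINO_TYPES = {"CN", "OU", "O", "C"}


def escape_rdn_value(value):
    """Escape one RDN value per RFC 4514 (specials, leading '#', edge spaces)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in LDAP_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domino_to_ldap_dn(canonical):
    """'CN=Darren Duke/OU=blah/O=bob' -> 'CN=Darren Duke,OU=blah,O=bob'.

    Abbreviated names ('Darren Duke/blah/bob') carry no component types,
    so they are rejected rather than guessed at.
    """
    parts = []
    for component in canonical.split("/"):
        key, sep, value = component.partition("=")
        key, value = key.strip().upper(), value.strip()
        if not sep or key not in DOMINO_TYPES or not value:
            raise ValueError("not a canonical Domino name: %r" % canonical)
        parts.append("%s=%s" % (key, escape_rdn_value(value)))
    return ",".join(parts)


def build_mapping(domino_people, ad_users):
    """Join on email address; return (updates, problems).

    updates  maps sAMAccountName -> Domino DN in LDAP form.
    problems lists (key, reason) for every row that must not be written.
    """
    ad_by_mail, domino_by_mail = {}, {}
    for user in ad_users:
        ad_by_mail.setdefault(user["mail"].strip().lower(), []).append(user)
    for person in domino_people:
        key = person["InternetAddress"].strip().lower()
        domino_by_mail.setdefault(key, []).append(person)

    updates, problems = {}, []
    for mail, people in sorted(domino_by_mail.items()):
        matches = ad_by_mail.get(mail, [])
        if len(people) > 1 or len(matches) > 1:
            # A shared mailbox address cannot identify one person in both systems.
            problems.append((mail, "key is not unique in both systems"))
        elif not matches:
            problems.append((mail, "no AD account with this key"))
        else:
            try:
                updates[matches[0]["sAMAccountName"]] = domino_to_ldap_dn(people[0]["FullName"])
            except ValueError as exc:
                problems.append((mail, str(exc)))
    return updates, problems


# Constructed sample exports (not real directory data).
DOMINO_PEOPLE = [
    {"FullName": "CN=Darren Duke/OU=blah/O=bob", "InternetAddress": "Darren.Duke@example.com"},
    {"FullName": "CN=Smith, Jane/O=bob", "InternetAddress": "jane.smith@example.com"},
    {"FullName": "CN=Sam Shared/O=bob", "InternetAddress": "shared@example.com"},
    {"FullName": "CN=Pat Gone/O=bob", "InternetAddress": "pat.gone@example.com"},
    {"FullName": "Abbrev Name/bob", "InternetAddress": "abbrev@example.com"},
]
AD_USERS = [
    {"sAMAccountName": "dduke", "mail": "darren.duke@example.com"},
    {"sAMAccountName": "jsmith", "mail": "jane.smith@example.com"},
    {"sAMAccountName": "shared1", "mail": "shared@example.com"},
    {"sAMAccountName": "shared2", "mail": "shared@example.com"},
    {"sAMAccountName": "abbrev", "mail": "abbrev@example.com"},
]

if __name__ == "__main__":
    updates, problems = build_mapping(DOMINO_PEOPLE, AD_USERS)
    for account, dn in sorted(updates.items()):
        print("%-8s -> %s" % (account, dn))
    for key, reason in problems:
        print("SKIP %s: %s" % (key, reason))
```
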
Notes client setup suggestions
• Prepopulate Notes client setup values automatically
– https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/use-a-custom-notes.ini-file-and-prepopulate-user-settings-on-notes-first-startup.htm
– Use the above either standalone, with NSL or with NFL
– Andy’s and Rob’s SAML LS/Connect Show and Tell
• www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW100.ppt/%24file/SHOW100.ppt
Q and A
• So if time permits, ask away…..
• Also:
– https://blog.darrenduke.net
– @darrenduke on Twitter

Contenu connexe

Tendances

Inform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for AdminsInform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for AdminsJared Roberts
 
SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016David Hablewitz
 
Rock Solid Sametime for High Availability
Rock Solid Sametime for High AvailabilityRock Solid Sametime for High Availability
Rock Solid Sametime for High AvailabilityGabriella Davis
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 
HTTP/2 Changes Everything
HTTP/2 Changes EverythingHTTP/2 Changes Everything
HTTP/2 Changes EverythingLori MacVittie
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesGabriella Davis
 
IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceGabriella Davis
 
Working With Sametime For Mobile Devices
Working With Sametime For Mobile DevicesWorking With Sametime For Mobile Devices
Working With Sametime For Mobile DevicesGabriella Davis
 
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerEngage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerBill Malchisky Jr.
 
The Sametime Mobile Experience
The Sametime Mobile ExperienceThe Sametime Mobile Experience
The Sametime Mobile ExperienceGabriella Davis
 
Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013Siva Arunachalam
 
Http2: why the web is upgrading? - bdx.io 2015
Http2: why the web is upgrading?   - bdx.io 2015Http2: why the web is upgrading?   - bdx.io 2015
Http2: why the web is upgrading? - bdx.io 2015Quentin Adam
 
Becoming A Connections Administrator
Becoming A Connections AdministratorBecoming A Connections Administrator
Becoming A Connections AdministratorGabriella Davis
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesGabriella Davis
 
Face Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesFace Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesGabriella Davis
 
Domino in the Back, Party In The Front
Domino in the Back, Party In The FrontDomino in the Back, Party In The Front
Domino in the Back, Party In The FrontGabriella Davis
 
Planning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections UpgradePlanning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections UpgradeGabriella Davis
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and morepanagenda
 

Tendances (20)

Inform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for AdminsInform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for Admins
 
SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016
 
Rock Solid Sametime for High Availability
Rock Solid Sametime for High AvailabilityRock Solid Sametime for High Availability
Rock Solid Sametime for High Availability
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
 
HTTP/2 Changes Everything
HTTP/2 Changes EverythingHTTP/2 Changes Everything
HTTP/2 Changes Everything
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
 
IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and Performance
 
Web Sockets in Java EE 7
Web Sockets in Java EE 7Web Sockets in Java EE 7
Web Sockets in Java EE 7
 
Working With Sametime For Mobile Devices
Working With Sametime For Mobile DevicesWorking With Sametime For Mobile Devices
Working With Sametime For Mobile Devices
 
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerEngage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
 
The Sametime Mobile Experience
The Sametime Mobile ExperienceThe Sametime Mobile Experience
The Sametime Mobile Experience
 
Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013
 
Http2: why the web is upgrading? - bdx.io 2015
Http2: why the web is upgrading?   - bdx.io 2015Http2: why the web is upgrading?   - bdx.io 2015
Http2: why the web is upgrading? - bdx.io 2015
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino Adminblast
 
Becoming A Connections Administrator
Becoming A Connections AdministratorBecoming A Connections Administrator
Becoming A Connections Administrator
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 Certificates
 
Face Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesFace Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On Premises
 
Domino in the Back, Party In The Front
Domino in the Back, Party In The FrontDomino in the Back, Party In The Front
Domino in the Back, Party In The Front
 
Planning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections UpgradePlanning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections Upgrade
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and more
 

Similaire à Notes, domino and the single sign on soup

You don't want to do it like that
You don't want to do it like thatYou don't want to do it like that
You don't want to do it like thatSharon James
 
SharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyondSharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyondMikael Svenson
 
SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013Sam Larko
 
Keeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative TechnologiesKeeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative TechnologiesIABC Houston
 
Use Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.comUse Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.comOlivier Karfis
 
AdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections AdminblastAdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections AdminblastNico Meisenzahl
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365Dylan Redfield
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxDarren Duke
 
Tales from the Platform Trade
Tales from the Platform TradeTales from the Platform Trade
Tales from the Platform TradeWilliam Grosso
 
WordPress Hosting Basics
WordPress Hosting BasicsWordPress Hosting Basics
WordPress Hosting BasicsChris Burgess
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365Kelly Jones
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxDarren Duke
 
Pearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperPearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperOfer Zelig
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections Adminblastpanagenda
 
Connections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy WayConnections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy WayLetsConnect
 
Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10Sharon James
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastNico Meisenzahl
 
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...David Hablewitz
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365Kelly Jones
 

Similaire à Notes, domino and the single sign on soup (20)

MWLUG 2017 SA110
MWLUG 2017 SA110MWLUG 2017 SA110
MWLUG 2017 SA110
 
You don't want to do it like that
You don't want to do it like thatYou don't want to do it like that
You don't want to do it like that
 
SharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyondSharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyond
 
SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013
 
Keeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative TechnologiesKeeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative Technologies
 
Use Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.comUse Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.com
 
AdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections AdminblastAdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections Adminblast
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
 
Tales from the Platform Trade
Tales from the Platform TradeTales from the Platform Trade
Tales from the Platform Trade
 
WordPress Hosting Basics
WordPress Hosting BasicsWordPress Hosting Basics
WordPress Hosting Basics
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
 
Pearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperPearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET Developer
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections Adminblast
 
Connections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy WayConnections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy Way
 
Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections Adminblast
 
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365
 

Dernier

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 

Dernier (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 

Notes, domino and the single sign on soup

  • 1. MWLUG 2017 Moving Collaboration Forward Notes, Domino and the Single Sign-on Soup Chef Darren Duke
  • 2. Our Amazing Sponsors
  • 3. About me
      • Relapsed podcaster http://wtftech.fm/
      – Back on the horse with Stuart and Jesse
      – If you’re not listening, you’re really missing out
      – No, really, you are
      – NO, really you are
      – NO, REALLY YOU ARE!!!!
      • Hire me by talking to Lisa
      – She’ll be around here somewhere
  • 4. SSO you say?
      • Many different things to many different people
      • Could be (listed in order of complexity):
      – Offload
      – Synchronization
      – Integration
      • Could be more than one of the above
  • 5. Domino is different
      • It has two passwords
      – Because….well…..Domino
      – Makes it twice as difficult
      • One size doesn’t fit all
      – You may combine the following concepts
  • 6. Why do it?
      • Single password
      • No password
      • Get away from ID and password management
      – You never *really* get away from the ID
      • It’s what all the cool kids are doing
  • 7. Why do it?
      • What are you trying to solve?
      – Answer this and you know which of the following solutions are for you
  • 8. Notes Shared Login (NSL)
      • Remove Notes password from ID
      • Well, mostly
      – Except for the first logon to a new computer account
      – Policy based
      – Requires Notes Single Logon Service to be removed from clients
      – Can be used with Notes Federated Logon (NFL)
  • 9. You will need a (working) ID Vault
      • If you don’t have one
      – WHY NOT???
      • If you do, is it working?
      • Several of the following solutions require it
  • 10. Types of SSO….
      • Offload
      – Pass it off
      • Synchronization
      – Move the data around
      • Integration
      – Link it all together
  • 11. Offload
      • Authenticate the password from elsewhere
      – Usually Active Directory
      – Uses Directory Assistance and LDAP referrals
      – Only usable (like this) for the HTTP password
      • So iNotes, web apps, Traveler, etc
      • Will also be needed if you do SAML and SPNEGO
  • 12. Offload
      • Pros
      – Actually uses the AD password, no HTTP password exists anymore*
      • Cons
      – Only web protocols
      – You need to get the Domino LDAP DN into AD field
      – Traveler can lock the account out on a regular basis
      • Think AD password change policy
  • 13. Synchronization
      • Copy password from “A” to “B”
      – “A” is usually AD, “B” is usually Domino
      • Capture AD password change, send to Domino
      – Can update ID Vault and/or HTTP password
      • TDI is free entitlement for most of you
      – And it can do this
  • 14. Synchronization
      • Pros
      – Fixes AD lockout issue with “offload”
      – Notes ID and/or HTTP password thanks to ID Vault
      • Cons
      – Usually requires AD schema modification
      – HTTP password changes need to replicate
      – Doesn’t really get rid of Notes ID password
      • Just makes it known to the user
  • 15. Integration
      • Use a different system (usually AD) to verify user ID and password
      • Two options
      – SPNEGO
      • Reasonably simple
      • Limited use
      • HTTP only
      – SAML/NFL
      • As far from reasonably simple as you can get
      • Notes client and/or HTTP
  • 16. SPNEGO
      • Allows domain connected users using browser apps to login transparently using IWA
      • Web/Internet site based
      – All or nothing
      – Although with good firewall people……
      • Two internet documents, one SPNEGO, one not
      – Source IP, agent sniffing, etc
  • 17. SPNEGO
      • Pros
      – Simple(ish)
      • Cons
      – HTTP only
      – Windows desktops only (no Mac)*
      – Domino authentication server must be Windows
      – Kind of half-assed implementation
      • Will not fall back to user name and password
      – Domino User DN is still needed in AD
  • 18. SAML/WFL/NFL
      • Uses SAML to connect to ADFS or TAM
      – Could use others but completely unsupported
      • Most are (and all of mine have been) ADFS
      • Can be used to get rid of Notes ID password
      • Very flexible
      – WFL for iNotes, web apps
      – NFL for Notes clients
      – Use either or both
  • 19. SAML/WFL/NFL
      • Pros
      – Standard, cross platform
      • Client OS
      – All of them
      • Domino server OS
      – All of them
      – Use AD user name and password
      – Flexible WFL options
      • Inside the corporate network, transparent logon
      • Outside, use forms based logon
      – Go completely Notes ID password-less
  • 20. SAML/WFL/NFL
      • Cons
      • Is pretty complex
      • Documentation is woeful
      • Notes requires files be present in the user profile to work
      – Stub notes.ini with full CN user name
      – Deploy.nsf for certificates
      • Requires a custom ADFS SSL cert
      – Means need to use non-commercial certificate
      – Create ADFS server specifically for NFL as users may get SSL certificate trust issues unless it is computer trusted roots
      – Again, a bit half arsed
  • 21. SAML/WFL/NFL
      • Cons (cont)
      • Slow logging into Notes client
      – All these security shenanigans take time
      • But this can be fixed by also using NSL.
      – First login uses NFL
      – Subsequent logins switch to NSL
      • Domino User DN is still needed in AD
      • No ADFS 4.0 support
      – So no Windows 2016 server support
      – ADFS 3.0 support took 4 years
  • 22. What about Traveler?
      • Verse client now supports Certificate Authentication
      – Note, *NOT* SSO, but at least password-less
      • No native iOS support that I know of
      – So iOS native still uses HTTP password
      • Some MDMs have their own mail clients to address this
  • 23. Common Thread….
      • “Domino DN still needed in AD”
      – (or email address, just some unique ID equal in both systems)
      – Domino DN = “CN=Darren Duke,OU=blah,O=bob”
      • It’s the LDAP version of your Domino name
      – Use TDI to populate AD field with Domino DN
      • Prereq, needs *existing* common ID between AD and Domino
      – Email address?
      – Domino short name = sAMAccountName?
      • Some orgs use AltSecurityIdentities, some email address
      • Others use custom field
      – If custom make sure to AD index that field!!!
  • 24. Notes client setup suggestions
      • Prepopulate Notes client setup values automatically
      – https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/use-a-custom-notes.ini-file-and-prepopulate-user-settings-on-notes-first-startup.htm
      – Use the above either standalone, with NSL or with NFL
      – Andy’s and Rob’s SAML LS/Connect Show and Tell
      • www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW100.ppt/%24file/SHOW100.ppt
  • 25. Q and A
      • So if time permitted ask away…..
      • Also:
      – https://blog.darrenduke.net
      – @darrenduke on Twitter
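
Slide 23's prerequisite, worked through as an added example (not from the presentation): convert the Domino canonical name to its LDAP DN form and pair it with an AD account through an existing common ID, refusing any ID that is not unique on both sides. The function names are hypothetical, the directory rows are constructed, the join key assumes the slide's "Domino short name = sAMAccountName" option, and value escaping follows RFC 4514.

```python
import re

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_MUST_ESCAPE = re.compile(r'([,+"\\<>;])')

def domino_to_ldap_dn(canonical):
    """'CN=Darren Duke/OU=blah/O=bob' -> 'CN=Darren Duke,OU=blah,O=bob'."""
    rdns = []
    for part in canonical.split("/"):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or attr not in ("CN", "OU", "O", "C") or not value:
            raise ValueError(f"not a canonical Domino name: {canonical!r}")
        value = _MUST_ESCAPE.sub(r"\\\1", value)
        if value.startswith("#"):  # a leading '#' is also special
            value = "\\" + value
        rdns.append(f"{attr}={value}")
    return ",".join(rdns)

def _index(rows, key):
    idx = {}
    for row in rows:
        idx.setdefault(row[key].strip().lower(), []).append(row)
    return idx

def build_mapping(domino_people, ad_users):
    """Join on the common ID; an ID duplicated on either side is never mapped."""
    d_idx = _index(domino_people, "ShortName")
    a_idx = _index(ad_users, "sAMAccountName")
    mapping, problems = {}, []
    for key in sorted(a_idx):
        ad_rows, d_rows = a_idx[key], d_idx.get(key, [])
        if len(ad_rows) > 1 or len(d_rows) > 1:
            problems.append((key, "ambiguous"))  # guessing could cross identities
        elif not d_rows:
            problems.append((key, "no Domino person"))
        else:
            dn = domino_to_ldap_dn(d_rows[0]["FullName"])
            mapping[ad_rows[0]["sAMAccountName"]] = dn
    return mapping, problems

# Constructed sample exports, not real directory data.
DOMINO = [
    {"FullName": "CN=Darren Duke/OU=blah/O=bob", "ShortName": "dduke"},
    {"FullName": "CN=Smith, Pat/O=bob", "ShortName": "psmith"},
    {"FullName": "CN=Alex Lee/OU=east/O=bob", "ShortName": "alee"},
    {"FullName": "CN=Alex Lee/OU=west/O=bob", "ShortName": "alee"},
]
AD = [{"sAMAccountName": n} for n in ("DDuke", "psmith", "alee", "jdoe")]

if __name__ == "__main__":
    print(build_mapping(DOMINO, AD))
```

Everything in `problems` needs a manual decision before any DN is written to AD; the values in `mapping` are what a sync job would place in the chosen AD field.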