Presentation from Connections 2015 with Terri Warren
In this directory, data integration and single sign on session, we'll explore best practices for successful integration of social software with your existing directory data. Learn how to utilize Single Sign On across your environment as well as how to successfully utilize directory information across all of the Connections applications.
Connections Directory Integration: A Tour Through Best Practices for Directory and Security Integration With IBM Connections
2. Let’s talk about me for a minute
§ Admin of all things and especially quite complicated things, where the fun is
– Working with security, healthchecks, single sign on, design and deployment of Domino, ST,
Connections and things that they talk to
§ Stubborn and relentless problem solver
§ Lives in London about half of the time
§ Anything I say in this presentation is entirely mine & not endorsed by IBM or the
woman on stage with me :)
3. Why This Session?
§ Every user within Connections must have a consistent identity
§ That identity originates from a LDAP directory
§ It’s then stored in Connections and used by each of the individual Connections
applications
– Except they each use the identity differently
– Except some functionality calls back to LDAP
– Except it’s IBM which means many different directory types and versions have to be supported
– Except IBM have little control over how these directories behave
§ Ensuring an identity always points to the same user and that user is the right user is critical
to ensure Connections works
§ This session is to help you understand how to make your directory play nice with
Connections and what can stop it doing that
5. Authenticating Using LDAP
§ Connections requires us to have a directory to authenticate against
– There needs to be one good authority for validating users
§ Several methods of single sign on and single identity are supported including 3rd party
tools
§ The quality and reliability of your authoritative LDAP drives more than just user logins
– Poor LDAP data means poor profile data, technical problems and user dissatisfaction
– Poor LDAP performance means poor Connections performance and user dissatisfaction
§ LDAP is used primarily during Profile population, authentication and group membership
lookups
– More on this later
6. Simple LDAP Configuration In WebSphere
§ Under Global Security – Federated Repositories
– What are federated repositories?
§ The correct directory type tells WebSphere the correct construct for sending an LDAP
query
§ Connections uses the directories configured in your deployment manager
– So does Filenet when installed as CCM and directed to use WebSphere
– Filenet installed standalone has its own directory configuration (SSO alert!)
§ Multiple directories must use unique authentication account names and unique base dn
searches
– WebSphere gets confused otherwise
7. Testing LDAP
§ Always backup your deployment manager before making ANY LDAP changes
– Dmgr\bin\backupConfig.sh / .bat
§ Once LDAP is configured in WebSphere, test that it works via the ISC for the deployment
manager
– The xml file that contains the LDAP configuration details is wimconfig.xml
§ Search for users by email address and make sure their login names are what you expect
§ Search for groups, especially if using Domino for LDAP and make sure they appear
8. What Happens When LDAP Is Down
§ WebSphere has a significant amount of caching for directory access
§ It can’t authenticate users with no LDAP though
§ Users already logged in will continue to work with a gradual loss of features
§ New users won’t be able to login
9. WebSphere Load Balanced LDAP
§ If you tell WebSphere to use a load balancer for LDAP the following happens
– The LB directs WebSphere to a LDAP server to use
– WebSphere caches that connection and continues to use it
– If that server goes down but the LB is still up it will take WebSphere 30 minutes or more to
request a new server connection from the LB
§ If however you give WebSphere a list of LDAP servers to use for failover, it will
immediately failover to an alternate if its initial connection fails
10. Let’s talk about the other woman on stage for a minute
§ Advisory Software Engineer
Connections Directory Services
– Working on Connections Directory (Waltz), LDAP, Security, CCM and
integration of Connections and the applications it talks to!
– My previous gig was working on Domino Directory: LDAP, DA, Directory
Catalogs, NameLookup, Single Sign-On and all things Directory
§ I work for IBM, so anything I say in this presentation
should appropriately represent IBM (and be polite to
the extremely intelligent woman on stage with me :))
12. User Data across Connections applications: The Basics!
§ User Data consists of:
– ID: GUID (we’ll get to that)
– Attributes of that user
– Membership
• LDAP Group Membership (we’ll get to that)
• Community Membership
[Diagram: example user record]
ID (GUID): 05978bab-2c2c-40c0-9745-1f6cb771dff7
DN: cn=ajones…
uid: ajones
email: ajones@...
14. User Data: Login Names
§ User Data prerequisites (Login Names)
– Login names (the user name you log into Connections with) must exist in both
Profiles (various columns) AND LDAP
§ Configured in the “login properties”
dialog in WAS for that particular directory
§ When Profiles is populated, the “login table” is built with mail and uid by default
and adds additional attributes from map_dbrepos_from_source.properties
ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com"
-D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)"
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: person
uid: Amy Jones2
cn: Amy Jones2
mail: ajones2@janet.iris.com
15. User Data: Login Names
§ Configured in the “login properties” dialog in WAS for that particular directory:
§ If Connections Content Management (CCM) is installed:
– By default, Filenet (CCM) assumes uid for the "Security Principal"
– If the value of login properties is something other than uid, or if uid is not the first value:
• modify profiles-config.xml, moving the attribute that matches up with the principal to be the first
attribute in the <loginAttributes> section (e.g. email):
16. User Data: Login Names
§ If CCM is installed (cont’):
– prof_uid or prof_mail must be the same value as what’s in the login properties
– A JVM argument needs to be configured on the Filenet (CCM) server and set to the value in the
login properties dialog: (note this is done by default in 5.0 by the connections installer)
www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/
t_inst_config_libraries_newfn.dita
17. User Data: IDs (GUIDs): The Basics
§ IDs (GUIDS): used internal to Connections for persistent representations of the user.
– The ID (GUID) is distinct and different from the user's login name.
– Users identify themselves to the system with their login name.
– The login name is not generally used to persist a reference to the user:
• Names may change
• Different users may acquire the same login name over time
• Users may have multiple login names
– Access control lists and community membership lists do not use the login name, they use IDs!
§ Think about other apps, such as Domino
– Domino uses the Distinguished Name as the ID (and that comes with issues
because DN’s can change)
§ MORE on IDs in a minute!
18. User Data: Mail Addresses
§ Mail Addresses:
– Must exist in both Profiles AND LDAP
– The value should be the same in Profiles as in LDAP:
• However, if the value is different, mail cannot be used as “login name”.
20. Connections, Directories and IDs: What are IDs?
§ The ID is used by Connections for persistent
representations of the user.
§ By Default: Connections uses as its “ID” the Globally Unique Identifier (GUID) for Users and
Groups:
– It is fixed- a GUID for an object does not change *
– If an object is deleted, and recreated in LDAP, that object is recreated with a NEW ID (GUID)
– The terms “GUID” and “ID” can be used interchangeably UNTIL an admin decides they
need to choose something “other” than the default! (e.g. uid, employee ID etc).
WALTZ: [ID=4fda6cc0-0101-102e-88dd-f78755f7e0ed]
§ Connections also generates a GUID for Community Objects (same format as GUID)
21. Connections, Directories and IDs (GUIDS): What are IDs?
§ To solidify it in your mind: You can search an LDAP to find a GUID for a user:
– e.g. searching IBM Tivoli Directory Server, the GUID is referred to as “ibm-entryUUID”:
ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com"
-D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)" ibm-entryUUID
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
ibm-entryuuid: 4fda6cc0-0101-102e-88dd-f78755f7e0ed
[Table: GUID attribute names for each LDAP server type]
22. How does Connections utilize IDs?
§ Connections Applications will persist that ID in their tables
§ Connections Applications will search using that ID
§ Community Membership will be searched using that ID
§ LDAP Group Membership, Group Expansion will be
searched using that ID
[Diagram: user logs in to Connections as uid=ajones2; LDAP and Profiles resolve to the same user record]
ID (GUID): 05978bab-2c2c-40c0-9745-1f6cb771dff7
DN: cn=ajones2…
uid: ajones2
email: ajones2@...
23. Custom IDs: Why?
§ There are business scenarios when the ID used to identify the object cannot be a GUID.
– Company has offices all over the world. Employees move from one region to another so they are
deleted from one LDAP and re-added to another.
– Company identifies its employees by a guaranteed unique “Employee ID”
§ Remember: when a user is deleted and re-added, the GUID of a directory object changes
– This affects IBM Connections applications that may have knowledge of a particular GUID for those objects.
– When a GUID changes, you must synchronize the LDAP with the Profiles database before that user
logs in again.
– If you don’t, the user will have two accounts in IBM Connections: one with the old GUID and one with
the new “ID”.
§ It is NOT recommended to change IDs for customers who have Connections Content Manager
(CCM): the user may lose access to content created with a particular ID
24. Custom IDs: Considerations for the selection of an ID
§ The ID must be globally unique. The ID must not ever be reassigned to a different user or group
in the directory.
– This makes DN, email, Microsoft Active Directory sAMAccountName and most UID and CN values poor
choices since those might be reused after a user leaves an organization.
§ Must not exceed 252 characters in length. To achieve faster search results, use a fixed-length
attribute for the ID if possible.
§ Must have a one-to-one mapping per directory object.
– Can’t use an attribute with multiple values as a unique ID. Users: one and only one ID!
§ The attribute must exist in both the LDAP schema and the WebSphere Virtual Member Manager
(VMM) schema
– If it does not, it must be added to wimxmlextension.xml (which may have to be created), located under:
AIX®: /usr/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
Linux™: /opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
Windows™: C:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim
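The selection rules on this slide can be checked mechanically against an LDAP export before an ID attribute is committed to. The script below is an added example written for this page, not code from the deck or from IBM: it parses plain LDIF of the kind ldapsearch prints (the sample entries are constructed, with the ITDS ibm-entryUUID attribute and an employeeNumber that exists only on person entries) and reports why a candidate attribute fails as an ID.

```python
"""Vet an LDAP attribute as a custom Connections ID (added example, not IBM code).

Applies the slide's rules to LDIF text of the kind ldapsearch prints: the
attribute must exist on every object (users AND groups), be single-valued,
be at most 252 characters and be unique across the directory. Sample LDIF
below is constructed; no '::' base64 values are handled.
"""
from collections import defaultdict

MAX_ID_LEN = 252  # length limit stated on the slide

# Constructed export: two people and one group. ibm-entryUUID is the ITDS
# GUID attribute; employeeNumber exists only on the person entries.
SAMPLE_LDIF = """\
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
objectclass: inetOrgPerson
uid: ajones2
mail: ajones2@janet.iris.com
mail: amy.jones@iris.com
employeeNumber: 100001
ibm-entryUUID: 4fda6cc0-0101-102e-88dd-f78755f7e0ed

dn: cn=Bob Smith,ou=users,dc=iris,dc=com
objectclass: inetOrgPerson
uid: bsmith
mail: bsmith@janet.iris.com
employeeNumber: 100002
ibm-entryUUID: 05978bab-2c2c-40c0-9745-1f6cb771dff7

dn: cn=connections-admins,ou=groups,dc=iris,dc=com
objectclass: groupOfUniqueNames
uniqueMember: cn=Amy Jones2,ou=users,dc=iris,dc=com
ibm-entryUUID: 7c1e2a40-0101-102e-88dd-f78755f7e0ed
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr(lowercase): [values]}; folded lines joined."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():                       # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and last_attr:     # continuation of previous value
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
        last_attr = attr
    if current is not None:
        entries.append(current)
    return entries


def check_id_attribute(entries, attr):
    """Return the problems that make attr unusable as the ID; [] means usable."""
    attr = attr.lower()
    problems, seen = [], defaultdict(list)        # seen: value -> DNs carrying it
    for entry in entries:
        dn = entry["dn"][0]
        values = entry.get(attr, [])
        if not values:
            problems.append(f"{dn}: no '{attr}' (must exist on users and groups)")
            continue
        if len(values) > 1:
            problems.append(f"{dn}: '{attr}' is multi-valued ({len(values)} values)")
        for v in values:
            if len(v) > MAX_ID_LEN:
                problems.append(f"{dn}: '{attr}' is {len(v)} chars (limit {MAX_ID_LEN})")
            seen[v].append(dn)
    for value, dns in seen.items():
        if len(dns) > 1:                          # reuse across objects: disqualifying
            problems.append(f"'{attr}' value {value!r} reused by: {', '.join(dns)}")
    return problems


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for candidate in ("ibm-entryUUID", "employeeNumber", "mail"):
        issues = check_id_attribute(directory, candidate)
        print(candidate, "OK" if not issues else "NOT usable", *issues, sep="\n  ")
```

A snapshot can only prove an attribute is unique today; whether it is ever reassigned after a user leaves is a policy question for the LDAP administrator.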
25. Custom IDs: Specifying them in Connections (LotusConnections-Config.xml)
§ The Profiles database contains the value of each user's ID in the PROF_GUID column of the
EMPLOYEE table:
– The value used in PROF_GUID must match some attribute in your LDAP directory.
§ Connections must be made aware of which attribute from your directory to use for the ID
– Modify LotusConnections-config.xml:
• e.g. your custom ID is “uid”: locate the “serviceName” tag in your xml:
<sloc:serviceReference profiles_directory_service_extension_enabled="true"
serviceName="directory" custom_user_id_attribute="uid"/>
• To customize your group ID: custom_group_id_attribute="uid"
• Note: the attribute used must exist for a group object!
– Check the ID (GUID) value in the map_dbrepos_from_source.properties file
– Note! prof_source_uid must be the distinguished name of the user in WebSphere LDAP:
distinguishedName=$dn
26. Modifying wimconfig.xml instead of LotusConnections-Config.xml
§ wimconfig.xml governs a single ID attribute for all supported objects such as users
(PersonAccount), Groups, and organizations (OrgContainer) in the WebSphere Application
Server.
§ An administrator chooses to make the custom ID modifications in wimconfig.xml when:
– An administrator has chosen a custom ID that does NOT exist in LDAP and/or VMM Schema.
– An administrator determines there is one LDAP attribute that exists for ALL VMM entity types
(e.g PersonAccount and Groups, OrgContainers)
• If attribute is NOT available within each object class (e.g. 'employeeID' exists for inetOrgPerson but
it is not available for the groupsOfUniqueName objectclass (group objects), then that attribute
CANNOT be used to specify the custom ID in wimconfig.xml. NOPE!
§ An administrator must modify wimxmlextension.xml when:
– An admin chooses to use an “LDAP extended attribute” for a custom ID:
• Modify LDAP (the attribute is not there yet!)
• Modify VMM
• Add the new VMM Schema property to wimxmlextension.xml
28. Tivoli Directory Integrator - The Engine
§ TDI acts as the translator to convert data from one source to another
– In this case from whatever the LDAP directory is to DB2, SQL Server or Oracle
§ There is no way for companies to create profiles on premises without TDI
§ TDI needs to be installed so the engine and libraries are present
§ How much you customise or work with it is then entirely down to your company’s
requirements
29. Moving Data Into Connections
§ Population Wizard (Simple: Manual)
– 1 LDAP Source > Profile
§ XML Files From TDISOL
– 1 LDAP Source > Profile
– Some data manipulation
§ Assemblyline (Advanced: Realtime)
– Multiple Data Sources
– Full data manipulation
30. The DB Wizard
§ The simplest method to move LDAP data to Connections is using the supplied DB Wizard
§ Backup PeopleDB before starting
§ DBWizard is great if you have only a single LDAP source and good data
– It also helps you get started with customising TDISol (more later)
§ Each step of DBWizard is validated so you can’t progress through to population unless
your LDAP server details are correct
– That’s a good thing
31. TDISol
§ The TDISol directory extracts as part of the Connections install
– You should always check for an updated version on Fix Central
§ It contains all the custom scripts you need to build your own population engine
– All you need do is complete 4 simple properties files
– And a batch file
– And install TDI
– But that’s it
32. Important TDISol Files
§ Profiles_tdi.properties
– Pay attention to guid property in particular
– Also delete or inactivate users
§ map_dbrepos_from_source
§ map_dbrepos_to_source
– You can only map an attribute in one direction so verify
the same attribute isn’t mapped in both files or the updates
will keep overwriting each other
§ Profiles_functions.js
§ Solution.properties
§ Tdienv.bat / tdienv.sh
33. Assemblylines
§ What is a TDI Assemblyline?
§ Why would I write my own?
§ Why don’t IBM supply standard ones?
§ What functions are available to me?
§ Working with the Configuration Editor
34. Multiple Directories
§ Each person must only appear in one directory
§ Multiple directories cannot be deployed using DBWizard
§ Instead use multiple TDISol configurations
– or a custom Assemblyline
36. Populating Connections From A Different Directory Than LDAP
§ It’s possible that you would want to authenticate users from one directory but populate
profiles from another
§ This is supported and technically it’s not difficult however
– The user data in both directories must match up with the same unique key
– The user should ideally have the same email address in both directories
– It significantly increases the complexity of the data and the chances of poor or mismatched
information being returned to the users
§ It’s an advanced solution for a very specific use case
– Far better to be able to use your LDAP authentication server(s) as your data source
37. Connections Security Users vs Groups
§ Application Security
§ User Access in Communities, Wikis, Activities, Blogs
§ Browsing to grant authority in applications
§ Cached security and group memberships in WAS
§ Nested group behaviour (more on that later from Terri)
39. Groups: Overview
§ Group Expansion: “Given a group name, return all its members”
– A list of members in a particular group
– Functionality is provided through a series of “type-ahead” or “Group Browse” dialogs
– Search for groups using type-ahead
• Type in exact group names, OR partial
• Nested groups- can expand groups at each level of nesting
§ Group Membership: “Give me all the groups that a given user or group is a member of”
– Used to compute user, group and community membership across Connections applications (Activities,
Communities, Files and Wikis)
– Used by each application to grant access to content, adding or modifying membership etc.
– LDAP directories can be deployed to use nested groups (groups that contain group members)
40. Groups: An overview (cont’d)
§ Determining group membership has the potential to affect the performance of Connections
Applications, as well as directory providers (LDAP).
– Computing membership can affect performance
– Nested groups can have an impact on performance
§ Connections makes every attempt to act "responsibly" and optimize its membership checking
functionality
– Membership is determined by enumerating through all member attributes for a particular group entry
– Attribute differs depending on each LDAP service provider
– If nested groups are deployed in LDAP and enabled in WAS, those groups will be enumerated as well
§ Nested groups require an operational attribute:
– Why? (That is why I had the BIG BLUE CLOUD APPEAR!)
– Enables Connections to utilize the efficient manner that LDAP Providers use to enumerate group
membership.
41. Groups: Membership Configuration in Websphere (WAS):
§ Operational attributes:
– attributes that have special meaning to the Directory Server
– maintained by the server and reflect information the server manages about an entry/server operation.
§ Necessary items to configure in WAS for group membership functionality.
– Member: an attribute that indicates the groups to which an entry belongs
• Distinguished Name syntax, multi-valued, and has an objectclass associated with it
(an objectclass basically defines the collection of attributes that can be used to define an entry)
– Membership (using Operation Attributes)
§ LDAP example we’ll go through configuring
in Websphere (WAS)
42. Groups: Membership Configuration in (WAS):
§ Connections requires that Group membership be configured in WAS
§ From the WAS Admin Console:
§ Navigate to Global Security Tab → Federated Repositories → Manage repositories → select
your LDAP:
§ Select “Group attribute definition” from the Additional Properties section:
§ Add the membership attribute
§ Nested Groups? Use the operational attribute for nested
Why? (Remember that big blue cloud?)
Connections uses the performance-minded operational attribute for membership checking!
43. Groups: Membership Configuration in Websphere (WAS):
§ Choosing the Name of the group Membership operational attribute:
– Dependent upon the LDAP repository configured in WAS!
§ Choose scope of the group membership attribute:
44. Groups: Member Configuration in WAS
§ Connections requires that group member attributes be configured in WAS:
– Necessary for Connection's support of group expansion
– Also a factor in Connection's support of group membership (as previously mentioned)
§ From the WAS Admin Console:
– Navigate to Global Security Tab → Federated Repositories → Manage repositories →Select
your LDAP → Select the member attribute from the Additional Properties section
§ Enter the Member attribute/Objectclass pairing
required for your particular LDAP service:
46. Nested Groups: (Now the hard part!)- “A few twists and turns”
IBM Tivoli Directory Server…
§ IBM Tivoli Directory Server (ITDS) requires a specific set of Attribute/Objectclass pairings
to be deployed in the LDAP directory for nested groups:
§ Membership:
– The LDAP operational attribute for ITDS is “ibm-allGroups”
– ITDS must be configured to contain nested group entries
using the auxiliary objectclass “ibm-nestedGroup”
§ Member:
– Add the “ibm-memberGroup” member attribute
in the “Name of member attribute” dialog
– Add the auxiliary objectclass “ibm-nestedGroup”
denoting the objectclass of the nested group
entries in the ITDS directory itself.
– Select “Direct” (applies to members themselves)
47. Nested Groups: ITDS and Member:
§ ITDS should also have groups deployed using the standard supported default attribute/
objectclass pairings:
– *uniquemember/groupOfUniqueNames (as documented in the upcoming table)
§ The Connections / WAS administrator may not be the same person as the LDAP
administrator: i.e- there needs to be coordination!
48. Nested Groups: “A few twists and turns”- Domino Directory Server…
§ Groups in Domino are “Flat Groups”
§ What is a Flat Group?
– A group that exists in the root level of a LDAP directory.
– Unlike a hierarchical group, it does not have a tree-like structure, e.g. “cn=group1”
§ How to Configure WebSphere to find Domino flatgroups?
– wimconfig.xml is your customization tool!
– Edit and replace:
<config:baseEntries name="o=ORGX" nameInRepository="o=ORGX"/>
with
<config:baseEntries name="" nameInRepository=""/>
Replace
<config:participatingBaseEntries name="o=ORGX"/>
with
<config:participatingBaseEntries name=""/>
§ The wimconfig.xml file is stored in the following location:
Linux: /opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim/config
Windows: <drive>:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim\config
49. Nested Groups: “A few twists and turns”- Active Directory
§ The LDAP Operational Attribute for Active Directory is “memberOf”
§ However, by default- Active Directory does NOT expand nested groups
§ Websphere has compensated for this:
– Configure WAS using “memberOf”
– Set the group membership scope to
DIRECT (telling VMM not to depend on LDAP to do the nested expansion for us!)
§ Connections also must do its part!
– Connections 4.5- get the iFix (LO80435)
– Connections 5.0 CR1 –fixed in that
– Enable JVM to indicate you WANT it to chase nested groups:
• Add following to Generic JVM arguments
-Dcom.ibm.connections.recursively.search.membership=true
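The two group lookups from slide 39 (expansion: group to members; membership: user to groups) and the DIRECT-versus-recursive distinction on this slide, worked through in code. This is an added example written for this page, not code from the deck or IBM: the Directory class is a constructed in-memory stand-in for an LDAP server that, like Active Directory without nested expansion, only answers direct member/memberOf questions, and the group names and DNs are made up.

```python
"""Group expansion vs. group membership with nested groups (added example).

Not code from the deck or IBM: an in-memory stand-in for an LDAP server that
only answers *direct* member / memberOf questions, the way Active Directory
does without nested-group expansion. membership() shows the WAS "DIRECT"
scope beside the recursive walk Connections performs itself when
-Dcom.ibm.connections.recursively.search.membership=true; expand_group()
is the "given a group, return all its members" lookup from slide 39.
"""

# Constructed directory: group DN -> direct member DNs. support is nested in
# it-staff, which is nested in all-employees; cycle-a and cycle-b contain
# each other to exercise the loop guard.
U = "ou=users,dc=iris,dc=com"
G = "ou=groups,dc=iris,dc=com"
GROUPS = {
    f"cn=support,{G}": [f"cn=Amy Jones2,{U}", f"cn=Bob Smith,{U}"],
    f"cn=it-staff,{G}": [f"cn=support,{G}", f"cn=Carla Diaz,{U}"],
    f"cn=all-employees,{G}": [f"cn=it-staff,{G}"],
    f"cn=cycle-a,{G}": [f"cn=cycle-b,{G}", f"cn=Amy Jones2,{U}"],
    f"cn=cycle-b,{G}": [f"cn=cycle-a,{G}"],
}


class Directory:
    """Tiny LDAP stand-in; counts round trips, the cost slide 40 warns about."""

    def __init__(self, groups):
        self.groups = groups
        self.queries = 0

    def members(self, group_dn):
        """Direct 'member' values of one group (one read)."""
        self.queries += 1
        return list(self.groups.get(group_dn, []))

    def member_of(self, dn):
        """Direct 'memberOf' of an entry; the server resolves no nesting."""
        self.queries += 1
        return [g for g, members in self.groups.items() if dn in members]


def expand_group(d, group_dn):
    """Group expansion: every user reachable from group_dn through nested groups."""
    users, pending, visited = set(), [group_dn], set()
    while pending:
        g = pending.pop()
        if g in visited:              # cycle or diamond: never re-read a group
            continue
        visited.add(g)
        for m in d.members(g):
            if m in d.groups:
                pending.append(m)     # nested group: expand it too
            else:
                users.add(m)
    return users


def membership(d, dn, recursive):
    """Group membership: groups dn belongs to. recursive=False is DIRECT scope;
    recursive=True walks parent groups until no new group turns up."""
    found, pending = set(), [dn]
    while pending:
        for g in d.member_of(pending.pop()):
            if g not in found:        # 'not in found' is also the cycle guard
                found.add(g)
                if recursive:
                    pending.append(g)
    return found


if __name__ == "__main__":
    d = Directory(GROUPS)
    amy = f"cn=Amy Jones2,{U}"
    print("direct   :", sorted(membership(d, amy, recursive=False)), d.queries, "queries")
    d.queries = 0
    print("recursive:", sorted(membership(d, amy, recursive=True)), d.queries, "queries")
    print("expand all-employees:", sorted(expand_group(d, f"cn=all-employees,{G}")))
```

The query counter makes the performance point concrete: one direct lookup becomes one lookup per group discovered, which is why membership is cached in WAS.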
50. Nested Groups: CCM Integration
§ Connections/CCM Integration
– In Connections 4.5, CCM (Filenet) makes an effort to manually expand nested groups on its own
• To disable this functionality it is recommended you set the JVM argument:
-Dibm.filenet.security.connectionsProvider.disableRecursiveParentCall=true
– In Connections 5.0 and above, the Connections Installer does this for you!
60. As A Visitor
§ You can add tags but not see existing tag lists
§ You can view partial business cards but not full profiles
§ You can search for content but that only finds things that are shared with you
§ You can share files but only with the Communities you are part of, not with people directly
63. SPNEGO Example For WebSphere
[Diagram: SPNEGO flow, steps as numbered on the slide]
1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Connections
4. Browser sends SPNEGO token to WebSphere along with user name
5. WebSphere contacts Active Directory to validate token and retrieve the user’s name
64. Setting Up SPNEGO
Set up a SPN for the IHS and Connections application servers in Active Directory
Use a dedicated account that you use to start WebSphere as a service
Run setspn -a HTTP/<ihs hostname> <account name running WAS>
If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name
e.g. for Domino update person documents with AD name appended to FullName (and optional
others like krbPrincipalName and LTPA User Name)
65. Why Not SPNEGO
It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft Supported browsers*
It requires a Windows client for the users*
It requires a Windows platform*
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms often using 3rd party
addons
67. Security Assertion Markup Language
SAML is a protocol and process for exchanging authorisation and authentication data for a user
between services and servers
70. SAML Example
[Diagram: SAML web SSO flow, steps as numbered on the slide]
1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
71. Definitions
§ IdP - Identity Provider (SSO)
– ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
• SAML 2.0 only
• can be combined with SPNEGO
• Enhances Integrated Windows Authentication (IWA)
– TFIM (Tivoli Federated Identity Manager)
• SAML 1.1 and 2.0
72. Definitions
§ SP - Service Provider
– IBM WebSphere
• By extension some applications installed under WebSphere
– IBM Domino (web federated login)
– IBM Notes (requires ID Vault) (notes federated login)
73. More Definitions
§ IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via
XML based assertions
§ Assertions have three roles
– Authentication
– Authorisation
– Retrieving Attributes
74. § An IdP can service many service providers
§ An SP can be connected to several IdPs
§ An IdP can use a variety of authentication methods including multi factor
75. Setting Up SAML
§ Choose your IdP if you don’t already have one
– which fits best in your business
§ Build the IdP
§ Configure the SP
§ Sounds easy doesn’t it?
– It’s really not easy by any means but it is worth the investment in time
76. SAML Support In Connections
§ WebSphere supports SAML but that doesn’t mean all applications run under WebSphere
support it
§ Where SAML is configured for authentication and can’t be used by an external application,
WebSphere can generate an LTPA token
§ FileNet / CCM does not support SAML
§ Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with
LTPA
§ Connections Mail, Desktop and Mobile applications cannot use SAML
§ Browser access to the rest of the Connections applications (homepage, profiles, activities,
communities etc) is supported
77. IBM PreApproval Process - SAML Isn’t Supported Without It
§ SAML integration with IBM Connections is supported in specific circumstances
§ WebSphere supports SAML but that doesn’t mean all applications that run under
WebSphere do
§ Specific configuration instructions and fixes are only available from IBM Support once pre-
approval has been completed
§ The pre-approval process is a questionnaire that must be completed and submitted to IBM
so support can evaluate if your environment can be supported
– IBM will also advise the best deployment for SAML to meet your needs
– There is no one size fits all solution
78. Configuring SAML With IBM Connections
§ There are two methods for configuring SAML with IBM Connections
§ For both, the IdPs (Identity Providers) tested are ADFS and TFIM
– Those are the IdPs publicly documented for WebSphere
– That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval
§ WebSphere acts as a SP (service provider) and configuration is completed in the cell
under Global Security
– This means SAML instructions are applied to all applications in the cell
§ SAML can be deployed using WebSphere’s default authenticator or using SAML
redirection
– Using default authenticator gives more scope for external applications
– IBM will advise the best deployment based on your completed questionnaire
79. Engage Online
§ SocialBiz User Group socialbizug.org
– Join the epicenter of Notes and Collaboration user groups
§ Social Business Insights blog ibm.com/blogs/socialbusiness
– Read and engage with our bloggers
§ Follow us on Twitter
– @IBMConnect and @IBMSocialBiz
§ LinkedIn http://bit.ly/SBComm
– Participate in the IBM Social Business group on LinkedIn
§ Facebook https://www.facebook.com/IBMConnected
– Like IBM Social Business on Facebook