Let’s talk about me for a minute
§  Admin of all things and especially quite
complicated things where the fun is
–  Working with security, healthchecks, single sign on,
design and deployment of Domino, ST, Connections and
things that they talk to
§  Stubborn and relentless problem solver
§  Lives in London about half of the time
§  Anything I say in this presentation is
entirely mine & not endorsed by IBM or the
woman on stage with me :-)
Why This Session?
§  Every user within Connections must have a consistent identity
§  That identity originates from a LDAP directory
§  It’s then stored in Connections and used by each of the individual Connections
applications
–  Except they each use the identity differently
–  Except some functionality calls back to LDAP
–  Except it’s IBM which means many different directory types and versions have to be supported
–  Except IBM have little control over how these directories behave
§  Ensuring an identity always points to the same user and that user is the right user is critical
to ensure Connections works
§  This session is to help you understand how to make your directory play nice with
Connections and what can stop it doing that
Connections and LDAP
Authenticating Using LDAP
§  Connections requires us to have a directory to authenticate against
–  There needs to be one good authority for validating users
§  Several methods of single sign on and single identity are supported including 3rd party
tools
§  The quality and reliability of your authoritative LDAP drives more than just user logins
–  Poor LDAP data means poor profile data, technical problems and user dissatisfaction
–  Poor LDAP performance means poor Connections performance and user dissatisfaction
§  LDAP is used primarily during Profile population, authentication and group membership
lookups
–  More on this later
Simple LDAP Configuration In WebSphere
§  Under Global Security – Federated Repositories
–  What are federated repositories?
§  The correct directory type tells WebSphere the correct construct for sending an LDAP
query
§  Connections uses the directories configured in your deployment manager
–  So does Filenet when installed as CCM and directed to use WebSphere
–  Filenet installed standalone has its own directory configuration (SSO alert!)
§  Multiple directories must use unique authentication account names and unique base dn
searches
–  WebSphere gets confused otherwise
Testing LDAP
§  Always backup your deployment manager before making ANY LDAP changes
–  <Dmgr profile>/bin/backupConfig.sh (backupConfig.bat on Windows)
§  Once LDAP is configured in WebSphere, test that it works via the ISC for the deployment
manager
–  The xml file that contains the LDAP configuration details is wimconfig.xml
§  Search for users by email address and make sure their login names are what you expect
§  Search for groups, especially if using Domino for LDAP and make sure they appear
What Happens When LDAP Is Down
§  WebSphere has a significant amount of caching for directory access
§  It can’t authenticate users with no LDAP though
§  Users already logged in will continue to work with a gradual loss of features
§  New users won’t be able to login
WebSphere Load Balanced LDAP
§  If you tell WebSphere to use a load balancer for LDAP the following happens
–  The LB directs WebSphere to a LDAP server to use
–  WebSphere caches that connection and continues to use it
–  If that server goes down but the LB is still up it will take WebSphere 30 minutes or more to
request a new server connection from the LB
§  If however you give WebSphere a list of LDAP servers to use for failover, it will
immediately failover to an alternate if its initial connection fails
Let’s talk about the other woman on stage for a minute
§  Advisory Software Engineer
Connections Directory Services
–  Working on Connections Directory (Waltz), LDAP, Security, CCM and
integration of Connections and applications it talks to!
–  My previous gig was working on Domino Directory: LDAP, DA, Directory
Catalogs, NameLookup, Single Sign-On and all things Directory
§  I work for IBM, so anything I say in this presentation
should appropriately represent IBM (and be polite to
the extremely intelligent woman on stage with me :-))
Connections and User Data
User Data across Connections applications: The Basics!
§  User Data consists of:
–  ID: GUID (we’ll get to that)
–  Attributes of that user
–  Membership
Ø  LDAP Group Membership
(we’ll get to that)
Ø  Community Membership
ID (GUID): 05978bab-2c2c-40c0-9745-1f6cb771dff7
DN: cn=ajones…
uid: ajones
email: ajones@...
User Data: The Basics!
(Diagram: Connections → WebSphere node → VMM → LDAP server or local repository; VMM hands back the user record
GUID: 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN: cn=ajones…, uid: ajones, email: ajones@...)
To confirm the default (Profiles is enabled):
✓  Open LotusConnections-Config.xml
✓  confirm that profiles_directory_service_extension_enabled="true"
(Diagram: every Connections application (Search, Wikis, Homepage, Profiles, Blogs, Bookmarks, Files, Forums,
Moderation, Metrics, Mobile, News, Communities, FileNet, Cognos, etc.) holds its own copy of that record:
GUID: 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN: cn=ajones…, uid: ajones, email: ajones@...)
User Data: Login Names
§  User Data prerequisites (Login Names)
–  Login names (the user name you log into Connections with) must exist in both
Profiles (various columns) AND LDAP
§  Configured in the “login properties”
dialog in WAS for that particular directory
§  When Profiles is populated, the “login table” is built with mail and uid by default
and adds additional attributes from map_dbrepos_from_source.properties
ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com"
-D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass
"(cn=Amy Jones2)"
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
objectclass=top
objectclass=organizationalPerson
objectclass=inetOrgPerson
objectclass=person
uid=Amy Jones2
cn=Amy Jones2
mail=ajones2@janet.iris.com
User Data: Login Names
§  Configured in the “login properties” dialog in WAS for that particular directory:
§  If Connections Content Management (CCM) is installed:
–  By default, Filenet (CCM) assumes uid for the "Security Principal"
–  If the value of login properties is something other than uid, or if uid is not the first value:
•  modify profiles-config.xml, moving the attribute that matches up with the principal to be the first
attribute in the <loginAttributes> section (e.g. email):
User Data: Login Names
§  If CCM is installed (cont’):
–  prof_uid or prof_mail must be the same value as what’s in the login properties
–  A JVM argument needs to be configured on the Filenet (CCM) server and set to the value in the
login properties dialog: (note this is done by default in 5.0 by the connections installer)
www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_inst_config_libraries_newfn.dita
User Data: IDs (GUIDs): The Basics
§  IDs (GUIDS): used internal to Connections for persistent representations of the user.
–  The ID (GUID) is distinct and different from the user's login name.
–  Users identify themselves to the system with their login name.
–  The login name is not generally used to persist a reference to the user:
•  The name may change
•  Different users may acquire the same login name over time
•  Users may have multiple login names
–  Access control lists and community membership lists do not use the login name, they use IDs!
§  Think about other apps, such as Domino
–  Domino uses the Distinguished Name as the ID (and that comes with issues
because DNs can change)
§  MORE on IDs in a minute!
User Data: Mail Addresses
§  Mail Addresses:
–  Must exist in both Profiles AND LDAP
–  The value should be the same in Profiles as in LDAP:
•  However, if the value is different, mail cannot be used as “login name”.
ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com"
-D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass
"(cn=Amy Jones2)"
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
objectclass=top
objectclass=organizationalPerson
objectclass=inetOrgPerson
objectclass=person
uid=Amy Jones2
cn=Amy Jones2
mail=ajones2@janet.iris.com
Connections, Directories and IDs:
Connections, Directories and IDs: What are IDs?
§  The ID is used by Connections for persistent
representations of the user.
§  By Default: Connections uses as its “ID” the Globally Unique Identifier (GUID) for Users and
Groups:
–  It is fixed: a GUID for an object does not change *
–  If an object is deleted, and recreated in LDAP, that object is recreated with a NEW ID (GUID)
–  The terms “GUID” and “ID” can be used interchangeably UNTIL an admin decides they
need to choose something “other” than the default! (e.g. uid, employee ID etc).
WALTZ: [ID=4fda6cc0-0101-102e-88dd-f78755f7e0ed]
§  Connections also generates a GUID for Community Objects (same format as GUID)
Connections, Directories and IDs (GUIDS): What are IDs?
§  To solidify it in your mind: You can search an LDAP to find a GUID for a user:
–  e.g. searching IBM Tivoli Directory Server, where the GUID is the attribute “ibm-entryUUID”:
ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com" -D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)" ibm-entryUUID
cn=Amy Jones2,ou=users,dc=iris,dc=com
ibm-entryuuid=4fda6cc0-0101-102e-88dd-f78755f7e0ed
LDAP Server GUIDS
How does Connections utilize IDs?
§  Connections applications will persist that ID
in their tables
§  Connections Applications will search using that ID
§  Community Membership will be searched using that ID
§  LDAP Group Membership, Group Expansion will be
searched using that ID
(Diagram: the user logs in to Connections as uid=ajones2; LDAP and Profiles both resolve to the same record:
ID (GUID): 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN: cn=ajones2…, uid: ajones2, email: ajones2@...)
§  There are business scenarios when the ID used to identify the object cannot be a GUID.
–  Company has offices all over the world. Employees move from one region to another so they are
deleted from 1 LDAP and re-added to another.
–  Company identifies its employees by a guaranteed unique “Employee ID”
§  Remember: when a user is deleted and re-added, the GUID of a directory object changes
–  Affects IBM Connections applications that may have knowledge of a particular GUID for those objects.
–  When a GUID changes, you must synchronize the LDAP with the Profiles database before that user
logs in again.
–  If you don’t, the user will have two accounts in IBM Connections. One with the old GUID and one with
the new “ID”.
§  It is NOT recommended to change IDs for customers who have Connections Content Manager
(CCM): The user may lose access to content created with a particular ID
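The checks the “Login Names”, “Mail Addresses” and “What are IDs?” slides describe can be run offline against an LDAP export and the Profiles EMPLOYEE table. The Python below is an added example, not from the slides or from IBM: it joins a constructed ldapsearch LDIF dump to constructed EMPLOYEE rows by DN (the slides say prof_source_uid holds the user's DN) and reports a login name missing on one side, a mail value that differs (so mail cannot be the login name), and a GUID that changed because the entry was deleted and re-created (sync before that user logs in, or a second account appears). PROF_GUID is the column the slides name; PROF_SOURCE_UID, PROF_UID and PROF_MAIL as column names, and ibm-entryUUID as the GUID attribute, are assumptions.

```python
"""Profiles-vs-LDAP consistency check (added example, not from the slides).

The LDIF text and EMPLOYEE rows are constructed. Rows are matched to LDAP
entries by DN, kept in the assumed column PROF_SOURCE_UID; the GUID attribute
defaults to ibm-entryUUID as in the ITDS example on the slides.
"""
from typing import Dict, List

# Constructed ldapsearch output for four users (ITDS-style GUID attribute).
LDIF = """\
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
uid: ajones2
mail: ajones2@janet.iris.com
ibm-entryUUID: 4fda6cc0-0101-102e-88dd-f78755f7e0ed

dn: cn=Bob Smith,ou=users,dc=iris,dc=com
uid: bsmith
mail: bob.smith@janet.iris.com
ibm-entryUUID: 11111111-0101-102e-88dd-f78755f7e0ed

dn: cn=Carol White,ou=users,dc=iris,dc=com
uid: cwhite
mail: cwhite@janet.iris.com
ibm-entryUUID: 22222222-0101-102e-88dd-f78755f7e0ed

dn: cn=Dan Brown,ou=users,dc=iris,dc=com
uid: dbrown
mail: dbrown@janet.iris.com
ibm-entryUUID: 33333333-0101-102e-88dd-f78755f7e0ed
"""

# Constructed EMPLOYEE rows. PROF_GUID is named on the slides; the other
# column names are assumptions.
PROFILES = [
    {"PROF_SOURCE_UID": "cn=Amy Jones2,ou=users,dc=iris,dc=com", "PROF_UID": "ajones2",
     "PROF_MAIL": "ajones2@janet.iris.com", "PROF_GUID": "4fda6cc0-0101-102e-88dd-f78755f7e0ed"},
    # Bob: Profiles and LDAP disagree on mail, so mail cannot be his login name.
    {"PROF_SOURCE_UID": "cn=Bob Smith,ou=users,dc=iris,dc=com", "PROF_UID": "bsmith",
     "PROF_MAIL": "bsmith@janet.iris.com", "PROF_GUID": "11111111-0101-102e-88dd-f78755f7e0ed"},
    # Carol: entry was deleted and re-created in LDAP, so LDAP now carries a new GUID.
    {"PROF_SOURCE_UID": "cn=Carol White,ou=users,dc=iris,dc=com", "PROF_UID": "cwhite",
     "PROF_MAIL": "cwhite@janet.iris.com", "PROF_GUID": "99999999-0101-102e-88dd-f78755f7e0ed"},
    # Dan: login name never made it into Profiles.
    {"PROF_SOURCE_UID": "cn=Dan Brown,ou=users,dc=iris,dc=com", "PROF_UID": "",
     "PROF_MAIL": "dbrown@janet.iris.com", "PROF_GUID": "33333333-0101-102e-88dd-f78755f7e0ed"},
]


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a simple LDIF dump into {dn: {attribute (lower-cased): [values]}}."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        line = raw.rstrip()
        if not line:
            if current:
                entries[current["dn"][0]] = current
                current = {}
            continue
        attr, _, value = line.partition(":")
        # LDAP attribute names are case-insensitive, so normalise them.
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_profiles_against_ldap(ldif_text: str, rows: List[dict],
                                guid_attr: str = "ibm-entryuuid") -> Dict[str, List[str]]:
    """Return {dn: [finding codes]} for rows that break the rules on the slides."""
    ldap = parse_ldif(ldif_text)
    findings: Dict[str, List[str]] = {}
    for row in rows:
        dn = row["PROF_SOURCE_UID"]
        entry = ldap.get(dn)
        if entry is None:
            findings[dn] = ["missing-in-ldap"]   # deleted, or the DN changed
            continue
        codes: List[str] = []
        ldap_uid = entry.get("uid", [""])[0]
        ldap_mail = entry.get("mail", [""])[0]
        ldap_guid = entry.get(guid_attr, [""])[0]
        # Login name must exist, and agree, on both sides.
        if not row["PROF_UID"] or not ldap_uid:
            codes.append("login-name-missing")
        elif row["PROF_UID"] != ldap_uid:
            codes.append("login-name-mismatch")
        # Mail must exist on both sides; if it differs it cannot serve as the login name.
        if not row["PROF_MAIL"] or not ldap_mail:
            codes.append("mail-missing")
        elif row["PROF_MAIL"].lower() != ldap_mail.lower():
            codes.append("mail-mismatch")
        # A changed GUID means the LDAP entry was recreated: sync before the next login.
        if row["PROF_GUID"].lower() != ldap_guid.lower():
            codes.append("guid-changed")
        if codes:
            findings[dn] = codes
    return findings


if __name__ == "__main__":
    for dn, codes in check_profiles_against_ldap(LDIF, PROFILES).items():
        print(dn, "->", ", ".join(codes))
```

Run it against a real export (ldapsearch output piped to a file, EMPLOYEE rows exported from the database) before re-enabling a user who has been moved between directories; a guid-changed finding is exactly the case where a second account would otherwise appear.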
Custom IDs: Why?
§  The ID must be globally unique. The ID must not ever be reassigned to a different user or group
in the directory.
–  This makes DN, email, Microsoft Active Directory sAMAccountName and most UID and CN values poor
choices since those might be reused after a user leaves an organization.
§  Must not exceed 252 characters in length. To achieve faster search results, use a fixed-length
attribute for the ID if possible.
§  Must have a one-to-one mapping per directory object.
–  Can’t use an attribute with multiple values as a unique ID. Users- one and only one ID!
§  The object must exist in both the LDAP schema as well as the WebSphere Virtual Member Manager
(VMM) schema
–  If it does not, it must be added to wimxmlextension.xml (may have to be created)
AIX®:/usr/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
Linux™:/opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
Windows™: C:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim
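The rules on the “Custom IDs: Why?” slide (globally unique, never reassigned, single-valued, at most 252 characters, ideally fixed length, present on every object type if it is to be the single ID in wimconfig.xml) can be tested against a directory export before an attribute is chosen. The Python below is an added example, not from the slides or from IBM; the user and group entries are constructed attribute dictionaries, and the employeeID attribute on them is a constructed example of a candidate, not a claim about any schema.

```python
"""Check whether a directory attribute qualifies as a Connections custom ID.

Added example, not from the slides. Entries are constructed user and group
objects as {attribute (lower-cased): [values]} dictionaries.
"""
from collections import Counter
from typing import Dict, List

MAX_ID_LENGTH = 252  # limit given on the slide

ENTRIES: List[Dict[str, List[str]]] = [
    {"dn": ["cn=Amy Jones2,ou=users,dc=iris,dc=com"], "objectclass": ["inetOrgPerson"],
     "uid": ["ajones2"], "employeeid": ["E000123"], "mail": ["ajones2@janet.iris.com"],
     "ibm-entryuuid": ["4fda6cc0-0101-102e-88dd-f78755f7e0ed"]},
    {"dn": ["cn=Bob Smith,ou=users,dc=iris,dc=com"], "objectclass": ["inetOrgPerson"],
     "uid": ["bsmith"], "employeeid": ["E000124"],
     "mail": ["bsmith@janet.iris.com", "bob.smith@janet.iris.com"],   # multi-valued
     "ibm-entryuuid": ["11111111-0101-102e-88dd-f78755f7e0ed"]},
    {"dn": ["cn=Carol White,ou=users,dc=iris,dc=com"], "objectclass": ["inetOrgPerson"],
     "uid": ["cwhite"], "employeeid": ["E000123"],          # duplicate of Amy's
     "mail": ["cwhite@janet.iris.com"],
     "ibm-entryuuid": ["22222222-0101-102e-88dd-f78755f7e0ed"]},
    # A group: no uid, mail or employeeid, only the GUID attribute.
    {"dn": ["cn=sales,ou=groups,dc=iris,dc=com"], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["cn=Amy Jones2,ou=users,dc=iris,dc=com"],
     "ibm-entryuuid": ["33333333-0101-102e-88dd-f78755f7e0ed"]},
]


def validate_id_attribute(entries: List[Dict[str, List[str]]], attr: str) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]}; no errors means attr qualifies."""
    attr = attr.lower()                    # LDAP attribute names are case-insensitive
    errors: List[str] = []
    warnings: List[str] = []
    seen: Counter = Counter()
    lengths = set()
    for entry in entries:
        dn = entry["dn"][0]
        values = entry.get(attr, [])
        if not values:
            # Absent on this object type: cannot be the single ID in wimconfig.xml.
            errors.append(f"missing: {dn} has no {attr}")
            continue
        if len(values) > 1:
            errors.append(f"multi-valued: {dn} has {len(values)} values for {attr}")
        for value in values:
            if len(value) > MAX_ID_LENGTH:
                errors.append(f"too-long: {dn} value exceeds {MAX_ID_LENGTH} characters")
            seen[value.lower()] += 1
            lengths.add(len(value))
    for value, count in sorted(seen.items()):
        if count > 1:
            errors.append(f"not-unique: {attr}={value} appears on {count} entries")
    if len(lengths) > 1:
        warnings.append(f"variable-length: {attr} lengths {sorted(lengths)}; fixed length searches faster")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for candidate in ("ibm-entryUUID", "employeeID", "mail", "uid"):
        print(candidate, validate_id_attribute(ENTRIES, candidate))
```

The GUID attribute passes cleanly; employeeID fails on uniqueness and on the group object (so it could only be set per object type in LotusConnections-config.xml, not as the single ID in wimconfig.xml); mail fails as multi-valued, which is the reason the slide excludes multi-valued attributes.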
Custom IDs: Considerations for the selection of an ID:
§  Profiles database contains the value of each user's ID in the PROF_GUID column of the
EMPLOYEE table:
–  The value used in the PROF_GUID must match some attribute in your LDAP directory.
§  Connections must be made aware of which attribute from your directory to use for the ID
–  Modify LotusConnections-config.xml:
•  e.g. your custom ID is “uid”: locate the “serviceName” tag in your xml:
<sloc:serviceReference profiles_directory_service_extension_enabled="true"
serviceName="directory" custom_user_id_attribute="uid"/>
•  To customize your group ID: custom_group_id_attribute="uid"/>
–  Check ID (GUID) value in the map_dbrepos_from_source.properties file
–  Note! prof_source_uid must be the distinguished name of the user in WebSphere LDAP
distinguishedName=$dn
Custom IDs: Specifying them in Connections (LotusConnections-Config.xml)
Note- the attribute used must exist for
a group object!
Modifying wimconfig.xml instead of LotusConnections-Config.xml
§  wimconfig.xml governs a single ID attribute for all supported objects such as users
(PersonAccount), Groups, and organizations (OrgContainer) in the WebSphere Application
Server.
§  An administrator chooses to make the custom ID modifications in wimconfig.xml when:
–  An administrator has chosen a custom ID that does NOT exist in LDAP and/or the VMM schema.
–  An administrator determines there is one LDAP attribute that exists for ALL VMM entity types
(e.g PersonAccount and Groups, OrgContainers)
•  If the attribute is NOT available within each object class (e.g. 'employeeID' exists for inetOrgPerson but
not for the groupOfUniqueNames objectclass used by group objects), then that attribute
CANNOT be used to specify the custom ID in wimconfig.xml. NOPE!
§  An administrator must modify wimxmlextension.xml when:
–  An admin chooses to use an “LDAP extended attribute” for a custom ID:
•  Modify LDAP (the attribute isn't there yet!)
•  Modify VMM
•  Add the new VMM schema property to wimxmlextension.xml
Populating Profiles
Tivoli Directory Integrator - The Engine
§  TDI acts as the translator to convert data from one source to another
–  In this case from whatever the LDAP directory is to DB2, SQL Server or Oracle
§  There is no way for companies to create profiles on premises without TDI
§  TDI needs to be installed so the engine and libraries are present
§  How much you customise or work with it is then entirely down to your company’s
requirements
Moving Data Into Connections
§  Population Wizard: simple, manual; 1 LDAP source > Profile
§  XML files from TDISOL: 1 LDAP source > Profile; some data manipulation
§  Assemblyline: advanced, realtime; multiple data sources; full data manipulation
The DB Wizard
§  The simplest method to move LDAP data to Connections is using the supplied DB Wizard
§  Backup PeopleDB before starting
§  DBWizard is great if you have only a single LDAP source and good data
–  It also helps you get started with customising TDISol (more later)
§  Each step of DBWizard is validated so you can’t progress through to population unless
your LDAP server details are correct
–  That’s a good thing
TDISol
§  The TDISol directory extracts as part of the Connections install
–  You should always check for an updated version on Fix Central
§  It contains all the custom scripts you need to build your own population engine
–  All you need do is complete 4 simple properties files
–  And a batch file
–  And install TDI
–  But that’s it
Important TDISol Files
§  Profiles_tdi.properties
–  Pay attention to guid property in particular
–  Also delete or inactivate users
§  map_dbrepos_from_source
§  map_dbrepos_to_source
–  You can only map an attribute in one direction so verify
the same attribute isn’t mapped in both files or the updates
will keep overwriting each other
§  Profiles_functions.js
§  Solution.properties
§  Tdienv.bat / tdienv.sh
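The map_dbrepos_from_source / map_dbrepos_to_source rule above (an attribute may only be mapped in one direction, otherwise the two syncs overwrite each other) is easy to check mechanically. The Python below is an added example, not part of TDISol; both property files are constructed, and their orientation (from_source as prof_column=ldap_attribute, to_source as ldap_attribute=prof_column) is an assumption to verify against your own copies before relying on the result.

```python
"""Find attributes mapped in both TDISol direction files.

Added example, not part of TDISol. Property file contents and their
key/value orientation are assumptions; prof_source_uid=$dn and
{func_map_from_GUID} follow the forms shown on the slides.
"""
from typing import Dict, List

FROM_SOURCE = """\
# map_dbrepos_from_source.properties (constructed): Profiles column = LDAP attribute
prof_guid={func_map_from_GUID}
prof_source_uid=$dn
prof_uid=uid
prof_mail=mail
prof_display_name=cn
prof_telephone=telephoneNumber
prof_mobile=mobile
"""

TO_SOURCE = """\
# map_dbrepos_to_source.properties (constructed): LDAP attribute = Profiles column
telephoneNumber=prof_telephone
cell=prof_mobile
roomNumber=prof_office
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value, '#'/'!' comments and blanks ignored."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def attributes_mapped_both_ways(from_text: str, to_text: str) -> List[str]:
    """Strict check: same Profiles column and same LDAP attribute in both files."""
    from_map = parse_properties(from_text)      # prof_col -> ldap attr
    to_map = parse_properties(to_text)          # ldap attr -> prof_col
    # Normalise to (column, attribute) pairs; skip {function} and $dn pseudo-attributes,
    # and compare attribute names case-insensitively as LDAP does.
    from_pairs = {(col, attr.lower()) for col, attr in from_map.items()
                  if not attr.startswith(("{", "$"))}
    to_pairs = {(col, attr.lower()) for attr, col in to_map.items()}
    return sorted(col for col, _ in from_pairs & to_pairs)


def columns_mapped_both_ways(from_text: str, to_text: str) -> List[str]:
    """Looser check: a Profiles column filled from LDAP and also pushed back to LDAP,
    even when the LDAP attribute names differ (e.g. mobile one way, cell the other)."""
    from_cols = set(parse_properties(from_text))
    to_cols = set(parse_properties(to_text).values())
    return sorted(from_cols & to_cols)


if __name__ == "__main__":
    print("same attribute both ways:", attributes_mapped_both_ways(FROM_SOURCE, TO_SOURCE))
    print("column written both ways:", columns_mapped_both_ways(FROM_SOURCE, TO_SOURCE))
```

The looser check is the one to act on: prof_mobile is filled from LDAP's mobile and written back to cell, so each run of one direction undoes the other even though the attribute names differ.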
Assemblylines
§  What is a TDI Assemblyline?
§  Why would I write my own?
§  Why don’t IBM supply standard ones?
§  What functions are available to me?
§  Working with the Configuration Editor
Multiple Directories
§  Each person must only appear in one directory
§  Multiple directories cannot be deployed using DBWizard
§  Instead use multiple TDISol configurations
–  or a custom Assemblyline
Connections Security
Populating Connections From A Different Directory Than LDAP
§  It’s possible that you would want to authenticate users from one directory but populate
profiles from another
§  This is supported and technically it's not difficult, however:
–  The user data in both directories must match up with the same unique key
–  The user should ideally have the same email address in both directories
–  It significantly increases the complexity of the data and the chances of poor or mismatched
information being returned to the users
§  It’s an advanced solution for a very specific use case
–  Far better to be able to use your LDAP authentication server(s) as your data source
Connections Security Users vs Groups
§  Application Security
§  User Access in Communities, Wikis, Activities, Blogs
§  Browsing to grant authority in applications
§  Cached security and group memberships in WAS
§  Nested group behaviour (more on that later from Terri)
Groups: Configuration, Twists and Turns
Groups Overview: Overview
§  Group Expansion: “Given a group name, return all its members”
–  A list of members in a particular group
–  Functionality is provided through a series of “type-ahead” or “Group Browse” dialogs
–  Search for groups using type-ahead
•  Type in exact group names, OR partial
•  Nested groups: can expand groups at each level of nesting
§  Group Membership: “Give me all the groups that a given user or group is a member of”
–  Used to compute user, group and community membership across Connections applications (Activities,
Communities, Files and Wikis)
–  Used by each application to grant access to content, adding or modifying membership etc.
–  LDAP directories can be deployed to use nested groups (groups that contain group members)
Groups: An overview (cont’d)
§  Determining group membership has the potential to affect the performance of Connections
Applications, as well as directory providers (LDAP).
–  Computing membership can affect performance
–  Nested groups can have an impact on performance
§  Connections makes every attempt to act "responsibly" and optimize
its membership checking functionality
–  determined by enumerating through all member attributes for a particular group entry
–  Attribute differs depending on each LDAP service provider
–  If nested groups are deployed in LDAP and enabled in WAS, those groups will be enumerated as well
§  Nested groups require an operational attribute:
–  Why? (That is why I had the BIG BLUE CLOUD APPEAR!)
–  Enables Connections to utilize the efficient manner that LDAP Providers use to enumerate group
membership.
Groups: Membership Configuration in Websphere (WAS):
§  Operational attributes:
–  attributes that have special meaning to the Directory Server
–  maintained by the server and reflect information the server manages about an entry/server operation.
§  Necessary items to configure in WAS for group membership functionality.
–  Member: an attribute that indicates the groups to which an entry belongs
•  Distinguished Name syntax, multi-valued, and has an objectclass associated with it
(an objectclass basically defines the collection of attributes that can be used to define an entry)
–  Membership (using Operation Attributes)
§  LDAP example we’ll go through configuring
in Websphere (WAS)
Groups: Membership Configuration in (WAS):
§  Connections requires that Group membership be configured in WAS
§  From the WAS Admin Console:
§  Navigate to Global Security Tab → Federated Repositories → Manage repositories → select
your LDAP:
§  Select “Group attribute definition” from the Additional Properties section:
§  Add the membership attribute
§  Nested Groups? Use the operational attribute for nested
Why? (Remember that big blue cloud?)
Connections uses the performance-minded operational attribute for membership checking!
Groups: Membership Configuration in Websphere (WAS):
§  Choosing the Name of the group Membership operational attribute:
–  Dependent upon the LDAP repository configured in WAS!
§  Choose scope of the group membership attribute:
Groups: Member Configuration in WAS
§  Connections requires that group member attributes be configured in WAS:
–  Necessary for Connections' support of group expansion
–  Also a factor in Connections' support of group membership (as previously mentioned)
§  From the WAS Admin Console:
–  Navigate to Global Security Tab → Federated Repositories → Manage repositories →Select
your LDAP -> Select the member attribute from the additional properties section
§  Enter the Member attribute/Objectclass pairing
required for your particular LDAP service:
LDAP Objectclass/Attribute pairings table:
Nested Groups: (Now the hard part!)- “A few twists and turns”
IBM Tivoli Directory Server…
§  IBM Tivoli Directory Server (ITDS) requires a specific set of Attribute/Objectclass pairings
to be deployed in the LDAP directory for nested groups:
§  Membership:
–  The LDAP operational attribute for ITDS is “ibm-allGroups”
–  ITDS must be configured to contain nested group entries
using the auxiliary objectclass “ibm-nestedGroup”
§  Member:
–  Add the “ibm-memberGroup” member attribute
in the “Name of member attribute” dialog
–  Add the auxiliary objectclass “ibm-nestedGroup”
denoting the objectclass of the nested group
entries in the ITDS directory itself.
–  Select “Direct” (applies to members themselves)
Nested Groups: ITDS and Member:
§  ITDS should also have groups deployed using the standard supported default attribute/
objectclass pairings:
–  *uniquemember/groupOfUniqueNames (as documented in the upcoming table)
§  The Connections / WAS administrator may not be the same person as the LDAP
administrator: i.e- there needs to be coordination!
Nested Groups: “A few twists and turns”- Domino Directory Server…
§  Groups in Domino are “Flat Groups”
§  What is a Flat Group?
–  A group that exists in the root level of a LDAP directory.
–  Unlike a hierarchical group, it does not have a tree-like structure, e.g. “cn=group1”
§  How to Configure WebSphere to find Domino flatgroups?
–  wimconfig.xml is your customization tool!
–  Edit and replace <config:baseEntries name="o=ORGX" nameInRepository="o=ORGX"/>
with <config:baseEntries name="" nameInRepository=""/>
–  Replace <config:participatingBaseEntries name="o=ORGX"/>
with <config:participatingBaseEntries name=""/>
§  The wimconfig.xml file is stored in the following location:
Linux:/opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim/config
Windows: <drive>:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim\config
Nested Groups: “A few twists and turns”- Active Directory
§  The LDAP Operational Attribute for Active Directory is “memberOf”
§  However, by default- Active Directory does NOT expand nested groups
§  Websphere has compensated for this:
–  Configure WAS using “memberOf”
–  Set the group membership scope to
DIRECT (telling VMM not to depend on LDAP to do the nested expansion for us!)
§  Connections also must do its part!
–  Connections 4.5- get the iFix (LO80435)
–  Connections 5.0 CR1 –fixed in that
–  Enable JVM to indicate you WANT it to chase nested groups:
•  Add following to Generic JVM arguments
-Dcom.ibm.connections.recursively.search.membership=true
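What the DIRECT scope plus the recursive JVM argument actually changes is easiest to see in code. The Python below is an added example, not from the slides and not WebSphere/VMM code; the directory is constructed, with a deliberate cycle (sales contains sales-emea, which contains sales-uk, which contains sales again) because a recursive chase without a visited set would never finish. It covers both operations the “Groups Overview” slide defines: membership (“all the groups a user is in”), as a DIRECT-only memberOf lookup and as the recursive expansion, and group expansion (“given a group, return all its members”).

```python
"""Nested group membership the two ways the slides contrast.

Added example, not from the slides or from WebSphere/VMM; the directory is
constructed. direct_memberships() is what a DIRECT-scope memberOf lookup
returns (Active Directory does not expand nesting for you); all_memberships()
is the recursive chase Connections does when
-Dcom.ibm.connections.recursively.search.membership=true is set, with cycle
protection; expand_group() is group expansion following nested groups.
"""
from typing import Dict, List, Set

# Constructed directory: group DN -> direct member DNs (users or other groups).
GROUPS: Dict[str, List[str]] = {
    "cn=sales,ou=groups,dc=iris,dc=com": [
        "cn=Amy Jones2,ou=users,dc=iris,dc=com",
        "cn=sales-emea,ou=groups,dc=iris,dc=com"],
    "cn=sales-emea,ou=groups,dc=iris,dc=com": [
        "cn=Bob Smith,ou=users,dc=iris,dc=com",
        "cn=sales-uk,ou=groups,dc=iris,dc=com"],
    "cn=sales-uk,ou=groups,dc=iris,dc=com": [
        "cn=Carol White,ou=users,dc=iris,dc=com",
        "cn=sales,ou=groups,dc=iris,dc=com"],        # cycle back to sales
    "cn=all-staff,ou=groups,dc=iris,dc=com": [
        "cn=sales,ou=groups,dc=iris,dc=com",
        "cn=Dan Brown,ou=users,dc=iris,dc=com"],
}


def member_of_index(groups: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Invert member lists into the shape of a memberOf attribute: DN -> direct parent groups."""
    index: Dict[str, Set[str]] = {}
    for group_dn, members in groups.items():
        for member_dn in members:
            index.setdefault(member_dn, set()).add(group_dn)
    return index


def direct_memberships(groups: Dict[str, List[str]], dn: str) -> Set[str]:
    """Scope DIRECT: only the groups that list dn as a member themselves."""
    return set(member_of_index(groups).get(dn, set()))


def all_memberships(groups: Dict[str, List[str]], dn: str) -> Set[str]:
    """Recursive membership: every group reachable through nesting, cycle-safe."""
    index = member_of_index(groups)
    seen: Set[str] = set()
    stack = list(index.get(dn, set()))
    while stack:
        group_dn = stack.pop()
        if group_dn in seen:
            continue            # already visited: this is what breaks the sales/sales-uk loop
        seen.add(group_dn)
        stack.extend(index.get(group_dn, set()))
    return seen


def expand_group(groups: Dict[str, List[str]], group_dn: str) -> Set[str]:
    """Group expansion: all user DNs reachable from group_dn through nested groups."""
    users: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member_dn in groups.get(current, []):
            if member_dn in groups:
                stack.append(member_dn)   # nested group: descend into it
            else:
                users.add(member_dn)      # leaf: a user entry
    return users


if __name__ == "__main__":
    carol = "cn=Carol White,ou=users,dc=iris,dc=com"
    print("direct:", sorted(direct_memberships(GROUPS, carol)))
    print("recursive:", sorted(all_memberships(GROUPS, carol)))
    print("all-staff expands to:", sorted(expand_group(GROUPS, "cn=all-staff,ou=groups,dc=iris,dc=com")))
```

With an ITDS-style operational attribute (ibm-allGroups) the server returns the recursive set itself and the chase is unnecessary; with Active Directory's memberOf the DIRECT result is all you get, which is why the JVM argument is needed for Carol to be seen as a member of all-staff.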
Nested Groups: CCM Integration
§  Connections/CCM Integration
–  In Connections 4.5, CCM (Filenet) makes an effort to manually expand nested groups on its own
•  To disable this functionality it is recommended you set the JVM argument:
-Dibm.filenet.security.connectionsProvider.disableRecursiveParentCall=true
–  In Connections 5.0 and above, the Connections Installer does this for you!
External Users
How Does It Work - The Brief Version
In general an external user is limited to participating
in a restricted community they are invited into
This isn’t a bad thing
(Screenshots: internal vs visitor views of the Homepage, a Community page and My Profile)
As A Visitor
§  You can add tags but not see existing tag lists
§  You can view partial business cards but not full profiles
§  You can search for content but that only finds things that are shared with you
§  You can share files but only with the Communities you are part of, not with people directly
Single Sign On
SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
(known as NTLM or Kerberos in Active Directory)
Steps:
1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Connections
4. Browser sends SPNEGO token to WebSphere along with user name
5. WebSphere contacts Active Directory to validate token and retrieve the user's name
Setting Up SPNEGO
Set up a SPN for the IHS and Connections application servers in Active Directory
Use a dedicated account that you use to start WebSphere as a service
Run setspn -a HTTP/<ihs hostname> <account name running WAS>
If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name
e.g. for Domino update person documents with the AD name appended to FullName (and optionally
others like krbPrincipalName and LTPA User Name)
Why Not SPNEGO
It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft Supported browsers*
It requires a Windows client for the users*
It requires a Windows platform*
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms often using 3rd party
addons
What Is SAML
Security Assertion Markup Language
SAML is a protocol and process for exchanging
authorisation and authentication data for a user between
services and servers
(Diagram: one IdP (Identity Provider) serving several SPs (Service Providers))
No passwords…..
–  To compromise
–  To expire
–  To intercept
Once a user has authenticated
with the IdP they won't be asked
again
SAML Example
Steps:
1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
Definitions
§  IdP - Identity Provider (SSO)
–  ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
•  SAML 2.0 only
•  can be combined with SPNEGO
•  Enhances Integrated Windows Authentication (IWA)
–  TFIM (Tivoli Federated Identity Manager)
•  SAML 1.1 and 2.0
Definitions
§  SP - Service Provider
–  IBM WebSphere
•  By extension some applications installed under WebSphere
–  IBM Domino (web federated login)
–  IBM Notes (requires ID Vault) (notes federated login)
More Definitions
§  IdP (Identity Providers) use HTTP or SOAP to communicate to SP (Service Providers) via
XML based assertions
§  Assertions have three roles
–  Authentication
–  Authorisation
–  Retrieving Attributes
§  An IdP can service many service providers
§  A SP can be connected to several IdPs
§  An IdP can use a variety of authentication methods including multi factor
Setting Up SAML
§  Choose your IdP if you don’t already have one
–  which fits best in your business
§  Build the IdP
§  Configure the SP
§  Sounds easy doesn’t it?
–  It’s really not easy by any means but it is worth the investment in time
SAML Support In Connections
§  WebSphere supports SAML but that doesn’t mean all applications run under WebSphere
support it
§  Where SAML is configured for authentication and can’t be used by an external application,
WebSphere can generate a LTPA token
§  FileNet / CCM does not support SAML
§  Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with
LTPA
§  Connections Mail, Desktop and Mobile applications cannot use SAML
§  Browser access to the rest of the Connections applications (homepage, profiles, activities,
communities etc) is supported
IBM PreApproval Process - SAML Isn’t Supported Without It
§  SAML integration with IBM Connections is supported in specific circumstances
§  WebSphere supports SAML but that doesn’t mean all applications that run under
WebSphere do
§  Specific configuration instructions and fixes are only available from IBM Support once pre-
approval has been completed
§  The pre-approval process is a questionnaire that must be completed and submitted to IBM
so support can evaluate if your environment can be supported
–  IBM will also advise the best deployment for SAML to meet your needs
–  There is no one size fits all solution
Configuring SAML With IBM Connections
§  There are two methods for configuring SAML with IBM Connections
§  For both the IdP (Identity Provider) tested are ADFS and TFIM
–  Those are the IdPs publicly documented for WebSphere
–  That’s not to say other IdP wouldn’t be supported if accepted for pre-approval
§  WebSphere acts as a SP (service provider) and configuration is completed in the cell
under Global Security
–  This means SAML instructions are applied to all applications in the cell
§  SAML can be deployed using WebSphere’s default authenticator or using SAML
redirection
–  Using default authenticator gives more scope for external applications
–  IBM will advise the best deployment based on your completed questionnaire
Engage Online
§  SocialBiz User Group socialbizug.org
–  Join the epicenter of Notes and Collaboration user groups
§  Social Business Insights blog ibm.com/blogs/socialbusiness
–  Read and engage with our bloggers
§  Follow us on Twitter
–  @IBMConnect and @IBMSocialBiz
§  LinkedIn http://bit.ly/SBComm
–  Participate in the IBM Social Business group on LinkedIn
§  Facebook https://www.facebook.com/IBMConnected
–  Like IBM Social Business on Facebook
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include
unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED.
IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF
PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results
they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational
purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory
requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products
will ensure that the customer is in compliance with any law.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with
this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers
of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES,
EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®,
PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.

Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationBradBedford3
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfDrew Moseley
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 

Dernier (20)

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.ppt
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Odoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting ServiceOdoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting Service
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Comparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdfComparing Linux OS Image Update Models - EOSS 2024.pdf
Comparing Linux OS Image Update Models - EOSS 2024.pdf
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 

Connections Directory Integration: A Tour Through Best Practices for Directory and Security Integration With IBM Connections

  • 1.
  • 2. Let’s talk about me for a minute
    §  Admin of all things and especially quite complicated things where the fun is
      –  Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
    §  Stubborn and relentless problem solver
    §  Lives in London about half of the time
    §  Anything I say in this presentation is entirely mine & not endorsed by IBM or the woman on stage with me ☺
  • 3. Why This Session?
    §  Every user within Connections must have a consistent identity
    §  That identity originates from an LDAP directory
    §  It’s then stored in Connections and used by each of the individual Connections applications
      –  Except they each use the identity differently
      –  Except some functionality calls back to LDAP
      –  Except it’s IBM, which means many different directory types and versions have to be supported
      –  Except IBM have little control over how these directories behave
    §  Ensuring an identity always points to the same user, and that that user is the right user, is critical to ensure Connections works
    §  This session is to help you understand how to make your directory play nice with Connections and what can stop it doing that
  • 5. Authenticating Using LDAP
    §  Connections requires us to have a directory to authenticate against
      –  There needs to be one good authority for validating users
    §  Several methods of single sign on and single identity are supported, including 3rd party tools
    §  The quality and reliability of your authoritative LDAP drives more than just user logins
      –  Poor LDAP data means poor profile data, technical problems and user dissatisfaction
      –  Poor LDAP performance means poor Connections performance and user dissatisfaction
    §  LDAP is used primarily during Profile population, authentication and group membership lookups
      –  More on this later
  • 6. Simple LDAP Configuration In WebSphere
    §  Under Global Security – Federated Repositories
      –  What are federated repositories?
    §  The correct directory type tells WebSphere the correct construct for sending an LDAP query
    §  Connections uses the directories configured in your deployment manager
      –  So does Filenet when installed as CCM and directed to use WebSphere
      –  Filenet installed standalone has its own directory configuration (SSO alert!)
    §  Multiple directories must use unique authentication account names and unique base DN searches
      –  WebSphere gets confused otherwise
  • 7. Testing LDAP
    §  Always back up your deployment manager before making ANY LDAP changes
      –  Dmgr\bin\backupConfig.sh / .bat
    §  Once LDAP is configured in WebSphere, test that it works via the ISC for the deployment manager
      –  The XML file that contains the LDAP configuration details is wimconfig.xml
    §  Search for users by email address and make sure their login names are what you expect
    §  Search for groups, especially if using Domino for LDAP, and make sure they appear
  • 8. What Happens When LDAP Is Down
    §  WebSphere has a significant amount of caching for directory access
    §  It can’t authenticate users with no LDAP though
    §  Users already logged in will continue to work with a gradual loss of features
    §  New users won’t be able to log in
  • 9. WebSphere Load Balanced LDAP
    §  If you tell WebSphere to use a load balancer for LDAP the following happens
      –  The LB directs WebSphere to an LDAP server to use
      –  WebSphere caches that connection and continues to use it
      –  If that server goes down but the LB is still up, it will take WebSphere 30 minutes or more to request a new server connection from the LB
    §  If however you give WebSphere a list of LDAP servers to use for failover, it will immediately fail over to an alternate if its initial connection fails
  • 10. Let’s talk about the other woman on stage for a minute
    §  Advisory Software Engineer, Connections Directory Services
      –  Working on Connections Directory (Waltz), LDAP, Security, CCM and integration of Connections and applications it talks to!
      –  My previous gig was working on Domino Directory: LDAP, DA, Directory Catalogs, NameLookup, Single Sign-On and all things Directory
    §  I work for IBM, so anything I say in this presentation should appropriately represent IBM (and be polite to the extremely intelligent woman on stage with me ☺)
  • 12. User Data across Connections applications: The Basics!
    §  User Data consists of:
      –  ID: GUID (we’ll get to that)
      –  Attributes of that user
      –  Membership
        Ø  LDAP Group Membership (we’ll get to that)
        Ø  Community Membership
    Example user record from the slide:
      ID (GUID): 05978bab-2c2c-40c0-9745-1f6cb771dff7
      DN: cn=ajones…
      uid: ajones
      email: ajones@...
  • 13. User Data: The Basics!
    [Diagram: the LDAP server feeds the Connections WebSphere node’s VMM local repository, and the same user record (GUID 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN cn=ajones…, uid ajones, email ajones@...) is held by each application: Search, Wikis, Homepage, Profiles, Blogs, Bookmarks, Files, Forums, Moderation, Metrics, Mobile, News, Communities, Filenet, Cognos, etc.]
    To confirm the default (Profiles is enabled):
      ✓  Open LotusConnections-Config.xml
      ✓  Confirm that profiles_directory_service_extension_enabled="true"
  • 14. User Data: Login Names
    §  User Data prerequisites (Login Names)
      –  Login names (the user name you log into Connections with) must exist in both Profiles (various columns) AND LDAP
    §  Configured in the “login properties” dialog in WAS for that particular directory
    §  When Profiles is populated, the “login table” is built with mail and uid by default and adds additional attributes from map_dbrepos_from_source.properties
    Example search and result:
      ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com" -D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)"
      dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
      objectclass=top
      objectclass=organizationalPerson
      objectclass=inetOrgPerson
      objectclass=person
      uid=Amy Jones2
      cn=Amy Jones2
      mail=ajones2@janet.iris.com
  • 15. User Data: Login Names
    §  Configured in the “login properties” dialog in WAS for that particular directory:
    §  If Connections Content Management (CCM) is installed:
      –  By default, Filenet (CCM) assumes uid for the "Security Principal"
      –  If the value of login properties is something other than uid, or if uid is not the first value:
        •  Modify profiles-config.xml, moving the attribute that matches up with the principal to be the first attribute in the <loginAttributes> section (e.g. email):
  • 16. User Data: Login Names
    §  If CCM is installed (cont’d):
      –  prof_uid or prof_mail must be the same value as what’s in the login properties
      –  A JVM argument needs to be configured on the Filenet (CCM) server and set to the value in the login properties dialog (note this is done by default in 5.0 by the Connections installer)
      www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_inst_config_libraries_newfn.dita
  • 17. User Data: IDs (GUIDs): The Basics
    §  IDs (GUIDs): used internally to Connections for persistent representations of the user.
      –  The ID (GUID) is distinct and different from the user's login name.
      –  Users identify themselves to the system with their login name.
      –  The login name is not generally used to persist a reference to the user:
        •  Names may change
        •  Different users may acquire the same login name over time
        •  Users may have multiple login names
      –  Access control lists and community membership lists do not use the login name, they use IDs!
    §  Think about other apps, such as Domino
      –  Domino uses the Distinguished Name as the ID (and that comes with issues because DNs can change)
    §  MORE on IDs in a minute!
  • 18. User Data: Mail Addresses
    §  Mail Addresses:
      –  Must exist in both Profiles AND LDAP
      –  The value should be the same in Profiles as in LDAP:
        •  However, if the value is different, mail cannot be used as “login name”.
    Example search and result:
      ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com" -D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)"
      dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
      objectclass=top
      objectclass=organizationalPerson
      objectclass=inetOrgPerson
      objectclass=person
      uid=Amy Jones2
      cn=Amy Jones2
      mail=ajones2@janet.iris.com
  • 20. Connections, Directories and IDs: What are IDs?
    §  The ID is used by Connections for persistent representations of the user.
    §  By default, Connections uses as its “ID” the Globally Unique Identifier (GUID) for Users and Groups:
      –  It is fixed: a GUID for an object does not change *
      –  If an object is deleted and recreated in LDAP, that object is recreated with a NEW ID (GUID)
      –  The terms “GUID” and “ID” can be used interchangeably UNTIL an admin decides they need to choose something “other” than the default! (e.g. uid, employee ID etc.)
      WALTZ: [ID=4fda6cc0-0101-102e-88dd-f78755f7e0ed]
    §  Connections also generates a GUID for Community Objects (same format as GUID)
  • 21. Connections, Directories and IDs (GUIDs): What are IDs?
    §  To solidify it in your mind: you can search an LDAP to find a GUID for a user:
      –  e.g. searching IBM Tivoli Directory Server, the GUID is referred to as “ibm-entryUUID”
      ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com" -D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)" ibm-entryUUID
      cn=Amy Jones2,ou=users,dc=iris,dc=com
      ibm-entryuuid=4fda6cc0-0101-102e-88dd-f78755f7e0ed
    [Diagram: LDAP server holding the GUIDs]
  • 22. How does Connections utilize IDs?
    §  Connections Applications will persist that ID in its tables
    §  Connections Applications will search using that ID
    §  Community Membership will be searched using that ID
    §  LDAP Group Membership and Group Expansion will be searched using that ID
    [Diagram: a user logs in to Connections as uid=ajones2; LDAP and Profiles both resolve to the same record: ID (GUID) 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN cn=ajones2…, uid ajones2, email ajones2@...]
  • 23. Custom IDs: Why?
    §  There are business scenarios when the ID used to identify the object cannot be a GUID.
      –  Company has offices all over the world. Employees move from one region to another, so they are deleted from one LDAP and re-added to another.
      –  Company identifies its employees by a guaranteed unique “Employee ID”
    §  Remember: when a user is deleted and re-added, the GUID of a directory object changes,
      –  Affects IBM Connections applications that may have knowledge of a particular GUID for those objects.
      –  When a GUID changes, you must synchronize the LDAP with the Profiles database before that user logs in again.
      –  If you don’t, the user will have two accounts in IBM Connections: one with the old GUID and one with the new “ID”.
    §  It is NOT recommended to change IDs for customers who have Connections Content Manager (CCM): the user may lose access to content created with a particular ID
  • 24. Custom IDs: Considerations for the selection of an ID
    §  The ID must be globally unique. The ID must not ever be reassigned to a different user or group in the directory.
      –  This makes DN, email, Microsoft Active Directory sAMAccountName and most UID and CN values poor choices, since those might be reused after a user leaves an organization.
    §  Must not exceed 252 characters in length. To achieve faster search results, use a fixed-length attribute for the ID if possible.
    §  Must have a one-to-one mapping per directory object.
      –  Can’t use an attribute with multiple values as a unique ID. Users: one and only one ID!
    §  The object must exist in both the LDAP schema as well as the WebSphere Virtual Member Manager (VMM) schema
      –  If it does not, it must be added to wimxmlextension.xml (may have to be created):
        AIX®: /usr/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
        Linux™: /opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
        Windows™: C:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim
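The selection rules on this slide can be checked against a directory export before anyone edits LotusConnections-config.xml. The script below is an added example, not from the presentation or from IBM: it parses a small constructed LDIF export (users and a group) and tests a candidate attribute for presence on every entry, single-valuedness, the 252-character limit and uniqueness across entries. Entry names and values are made up.

```python
"""Sanity-check a candidate custom ID attribute for IBM Connections.

Added example (not from the original presentation). It applies the rules from
the "Custom IDs: Considerations" slide: the attribute must be present on every
user AND group entry, single-valued, at most 252 characters, and unique across
all entries. Run it over a real "ldapsearch -L" export of the Connections
base DNs to see whether an attribute is a safe choice.
"""
from collections import defaultdict

MAX_ID_LENGTH = 252  # limit stated on the slide

# Constructed LDIF sample: two users (one with two uid values, one reusing a
# mail address) and one group that carries no uid/mail/employeeNumber.
SAMPLE_LDIF = """\
dn: cn=Amy Jones,ou=users,dc=example,dc=com
objectclass: inetOrgPerson
uid: ajones
mail: ajones@example.com
employeeNumber: 1001
ibm-entryUUID: 4fda6cc0-0101-102e-88dd-000000000001

dn: cn=Bob Smith,ou=users,dc=example,dc=com
objectclass: inetOrgPerson
uid: bsmith
uid: bob.smith
mail: ajones@example.com
employeeNumber: 1002
ibm-entryUUID: 4fda6cc0-0101-102e-88dd-000000000002

dn: cn=Connections Admins,ou=groups,dc=example,dc=com
objectclass: groupOfUniqueNames
uniquemember: cn=Amy Jones,ou=users,dc=example,dc=com
ibm-entryUUID: 4fda6cc0-0101-102e-88dd-000000000003
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into a list of {'dn', 'attrs'} dicts.

    Handles only the subset needed here: one "attr: value" per line, entries
    separated by blank lines, no base64 ("::") or continuation lines.
    Attribute names are lower-cased because LDAP compares them case-insensitively.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    if current:
        entries.append(current)
    return entries


def check_custom_id(entries, attr):
    """Return human-readable problems; an empty list means attr is usable."""
    attr = attr.lower()
    problems = []
    owners = defaultdict(list)  # value -> DNs carrying it (uniqueness check)
    for entry in entries:
        values = entry["attrs"].get(attr, [])
        if not values:  # must exist on users AND groups
            problems.append(f"{entry['dn']}: missing {attr}")
            continue
        if len(values) > 1:  # one-to-one mapping per object
            problems.append(f"{entry['dn']}: {attr} is multi-valued {values}")
        for value in values:
            if len(value) > MAX_ID_LENGTH:
                problems.append(f"{entry['dn']}: {attr} longer than {MAX_ID_LENGTH}")
            owners[value].append(entry["dn"])
    for value, dns in owners.items():
        if len(dns) > 1:  # globally unique, never reassigned
            problems.append(f"{attr}={value} is shared by {len(dns)} entries: {dns}")
    return problems


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for candidate in ("ibm-entryUUID", "employeeNumber", "uid", "mail"):
        issues = check_custom_id(parsed, candidate)
        print(f"{candidate}: {'OK' if not issues else 'UNSUITABLE'}")
        for issue in issues:
            print("  -", issue)
```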
  • 25. Custom IDs: Specifying them in Connections (LotusConnections-Config.xml)
    §  The Profiles database contains the value of each user's ID in the PROF_GUID column of the EMPLOYEE table:
      –  The value used in PROF_GUID must match some attribute in your LDAP directory.
    §  Connections must be made aware of which attribute from your directory to use for the ID
      –  Modify LotusConnections-config.xml:
        •  e.g. your custom ID is “uid”: locate the “serviceName” tag in your XML:
           <sloc:serviceReference profiles_directory_service_extension_enabled="true" serviceName="directory" custom_user_id_attribute="uid"/>
        •  To customize your group ID: custom_group_id_attribute="uid"/>
           Note: the attribute used must exist for a group object!
      –  Check the ID (GUID) value in the map_dbrepos_from_source.properties file
      –  Note! prof_source_uid must be the distinguished name of the user in WebSphere LDAP: distinguishedName=$dn
  • 26. Modifying wimconfig.xml instead of LotusConnections-Config.xml
    §  wimconfig.xml governs a single ID attribute for all supported objects such as users (PersonAccount), Groups, and organizations (OrgContainer) in the WebSphere Application Server.
    §  An administrator chooses to make the custom ID modifications in wimconfig.xml when:
      –  An administrator has chosen a custom ID that does NOT exist in the LDAP and/or VMM schema.
      –  An administrator determines there is one LDAP attribute that exists for ALL VMM entity types (e.g. PersonAccount, Groups, OrgContainers)
        •  If the attribute is NOT available within each object class (e.g. 'employeeID' exists for inetOrgPerson but is not available for the groupOfUniqueNames objectclass (group objects)), then that attribute CANNOT be used to specify the custom ID in wimconfig.xml. NOPE!
    §  An administrator must modify wimxmlextension.xml when:
      –  An admin chooses to use an “LDAP extended attribute” for a custom ID
        •  Modify LDAP (not there!)
        •  Modify VMM
        •  Add the new VMM Schema property to wimxmlextension.xml
  • 28. Tivoli Directory Integrator - The Engine
    §  TDI acts as the translator to convert data from one source to another
      –  In this case from whatever the LDAP directory is to DB2, SQL or Oracle
    §  There is no way for companies to create profiles on premises without TDI
    §  TDI needs to be installed so the engine and libraries are present
    §  How much you customise or work with it is then entirely down to your company’s requirements
  • 29. Moving Data Into Connections
    [Diagram of the three population routes, from simple to advanced:]
      Population Wizard – Simple: manual, 1 LDAP source > Profile
      XML Files From TDISOL – 1 LDAP source > Profile, some data manipulation
      Assemblyline – Advanced: realtime, multiple data sources, full data manipulation
  • 30. The DB Wizard
    §  The simplest method to move LDAP data to Connections is using the supplied DB Wizard
    §  Back up PeopleDB before starting
    §  DBWizard is great if you have only a single LDAP source and good data
      –  It also helps you get started with customising TDISol (more later)
    §  Each step of DBWizard is validated, so you can’t progress through to population unless your LDAP server details are correct
      –  That’s a good thing
  • 31. TDISol
    §  The TDISol directory extracts as part of the Connections install
      –  You should always check for an updated version on Fix Central
    §  It contains all the custom scripts you need to build your own population engine
      –  All you need do is complete 4 simple properties files
      –  And a batch file
      –  And install TDI
      –  But that’s it
  • 32. Important TDISol Files
    §  Profiles_tdi.properties
      –  Pay attention to the guid property in particular
      –  Also delete or inactivate users
    §  map_dbrepos_from_source
    §  map_dbrepos_to_source
      –  You can only map an attribute in one direction, so verify the same attribute isn’t mapped in both files or the updates will keep overwriting each other
    §  Profiles_functions.js
    §  Solution.properties
    §  Tdienv.bat / tdienv.sh
  • 33. Assemblylines
    §  What is a TDI Assemblyline?
    §  Why would I write my own?
    §  Why don’t IBM supply standard ones?
    §  What functions are available to me?
    §  Working with the Configuration Editor
  • 34. Multiple Directories
    §  Each person must only appear in one directory
    §  Multiple directories cannot be deployed using DBWizard
    §  Instead use multiple TDISol configurations
      –  or a custom Assemblyline
  • 36. Populating Connections From A Different Directory Than LDAP
    §  It’s possible that you would want to authenticate users from one directory but populate profiles from another
    §  This is supported and technically it’s not difficult, however
      –  The user data in both directories must match up with the same unique key
      –  The user should ideally have the same email address in both directories
      –  It significantly increases the complexity of the data and the chances of poor or mismatched information being returned to the users
    §  It’s an advanced solution for a very specific use case
      –  Far better to be able to use your LDAP authentication server(s) as your data source
  • 37. Connections Security: Users vs Groups
    §  Application Security
    §  User Access in Communities, Wikis, Activities, Blogs
    §  Browsing to grant authority in applications
    §  Cached security and group memberships in WAS
    §  Nested group behaviour (more on that later from Terri)
  • 39. Groups Overview: Overview
    §  Group Expansion: “Given a group name, return all its members”
      –  A list of members in a particular group
      –  Functionality is provided through a series of “type-ahead” or “Group Browse” dialogs
      –  Search for groups using type-ahead
        •  Type in exact group names, OR partial
        •  Nested groups: can expand groups at each level of nesting
    §  Group Membership: “Give me all the groups that a given user or group is a member of”
      –  Used to compute user, group and community membership across Connections applications (Activities, Communities, Files and Wikis)
      –  Used by each application to grant access to content, adding or modifying membership etc.
      –  LDAP directories can be deployed to use nested groups (groups that contain group members)
  • 40. Groups: An overview (cont’d)
    §  Determining group membership has the potential to affect the performance of Connections Applications, as well as directory providers (LDAP).
      –  Computing membership can affect performance
      –  Nested groups can have an impact on performance
    §  Connections makes every attempt to act "responsibly" and optimize its membership checking functionality
      –  Determined by enumerating through all member attributes for a particular group entry
      –  The attribute differs depending on each LDAP service provider
      –  If nested groups are deployed in LDAP and enabled in WAS, those groups will be enumerated as well
    §  Nested groups require an operational attribute:
      –  Why? (That is why I had the BIG BLUE CLOUD APPEAR!)
      –  Enables Connections to utilize the efficient manner that LDAP Providers use to enumerate group membership.
  • 41. Groups: Membership Configuration in WebSphere (WAS):
    §  Operational attributes:
      –  Attributes that have special meaning to the Directory Server
      –  Maintained by the server and reflect information the server manages about an entry/server operation.
    §  Necessary items to configure in WAS for group membership functionality:
      –  Member: an attribute that indicates the groups to which an entry belongs
        •  Distinguished Name syntax, is multi-valued, and has an objectclass associated with it (objectclass basically defines the collection of attributes that can be used to define an entry)
      –  Membership (using Operational Attributes)
    §  LDAP example we’ll go through configuring in WebSphere (WAS)
  • 42. Groups: Membership Configuration in (WAS):
    §  Connections requires that Group membership be configured in WAS
    §  From the WAS Admin Console:
    §  Navigate to Global Security Tab → Federated Repositories → Manage repositories → select your LDAP:
    §  Select “Group attribute definition” from the Additional Properties section:
    §  Add the membership attribute
    §  Nested Groups? Use the operational attribute for nested. Why? (Remember that big blue cloud?) Connections uses the performance-minded operational attribute for membership checking!
  • 43. Groups: Membership Configuration in WebSphere (WAS):
    §  Choosing the name of the group membership operational attribute:
      –  Dependent upon the LDAP repository configured in WAS!
    §  Choose the scope of the group membership attribute:
  • 44. Groups: Member Configuration in WAS
    §  Connections requires that group member attributes be configured in WAS:
      –  Necessary for Connections' support of group expansion
      –  Also a factor in Connections' support of group membership (as previously mentioned)
    §  From the WAS Admin Console:
      –  Navigate to Global Security Tab → Federated Repositories → Manage repositories → Select your LDAP → Select the member attribute from the additional properties section
    §  Enter the Member attribute/Objectclass pairing required for your particular LDAP service:
• 46. Nested Groups (now the hard part!): "A few twists and turns" – IBM Tivoli Directory Server
§  IBM Tivoli Directory Server (ITDS) requires a specific set of attribute/objectclass pairings to be deployed in the LDAP directory for nested groups:
§  Membership:
–  The LDAP operational attribute for ITDS is "ibm-allGroups"
–  ITDS must be configured to contain nested group entries using the auxiliary objectclass "ibm-nestedGroup"
§  Member:
–  Add the "ibm-memberGroup" member attribute in the "Name of member attribute" dialog
–  Add the auxiliary objectclass "ibm-nestedGroup", denoting the objectclass of the nested group entries in the ITDS directory itself
–  Select "Direct" (applies to the members themselves)
• 47. Nested Groups: ITDS and Member
§  ITDS should also have groups deployed using the standard supported default attribute/objectclass pairings:
–  uniqueMember / groupOfUniqueNames (as documented in the upcoming table)
§  The Connections / WAS administrator may not be the same person as the LDAP administrator: there needs to be coordination!
• 48. Nested Groups: "A few twists and turns" – Domino Directory Server
§  Groups in Domino are "flat groups"
§  What is a flat group?
–  A group that exists at the root level of the LDAP directory
–  Unlike a hierarchical group it has no tree-like DN, just "cn=group1"
§  How to configure WebSphere to find Domino flat groups?
–  wimconfig.xml is your customization tool! Edit and replace
<config:baseEntries name="o=ORGX" nameInRepository="o=ORGX"/>
with
<config:baseEntries name="" nameInRepository=""/>
and replace
<config:participatingBaseEntries name="o=ORGX"/>
with
<config:participatingBaseEntries name=""/>
–  An empty base entry makes WAS search from the root of the directory, which is where the flat groups live (o=ORGX stands for your own Domino organisation)
–  In a Network Deployment cell edit the deployment manager's copy, then synchronise the nodes and restart for the change to take effect
§  The wimconfig.xml file is stored in the following location:
–  Linux: /opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim/config
–  Windows: <drive>:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim\config
• 49. Nested Groups: "A few twists and turns" – Active Directory
§  The LDAP operational attribute for Active Directory is "memberOf"
§  However, by default Active Directory does NOT expand nested groups: memberOf on a user lists only the groups the user is a direct member of
§  WebSphere has compensated for this:
–  Configure WAS using "memberOf"
–  Set the group membership scope to DIRECT (telling VMM not to depend on LDAP to do the nested expansion for us!)
§  Connections must also do its part:
–  Connections 4.5: get the iFix (LO80435)
–  Connections 5.0 CR1: fixed in that release
–  Tell the JVM you WANT it to chase nested groups by adding the following to the Generic JVM arguments:
•  -Dcom.ibm.connections.recursively.search.membership=true
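The difference between a direct-only membership attribute and a nested one is easiest to see in code. The block below is an added example, not code from the presentation, Connections or WebSphere: it models an Active Directory style memberOf (direct parents only) over a small constructed in-memory directory and performs the recursive walk that the JVM argument above asks Connections to do itself. The DNs, the sample data and the function names are assumptions made for this example.

```python
"""Added example (not from the presentation, and not Connections' or WebSphere's
code): what a DIRECT-only membership attribute gives you, and the recursive
walk that -Dcom.ibm.connections.recursively.search.membership=true asks
Connections to perform on top of it.

DIRECTORY is a constructed, in-memory stand-in for an LDAP server: each DN
maps to its attributes. memberOf holds DIRECT parents only, which is how
Active Directory populates it. DNs and function names are assumptions made
for this example."""

from collections import deque

BASE = "dc=example,dc=com"                      # assumed suffix
ALICE = f"cn=alice,ou=users,{BASE}"
DEV_TEAM = f"cn=dev-team,ou=groups,{BASE}"
ENGINEERING = f"cn=engineering,ou=groups,{BASE}"
ALL_STAFF = f"cn=all-staff,ou=groups,{BASE}"

# Constructed sample data: alice -> dev-team -> engineering -> all-staff,
# plus a deliberate cycle (all-staff is also a member of engineering).
# Active Directory permits group cycles, so the walk must tolerate one.
DIRECTORY = {
    ALICE:       {"objectClass": ["user"],  "memberOf": [DEV_TEAM]},
    DEV_TEAM:    {"objectClass": ["group"], "member": [ALICE],
                  "memberOf": [ENGINEERING]},
    ENGINEERING: {"objectClass": ["group"], "member": [DEV_TEAM, ALL_STAFF],
                  "memberOf": [ALL_STAFF]},
    ALL_STAFF:   {"objectClass": ["group"], "member": [ENGINEERING],
                  "memberOf": [ENGINEERING]},
}


def direct_groups(dn):
    """One LDAP read of memberOf: exactly what scope DIRECT promises, no more."""
    return list(DIRECTORY.get(dn, {}).get("memberOf", []))


def nested_groups(dn, max_depth=32):
    """Transitive closure over memberOf, breadth first.

    The visited set is what makes the cycle above terminate; max_depth is a
    second guard so a pathological directory cannot turn a login into a
    denial of service. This is the work the directory does for you when it
    offers an operational attribute such as ITDS's ibm-allGroups, and the
    work the application must do itself on Active Directory."""
    seen = set()
    queue = deque((group, 1) for group in direct_groups(dn))
    while queue:
        group, depth = queue.popleft()
        if group in seen:
            continue            # already expanded: this is where the cycle stops
        seen.add(group)
        if depth >= max_depth:
            continue
        for parent in direct_groups(group):
            if parent not in seen:
                queue.append((parent, depth + 1))
    return seen


def is_member(user_dn, group_dn, chase_nested=True):
    """Membership check the way an access decision asks it.

    chase_nested=False models a direct-only attribute being trusted as
    complete (scope NESTED on Active Directory): the user is silently
    missing from every indirect group."""
    groups = nested_groups(user_dn) if chase_nested else set(direct_groups(user_dn))
    return group_dn in groups


if __name__ == "__main__":
    for group in (DEV_TEAM, ENGINEERING, ALL_STAFF):
        print(f"{group}: direct={is_member(ALICE, group, False)} "
              f"nested={is_member(ALICE, group)}")
```

Run stand-alone it shows alice in dev-team either way, but in engineering and all-staff only when the nested walk is performed. Two practical notes: every hop in `nested_groups` is a separate LDAP read in real life, which is why the operational attribute is preferred wherever the directory maintains it, and Active Directory can do the same transitive walk server-side in a single query through its LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941); the configuration described on this slide does not rely on it.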
• 50. Nested Groups: CCM Integration
§  Connections / CCM integration
–  In Connections 4.5, CCM (FileNet) makes an effort to manually expand nested groups on its own
•  To disable this functionality it is recommended you set the JVM argument: -Dibm.filenet.security.connectionsProvider.disableRecursiveParentCall=true
–  In Connections 5.0 and above, the Connections installer does this for you!
  • 52. How Does It Work - The Brief Version
• 53. In general an external user is limited to participating in a restricted community they are invited into. This isn't a bad thing.
  • 58. Internal - My Profile
• 60. As A Visitor
§  You can add tags but not see existing tag lists
§  You can view partial business cards but not full profiles
§  You can search for content, but that only finds things that are shared with you
§  You can share files, but only with the Communities you are part of, not with people directly
• 62. SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
§  Negotiates the underlying authentication mechanism, which in Active Directory means Kerberos or NTLM
• 63. SPNEGO Example For WebSphere
Steps:
1. User logs into Windows
2. User tries to access Connections
3. Active Directory (acting as the Kerberos KDC) issues a service ticket for the Connections SPN, which the browser wraps in a SPNEGO token
4. Browser sends the SPNEGO token to WebSphere along with the user name
5. WebSphere validates the token with its Kerberos keytab and resolves the user's name in its registry (Active Directory, or whichever LDAP it is configured with)
• 64. Setting Up SPNEGO
§  Set up an SPN (service principal name) for the IHS and Connections application servers in Active Directory
§  Use a dedicated account that you use to start WebSphere as a service
§  Run: setspn -a HTTP/<ihs fully qualified hostname> <accountnamerunningwas>
–  The SPN is service/host, not a URL: HTTP/ihs.example.com (a placeholder host), not http://ihs.example.com
–  The same SPN must not be registered on more than one account; a duplicate breaks Kerberos for everyone. setspn -X lists duplicates, and setspn -S adds the SPN only after checking for them
§  If AD isn't the LDAP being used then the LDAP entry should be updated with the AD name, e.g. for Domino update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)
• 65. Why Not SPNEGO
§  It requires Active Directory
§  It requires users to log in to Active Directory
§  It requires Microsoft-supported browsers*
§  It requires a Windows client for the users*
§  It requires a Windows platform*
§  It doesn't work at all if the user is connecting remotely and not logged in to Active Directory (no Kerberos ticket can be obtained)
§  It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms, often using 3rd party add-ons
• 67. Security Assertion Markup Language (SAML)
§  SAML is a protocol and process for exchanging authentication and authorisation data for a user between services and servers
• 68. Diagram: one IdP (Identity Provider) serving three SPs (Service Providers)
• 69. No Passwords… (at the service provider: whatever credential the user has lives only at the IdP)
§  To compromise
§  To expire
§  To intercept
§  Once a user has authenticated with the IdP they won't be asked again for the lifetime of their IdP session
• 70. SAML Example
Steps:
1. User attempts to log in to a website
2. User is redirected to the Identity Provider
3. Identity Provider requests authentication, or (if the user already has an IdP session) goes straight to issuing an assertion
4. User is redirected back to the original site with the SAML assertion attached
5. The original site uses its SAML Service Provider to verify the SAML assertion and grant access
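Step 5 is where most SAML deployments go wrong, because "verify the assertion" means more than checking the XML signature. The block below is an added example, not code from the presentation or from WebSphere's SAML support: it runs the checks a Service Provider must make after the signature has been verified (issuer, validity window, audience, recipient, request correlation and replay) over a constructed SAML 2.0 assertion. The issuer, entity ID, ACS URL, request ID and sample assertion are assumptions made for this example; signature verification is deliberately left to the SAML library.

```python
"""Added example (not from the presentation, and not WebSphere's SAML code):
the checks an SP must make on an assertion at step 5, once the SAML library
has verified the XML signature. Signature verification is deliberately
outside this block; never run these checks on an unverified assertion.

SAMPLE_ASSERTION is a constructed SAML 2.0 assertion; the issuer, entity ID,
ACS URL and request ID are assumptions made for this example."""

import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

IDP_ISSUER = "https://idp.example.com/adfs/services/trust"   # assumed
SP_ENTITY_ID = "https://connections.example.com/samlsps"     # assumed
SP_ACS_URL = "https://connections.example.com/samlsps/acs"   # assumed

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_a1b2c3" Version="2.0" IssueInstant="2015-01-27T10:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2015-01-27T10:05:00Z"
        Recipient="https://connections.example.com/samlsps/acs" InResponseTo="_req42"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2015-01-27T09:59:00Z" NotOnOrAfter="2015-01-27T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://connections.example.com/samlsps</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2015-01-27T09:59:30Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(text):
    """SAML timestamps are UTC with a trailing Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, issuer, audience, recipient, outstanding_requests,
                       seen_ids, now, skew=timedelta(seconds=60)):
    """Return (subject, attributes) or raise ValueError naming the failed check."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("not a SAML 2.0 assertion")
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        raise ValueError("assertion ID already used")            # replay
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("no Conditions element")
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")) - skew:
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")) + skew:
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("audience mismatch")                      # meant for another SP
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        raise ValueError("recipient mismatch")
    if scd.get("NotOnOrAfter") and now >= parse_time(scd.get("NotOnOrAfter")) + skew:
        raise ValueError("subject confirmation expired")
    if scd.get("InResponseTo") not in outstanding_requests:
        raise ValueError("not a response to a request we sent")   # unsolicited or replayed
    outstanding_requests.discard(scd.get("InResponseTo"))        # one response per request
    seen_ids.add(assertion_id)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return subject, attributes


def _failure(fn):
    try:
        fn()
    except ValueError as err:
        return str(err)
    return None


def demo():
    """Happy path plus the failures an SP must catch; returns the outcomes."""
    now = parse_time("2015-01-27T10:01:00Z")
    seen = set()
    subject, attrs = validate_assertion(SAMPLE_ASSERTION, IDP_ISSUER, SP_ENTITY_ID,
                                        SP_ACS_URL, {"_req42"}, seen, now)
    return {
        "subject": subject,
        "mail": attrs["mail"],
        "replay": _failure(lambda: validate_assertion(SAMPLE_ASSERTION, IDP_ISSUER, SP_ENTITY_ID, SP_ACS_URL, {"_req42"}, seen, now)),
        "wrong_audience": _failure(lambda: validate_assertion(SAMPLE_ASSERTION, IDP_ISSUER, "https://other.example.com/sp", SP_ACS_URL, {"_req42"}, set(), now)),
        "expired": _failure(lambda: validate_assertion(SAMPLE_ASSERTION, IDP_ISSUER, SP_ENTITY_ID, SP_ACS_URL, {"_req42"}, set(), now + timedelta(hours=1))),
        "unsolicited": _failure(lambda: validate_assertion(SAMPLE_ASSERTION, IDP_ISSUER, SP_ENTITY_ID, SP_ACS_URL, set(), set(), now)),
    }
```

The audience check is the one most often missing in home-grown SPs: without it an assertion the IdP issued for any other SP in the diagram on slide 68 is accepted here as well. The `seen_ids` and `outstanding_requests` sets stand in for state that a clustered deployment has to keep somewhere shared, and the XML should be parsed with a hardened parser (for example defusedxml) when it comes off the wire.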
• 71. Definitions
§  IdP - Identity Provider (SSO)
–  ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
•  SAML 2.0 only
•  Can be combined with SPNEGO
•  Enhances Integrated Windows Authentication (IWA)
–  TFIM (Tivoli Federated Identity Manager)
•  SAML 1.1 and 2.0
• 72. Definitions
§  SP - Service Provider
–  IBM WebSphere
•  By extension, some applications installed under WebSphere
–  IBM Domino (web federated login)
–  IBM Notes (requires ID Vault) (Notes federated login)
• 73. More Definitions
§  IdPs (Identity Providers) use HTTP (browser redirects and form POSTs) or SOAP to communicate with SPs (Service Providers) via XML-based assertions
§  Assertions carry three kinds of statement:
–  Authentication (how and when the user authenticated)
–  Authorisation (authorisation decisions about the user)
–  Attributes (user attributes such as name or email address)
• 74.
§  An IdP can service many service providers
§  An SP can be connected to several IdPs
§  An IdP can use a variety of authentication methods, including multi-factor
• 75. Setting Up SAML
§  Choose your IdP if you don't already have one
–  Which fits best in your business?
§  Build the IdP
§  Configure the SP
§  Sounds easy, doesn't it?
–  It's really not easy by any means, but it is worth the investment in time
• 76. SAML Support In Connections
§  WebSphere supports SAML, but that doesn't mean all applications that run under WebSphere support it
§  Where SAML is configured for authentication and can't be used by an external application, WebSphere can generate an LTPA token
§  FileNet / CCM does not support SAML
§  Metrics / Cognos can't run in a SAML-enabled cell and must be deployed in its own cell with LTPA
§  Connections Mail, Desktop and Mobile applications cannot use SAML
§  Browser access to the rest of the Connections applications (Homepage, Profiles, Activities, Communities etc.) is supported
• 77. IBM Pre-Approval Process - SAML Isn't Supported Without It
§  SAML integration with IBM Connections is supported in specific circumstances
§  WebSphere supports SAML, but that doesn't mean all applications that run under WebSphere do
§  Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed
§  The pre-approval process is a questionnaire that must be completed and submitted to IBM so support can evaluate whether your environment can be supported
–  IBM will also advise the best deployment for SAML to meet your needs
–  There is no one-size-fits-all solution
• 78. Configuring SAML With IBM Connections
§  There are two methods for configuring SAML with IBM Connections
§  For both, the IdPs (Identity Providers) tested are ADFS and TFIM
–  Those are the IdPs publicly documented for WebSphere
–  That's not to say other IdPs wouldn't be supported if accepted for pre-approval
§  WebSphere acts as the SP (service provider) and configuration is completed in the cell under Global Security
–  This means the SAML settings apply to all applications in the cell
§  SAML can be deployed using WebSphere's default authenticator or using SAML redirection
–  Using the default authenticator gives more scope for external applications
–  IBM will advise the best deployment based on your completed questionnaire
• 79. Engage Online
§  SocialBiz User Group: socialbizug.org
–  Join the epicenter of Notes and Collaboration user groups
§  Social Business Insights blog: ibm.com/blogs/socialbusiness
–  Read and engage with our bloggers
§  Follow us on Twitter
–  @IBMConnect and @IBMSocialBiz
§  LinkedIn: http://bit.ly/SBComm
–  Participate in the IBM Social Business group on LinkedIn
§  Facebook: https://www.facebook.com/IBMConnected
–  Like IBM Social Business on Facebook
  • 80. Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. 
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. 
IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®, PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.