TRANSCRIPT
BP201: Creating Your Own Connections Confection - Getting The Flavour Right
Gabriella Davis Technical Director - The Turtle Partnership [email protected]
Let’s talk about me for a minute
▪ Admin of all things and especially quite complicated things where the fun is
– Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
▪ Stubborn and relentless problem solver
▪ Lives in London about half of the time
▪ [email protected]
▪ twitter: gabturtle
Notices and Disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM. Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided. Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business. Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM.
All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation. It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law. Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right. 
IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®, PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.
Designing Your User Experience
CREATING AND SHARING CONTENT TAGGING, LIKES & @MENTIONS
CLIENT ACCESS: BROWSER DESKTOP APPLICATION MOBILE
LEARNING ABOUT PEOPLE, WHO THEY ARE, WHAT THEY DO
DOCUMENT MANAGEMENT
AUDIENCE & NETWORK EXTERNAL USER BEHAVIOUR
Architecture Decisions
USERS VS CONCURRENT USERS
PUBLIC ACCESS AND SECURITY
FILE AND DATA STORAGE
SEPARATING COMPONENTS
BUILD NOW / ADD LATER?
Design For Growth
▪ Clusters can be duplicated
▪ Not everything needs to be clustered but everything should have the potential for clustering without needing a rebuild
▪ Avoid backing yourself into a corner with single points of failure
▪ Data is accessed from the database server and from a shared data location
It’s All About Content - Companies Run On Content
(Slide graphic: word cloud of content types - Tags, Video, KPI, Processes, Web 2.0, Proposals, Projects, Photos, Wikis, Places, Blogs, Tasks)
✤ Companies generate and need to use and retain a lot of data, much of it unstructured
✤ To do this they use Enterprise Content Management
✤ this is not the same as a Content Management System
Sharing A Collective Memory
✤ Information needs context
✤ Why was it generated?
✤ What was it used for?
✤ Who worked on it?
✤ Is it still true?
Avoiding Reinvention
(Slide diagram: a re-use loop)
SEARCH → DOES CONTENT ALREADY EXIST? → REVIEW → IS IT WHAT YOU NEED? → RE-USE → WHY NOT JUST SHARE IT?
Searching
Files & Folder Metadata Document Types
Tagging
✤ People / Unstructured
✤ Process / Structured
Finding Things
Files Application
▪ Standard Connections application (default install)
▪ Each user has their own “Library” where they can upload and share files
▪ Each file can be shared
(Slide diagram: CCM Libraries with SSO, and standalone FileNet external libraries)
▪ WebSphere Application Server: Deployment Manager Server, FileNet installers
▪ WebSphere Application Server: FileNet J2EE applications
▪ Database Server: FNGCD and FNOS databases
▪ Storage: Connections Data Share (NFS), FileNet Server, DB Server
EditLive Install
▪ Custom installer downloadable from IBM
▪ Simple application install
▪ Enabled for everyone or for users by role
▪ J2EE application maps to a WebSphere server
– you can use an existing server
(Slide diagram: File Viewer deployment)
▪ Server 1: IBM Connections with the File Viewer Extension Plugin; Connections Data Share (moved to NFS share)
▪ Server 2: File Viewer Server (Windows or Linux) and Conversion Server (mandatory, Windows OS); Viewer Data Share
(Slide diagram: IBM Docs deployment)
▪ Server 1: IBM Connections with the IBM Docs Extension Plug-In and File Viewer Extension Plugin; Connections Data Share (moved to NFS share)
▪ Server 2: IBM Docs Server (mandatory, Linux OS)
▪ Server 3: Conversion Server (mandatory, Windows OS); File Viewer Server (Windows or Linux)
▪ Server 4: IBM Docs Proxy (optional, Linux OS)
▪ NFS Share: Viewer Data Share, IBM Docs Data
Cognos
(Slide diagram: Cognos and Connections Reporting)
▪ Cognos BI and Cognos Transformer
▪ WebSphere Application Server: Metrics J2EE application, Cognos J2EE application
▪ Database Server: Cognos DB, Metrics DB
The Metrics application logs to the Metrics DB. This DB can be (and is) used by other 3rd party analytical tools.
Forms Experience Builder Polls & Surveys
▪ Installs on WebSphere Server(s)
▪ Requires DB2
▪ Installs on every server in the chosen cluster
How Does Connections Mail Work?
(Slide diagram)
▪ Deployment Manager: IBM Connections Mail installed
▪ Connections Application Servers (two shown)
▪ HTTP interface to mail (iNotes in the case of Domino)
▪ Domino Server 1, Domino Server 2, Domino Server 3 - or Exchange
Configuring Sametime With Connections
▪ Two choices
– Each user runs the Sametime standalone client
– Enable the Connections server to connect to the Sametime Proxy Server using a web interface
▪ There are no Sametime applications installed under Connections
Sametime Meetings In Connections
All communication is through the Sametime Proxy Server - a web interface to Sametime Services
What Can An External Person Do?
▪ Be a full member of a Community that allows external users
▪ Share Files with others as well as Download files shared with you
▪ See Activity Streams that they are invited into
▪ Edit Their Profile
▪ View business cards of anyone who has shared content with them
What Can’t An External Person Do?
▪ See Any Public Content
▪ Create a community
▪ Follow people
▪ See or search the company directory
▪ Use type-ahead to find people
▪ See recommended content or people
▪ Access the Profiles menu
▪ Access other user profiles
▪ See @Mentions for them
SPNEGO EXAMPLE FOR WEBSPHERE
(Slide diagram: five steps)
1. User logs into Windows
2. Active Directory generates SPNEGO token
3. User tries to access Connections
4. Browser sends SPNEGO token to WebSphere along with user name
5. WebSphere contacts Active Directory to validate token and retrieve the user’s name
SETTING UP SPNEGO
▪ Set up a SPN for the IHS and Connections application servers in Active Directory
▪ Use a dedicated account that you use to start WebSphere as a service
▪ Run setspn -a HTTP/<ihs hostname> <accountnamerunningwas>
▪ If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name
– e.g. for Domino update person documents with AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)
WHY NOT SPNEGO
▪ It requires Active Directory
▪ It requires users to login to Active Directory
▪ It requires Microsoft supported browsers*
▪ It requires a Windows client for the users*
▪ It requires a Windows platform*
▪ It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
▪ It has a very specific use case
* all these asterisks mean there are ways to extend to other platforms, often using 3rd party addons
SAML - Security Assertion Markup Language
SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers
Security
▪ No passwords to compromise
▪ No passwords to expire
▪ Once a user has authenticated with the IdP they won’t be asked again
SAML Example
(Slide diagram: five steps)
1. User attempts to log in to a website
2. User is redirected to Identity Provider
3. Identity Provider requests authentication or (if user is logged in) returns credentials
4. User is redirected back to original site with SAML assertion attached
5. Original site uses its SAML Service Provider to confirm SAML assertion and grant access
Definitions
▪ IdP - Identity Provider (SSO)
– ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
• SAML 2.0 only
• can be combined with SPNEGO
• Enhances Integrated Windows Authentication (IWA)
– TFIM (Tivoli Federated Identity Manager)
• SAML 1.1 and 2.0
▪ SP - Service Provider
– IBM WebSphere
• By extension some applications installed under WebSphere
– IBM Domino (web federated login)
– IBM Notes (requires ID Vault) (notes federated login)
More Definitions
▪ IdPs (Identity Providers) use HTTP or SOAP to communicate to SPs (Service Providers) via XML based assertions
▪ Assertions have three roles
– Authentication
– Authorisation
– Retrieving Attributes
▪ An IdP can service many service providers
▪ A SP can be connected to several IdPs
▪ An IdP can use a variety of authentication methods including multi factor
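The five-step SAML flow above and the IdP/SP roles just defined, worked through in Python as an added example (not from the original presentation and not IBM, WebSphere, ADFS or TFIM code): the IdP side is a plain builder that returns a constructed, unsigned SAML 2.0 Response, and the Service Provider side performs the checks that decide whether access is granted. The response must answer an AuthnRequest the SP actually sent (InResponseTo), come from the expected IdP (Issuer), be addressed to this SP (Audience), fall inside its validity window (NotBefore/NotOnOrAfter, with a clock skew allowance) and not have been consumed before (assertion ID). The entity IDs, the fixed clock, the request and assertion IDs and the user name are all constructed for the example. XML signature verification (XML-DSig against the IdP's signing certificate), which a real SP must perform before any of these checks, is left to a SAML library and is not implemented here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
# Constructed identifiers (assumptions); real values come from the IdP and SP metadata.
IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
SP_ENTITY_ID = "https://connections.example.test/sp"
CLOCK_SKEW = timedelta(seconds=60)
NOW = datetime(2015, 1, 27, 10, 0, 0, tzinfo=timezone.utc)  # fixed clock so the demo is deterministic


def parse_saml_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z, e.g. 2015-01-27T10:00:00Z."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def fmt_saml_time(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def idp_response(request_id, assertion_id, user, issued_at, issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID):
    """Step 3: the IdP's reply, as a constructed (unsigned) SAML 2.0 Response."""
    nb, na = fmt_saml_time(issued_at - timedelta(minutes=1)), fmt_saml_time(issued_at + timedelta(minutes=5))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r{assertion_id}"
  Version="2.0" InResponseTo="{request_id}" IssueInstant="{fmt_saml_time(issued_at)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="{fmt_saml_time(issued_at)}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class ServiceProvider:
    def __init__(self, now):
        self.now = now                # injected clock
        self.pending = {}             # AuthnRequest ID -> RelayState (where the user goes after login)
        self.seen_assertions = set()  # assertion IDs already accepted (replay defence)

    def start_login(self, request_id, relay_state):
        """Step 2: SP redirects the browser to the IdP and remembers the request it issued."""
        self.pending[request_id] = relay_state
        return f"{IDP_ENTITY_ID}?SAMLRequest=<AuthnRequest {request_id}>&RelayState={relay_state}"

    def validate_response(self, response_xml):
        """Steps 4-5: check the returned assertion; returns (ok, detail)."""
        # Not implemented here: XML-DSig verification against the IdP signing certificate, which a
        # SAML library must perform before any of the checks below mean anything.
        root = ET.fromstring(response_xml)
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            return False, "IdP did not report success"
        # Unsolicited or mismatched responses are refused: InResponseTo must name a request we sent.
        relay_state = self.pending.pop(root.get("InResponseTo"), None)
        if relay_state is None:
            return False, "InResponseTo does not match an outstanding AuthnRequest"
        assertion = root.find("saml:Assertion", NS)
        cond = None if assertion is None else assertion.find("saml:Conditions", NS)
        if cond is None:
            return False, "no assertion with conditions in response"
        issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != IDP_ENTITY_ID:
            return False, f"unexpected issuer {issuer}"
        if assertion.get("ID") in self.seen_assertions:
            return False, "assertion replayed"
        if self.now + CLOCK_SKEW < parse_saml_time(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if self.now - CLOCK_SKEW >= parse_saml_time(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if SP_ENTITY_ID not in audiences:
            return False, "assertion not addressed to this SP"
        name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
        if not name_id:
            return False, "no subject in assertion"
        self.seen_assertions.add(assertion.get("ID"))
        return True, {"user": name_id, "relay_state": relay_state}


def run_exchange():
    """One accepted login plus the rejections a correct SP must produce."""
    sp = ServiceProvider(now=NOW)
    user = "gab@example.test"  # constructed subject
    sp.start_login("_req1", "/communities")
    good = idp_response("_req1", "_a1", user, NOW)
    cases = {"good": sp.validate_response(good)}
    sp.start_login("_req1", "/communities")  # reopen the request so only the replay check can fail
    cases["replay"] = sp.validate_response(good)
    cases["unsolicited"] = sp.validate_response(idp_response("_never_sent", "_a2", user, NOW))
    bad = {  # each gets its own outstanding request; the response content is what is wrong
        "wrong_audience": idp_response("_req3", "_a3", user, NOW, audience="https://other-sp.example.test"),
        "expired": idp_response("_req4", "_a4", user, NOW - timedelta(minutes=10)),
        "wrong_issuer": idp_response("_req5", "_a5", user, NOW, issuer="https://unknown-idp.example.test"),
    }
    for n, (name, xml) in enumerate(bad.items(), start=3):
        sp.start_login(f"_req{n}", "/")
        cases[name] = sp.validate_response(xml)
    return cases
```

Calling run_exchange() yields one accepted login (with the user name and the RelayState to send them on to) and five rejections. The replay case is deliberately separated from the InResponseTo check: reopening the same request shows that an assertion ID the SP has already consumed is refused even when the request it answers looks legitimate, which is why the two state tables are kept apart.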
Setting Up SAML
▪ Choose your IdP if you don’t already have one
– which fits best in your business
▪ Build the IdP
▪ Configure the SP
▪ Sounds easy doesn’t it?
– It’s really not easy by any means but it is worth the investment in time
SAML Support In Connections
▪ WebSphere supports SAML but that doesn’t mean all applications run under WebSphere support it
▪ Where SAML is configured for authentication and can’t be used by an external application, WebSphere can generate an LTPA token
▪ FileNet / CCM does not support SAML
▪ Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with LTPA
▪ Connections Mail, Desktop and Mobile applications cannot use SAML
▪ Browser access to the rest of the Connections applications (homepage, profiles, activities, communities etc) is supported
IBM PreApproval Process - SAML Isn’t Supported Without It
▪ SAML integration with IBM Connections is supported in specific circumstances
▪ WebSphere supports SAML but that doesn’t mean all applications that run under WebSphere do
▪ Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed
▪ The pre-approval process is a questionnaire that must be completed and submitted to IBM so support can evaluate if your environment can be supported
– IBM will also advise the best deployment for SAML to meet your needs
– There is no one size fits all solution
Configuring SAML With IBM Connections
▪ There are two methods for configuring SAML with IBM Connections
▪ For both, the IdPs (Identity Providers) tested are ADFS and TFIM
– Those are the IdPs publicly documented for WebSphere
– That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval
▪ WebSphere acts as a SP (service provider) and configuration is completed in the cell under Global Security
– This means SAML instructions are applied to all applications in the cell
▪ SAML can be deployed using WebSphere’s default authenticator or using SAML redirection
– Using default authenticator gives more scope for external applications
– IBM will advise the best deployment based on your completed questionnaire
Where To From Here?
▪ Who are your users
▪ Where are your users
▪ What do they want to do
▪ Clouds vs On Premises
▪ Simplify Architecture But Build for Growth
▪ Have a Plan
Questions?
▪ Gab Davis - Technical Director
▪ The Turtle Partnership
▪ [email protected]
▪ GabriellaDavis on Skype
▪ gabturtle on twitter
Engage Online
▪ SocialBiz User Group socialbizug.org – Join the epicenter of Notes and Collaboration user groups
▪ Social Business Insights blog ibm.com/blogs/socialbusiness – Read and engage with our bloggers
▪ Follow us on Twitter – @IBMConnect and @IBMSocialBiz
▪ LinkedIn http://bit.ly/SBComm – Participate in the IBM Social Business group on LinkedIn
▪ Facebook https://www.facebook.com/IBMConnected – Like IBM Social Business on Facebook