connections directory integration: a tour through best practices for directory and security...


Upload: gabriella-davis

Post on 16-Jul-2015


Let’s talk about me for a minute

§  Admin of all things and especially quite complicated things where the fun is
–  Working with security, healthchecks, single sign on, design and deployment of Domino, ST, Connections and things that they talk to
§  Stubborn and relentless problem solver
§  Lives in London about half of the time
§  Anything I say in this presentation is entirely mine & not endorsed by IBM or the woman on stage with me :)

Why This Session?

§  Every user within Connections must have a consistent identity
§  That identity originates from a LDAP directory
§  It’s then stored in Connections and used by each of the individual Connections applications
–  Except they each use the identity differently
–  Except some functionality calls back to LDAP
–  Except it’s IBM, which means many different directory types and versions have to be supported
–  Except IBM have little control over how these directories behave
§  Ensuring an identity always points to the same user, and that user is the right user, is critical to ensure Connections works
§  This session is to help you understand how to make your directory play nice with Connections and what can stop it doing that

Connections and LDAP

Authenticating Using LDAP

§  Connections requires us to have a directory to authenticate against
–  There needs to be one good authority for validating users
§  Several methods of single sign on and single identity are supported, including 3rd party tools
§  The quality and reliability of your authoritative LDAP drives more than just user logins
–  Poor LDAP data means poor profile data, technical problems and user dissatisfaction
–  Poor LDAP performance means poor Connections performance and user dissatisfaction
§  LDAP is used primarily during Profile population, authentication and group membership lookups
–  More on this later

Simple LDAP Configuration In WebSphere

§  Under Global Security – Federated Repositories
–  What are federated repositories?
§  The correct directory type tells WebSphere the correct construct for sending an LDAP query
§  Connections uses the directories configured in your deployment manager
–  So does Filenet when installed as CCM and directed to use WebSphere
–  Filenet installed standalone has its own directory configuration (SSO alert!)
§  Multiple directories must use unique authentication account names and unique base DN searches
–  WebSphere gets confused otherwise

Testing LDAP

§  Always backup your deployment manager before making ANY LDAP changes
–  Dmgr\bin\backupconfig.sh / backupconfig.bat
§  Once LDAP is configured in WebSphere, test that it works via the ISC for the deployment manager
–  The XML file that contains the LDAP configuration details is wimconfig.xml
§  Search for users by email address and make sure their login names are what you expect
§  Search for groups, especially if using Domino for LDAP, and make sure they appear

What Happens When LDAP Is Down

§  WebSphere has a significant amount of caching for directory access
§  It can’t authenticate users with no LDAP though
§  Users already logged in will continue to work, with a gradual loss of features
§  New users won’t be able to login

WebSphere Load Balanced LDAP

§  If you tell WebSphere to use a load balancer for LDAP the following happens
–  The LB directs WebSphere to a LDAP server to use
–  WebSphere caches that connection and continues to use it
–  If that server goes down but the LB is still up, it will take WebSphere 30 minutes or more to request a new server connection from the LB
§  If however you give WebSphere a list of LDAP servers to use for failover, it will immediately fail over to an alternate if its initial connection fails

Let’s talk about the other woman on stage for a minute

§  Advisory Software Engineer, Connections Directory Services
–  Working on Connections Directory (Waltz), LDAP, Security, CCM and integration of Connections and applications it talks to!
–  My previous gig was working on Domino Directory: LDAP, DA, Directory Catalogs, NameLookup, Single Sign-On and all things Directory
§  I work for IBM, so anything I say in this presentation should appropriately represent IBM (and be polite to the extremely intelligent woman on stage with me :))

Connections and User Data

User Data across Connections applications: The Basics!

§  User Data consists of:
–  ID: GUID (we’ll get to that)
–  Attributes of that user
–  Membership
Ø  LDAP Group Membership (we’ll get to that)
Ø  Community Membership

Example user record (from the slide diagram):
ID (GUID): 05978bab-2c2c-40c0-9745-1f6cb771dff7
DN: cn=ajones…
uid: ajones
email: ajones@...

User Data: The Basics!

Diagram: the user record (GUID 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN cn=ajones…, uid ajones, email ajones@...) flows from the LDAP Server through VMM on the Connections WebSphere Node into the local repository, and each application (Search, Wikis, Homepage, Profiles, Blogs, Bookmarks, Files, Forums, Moderation, Metrics, Mobile, News, Communities, Filenet, Cognos, etc.) holds the same GUID, DN, uid and email for that user.

To confirm the default (Profiles is enabled):
ü  Open LotusConnections-Config.xml
ü  Confirm that profiles_directory_service_extension_enabled="true"

User Data: Login Names

§  User Data prerequisites (Login Names)
–  Login names (the user name you log into Connections with) must exist in both Profiles (various columns) AND LDAP
§  Configured in the “login properties” dialog in WAS for that particular directory
§  When Profiles is populated, the “login table” is built with mail and uid by default and adds additional attributes from map_dbrepos_from_source.properties

ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com" -D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)"

dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
objectclass: top
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: person
uid: Amy Jones2
cn: Amy Jones2
mail: [email protected]

User Data: Login Names

§  Configured in the “login properties” dialog in WAS for that particular directory:
§  If Connections Content Management (CCM) is installed:
–  By default, Filenet (CCM) assumes uid for the "Security Principal"
–  If the value of login properties is something other than uid, or if uid is not the first value:
•  modify profiles-config.xml, moving the attribute that matches up with the principal to be the first attribute in the <loginAttributes> section (e.g. email):

User Data: Login Names

§  If CCM is installed (cont’d):
–  prof_uid or prof_mail must be the same value as what’s in the login properties
–  A JVM argument needs to be configured on the Filenet (CCM) server and set to the value in the login properties dialog (note this is done by default in 5.0 by the Connections installer)

www-01.ibm.com/support/knowledgecenter/SSYGQH_5.0.0/admin/install/t_inst_config_libraries_newfn.dita

User Data: IDs (GUIDs): The Basics

§  IDs (GUIDs): used internally by Connections for persistent representations of the user.
–  The ID (GUID) is distinct and different from the user's login name.
–  Users identify themselves to the system with their login name.
–  The login name is not generally used to persist a reference to the user:
•  Names may change
•  Different users may acquire the same login name over time
•  Users may have multiple login names
–  Access control lists and community membership lists do not use the login name, they use IDs!
§  Think about other apps, such as Domino
–  Domino uses the Distinguished Name as the ID (and that comes with issues because DNs can change)
§  MORE on IDs in a minute!

User Data: Mail Addresses

§  Mail Addresses:
–  Must exist in both Profiles AND LDAP
–  The value should be the same in Profiles as in LDAP:
•  However, if the value is different, mail cannot be used as “login name”.


Connections, Directories and IDs:

Connections, Directories and IDs: What are IDs?

§  The ID is used by Connections for persistent representations of the user.
§  By default, Connections uses as its “ID” the Globally Unique Identifier (GUID) for users and groups:
–  It is fixed: a GUID for an object does not change *
–  If an object is deleted and recreated in LDAP, that object is recreated with a NEW ID (GUID)
–  The terms “GUID” and “ID” can be used interchangeably UNTIL an admin decides they need to choose something “other” than the default! (e.g. uid, employee ID etc.)
WALTZ: [ID=4fda6cc0-0101-102e-88dd-f78755f7e0ed]
§  Connections also generates a GUID for Community objects (same format as GUID)

Connections, Directories and IDs (GUIDs): What are IDs?

§  To solidify it in your mind: you can search an LDAP to find a GUID for a user:
–  e.g. searching IBM Tivoli Directory Server, where the GUID is referred to as “ibm-entryUUID”:

ldapsearch -h ldapdirectory.iris.com -b "ou=users,dc=iris,dc=com" -D "uid=Admin,ou=users,dc=iris,dc=com" -w adminpass "(cn=Amy Jones2)" ibm-entryUUID

dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
ibm-entryuuid: 4fda6cc0-0101-102e-88dd-f78755f7e0ed

How does Connections utilize IDs?

§  Connections applications will persist that ID in their tables
§  Connections applications will search using that ID
§  Community Membership will be searched using that ID
§  LDAP Group Membership and Group Expansion will be searched using that ID

Diagram: the user logs in to Connections as uid=ajones2; LDAP and Profiles both resolve that login to the same record: ID (GUID) 05978bab-2c2c-40c0-9745-1f6cb771dff7, DN cn=ajones2…, uid ajones2, email ajones2@...

§  There are business scenarios when the ID used to identify the object cannot be a GUID.
–  Company has offices all over the world. Employees move from one region to another, so they are deleted from one LDAP and re-added to another.
–  Company identifies its employees by a guaranteed unique “Employee ID”
§  Remember: when a user is deleted and re-added, the GUID of a directory object changes
–  Affects IBM Connections applications that may have knowledge of a particular GUID for those objects.
–  When a GUID changes, you must synchronize the LDAP with the Profiles database before that user logs in again.
–  If you don’t, the user will have two accounts in IBM Connections: one with the old GUID and one with the new “ID”.
§  It is NOT recommended to change IDs for customers who have Connections Content Manager (CCM): the user may lose access to content created with a particular ID
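One way to catch the deleted-and-recreated case before the user logs in again, as an added example that is not part of the deck or of IBM's tooling: compare the Profiles EMPLOYEE rows with the current LDAP entries and list the users whose GUID or mail no longer matches. The rows, entries and GUID values below are constructed, and `guid` stands in for whichever LDAP attribute WebSphere maps as the ID.

```python
# Constructed Profiles EMPLOYEE rows (column names as the slides name them;
# PROF_SOURCE_UID holds the user's LDAP distinguished name).
PROFILES_ROWS = [
    {"PROF_GUID": "05978bab-2c2c-40c0-9745-1f6cb771dff7",
     "PROF_SOURCE_UID": "cn=ajones2,ou=users,dc=iris,dc=com",
     "PROF_UID": "ajones2", "PROF_MAIL": "ajones2@iris.com"},
    {"PROF_GUID": "1a2b3c4d-0000-4000-8000-000000000001",
     "PROF_SOURCE_UID": "cn=bsmith,ou=users,dc=iris,dc=com",
     "PROF_UID": "bsmith", "PROF_MAIL": "bsmith@iris.com"},
    {"PROF_GUID": "1a2b3c4d-0000-4000-8000-000000000002",
     "PROF_SOURCE_UID": "cn=cwhite,ou=users,dc=iris,dc=com",
     "PROF_UID": "cwhite", "PROF_MAIL": "cwhite@iris.com"},
    {"PROF_GUID": "1a2b3c4d-0000-4000-8000-000000000003",
     "PROF_SOURCE_UID": "cn=dgreen,ou=users,dc=iris,dc=com",
     "PROF_UID": "dgreen", "PROF_MAIL": "dgreen@iris.com"},
]

# Constructed current LDAP view keyed by DN. "guid" stands for whichever attribute
# WebSphere maps as the unique ID (ibm-entryUUID on ITDS, for example).
LDAP_ENTRIES = {
    "cn=ajones2,ou=users,dc=iris,dc=com":
        {"guid": "05978bab-2c2c-40c0-9745-1f6cb771dff7", "uid": "ajones2", "mail": "ajones2@iris.com"},
    # bsmith was deleted and re-created in LDAP, so the directory handed out a new GUID
    "CN=bsmith,OU=users,DC=iris,DC=com":
        {"guid": "9e8d7c6b-0000-4000-8000-0000000000ff", "uid": "bsmith", "mail": "bsmith@iris.com"},
    # cwhite's mail was changed in LDAP but Profiles has not been re-synced
    "cn=cwhite,ou=users,dc=iris,dc=com":
        {"guid": "1a2b3c4d-0000-4000-8000-000000000002", "uid": "cwhite", "mail": "carol.white@iris.com"},
    # dgreen has left: no LDAP entry at all
}


def _norm(value):
    """DNs, mail addresses and UUID strings are case-insensitive in LDAP; compare lower-cased."""
    return value.strip().lower()


def find_drift(profiles_rows, ldap_entries):
    """Compare Profiles rows with LDAP and return {DN: [issues]}.

    Issues:
      guid-changed    -> synchronise LDAP into Profiles before this user logs in,
                         otherwise they get a second account under the new GUID
      mail-mismatch   -> mail cannot be this user's login name until it matches
      missing-in-ldap -> the user no longer exists in the directory
    """
    ldap_by_dn = {_norm(dn): entry for dn, entry in ldap_entries.items()}
    drift = {}
    for row in profiles_rows:
        dn = row["PROF_SOURCE_UID"]
        entry = ldap_by_dn.get(_norm(dn))
        issues = []
        if entry is None:
            issues.append("missing-in-ldap")
        else:
            if _norm(entry["guid"]) != _norm(row["PROF_GUID"]):
                issues.append("guid-changed")
            if _norm(entry["mail"]) != _norm(row["PROF_MAIL"]):
                issues.append("mail-mismatch")
        if issues:
            drift[dn] = issues
    return drift


def users_needing_sync(profiles_rows, ldap_entries):
    """DNs that must be synchronised before their next login (the two-account case)."""
    return sorted(dn for dn, issues in find_drift(profiles_rows, ldap_entries).items()
                  if "guid-changed" in issues)


if __name__ == "__main__":
    for dn, issues in find_drift(PROFILES_ROWS, LDAP_ENTRIES).items():
        print(f"{dn}: {', '.join(issues)}")
```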

Custom IDs: Why?

§  The ID must be globally unique. The ID must not ever be reassigned to a different user or group in the directory.
–  This makes DN, email, Microsoft Active Directory sAMAccountName and most UID and CN values poor choices, since those might be reused after a user leaves an organization.
§  Must not exceed 252 characters in length. To achieve faster search results, use a fixed-length attribute for the ID if possible.
§  Must have a one-to-one mapping per directory object.
–  Can’t use an attribute with multiple values as a unique ID. Users: one and only one ID!
§  The object must exist in both the LDAP schema and the WebSphere Virtual Member Manager (VMM) schema
–  If it does not, it must be added to wimxmlextension.xml (which may have to be created):
AIX®: /usr/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
Linux™: /opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim
Windows™: C:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim
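The selection rules above can be checked mechanically against a directory export before an attribute is committed to as the ID. The following is an added example, not from the deck or from IBM: it parses a constructed LDIF dump and reports which candidate attributes break the present-on-every-object, single-value, uniqueness and length rules. The Amy Jones2 entry reuses the DN and ibm-entryUUID shown earlier; every other entry and value is made up.

```python
from collections import defaultdict

MAX_ID_LENGTH = 252  # limit stated on the slide

# Constructed LDIF export: Amy Jones2 reuses the DN and ibm-entryUUID shown in
# the deck; every other entry and value is made up to exercise the rules.
SAMPLE_LDIF = """\
dn: cn=Amy Jones2,ou=users,dc=iris,dc=com
objectclass: inetOrgPerson
uid: ajones2
mail: ajones2@iris.com
employeeNumber: 100001
ibm-entryUUID: 4fda6cc0-0101-102e-88dd-f78755f7e0ed

dn: cn=Bob Smith,ou=users,dc=iris,dc=com
objectclass: inetOrgPerson
uid: bsmith
mail: bsmith@iris.com
mail: bob.smith@iris.com
employeeNumber: 100002
ibm-entryUUID: 7c1d2e30-0101-102e-88dd-f78755f7e0ed

dn: cn=Bob Smith2,ou=users,dc=iris,dc=com
objectclass: inetOrgPerson
uid: bsmith
mail: bsmith2@iris.com
employeeNumber: 100003
ibm-entryUUID: 9a3b4c50-0101-102e-88dd-f78755f7e0ed

dn: cn=Carol White,ou=users,dc=iris,dc=com
objectclass: inetOrgPerson
uid: cwhite
mail: cwhite@iris.com
ibm-entryUUID: b2c3d4e0-0101-102e-88dd-f78755f7e0ed
"""


def parse_ldif(text):
    """Parse a plain-text LDIF dump into a list of {attribute: [values]} dicts.
    Attribute names are lower-cased (LDAP treats them case-insensitively) and
    folded continuation lines (leading space) are joined; base64 values are not decoded."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if not raw.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_id_attribute(entries, attr):
    """Return the problems that rule `attr` out as the Connections ID: it must be
    present on every object, single-valued, unique across the export and at most
    MAX_ID_LENGTH characters. "Never reassigned" is a policy property that one
    snapshot cannot prove, so it is not checked here."""
    attr = attr.lower()
    problems = []
    carriers = defaultdict(list)  # normalised value -> DNs carrying it
    for entry in entries:
        dn = entry["dn"][0]
        values = entry.get(attr, [])
        if not values:
            problems.append(f"{dn}: no {attr} value (every object needs exactly one ID)")
            continue
        if len(values) > 1:
            problems.append(f"{dn}: {attr} has {len(values)} values; the ID must be single-valued")
        for value in values:
            if len(value) > MAX_ID_LENGTH:
                problems.append(f"{dn}: {attr} value is {len(value)} chars, limit is {MAX_ID_LENGTH}")
            carriers[value.lower()].append(dn)  # uid/mail/UUID matching is case-insensitive
    for value, dns in carriers.items():
        if len(dns) > 1:
            problems.append(f"{attr}={value} is shared by {len(dns)} entries: {'; '.join(dns)}")
    return problems


def is_fixed_length(entries, attr):
    """True when every value of `attr` has the same length (the slide's search-speed hint)."""
    return len({len(v) for e in entries for v in e.get(attr.lower(), [])}) == 1


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for candidate in ("uid", "mail", "employeeNumber", "ibm-entryUUID"):
        print(candidate, check_id_attribute(entries, candidate) or "OK")
```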

Custom IDs: Considerations for the selection of an ID:

§  Profiles database contains the value of each user's ID in the PROF_GUID column of the EMPLOYEE table:
–  The value used in the PROF_GUID must match some attribute in your LDAP directory.
§  Connections must be made aware of which attribute from your directory to use for the ID
–  Modify LotusConnections-config.xml:
•  e.g. your custom ID is “uid”: locate the “serviceName” tag in your XML:
<sloc:serviceReference profiles_directory_service_extension_enabled="true" serviceName="directory" custom_user_id_attribute="uid"/>
•  To customize your group ID: custom_group_id_attribute="uid"/>
–  Check the ID (GUID) value in the map_dbrepos_from_source.properties file
–  Note! prof_source_uid must be the distinguished name of the user in WebSphere LDAP:
distinguishedName=$dn

Custom IDs: Specifying them in Connections (LotusConnections-Config.xml)

Note: the attribute used must exist for a group object!

Modifying wimconfig.xml instead of LotusConnections-Config.xml

§  wimconfig.xml governs a single ID attribute for all supported objects such as users (PersonAccount), groups and organizations (OrgContainer) in the WebSphere Application Server.
§  An administrator chooses to make the custom ID modifications in wimconfig.xml when:
–  An administrator has chosen a custom ID that does NOT exist in LDAP and/or VMM schema.
–  An administrator determines there is one LDAP attribute that exists for ALL VMM entity types (e.g. PersonAccount, Groups, OrgContainers)
•  If the attribute is NOT available within each object class (e.g. 'employeeID' exists for inetOrgPerson but is not available for the groupOfUniqueNames objectclass (group objects)), then that attribute CANNOT be used to specify the custom ID in wimconfig.xml. NOPE!
§  An administrator must modify wimxmlextension.xml when:
–  An admin chooses to use an “LDAP extended attribute” for a custom ID
•  Modify LDAP (not there!)
•  Modify VMM
•  Add the new VMM schema property to wimxmlextension.xml

Populating Profiles

Tivoli Directory Integrator - The Engine

§  TDI acts as the translator to convert data from one source to another
–  In this case from whatever the LDAP directory is to DB2, SQL or Oracle
§  There is no way for companies to create profiles on premises without TDI
§  TDI needs to be installed so the engine and libraries are present
§  How much you customise or work with it is then entirely down to your company’s requirements

Moving Data Into Connections

From simple (manual) to advanced (realtime):
–  Population Wizard: 1 LDAP source > Profiles
–  XML files from TDISOL: 1 LDAP source > Profiles, some data manipulation
–  Assemblyline: multiple data sources, full data manipulation

The DB Wizard

§  The simplest method to move LDAP data to Connections is using the supplied DB Wizard
§  Backup PeopleDB before starting
§  DBWizard is great if you have only a single LDAP source and good data
–  It also helps you get started with customising TDISol (more later)
§  Each step of DBWizard is validated, so you can’t progress through to population unless your LDAP server details are correct
–  That’s a good thing

TDISol

§  The TDISol directory extracts as part of the Connections install
–  You should always check for an updated version on Fix Central
§  It contains all the custom scripts you need to build your own population engine
–  All you need do is complete 4 simple properties files
–  And a batch file
–  And install TDI
–  But that’s it

Important TDISol Files

§  profiles_tdi.properties
–  Pay attention to the guid property in particular
–  Also delete or inactivate users
§  map_dbrepos_from_source.properties
§  map_dbrepos_to_source.properties
–  You can only map an attribute in one direction, so verify the same attribute isn’t mapped in both files or the updates will keep overwriting each other
§  profiles_functions.js
§  solution.properties
§  tdienv.bat / tdienv.sh

Assemblylines

§  What is a TDI Assemblyline?
§  Why would I write my own?
§  Why don’t IBM supply standard ones?
§  What functions are available to me?
§  Working with the Configuration Editor

Multiple Directories

§  Each person must only appear in one directory
§  Multiple directories cannot be deployed using DBWizard
§  Instead use multiple TDISol configurations
–  or a custom Assemblyline

Connections Security

Populating Connections From A Different Directory Than LDAP

§  It’s possible that you would want to authenticate users from one directory but populate profiles from another
§  This is supported and technically it’s not difficult, however:
–  The user data in both directories must match up with the same unique key
–  The user should ideally have the same email address in both directories
–  It significantly increases the complexity of the data and the chances of poor or mismatched information being returned to the users
§  It’s an advanced solution for a very specific use case
–  Far better to be able to use your LDAP authentication server(s) as your data source

Connections Security Users vs Groups

§  Application Security
§  User Access in Communities, Wikis, Activities, Blogs
§  Browsing to grant authority in applications
§  Cached security and group memberships in WAS
§  Nested group behaviour (more on that later from Terri)

Groups: Configuration, Twists and Turns

Groups Overview: Overview

§  Group Expansion: “Given a group name, return all its members”
–  A list of members in a particular group
–  Functionality is provided through a series of “type-ahead” or “Group Browse” dialogs
–  Search for groups using type-ahead
•  Type in exact group names, OR partial
•  Nested groups: can expand groups at each level of nesting
§  Group Membership: “Give me all the groups that a given user or group is a member of”
–  Used to compute user, group and community membership across Connections applications (Activities, Communities, Files and Wikis)
–  Used by each application to grant access to content, adding or modifying membership etc.
–  LDAP directories can be deployed to use nested groups (groups that contain group members)

Groups: An overview (cont’d)

§  Determining group membership has the potential to affect the performance of Connections applications, as well as directory providers (LDAP).
–  Computing membership can affect performance
–  Nested groups can have an impact on performance
§  Connections makes every attempt to act "responsibly" and optimize its membership checking functionality
–  Membership is determined by enumerating through all member attributes for a particular group entry
–  The attribute differs depending on each LDAP service provider
–  If nested groups are deployed in LDAP and enabled in WAS, those groups will be enumerated as well
§  Nested groups require an operational attribute:
–  Why? (That is why I had the BIG BLUE CLOUD APPEAR!)
–  Enables Connections to utilize the efficient manner that LDAP providers use to enumerate group membership.

Groups: Membership Configuration in WebSphere (WAS):

§  Operational attributes:
–  attributes that have special meaning to the Directory Server
–  maintained by the server and reflect information the server manages about an entry/server operation.
§  Necessary items to configure in WAS for group membership functionality:
–  Member: an attribute that indicates the groups to which an entry belongs
•  has distinguished name syntax, is multi-valued, and has an objectclass associated with it (objectclass basically defines the collection of attributes that can be used to define an entry)
–  Membership (using operational attributes)
§  LDAP example we’ll go through configuring in WebSphere (WAS)

Groups: Membership Configuration in (WAS):

§  Connections requires that group membership be configured in WAS
§  From the WAS Admin Console:
§  Navigate to Global Security Tab → Federated Repositories → Manage repositories → select your LDAP:
§  Select “Group attribute definition” from the Additional Properties section:
§  Add the membership attribute
§  Nested Groups? Use the operational attribute for nested
Why? (Remember that big blue cloud?) Connections uses the performance-minded operational attribute for membership checking!

Groups: Membership Configuration in Websphere (WAS):

§  Choosing the name of the group membership operational attribute:
–  Dependent upon the LDAP repository configured in WAS!
§  Choose scope of the group membership attribute:

Groups: Member Configuration in WAS

§  Connections requires that group member attributes be configured in WAS:
–  Necessary for Connections' support of group expansion
–  Also a factor in Connections' support of group membership (as previously mentioned)
§  From the WAS Admin Console:
–  Navigate to Global Security Tab → Federated Repositories → Manage repositories → Select your LDAP → Select the member attribute from the Additional Properties section
§  Enter the Member attribute/Objectclass pairing required for your particular LDAP service:

LDAP Objectclass/Attribute pairings table:

Nested Groups: (Now the hard part!) “A few twists and turns” - IBM Tivoli Directory Server…

§  IBM Tivoli Directory Server (ITDS) requires a specific set of Attribute/Objectclass pairings to be deployed in the LDAP directory for nested groups:
§  Membership:
–  The LDAP operational attribute for ITDS is “ibm-allGroups”
–  ITDS must be configured to contain nested group entries using the auxiliary objectclass “ibm-nestedGroup”
§  Member:
–  Add the “ibm-memberGroup” member attribute in the “Name of member attribute” dialog
–  Add the auxiliary objectclass “ibm-nestedGroup” denoting the objectclass of the nested group entries in the ITDS directory itself.
–  Select “Direct” (applies to members themselves)

Nested Groups: ITDS and Member:

§  ITDS should also have groups deployed using the standard supported default attribute/objectclass pairings:
–  *uniquemember/groupOfUniqueNames (as documented in the upcoming table)
§  The Connections / WAS administrator may not be the same person as the LDAP administrator: i.e. there needs to be coordination!

Nested Groups: “A few twists and turns” - Domino Directory Server…

§  Groups in Domino are “Flat Groups”
§  What is a Flat Group?
–  A group that exists in the root level of a LDAP directory.
–  Unlike a hierarchical group, it does not have a tree-like structure: “cn=group1”
§  How to configure WebSphere to find Domino flat groups?
–  wimconfig.xml is your customization tool!
–  Edit and replace:
<config:baseEntries name="o=ORGX" nameInRepository="o=ORGX"/>
with
<config:baseEntries name="" nameInRepository=""/>
–  Replace
<config:participatingBaseEntries name="o=ORGX"/>
with
<config:participatingBaseEntries name=""/>
§  The wimconfig.xml file is stored in the following location:
Linux: /opt/IBM/WebSphere/AppServer/profiles/<profile_name>/config/cells/<cell_name>/wim/config
Windows: <drive>:\IBM\WebSphere\AppServer\profiles\<profile_name>\config\cells\<cell_name>\wim\config

Nested Groups: “A few twists and turns” - Active Directory

§  The LDAP operational attribute for Active Directory is “memberOf”
§  However, by default Active Directory does NOT expand nested groups
§  WebSphere has compensated for this:
–  Configure WAS using “memberOf”
–  Set the group membership scope to DIRECT (telling VMM not to depend on LDAP to do the nested expansion for us!)
§  Connections also must do its part!
–  Connections 4.5: get the iFix (LO80435)
–  Connections 5.0 CR1: fixed in that
–  Enable the JVM to indicate you WANT it to chase nested groups:
•  Add the following to Generic JVM arguments:
-Dcom.ibm.connections.recursively.search.membership=true
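To make the direct-versus-nested distinction concrete, here is an added example (not from the deck and not IBM's code) that models a constructed directory with nested groups and a group cycle, computes what an AD-style memberOf attribute returns for a user versus what a recursive walk returns, and shows how an access check against a nested group differs between the two. All DNs are made up.

```python
# Constructed directory: group DN -> member DNs (users or other groups). All DNs
# are made up; platform and engineering reference each other to form a cycle.
DIRECTORY = {
    "cn=all-staff,ou=groups,dc=iris,dc=com": [
        "cn=engineering,ou=groups,dc=iris,dc=com",
        "cn=sales,ou=groups,dc=iris,dc=com",
    ],
    "cn=engineering,ou=groups,dc=iris,dc=com": [
        "cn=platform,ou=groups,dc=iris,dc=com",
        "cn=Amy Jones2,ou=users,dc=iris,dc=com",
    ],
    "cn=platform,ou=groups,dc=iris,dc=com": [
        "cn=Bob Smith,ou=users,dc=iris,dc=com",
        "cn=engineering,ou=groups,dc=iris,dc=com",  # cycle: platform -> engineering -> platform
    ],
    "cn=sales,ou=groups,dc=iris,dc=com": [
        "cn=Carol White,ou=users,dc=iris,dc=com",
    ],
}


def member_of_direct(directory, dn):
    """What an Active Directory memberOf attribute holds for `dn`: only the groups
    that list it as a member directly. This is the DIRECT scope the slide configures."""
    return {group for group, members in directory.items() if dn in members}


def member_of_recursive(directory, dn):
    """Transitive membership: direct groups plus the groups those groups belong to,
    the expansion Connections performs itself when recursively.search.membership
    is enabled. Groups already collected are not revisited, so cycles terminate."""
    found, pending = set(), [dn]
    while pending:
        for group in member_of_direct(directory, pending.pop()):
            if group not in found:
                found.add(group)
                pending.append(group)
    return found


def expand_group(directory, group_dn):
    """Group expansion ("given a group, return all its members"), flattening nested
    groups and tolerating cycles. Returns the set of user DNs."""
    users, seen, pending = set(), set(), [group_dn]
    while pending:
        group = pending.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in directory.get(group, []):
            if member in directory:   # the member is itself a group: descend into it
                pending.append(member)
            else:
                users.add(member)
    return users


def has_access(directory, user_dn, acl_group_dn, chase_nested):
    """ACL check: is the user a member of the group named in the ACL? With direct
    scope only, a user nested two levels down is denied; with recursion they are granted."""
    groups = (member_of_recursive if chase_nested else member_of_direct)(directory, user_dn)
    return acl_group_dn in groups


if __name__ == "__main__":
    bob = "cn=Bob Smith,ou=users,dc=iris,dc=com"
    staff = "cn=all-staff,ou=groups,dc=iris,dc=com"
    print("direct:   ", sorted(member_of_direct(DIRECTORY, bob)))
    print("recursive:", sorted(member_of_recursive(DIRECTORY, bob)))
    print("all-staff expands to:", sorted(expand_group(DIRECTORY, staff)))
    print("bob in all-staff ACL, direct only:", has_access(DIRECTORY, bob, staff, False))
    print("bob in all-staff ACL, chasing nested:", has_access(DIRECTORY, bob, staff, True))
```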

Nested Groups: CCM Integration

§  Connections/CCM Integration
–  In Connections 4.5, CCM (Filenet) makes an effort to manually expand nested groups on its own
•  To disable this functionality it is recommended you set the JVM argument:
-Dibm.filenet.security.connectionsProvider.disableRecursiveParentCall=true
–  In Connections 5.0 and above, the Connections Installer does this for you!

External Users

How Does It Work - The Brief Version

In general an external user is limited to participating in a restricted community they are invited into

This isn’t a bad thing

Screenshots: Internal Homepage vs Visitor Homepage; Internal Community Page vs Visitor Community Page; Internal My Profile vs Visitor My Profile

As A Visitor

§  You can add tags but not see existing tag lists
§  You can view partial business cards but not full profiles
§  You can search for content but that only finds things that are shared with you
§  You can share files but only with the Communities you are part of, not with people directly

Single Sign On

SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism, known as NTLM or Kerberos in Active Directory

SPNEGO Example For WebSphere

Steps:
1  User logs into Windows
2  Active Directory generates SPNEGO token
3  User tries to access Connections
4  Browser sends SPNEGO token to WebSphere along with user name
5  WebSphere contacts Active Directory to validate token and retrieve the user’s name

Setting Up SPNEGO

Set up a SPN for the IHS and Connections application servers in Active Directory
Use a dedicated account that you use to start WebSphere as a service
Run: setspn -a HTTP/<ihs hostname> <account running WAS>

If AD isn’t the LDAP being used then the LDAP entry should be updated with the AD name, e.g. for Domino update person documents with the AD name appended to FullName (and optionally others like krbPrincipalName and LTPA User Name)

Why Not SPNEGO

It requires Active Directory
It requires users to login to Active Directory
It requires Microsoft supported browsers*
It requires a Windows client for the users*
It requires a Windows platform*
It doesn’t work at all if the user is remotely connecting and not logging into Active Directory
It has a very specific use case

* all these asterisks mean there are ways to extend to other platforms, often using 3rd party addons

What Is SAML

Security Assertion Markup Language

SAML is a protocol and process for exchanging authorisation and authentication data for a user between services and servers

Diagram: one IdP (Identity Provider) serving several SPs (Service Providers)

No passwords… to compromise, to expire, to intercept

Once a user has authenticated with the IdP they won’t be asked again

SAML Example

Steps:
1  User attempts to log in to a website
2  User is redirected to Identity Provider
3  Identity Provider requests authentication or (if user is logged in) returns credentials
4  User is redirected back to original site with SAML assertion attached
5  Original site uses its SAML Service Provider to confirm SAML assertion and grant access

Definitions

§  IdP - Identity Provider (SSO)
–  ADFS (Active Directory Federation Services in Windows 2008 and Windows 2012)
•  SAML 2.0 only
•  can be combined with SPNEGO
•  Enhances Integrated Windows Authentication (IWA)
–  TFIM (Tivoli Federated Identity Manager)
•  SAML 1.1 and 2.0

Definitions

§  SP - Service Provider
–  IBM WebSphere
•  By extension some applications installed under WebSphere
–  IBM Domino (web federated login)
–  IBM Notes (requires ID Vault) (Notes federated login)

More Definitions

§  IdPs (Identity Providers) use HTTP or SOAP to communicate to SPs (Service Providers) via XML based assertions
§  Assertions have three roles
–  Authentication
–  Authorisation
–  Retrieving Attributes
§  An IdP can service many service providers
§  A SP can be connected to several IdPs
§  An IdP can use a variety of authentication methods including multi factor

Setting Up SAML

§  Choose your IdP if you don’t already have one
–  whichever fits best in your business
§  Build the IdP
§  Configure the SP
§  Sounds easy, doesn’t it?
–  It’s really not easy by any means, but it is worth the investment in time

SAML Support In Connections

§  WebSphere supports SAML, but that doesn’t mean all applications run under WebSphere support it
§  Where SAML is configured for authentication and can’t be used by an external application, WebSphere can generate a LTPA token
§  FileNet / CCM does not support SAML
§  Metrics/Cognos can’t run in a SAML enabled cell and must be deployed in its own cell with LTPA
§  Connections Mail, Desktop and Mobile applications cannot use SAML
§  Browser access to the rest of the Connections applications (homepage, profiles, activities, communities etc.) is supported

IBM PreApproval Process - SAML Isn’t Supported Without It

§  SAML integration with IBM Connections is supported in specific circumstances
§  WebSphere supports SAML but that doesn’t mean all applications that run under WebSphere do
§  Specific configuration instructions and fixes are only available from IBM Support once pre-approval has been completed
§  The pre-approval process is a questionnaire that must be completed and submitted to IBM so support can evaluate if your environment can be supported
–  IBM will also advise the best deployment for SAML to meet your needs
–  There is no one size fits all solution

Configuring SAML With IBM Connections

§  There are two methods for configuring SAML with IBM Connections
§  For both, the IdPs (Identity Providers) tested are ADFS and TFIM
–  Those are the IdPs publicly documented for WebSphere
–  That’s not to say other IdPs wouldn’t be supported if accepted for pre-approval
§  WebSphere acts as a SP (service provider) and configuration is completed in the cell under Global Security
–  This means SAML instructions are applied to all applications in the cell
§  SAML can be deployed using WebSphere’s default authenticator or using SAML redirection
–  Using the default authenticator gives more scope for external applications
–  IBM will advise the best deployment based on your completed questionnaire

Engage Online

§  SocialBiz User Group socialbizug.org –  Join the epicenter of Notes and Collaboration user groups

§  Social Business Insights blog ibm.com/blogs/socialbusiness –  Read and engage with our bloggers

§  Follow us on Twitter –  @IBMConnect and @IBMSocialBiz

§  LinkedIn http://bit.ly/SBComm –  Participate in the IBM Social Business group on LinkedIn

§  Facebook https://www.facebook.com/IBMConnected –  Like IBM Social Business on Facebook

Notices and Disclaimers Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL IBM BE LIABLE FOR ANY DAMAGE ARISING FROM THE USE OF THIS INFORMATION, INCLUDING BUT NOT LIMITED TO, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF PROFIT OR LOSS OF OPPORTUNITY. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.

References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

IBM, the IBM logo, ibm.com, BrassRing®, Connections™, Domino®, Global Business Services®, Global Technology Services®, SmartCloud®, Social Business®, Kenexa®, Notes®, PartnerWorld®, Prove It!®, PureSystems®, Sametime®, Verse™, Watson™, WebSphere®, Worklight®, are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml.