SHOW100: AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Rob Axelrod, Technotics
Andy Pedisich, Technotics
© 2014 IBM Corporation

Meet Your Presenters! About Technotics, Inc.
Technotics was founded in 1998 as a consultancy focused on collaboration in the enterprise. Since then we have provided strategic advice, project management and technical support to organizations worldwide, focusing on high levels of customer engagement and long-term relationships. Our services include environmental audits, premium support, executive briefings on cloud-based collaboration, and migrations between messaging and collaboration systems.
Contact Andy at andyp@technotics.com or Rob at rob@technotics.com.

Legal Stuff
IBM trademarks: Domino®, Lotus Notes®, Notes®
Microsoft, Windows, Windows NT, ADFS, Active Directory, IIS and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Chrome is a trademark of Google Inc.

Agenda
– Overview of presentation and key concepts
– Prerequisites
– Show & Tell Time!
– Testing and Troubleshooting
– Wrap Up

What kind of presentation is this?
Since this is a Show & Tell we are going to focus on "how" questions rather than "why" questions. We will be here for another couple of days and would be glad to talk about "why" and conceptual issues if you catch up with us after the presentation or email us after the conference. With an eight-hour speaking slot we could go into all of the underlying conceptual issues and configuration options, but that isn't what Show & Tell is about.
There is another session on the topic that will be more conceptual: "BP104: Simplifying The S's: Single Sign-On, SPNEGO and SAML".
We are going to focus on the Domino/Notes side of the house rather than the ADFS side, though we will cover the parts of ADFS configuration that are specific to getting Domino and Notes working with it.

Overview
Since you are here we assume you are familiar with most of the basic concepts, but it is worth levelling everyone, so we will take a couple of minutes to go over them.

Warning! - This is hard!
Of everything we have ever done with Domino and Notes administration this is the most complex. To configure and maintain the setup you should have the following knowledge available, in yourself, a colleague, a consultant, or all combined.
– Strong and comprehensive knowledge of:
  • Domino server administration
  • Notes client configuration and security
  • Active Directory configuration at your company
– General knowledge of:
  • ADFS
  • SAML concepts
  • SSL configuration on Domino and in Windows/IIS
  • Enterprise browser configuration
  • Even a bit of PowerShell is helpful for configuration of ADFS and AD
If ADFS is already implemented and in use in your organization you will have a much easier time of it.

Key Concepts: SAML
SAML (Security Assertion Markup Language) is a widely implemented standard for exchanging authentication and authorization information between systems.
– Identity Providers (IdPs) validate the user's identity and issue the tokens (assertions) that identify them. For our purposes today AD FS is the identity provider; others include Tivoli Federated Identity Manager, Ping, Oracle and SecureAuth.
– Service Providers (SPs) are the application servers or systems that consume the authentication information. In this case: Domino and Notes.
Key Concepts: Kerberos/SPNEGO/IWA
Kerberos, SPNEGO and IWA (Integrated Windows Authentication) are the protocols that let you authenticate to the AD domain and then let applications negotiate seamless authentication on the strength of that login. Without them the SAML IdP would need some other form of user validation, such as a username/password, biometric or multi-factor authentication.
– IWA specifically is the term for automatic login to applications predicated on your login to AD.

Key Concepts: Domino ID Vault
ID Vault is a prerequisite for using SAML with Notes. It was introduced in 8.5 and stores users' ID files in a database on the server to provide the following capabilities:
– Password reset through a server transaction
– Transparent replacement of ID files on workstations
– Server-driven delivery of an unlocked ID to trusted applications for authentication, encryption and signing
– For details on setup and configuration see my older presentation on the topic: https://drive.google.com/file/d/0B_kd3zUkll9OaEdmNXA3S0hlYXM/edit?usp=sharing
– Or the documentation: http://www-10.lotus.com/ldd/dominowiki.nsf/xpDocViewer.xsp?lookupName=Administering+IBM+Domino+9.0.1+Social+Edition#action=openDocument&res_title=Planning_an_ID_vault_deploymentd901&content=pdcontent&sa=true

Demonstration
When we talk to organizations about implementing SAML they often aren't 100% clear on what it gives them in the end state, so we thought it would be a good idea to quickly show you what you get when you implement it:
– Logging into Domino web apps without a password.
– Logging into Notes without a password.

Demo Environment
This is just about the most complex demo to set up that we ever do. For most demos we can get away with a couple of VMs running locally, or even just a server and client on the local machine. NOT THIS TIME! We set up the demo environment in Microsoft Azure, where it was easy to spin up machines and fairly reasonable in cost.
Here are the components of the environment:
– Primary Domain Controller - Windows 2008 R2
– ADFS Server - Windows Server 2012
– Domino Server 9.0.1 64-bit - Windows 2008 R2
– Domino Administrator client 9.0.1 (admin rights to everything)
– Notes client workstation 9.0.1 (standard user privileges)
On the next slide we provide links to help you do this yourself at home on Azure, but you can just as easily do it on Amazon or on IBM's offerings.

Demo Environment (continued)
If you want to set up an environment like this yourself you will need to build an Active Directory forest in Azure and then join machines and users to it. Since this took us a while to figure out, here is a shortcut: the links that walk you through it.
– Installing AD and joining machines
  • Install Active Directory forest in a Windows Azure network
  • Guidelines for Deploying Windows Server Active Directory on Windows Azure Virtual Machines
  • Add a virtual machine to a virtual network - Windows Azure
  • Create a virtual network - Windows Azure service management
– Installing ADFS (it is good to have an expert help out with this)
  • Next steps for completing your AD FS installation
  • Manually Configure a Service Account for a Federation Server Farm
  • Configuring Advanced Options for AD FS 2.0

Prerequisites for Implementing SAML with ADFS & Domino

Prerequisites Overview
On the next couple of slides we go over what you need to have in place to make SAML/ADFS work. None of these items is specific to SAML; they are general Domino and AD configurations that you should probably have in place regardless of whether you use SAML, and they are all well documented.

Domino Prerequisites: Security Policies
Security policies need to be implemented.
– You need policies to make just about any new feature of Domino work, and security policies are probably the most important for a variety of reasons.
– Later we will get into the specifics of what you need in the security policy to implement SAML, but get the basics set up before you even try SAML.

Domino Prerequisites: ID Vault (for Notes client use and some iNotes use cases)
– ID Vault was just about the best feature in 8.5, so if you haven't implemented it, do it NOW.
– Do this well in advance of implementing SAML, because the vault needs time to collect all of the IDs.
– The policy configuration won't even let you set up SAML until your ID Vault is configured.

Domino Prerequisites: At least Domino and Notes 9, preferably 9.0.1
– If you try this with 9.0 and need to call support for any reason, expect them to "suggest" that you upgrade to 9.0.1.
– Do you really want to implement a feature on its "dot zero" release?

Domino Prerequisites: SSL certificates on your Domino servers
– While you can issue these from an internal CA we always recommend a commercial CA, particularly for the SAML/ADFS configuration. The issue is not that a commercial CA is more secure; it simply means you don't need to worry about browsers or Notes trusting the certificates.
– It is basic good practice to have SSL running anywhere you have HTTP running. If you don't, it is very easy for people within your organization to capture passwords and all kinds of other goodies. With SAML the stakes go up: the signed assertion and the resulting LTPA session token both travel through the browser to Domino, so a clear-text hop exposes a session-granting credential, not just a password.

AD Prerequisites: A matching key attribute between Active Directory and Domino
– We strongly recommend that the user's SMTP address (the Notes InternetAddress field) be in their AD mail attribute. This is the easiest model, since it is a common and unique attribute to use in SAML assertions.
– Alternatively you could store the AD DN in a Notes attribute, or the Notes canonical name in an AD attribute, but neither is as useful and easy as having the mail attribute populated with the SMTP address.
– Whichever you pick, it must be unique on both sides: the NameID in the assertion is what Domino looks up, so a duplicate or stale mail value means the wrong Person document can be matched.
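Before trusting the mail attribute as the lookup key it is worth checking it across the directory. The following PowerShell is an added example written for this page, not part of the SHOW100 deck or of any IBM or Microsoft tooling; the function name, the sample accounts and the addresses are constructed. It flags the three conditions that break the "mail equals SMTP address" model: enabled accounts with no mail value, the same address on more than one enabled account, and disabled accounts that still hold an address an enabled account uses.

```powershell
# Added example (not from the SHOW100 deck): audit the AD 'mail' attribute that
# the SAML NameID will carry, before relying on it as the Domino lookup key.
# Function and sample data are constructed; in production feed it Get-ADUser output.

function Find-SamlKeyProblems {
    param(
        # Objects with SamAccountName, Enabled and Mail properties
        # (the shape of Get-ADUser -Properties mail, see the usage note below)
        [Parameter(Mandatory)] [object[]] $Users
    )

    $enabled = @($Users | Where-Object { $_.Enabled })

    # 1. Enabled accounts with no mail value: ADFS issues no NameID for them,
    #    so Domino has nothing to match and the login simply fails.
    $missing = @($enabled | Where-Object { [string]::IsNullOrWhiteSpace($_.Mail) })

    # 2. The same address on more than one enabled account (compared
    #    case-insensitively, as Domino's lookup is): the assertion no longer
    #    identifies exactly one person.
    $dupes = @($enabled |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_.Mail) } |
        Group-Object { $_.Mail.Trim().ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 })

    # 3. A disabled account still holding an address that an enabled account
    #    uses is the classic re-hire / rename collision; flag it too.
    $enabledMail = @{}
    foreach ($u in $enabled) {
        if ($u.Mail) { $enabledMail[$u.Mail.Trim().ToLowerInvariant()] = $true }
    }
    $stale = @($Users | Where-Object {
        -not $_.Enabled -and $_.Mail -and $enabledMail.ContainsKey($_.Mail.Trim().ToLowerInvariant())
    })

    [pscustomobject]@{
        MissingMail   = @($missing | ForEach-Object { $_.SamAccountName })
        DuplicateMail = @($dupes   | ForEach-Object { $_.Name })
        StaleDisabled = @($stale   | ForEach-Object { $_.SamAccountName })
    }
}

# Constructed sample standing in for directory output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'rob';     Enabled = $true;  Mail = 'rob@example.com' }
    [pscustomobject]@{ SamAccountName = 'andyp';   Enabled = $true;  Mail = 'andyp@example.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith';  Enabled = $true;  Mail = 'JSmith@Example.com' }
    [pscustomobject]@{ SamAccountName = 'jsmith2'; Enabled = $true;  Mail = 'jsmith@example.com' } # duplicate key
    [pscustomobject]@{ SamAccountName = 'svc-da';  Enabled = $true;  Mail = $null }                # no key at all
    [pscustomobject]@{ SamAccountName = 'rob-old'; Enabled = $false; Mail = 'rob@example.com' }    # stale, disabled
)

$report = Find-SamlKeyProblems -Users $sample
$report | Format-List
# Expected for the sample: MissingMail = svc-da, DuplicateMail = jsmith@example.com,
# StaleDisabled = rob-old
```

Against the real directory (ActiveDirectory module required) the input is `Get-ADUser -Filter * -Properties mail | Select-Object SamAccountName, Enabled, @{n='Mail';e={$_.mail}}`. The stale-disabled case matters because a disabled AD account does not stop the address being matched on the Domino side if it is ever re-enabled or the attribute is copied to a new account; clean those up before the mail value becomes a credential.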
Other Prerequisites: Time synchronization
– SAML assertions depend on timestamps, so your servers must have correct, or at the very least the same, time. If this is a problem in your organization for any reason, resolve it before proceeding.
– 9.0.1 introduced two notes.ini parameters that give you some flexibility here:
  • SAML_NotOnOrAfterSkewInMinutes=value - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SAML_NotOnOrAfterSkewInMinutes
  • SAML_NotBeforeSkewInMinutes=value - http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SAML_NotBeforeSkewInMinutes
– These allow up to 10 minutes of skew in either direction between the Domino server and the ADFS server, but that is cheating. Sync your clocks. A wide skew window also lengthens the time a captured assertion remains replayable, so keep it as small as your clocks allow.

Preparing the ADFS Server for Working with Domino: Make friends with your Active Directory administrators
– This is important, because you will need to work with them for many of the next steps. Bring this presentation with you as you walk through the setup with them.
We assume you already have ADFS implemented in your organization. If you don't, these documents will get you started with a basic implementation:
– Domino wiki article/cookbook (extremely helpful): http://www-10.lotus.com/ldd/ndsebetaforum.nsf/topicThread.xsp?action=openDocument&documentId=47C65232A4AD876B85257AD300498BA7
– Supplement it with these Microsoft TechNet articles:
  • http://technet.microsoft.com/library/c66c7f4b-6b8f-4e44-8331-63fa85f858c2
  • http://technet.microsoft.com/en-us/library/dd807078.aspx

Preparing the ADFS Server for Working with Domino: Disable Extended Protection
To make IWA work with Chrome, Firefox and, most importantly, Notes, you need to disable a Windows feature that does not work with any of those.
The feature is "Extended Protection for Authentication" (channel binding). Understand the trade-off before you turn it off: it ties the Kerberos/NTLM handshake to the TLS channel so an intercepted handshake cannot be relayed to another server, and disabling it on the ADFS endpoint removes that protection for every client, not only the ones that cannot do it.
– In Windows 2008 and earlier versions of ADFS you turn it off through the IIS UI. Get to the dialog by selecting, in the left panel, Sites - Default Web Site - adfs - ls.
– With that selected, select "Windows Authentication" in the middle panel.
– Then select "Advanced Settings" in the right panel.
– Set "Extended Protection" to Off.

Preparing the ADFS Server for Working with Domino: Disable Extended Protection (continued)
If you are running Windows 2012 R2 or newer you need to use PowerShell, because ADFS no longer runs on IIS.
– There are two settings to configure; the PowerShell commands are below.
  • Disable the extended protection token check:
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
  • The second setting determines which browser user agents may use IWA. Firefox/Mozilla are not on the list by default, and since that is what Notes presents, you are out of luck unless you update it. Add any other user agents that you want to use IWA; find the exact strings in your domlog.nsf or web logs.
    Set-AdfsProperties -WIASupportedUserAgents ("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Mozilla/4.0", "Mozilla/5.0")
  • Note that this command replaces the whole list rather than appending to it, so include every existing entry you still need. Be aware too that "Mozilla/5.0" matches practically every modern browser, so with it on the list any client whose user agent matches gets an IWA challenge instead of the forms sign-in page, which on a non-domain machine means a credential prompt.

Show & Tell!

What do we need to do to set up SAML/ADFS?
– Create and configure the IdP Catalog (idpcat.nsf)
– Create a relying party trust on ADFS
– Configure Directory Assistance
– Configure Domino server HTTP settings
– Set up Domino user security policies
– Configure the ID Vault for SAML
– Configure browsers

Setting up the IdP Catalog in Domino
idpcat.nsf is the database in Domino that stores the SAML configuration.
Before we set up AD FS it is helpful to get this configured. Check whether it is already present on your server; if not, create it.

Creating the idpcat.nsf
– Create a new database with the filename idpcat.nsf (use lower case to make it portable across operating systems).
– Give it a title that makes sense.
– Use the IdP Catalog (idpcat.ntf) template. It is an "Advanced Template" on the server.
– A replica of this database needs to be on the same server that hosts the ID Vault.
– It should have a very tight ACL: only administrators and the servers that host the file should have access to it. It holds the IdP's token-signing certificate that Domino uses to validate assertions, so anyone who can edit it can change which IdP Domino trusts.

Start to set up the configuration in idpcat.nsf
– Select "Add IdP Config".

Populate the IdP config with enough info to generate idp.xml
We populate the document with enough information to export an XML file that we can import into AD FS.
– Host names: the host name(s) of the Domino server. This is important, because it is matched against the Internet Site documents.
– IdP name: an identifier for administrative use; it can be anything you want.
– Protocol version: with ADFS it needs to be SAML 2.0.
– Federation product: ADFS (if not, you are in the wrong session).
– Service provider ID: usually the URL of the server. This links to an entry in the ADFS configuration that we set up later.
– The additional attributes on this screen should be left blank; they are filled in automatically when you import the federation metadata from the ADFS server (FederationMetadata.xml).

Retrieve the FederationMetadata.xml file
The file is available at https://YOURADFSSERVER.YOURDOMAIN.com/FederationMetadata/2007-06/FederationMetadata.xml
– Use a browser that is configured to download XML files as a file rather than opening them. Chrome does this by default, whereas IE tends to open it.
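What the import pulls out of that file is the trust anchor for every later login, so it is worth looking at the file before you import it. The following PowerShell is an added example written for this page, not part of the deck or of any IBM or Microsoft tool; the function name, the host names and the short metadata document are constructed, and the base64 blob in it is placeholder bytes rather than a real certificate. It extracts the entityID, the HTTP-POST sign-on and logout endpoints, and the SHA-1 thumbprint of each signing certificate, so the thumbprint can be compared with what the ADFS administrators read from Get-AdfsCertificate -CertificateType Token-Signing.

```powershell
# Added example (not from the SHOW100 deck): summarise an ADFS FederationMetadata.xml
# before importing it into idpcat.nsf. Names and the sample XML are constructed.

function Get-IdpMetadataSummary {
    param([Parameter(Mandatory)] [string] $MetadataXml)

    [xml] $doc = $MetadataXml
    # The file uses a default namespace, so XPath needs explicit prefixes.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $idp = $doc.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor found: this is not IdP metadata' }

    # Thumbprint as shown by the ADFS console = SHA-1 over the DER bytes.
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $certs = foreach ($node in $idp.SelectNodes(
                 "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)) {
        $der = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        [pscustomobject]@{
            Thumbprint = ([BitConverter]::ToString($sha1.ComputeHash($der))) -replace '-', ''
            DerBytes   = $der.Length
        }
    }

    $ssoPost = $idp.SelectNodes('md:SingleSignOnService', $ns) |
               Where-Object { $_.Binding -like '*HTTP-POST' } | Select-Object -First 1
    $slo     = $idp.SelectSingleNode('md:SingleLogoutService', $ns)

    [pscustomobject]@{
        EntityId     = $doc.DocumentElement.GetAttribute('entityID')
        SsoPostUrl   = if ($ssoPost) { $ssoPost.Location } else { $null }
        SloUrl       = if ($slo)     { $slo.Location }     else { $null }
        SigningCerts = @($certs)
    }
}

# Constructed, heavily trimmed metadata; a real file also carries an enveloped
# ds:Signature, an encryption KeyDescriptor and WS-Federation sections.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIBkzCCAQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

$summary = Get-IdpMetadataSummary -MetadataXml $sampleMetadata
$summary | Format-List
$summary.SigningCerts | Format-Table
# For the real thing:
# $xml = (Invoke-WebRequest -Uri 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml').Content
# Get-IdpMetadataSummary -MetadataXml $xml
```

The metadata is signed with the very key it introduces, so its own signature cannot bootstrap trust; the thumbprint comparison with what the ADFS team reads off the server is the out-of-band check. Repeat it whenever ADFS rolls the token-signing certificate (automatic rollover is on by default), because a stale certificate in idpcat.nsf stops every SAML login at once.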
Import the FederationMetadata.xml file into the IdP Catalog
– From the IdP configuration document select "Import XML file" and navigate to wherever you downloaded FederationMetadata.xml. Select the file and click Open.
– Note that the fields on the first tab get filled in. The "Artifact resolution service URL" stays blank; that is OK.

Set the Notes Client Settings tab
Assuming you want to use SAML with the Notes client, configure this tab.
– Enable Windows Single Sign-On: this is what removes the password prompt when using ADFS and Kerberos. If you are using ADFS on domain-joined machines, "Yes" is the answer.
– Sites that are trusted: additional host names that might serve as identity providers (for example, different host names on different networks).
– Enforce SSL: as a rule this enhances security. Just make sure all your SSL certificates are implemented correctly.

Certificate Management tab
– Fill in a company name. It is only used as an identifier when you import this into ADFS, so it can be whatever you want; if your AD team has naming rules, conform to them.
– Click the "Create Certificate" button. If you haven't saved the document you will be warned that you have to. Save the document and click the button again.
– Once the key is generated, two new fields become visible:
  • Domino URL: the URL of the Domino server. It must match the URL in the relying party trust you are going to create in ADFS; since you export/import this document, it will. Enter https://YourDominoServer.YourDomain.com
  • Single logout URL: https://YourADFSServer.YourDomain.com/adfs/ls/?wa=wsignout1.0/slo

Export your idp.xml file from the idpcat.nsf document
Now you are ready to generate the idp.xml file that you will import into ADFS to create the relying party trust.
Click "Export XML" and after a couple of seconds an idp.xml attachment appears on the first tab of the form. Save this attachment to your hard drive just as you would any attachment. Save and close the idpcat.nsf document.

Creating a Relying Party Trust in ADFS
Now we are ready to create the relying party trust in ADFS. The relying party trust is the object in ADFS that tells it how to work with a service provider like Domino. Make sure you have the idp.xml file you created in the last step ready.
Note that the screenshots on the next pages are for ADFS 2.0 running on Windows 2012; on Windows 2008 R2 some screens might differ slightly, but there shouldn't be anything of major consequence.
– Launch the AD FS Management console.
– Navigate to Relying Party Trusts under AD FS / Trust Relationships.
– From the Actions menu in the right panel select "Add Relying Party Trust".
– Walk through the wizard: select "Start".
– Select to import data about the relying party from a file, and use the idp.xml file you created in the last step.
– Ignore the warning. According to this technote you can ignore it, and we haven't seen problems as a result: http://www-01.ibm.com/support/docview.wss?uid=swg21634631
– Enter a display name. This is just a reference value shown in the management console; your AD admins can pick something that makes sense to them.
– Don't configure multi-factor authentication (unless you want to and really know what you are doing). Just click Next.
Since you will hopefully be working with your AD team at this point, they can guide you if your organization uses multi-factor authentication and you need to configure it.
– Permit all users to use this trust: leave the default selection and click Next. This lets every AD account obtain an assertion for Domino; what they can then open is still governed by Domino ACLs, so if only a subset of users should reach Domino at all, narrow it later with an issuance authorization rule.
– Look over your settings. Once you click Next here you can't go back through the wizard, though you can change things later through the Properties dialog. Once you are satisfied (or if you never make mistakes) click Next.
– Get ready to edit the claim rules and close the wizard. Leave the "Open the Edit Claim Rules dialog..." box checked, since we need to do this anyway; when you close the wizard it takes you straight to the next step.

Add a Claim Rule
The claim rule defines the information presented in the SAML assertion passed to the Domino server, and in particular how the user name is presented. Our goal is to have ADFS pass the email address to Domino, so that Domino can match it to the person's Person document and render the Domino distinguished name for authorization. You would do this differently if you had Domino distinguished names stored in AD.
– Click "Add Rule" on the first tab.
– Choose rule type: select "Send LDAP Attributes as Claims" and click Next.
– Configure the claim rule:
  • Claim rule name: something descriptive, such as EmailAddressToNameID
  • Attribute store: Active Directory
  • LDAP attribute: E-Mail-Addresses
  • Outgoing claim type: Name ID
– Click Finish, then OK.

Now your relying party trust is set up
At this point your Domino server and ADFS server trust each other. Are you done yet? Not by a long shot.
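The ADFS-side settings from the last few slides (extended protection, the WIA user agent list, the claim rule and the permit-all authorization rule) can be applied and re-verified in one PowerShell pass, which is easier to review and to keep in change control than wizard screenshots. The script below is an added example written for this page and is not from the deck or from Microsoft; the trust display name and the Domino URL are placeholders, and the WIASupportedUserAgents step applies to ADFS on Windows Server 2012 R2, where that property exists. The claim rule text is the claim rule language that "Send LDAP Attributes as Claims" generates for E-Mail-Addresses to Name ID.

```powershell
# Added example (not from the SHOW100 deck): ADFS-side configuration for the
# Domino relying party trust as an idempotent script. Run on the federation
# server with the ADFS module loaded (2012 R2: built in; ADFS 2.0:
# Add-PSSnapin Microsoft.Adfs.PowerShell). Names are placeholders.

$trustName = 'Domino 9 SAML'                 # display name chosen in the wizard
$dominoUrl = 'https://domino.example.com/'   # the Domino URL from idpcat.nsf

# 1. Extended Protection off for /adfs/ls. Record the previous value: this
#    weakens relay protection for every client, so it belongs in the change log.
$before = (Get-AdfsProperties).ExtendedProtectionTokenCheck
if ($before -ne 'None') {
    Write-Host "ExtendedProtectionTokenCheck was '$before'; setting None"
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
}

# 2. Add the Gecko user agents Notes presents, keeping what is already listed
#    instead of overwriting the whole list as the one-line command does.
$wanted  = @('Firefox/25.0', 'Mozilla/4.0', 'Mozilla/5.0')
$current = @((Get-AdfsProperties).WIASupportedUserAgents)
$toAdd   = @($wanted | Where-Object { $current -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Set-AdfsProperties -WIASupportedUserAgents ($current + $toAdd)
}

# 3. Issuance transform rule: AD mail attribute -> SAML NameID.
$issuanceRules = @'
@RuleName = "EmailAddressToNameID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail;{0}", param = c.Value);
'@

# 4. Authorization rule equivalent to the wizard's "Permit all users".
$authzRules = '@RuleName = "Permit all" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

$trust = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $trust) { throw "Relying party trust '$trustName' not found; create it from idp.xml first" }
if (@($trust.Identifier) -notcontains $dominoUrl) {
    Write-Warning "Trust identifiers ($($trust.Identifier -join ', ')) do not include $dominoUrl; check the Domino URL in idpcat.nsf"
}

Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authzRules

# 5. Read back what Domino will actually be sent.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules |
    Format-List
```

Step 2 is where the single-line command on the earlier slide bites: Set-AdfsProperties -WIASupportedUserAgents replaces the list, so a later admin adding one agent by hand can silently drop Firefox/Mozilla and break Notes. Reading the current value first makes the change additive and safe to re-run.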
We still need to:
– Configure server HTTP settings
– Set up user security policies
– Configure the ID Vault for SAML
– Make sure our browsers and Notes clients trust all the SSL certificates in use

Directory Assistance
You will want to link AD and Notes names using Directory Assistance. The steps:
– Create a Directory Assistance database on your servers if you don't have one already.
– Reference the Directory Assistance database in your server documents.
– Create an LDAP Directory Assistance document that points to AD.

Create the DA database (if you don't have one already)
– File - Application - New
– Pick your server (you can create replicas when you are done)
– Use the advanced template "Directory Assistance" from the server

Reference the DA database in the server document
– On the first tab of the server document fill in "Directory assistance database name" with the file name you just created.

Create a DA document in the new database to point to AD
– Domain type is "LDAP".
– Domain name is a reference field and just needs to be unique.
– Company name is also just for reference.
– Search order doesn't really matter as long as you don't have other entries.
– You will probably not need to use this for LDAP clients, so you can disable that.
– Check "Group Authorization" so that the additional fields become visible.
– Select "Yes" for "Use exclusively for group authorization or credential authentication" so that this directory is not used for mail addressing.
On the LDAP tab:
– Hostname can be your domain name, because a domain-joined machine will resolve that name to a domain controller.
– LDAP vendor is Active Directory.
– The account needs to be an Active Directory account's DN; get it from AD Users and Computers. It doesn't need any special rights.
– Make sure the password on this account doesn't expire.
– You can leave all the other defaults.
– Since this account's credentials are stored in the DA document and used for every lookup, make it a dedicated, read-only service account, and set channel encryption to SSL on the LDAP tab where your domain controllers support it, so the bind credentials don't cross the wire in clear.

Create an LTPA SSO document if desired
More than likely you already have one and can use it. It lets you authenticate once and then move from Domino server to server without transacting with the ADFS server again.
– Make sure to disable/uncheck "Windows single sign-on integration". That was how you used Kerberos in release 8.5, and it is ignored if you try it with the 9.0 SAML configuration.

Create Internet Site document
Assuming you are using Internet Site documents (if not, you configure these items in the server document, but you should really be using Internet Site documents):
– Navigate to the "Web - Internet Sites" view.
– Click "Add Internet Site - Web" if you are making a new one, or edit your existing document if you already have one you want to use.

Configure Web Site document: Basics tab
– Make sure the host names are correct, because they are used to match the site document to the IdPCat document.
– If you are using SSL (which of course you are), also list the server's IP address in the host name field.

Configure Web Site document: Domino Web Engine tab
– Set session authentication to "SAML".
– You can use a Web SSO configuration so that an LTPA token is generated and people can move between servers without re-authenticating. This is what you created in the previous step.
– If you have set the host names correctly, clicking the "IdP Catalog" button opens the appropriate IdPCat document.
Configure Web Site document: Security tab
– One of the prerequisites for this process is SSL. The Security tab on the Web Site document should reference your SSL certificate (key ring).

Creating SSL cross certificates
You will need to create a cross certificate for the SSL certificate on the ADFS server. This is a fairly involved procedure.
1. Navigate in IE (so the screenshots match; with another browser you are on your own) to https://YourADFSServerName.YourDomain.com/adfs/ls/idpinitiatedsignon.htm
2. Click the padlock next to the URL.
3. Click "View Certificates".
4. Select the Details tab.
5. Click "Copy to File...".
6. Click Next to start the wizard.
7. Leave the default of DER format.
8. Store the file somewhere you will remember.
9. Select Finish.
10. Now import that certificate into the Domino Directory: open the People tab of the Administrator client and navigate to the Certificates view.
11. Select Actions - Import Internet Certificates.
12. Select the file you saved from IE.
13. Check the contents of the screen and click "Accept All".
Not done yet!
14. Find the imported certificate in the view. This may be harder than you think because of how much is in the view; use Ctrl-F and search for the server name.
15. Open the document (you can't do the next step from the view) and select Actions - Create Cross Certificate.
16. Select the listed certificate and click OK.
17. Select a Domino server for "Server" and pick your root certifier as the certifier. You can use either the CA process or the actual certifier ID file.
18. Click "Cross-Certify".
19. Validate that the cross certificate document got created.
If the ADFS SSL certificate is issued by a commercial or enterprise CA, consider cross-certifying the issuing CA certificate instead of (or as well as) the server's own certificate: the cross certificate then survives the next renewal of the ADFS certificate, which otherwise breaks Notes federated login until the steps above are repeated.
Keep in mind that if you selected the CA process to create the cross certificate it may take a little while to be created. You can check admin4.nsf to follow the request.

Create and configure Security Policy settings
Security policy settings are mandatory for making SAML work. We assume you already have policies implemented. If you don't, please don't tell us, because it will make us cry. Seriously: if you don't have any policies implemented, make that the first thing you do when you get home.

Configure the Federated Login tab
– If you don't see the Federated Login tab it is because you don't have the ID Vault configured in this settings document. Remember that ID Vault is a prerequisite.
– Set "Enable Federated login with SAML IdP" to Yes.
– You can use a machine-specific formula to identify which machines use SAML. If your domain-joined machines follow a naming convention, you can write a formula that enables SAML only on those machines.
– You can prompt people with the standard dialogs, or select custom dialogs if you want something localized.

Configure the push of certificates to the client
You need to get the cross certificate you created onto the client. The easiest way is the security policy.
– Go to the "Keys and Certificates" tab.
– At the bottom of the screen click "Update Links".
– Pick "Selected Supported".
– Select the Internet certificates you created in the previous step, then select "Internet Cross Certificates" and check the cross certificate you created in the previous step.
Check that the certificates got copied to the client
– Open the local names.nsf and navigate to the Advanced - Certificates view.

Configure your ID Vault for SAML
– Open your ID Vault database.
– Navigate to the "Configuration" view and open your configuration.
– Populate the appropriate fields with the host name specified in idpcat.nsf for the service provider (the Domino server).

Browser configuration
To make IWA work for your Domino web apps you need some browser configuration. The requirements differ for IE, Firefox and Chrome. This is a case where it is actually easiest in IE (go figure, since we are integrating with AD/ADFS/Windows).
We go through what you need to do for ONE user. Most enterprises have tools to manage their desktops, such as Group Policy, SCCM, etc. Use those tools to push the changes out to your browsers universally.
– Since we are talking about IWA we are talking about domain-joined machines, which by definition are controlled by your AD administrator. If you want to use SAML for non-domain-joined machines, your users will need to enter authentication information in addition to their login to the computer.
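The per-user settings that the next slides walk through by hand reduce to one registry key for IE/Chrome and two preferences for Firefox, so they can be delivered by a logon script or GPO rather than clicked through on each desktop. The following PowerShell is an added example written for this page, not from the deck, IBM or Mozilla; the host names are placeholders, and the Firefox part is demonstrated against a temporary directory standing in for a profile. Note that the IE function writes to the current user's registry for real. The security point is scope: every host on these lists receives the user's Kerberos or NTLM credentials silently, so list the hosts you mean rather than a whole domain.

```powershell
# Added example (not from the SHOW100 deck): script the IE/Chrome intranet zone
# entry and the Firefox IWA preferences for the ADFS (and Domino) hosts.
# Host names are placeholders.

$adfsHost   = 'adfs.example.com'
$dominoHost = 'domino.example.com'

function Add-IntranetZoneHost {
    param([Parameter(Mandatory)] [string] $HostName)
    # IE/Chrome consult ZoneMap\Domains\<domain>\<host>; DWORD "https" = 1 puts
    # the https scheme of that host in zone 1 (Local intranet), where automatic
    # logon with current credentials is the default.
    $parts  = $HostName.Split('.')
    $domain = ($parts | Select-Object -Last 2) -join '.'
    $leaf   = ($parts | Select-Object -First ($parts.Count - 2)) -join '.'
    $key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + $domain
    if ($leaf) { $key = "$key\$leaf" }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -PropertyType DWord -Value 1 -Force | Out-Null
    return $key
}

function Set-FirefoxIwaPrefs {
    param(
        [Parameter(Mandatory)] [string]   $ProfileDir,
        [Parameter(Mandatory)] [string[]] $TrustedHosts
    )
    # user.js is read at startup and overrides prefs.js; one line per preference.
    $list  = $TrustedHosts -join ','
    $lines = @(
        "user_pref(`"network.negotiate-auth.trusted-uris`", `"$list`");",      # Kerberos/SPNEGO
        "user_pref(`"network.automatic-ntlm-auth.trusted-uris`", `"$list`");"  # NTLM fallback
    )
    $userJs = Join-Path $ProfileDir 'user.js'
    $keep = @()
    if (Test-Path $userJs) {
        # Replace only our two prefs, keep whatever else the user has set.
        $keep = @(Get-Content $userJs | Where-Object {
            $_ -notmatch 'network\.(negotiate-auth|automatic-ntlm-auth)\.trusted-uris'
        })
    }
    Set-Content -Path $userJs -Value ($keep + $lines) -Encoding ASCII
    return $userJs
}

# IE/Chrome: the ADFS host is where the Kerberos exchange happens; Domino is
# added so its pages also live in the intranet zone.
Add-IntranetZoneHost -HostName $adfsHost
Add-IntranetZoneHost -HostName $dominoHost

# Firefox: demo against a temp directory. Real profiles are under
# $env:APPDATA\Mozilla\Firefox\Profiles\<id>.default
$demoProfile = Join-Path $env:TEMP 'ff-profile-demo'
New-Item -ItemType Directory -Path $demoProfile -Force | Out-Null
Set-FirefoxIwaPrefs -ProfileDir $demoProfile -TrustedHosts @($adfsHost)
Get-Content (Join-Path $demoProfile 'user.js')
```

With a SAML-authenticated Domino only the ADFS host needs Negotiate trust in Firefox; Domino never sees a Kerberos ticket, it sees the SAML response. Putting the bare domain (for example `example.com`) in either Firefox list would make every host in it eligible for silent credential delivery, which is exactly the pattern NTLM relay attacks rely on.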
Certificates
If you are using commercially issued certificates (Verisign, Thawte, GoDaddy, etc.) your browser will already trust the root certificates. If you are using internally issued SSL certificates you need to make sure all your browsers trust them. We highly recommend commercial certificates because they are so much easier to manage, but if you do use an internal certificate authority there are so many browser versions and CAs that we can't go through the process for each one here, beyond the following:
– IE and Chrome use the OS certificate store, so if you get the root certificate installed for IE you should be OK for Chrome.
– Firefox keeps its own certificate store, so you will need to handle that separately.
– Then there are Opera and Safari and whatever else is out there.

Getting the browser to use IWA: Internet Explorer (Chrome uses these settings too)
– The goal is to make sure your ADFS server (and your Domino servers) are in the "Local intranet" zone and to tell the browser to use IWA for that zone. Keep the zone tight: IE hands the logged-on user's credentials to any site in it without asking.
– Select the gear icon and click "Internet Options".
– Select the Security tab.
– Select "Local intranet" at the top.
– Click "Sites".
– You can select "Automatically detect intranet network".
– Additionally you can define sites under "Advanced".

Getting the browser to use IWA: Mozilla Firefox
– This is a bit of a pain.
– Launch Firefox.
– Go to the URL about:config.
– You will get the scary warning that you might void your warranty. Be brave and click the button saying you will be careful.
Slides 99 and 100: Getting the Browser to Use IWA
Mozilla Firefox
– In the search bar type network.a
– The setting you want to change is network.automatic-ntlm-auth.trusted-uris
– Find it and double-click on it
– Enter either the host name of your ADFS server or the domain for the ADFS server
– Click OK

Slide 101: Getting the Browser to Use IWA
Mozilla Firefox
– One more setting to take care of. You want to add your ADFS server to the list of trusted sites.
– Type network.n in the search bar.
– The setting you want to change is network.negotiate-auth.trusted-uris
– Again you should populate this with either the ADFS server’s host name or your domain name. Multiple entries should be separated with a comma.

Slide 102: While we are talking about Firefox…
It is worth noting that the Notes client uses the same engine as Firefox, so if you are having trouble getting Notes to work with IWA it might be easier to first troubleshoot with Firefox. If you can get Firefox to log in without prompting for a password then the problem is most likely something in Notes, like local copies of certificates or incorrect policies. On the other hand, if you can’t get Firefox to work with IWA then your problem is more likely in your ADFS or Domino server configuration.

Slide 103: Testing & Troubleshooting

Slide 104: Testing the Notes Client
Once you have set up the IdPCat, Relying Trust and Domino security policies you should be able to test the Notes client.
– Launch the client and log in as usual
– Assuming you left the defaults set in the security policy, shortly after login you will get a pop-up that will say “Downloading ID file from the Vault to enable Notes Federated Login”
– If everything is working right you will then get a prompt a few seconds later that will say “This ID is enabled for Notes federated login.”
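The two Firefox about:config preferences from the slides above are normally pushed to managed desktops rather than typed by each user. The following is an added example (not from the presentation) that generates them as user.js lines and refuses values that would make Firefox send Windows credentials to every site, which is the mistake to watch for; the ADFS host names and domain used are constructed.

```python
import re

# Added example. Builds the two Firefox preferences the about:config slides set
# (network.negotiate-auth.trusted-uris for Kerberos/SPNEGO, network.automatic-ntlm-auth.trusted-uris
# for NTLM fallback) as user.js lines, and rejects over-broad values. Host names are constructed.

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOST_RE = re.compile(rf"^\.?{_LABEL}(?:\.{_LABEL})*$", re.IGNORECASE)


def validate_trusted_uri(entry: str) -> str:
    """Normalise one trusted-uris entry: an optional http:// or https:// scheme followed by a
    host name or a domain suffix (Firefox matches suffixes, so example.com covers adfs.example.com).
    A bare scheme such as "https://" means 'every https site' to Firefox and is rejected."""
    value = entry.strip()
    scheme = ""
    if "://" in value:
        scheme, _, value = value.partition("://")
        scheme = scheme.lower()
        if scheme not in ("http", "https"):
            raise ValueError(f"unsupported scheme in {entry!r}")
    if not value:
        raise ValueError(f"{entry!r} would trust every site, not just the ADFS server")
    if "/" in value or ":" in value:
        raise ValueError(f"paths and ports are not allowed in trusted-uris: {entry!r}")
    if not _HOST_RE.match(value):
        raise ValueError(f"not a host name or domain suffix: {entry!r}")
    return f"{scheme}://{value.lower()}" if scheme else value.lower()


def firefox_iwa_prefs(entries) -> str:
    """Return user.js text enabling IWA only for the given ADFS host(s) or AD DNS domain."""
    cleaned = [validate_trusted_uri(e) for e in entries]
    joined = ",".join(cleaned)  # Firefox expects a comma-separated list
    return (
        f'user_pref("network.negotiate-auth.trusted-uris", "{joined}");\n'
        f'user_pref("network.automatic-ntlm-auth.trusted-uris", "{joined}");\n'
    )


if __name__ == "__main__":
    # Constructed ADFS host plus the AD DNS domain it lives in.
    print(firefox_iwa_prefs(["adfs.example.com", ".corp.example.com"]))
```

Drop the output into the user.js of the managed profile (or feed the same values into your desktop management tool); keeping the list to the ADFS host or your own AD domain is what limits where the browser will offer a Kerberos or NTLM token.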
Slide 105: Testing the Notes Client
Once you have seen both of those prompts you should be able to restart the Notes client and not get prompted for your password.

Slide 106: Troubleshooting the Notes client
If you don’t get the prompts about downloading the ID then the problem is in your policy.
If you get the first prompt but don’t get the second prompt and Notes hangs:
– The problem could be in the configuration of the ADFS server, Relying Trust or IdPCat database, or that you don’t have the SSL cross certificates on your workstation.
• First confirm that IWA is working using a browser, preferably IE. If it doesn’t work there then you know the problem is either in your Domino server config or in ADFS.
• If IWA works in IE then test it in Firefox. If it doesn’t work in Firefox then the problem most likely has to do with Extended Authentication Tokens on the ADFS server. Look back at the PowerShell commands earlier in this presentation and make sure you have it right.
• If both IE and Firefox work but Notes doesn’t, then it is time to look at the following, in order: policies, ID Vault, certificates/cross certificates for SSL certs in the local directory.

Slide 107: Troubleshooting the Notes client
Once you have exhausted the basic configuration it is time to turn on some debugging. On the client turn on:
– Notes.ini
• DEBUG_CONSOLE=1
• DEBUG_CLOCK=32
• DEBUG_OUTFILE=debugout.txt
• DEBUGGINGWCTENABLED=4294967295
• CONSOLE_LOG_ENABLED=1
• DEBUG_DYNCONFIG=1
• DEBUG_TRUST_MGMT=1
• DEBUG_IDV_TRACE=1
• DEBUG_ROAMING=4
• DEBUG_BSAFE_IDFILE_LOCKED=8
• STX9=2

Slide 108: Troubleshooting the Notes client
These ini parameters will put the debugout.txt file in the IBM_TECHNICAL_SUPPORT directory in the data directory. They will also bring up debug windows that you can read in real time.

Slide 109: Troubleshooting the Notes client
Once you have exhausted the basic configuration it is time to turn on some debugging.
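The Notes.ini debug keys on the slide above are usually switched on for one troubleshooting session and then forgotten. The following is an added example (not from the presentation) that applies the listed client keys, or the server-side debug_saml=31 setting mentioned later in the deck, to a Notes.ini and removes them again afterwards; the sample ini content is constructed.

```python
# Added example, not from the presentation: apply the Notes.ini debug keys listed on the
# slides, then remove them again once the trace is collected. Notes.ini is one KEY=value per
# line with case-insensitive keys and no sections. The sample ini text in the test is constructed.

# Client-side keys from the Notes.ini slide.
CLIENT_DEBUG = {
    "DEBUG_CONSOLE": "1", "DEBUG_CLOCK": "32", "DEBUG_OUTFILE": "debugout.txt",
    "DEBUGGINGWCTENABLED": "4294967295", "CONSOLE_LOG_ENABLED": "1",
    "DEBUG_DYNCONFIG": "1", "DEBUG_TRUST_MGMT": "1", "DEBUG_IDV_TRACE": "1",
    "DEBUG_ROAMING": "4", "DEBUG_BSAFE_IDFILE_LOCKED": "8", "STX9": "2",
}
# Server-side key from the browser and server troubleshooting slide.
SERVER_DEBUG = {"DEBUG_SAML": "31"}


def _key(line: str) -> str:
    """Upper-cased key of a KEY=value line, or "" for anything else."""
    key, sep, _ = line.partition("=")
    return key.strip().upper() if sep else ""


def set_ini(text: str, settings: dict) -> str:
    """Return text with every setting applied: existing lines are replaced in place
    (so a key is never duplicated), missing ones are appended at the end."""
    wanted = {k.upper(): v for k, v in settings.items()}
    out, seen = [], set()
    for line in text.splitlines():
        k = _key(line)
        if k in wanted:
            out.append(f"{k}={wanted[k]}")
            seen.add(k)
        else:
            out.append(line)
    out.extend(f"{k}={v}" for k, v in wanted.items() if k not in seen)
    return "\n".join(out) + "\n"


def unset_ini(text: str, keys) -> str:
    """Remove the given keys so verbose tracing stays on no longer than the troubleshooting needs."""
    drop = {k.upper() for k in keys}
    return "\n".join(l for l in text.splitlines() if _key(l) not in drop) + "\n"
```

Read the file, pass its text through set_ini, restart the client or HTTP task, collect debugout.txt, and then write back unset_ini of the same text; the round trip leaves the original ini untouched.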
On the client turn on:
– Notesdata\workspace\.config\rcpinstall.properties
• com.ibm.rcp.internal.security.auth.samlsso.level=FINEST
• com.ibm.rcp.internal.security.auth.dialog.level=FINEST
• com.ibm.rcp.core.internal.launcher.level=FINEST
• com.ibm.notes.internal.federated.manager.level=FINEST
• com.ibm.notes.java.api.internal.level=FINEST
• com.ibm.notes.java.init.level=FINEST
• com.ibm.notes.java.init.win32.level=FINEST
• com.ibm.workplace.noteswc.level=FINEST
• com.ibm.workplace.internal.notes.security.auth.level=FINEST
• com.ibm.workplace.internal.notes.security.level=FINEST

Slide 110: Troubleshooting the Notes Client
The results of the Java logging will go into the NotesData\workspace\logs directory. Even if you don’t know exactly what you are looking for you might get a good idea from here, and if you open a ticket, support will certainly ask you for the contents.

Slide 111: Troubleshooting Browser & Server Issues
On the server you can set the Notes.ini parameter debug_saml=31
– Watch for errors and other information as the HTTP task starts on your server.
– This will give fairly verbose logging for SAML events on the server. You will see what is going on each time a user logs into the server.

Slide 112: Troubleshooting Browser and Server Issues
For the browser I suggest installing a plugin on your Firefox client called SSOTracer
– https://addons.mozilla.org/En-us/firefox/addon/sso-tracer/?src=cb-dl-created
– This will show the back-and-forth transactions during the authentication process.
On Internet Explorer you can use tools like Fiddler, but be careful because when they proxy the SSL it may interfere with IWA.

Slide 113: Access Connect Online to complete your session surveys using any:
– Web or mobile browser
– Connect Online kiosk onsite

Slide 114: Acknowledgements and Disclaimers
Availability. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates.
The workshops, sessions and materials have been prepared by IBM or the session speakers and reflect their own views. They are provided for informational purposes only, and are neither intended to, nor shall have the effect of being, legal or other guidance or advice to any participant. While efforts were made to verify the completeness and accuracy of the information contained in this presentation, it is provided AS-IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this presentation or any other materials. Nothing contained in this presentation is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software.

All customer examples described are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics may vary by customer. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.

© Copyright IBM Corporation 2014. All rights reserved. U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM, the IBM logo, ibm.com, and Domino®, Lotus Notes®, Notes®, are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml

Microsoft, Windows, Windows NT, ADFS, Active Directory, IIS and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. © 2012 Google Inc. All rights reserved. Chrome is a trademark of Google Inc. Other company, product, or service names may be trademarks or service marks of others.