MWLUGSAML

AD + SAML + Kerberos + IBM Notes and Domino = SSO!
Rob Axelrod & Andy Pedisich
Technotics, Inc.
What kind of presentation is this?
Since this is a “how to” we are going to focus on “how” questions as opposed to
“why” questions. We will be here for another couple of days and would be glad to
talk about “why” and conceptual issues if you catch up with us after the
presentation or email us after the conference.
If we had an eight hour speaking slot we could go into all of the underlying
conceptual issues and configuration options, but even though we would love
that, we’re not sure how popular an all Andy & Rob day would be.
We are going to focus on the Domino/Notes side of the house rather than the
ADFS side, though we will cover the parts of ADFS configuration that are
specific to getting Domino and Notes working with it.
Overview
Since you are watching this, we are going to assume that you are
familiar with most of the basic concepts, but it is worth taking a
couple of minutes to level set everyone.
Warning! - This is hard!
Of anything we’ve ever done with Domino and Notes administration this is the most
complex. To configure and maintain the setup you should have the following
knowledge available, in yourself, a colleague, a consultant or all combined:
– Strong and comprehensive knowledge of:
• Domino server admin
• Notes client configuration and security
• Active Directory configuration at your company
– General knowledge of:
• ADFS
• SAML concepts
• SSL configuration on Domino and in Windows/IIS
• Enterprise browser configuration
• Even a bit of PowerShell is helpful for configuration of ADFS and AD
If ADFS is already implemented and in use in your organization then you will have a much
easier time of it.
Demonstration
We find that when we talk to organizations about implementing
SAML they aren’t 100% clear on what it gives you in the end state,
so we thought it would be a good idea to quickly show you what you
get when you implement it.
– Logging into Domino web apps without a password.
– Logging into Notes without a password.
Prerequisites for Implementing
SAML with ADFS & Domino
Prerequisites Overview
On the next couple of slides we are going to go over what you need
to have in place to make SAML/ADFS work. None of these items is
specific to SAML; they are general Domino and AD configurations
that you should probably have in place regardless of whether you
are using SAML, and they are all well documented.
Domino Prerequisites
Security Policies need to be implemented
– You need policies to make just about any new feature
of Domino work, and security policies are probably
the most important for a variety of reasons.
– Later we will get into the specifics of what you need
in the security policy to implement SAML, but get the
basics set up before you even try to do SAML.
Domino Prerequisites
ID Vault (for Notes client use and some use cases in
iNotes)
– ID Vault was just about the best feature in 8.5, so if
you haven’t implemented it do it NOW.
– You need to do this well in advance of implementing
SAML because you need it to collect all of the IDs.
– The policy configuration won’t even let you set up
SAML until your ID Vault is configured.
Domino Prerequisites
At least Domino and Notes 9, preferably 9.0.1+
– If you try to do this with 9.0 and need to call
support for any reason, expect them to “suggest”
that you upgrade to the latest version.
Domino Prerequisites
SSL Certificates need to be implemented on your Domino
servers
– While you can issue these from an internal CA, we always
recommend that you use a commercial CA. This is particularly
true with the SAML/ADFS configuration. The issue is not that
a commercial CA is more secure; it simply means you don’t
need to worry about browsers or Notes trusting the
certificates.
– It is just basic good practice to have SSL running anywhere
you have HTTP running. If you don’t, it is super easy for
people within your organization to capture passwords and all
kinds of other goodies.
AD Prerequisites
There needs to be a matching key attribute between
Active Directory and Domino
– We strongly recommend that you have the user’s SMTP
(Internet) address in their AD mail attribute. This is the
easiest model since it is a common and unique attribute to use
in SAML assertions.
– Alternately you could store the AD DN in a Notes attribute or
the Notes canonical name in an attribute in Active Directory,
but neither of these methods is as useful and easy as just
having the mail attribute populated with the SMTP address.
Other Prerequisites
Time synchronization
– Since SAML assertions depend on timestamps it is important that your servers have
correct, or at the very least the same, times on them. If this is a problem in your
organization for any reason, get it resolved before proceeding.
– 9.0.1 introduced two notes.ini parameters that give you some flexibility in this
regard:
• SAML_NotOnOrAfterSkewInMinutes=value
– http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SAML_NotOnOrAfterSkewInMinutes
• SAML_NotBeforeSkewInMinutes=value
– http://www-10.lotus.com/ldd/dominowiki.nsf/dx/SAML_NotBeforeSkewInMinutes
– These allow for up to 10 minutes of skew in either direction between the Domino
server and the ADFS server, but that is cheating… sync your clocks.
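To make the skew point concrete, here is an added example (not part of the slides and not Domino’s code) of how a SAML service provider judges the NotBefore/NotOnOrAfter window on an assertion, and what the two ini settings change. The window rule is the SAML 2.0 one (NotBefore inclusive, NotOnOrAfter exclusive); the 10 minute cap mirrors the limit described above, and the timestamps and the "Domino clock" values are constructed.

```python
"""Added example, not from the slides: how a SAML service provider such as
Domino judges the Conditions window (NotBefore / NotOnOrAfter) on an ADFS
assertion, and what SAML_NotBeforeSkewInMinutes and
SAML_NotOnOrAfterSkewInMinutes change. Plain reimplementation of the SAML 2.0
rule; the 10 minute cap comes from the slides; all timestamps are constructed."""
from datetime import datetime, timedelta, timezone

MAX_SKEW_MINUTES = 10  # cap described on the slides for the two ini settings


def skew_setting_is_valid(minutes):
    """Skew settings are whole minutes from 0 up to the cap."""
    return 0 <= minutes <= MAX_SKEW_MINUTES


def parse_saml_instant(value):
    """SAML xs:dateTime values from ADFS are UTC with a trailing 'Z',
    optionally with fractional seconds, e.g. 2015-08-20T14:05:00.123Z."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC SAML timestamp ending in 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def assertion_is_timely(not_before, not_on_or_after, now,
                        not_before_skew_min=0, not_on_or_after_skew_min=0):
    """Evaluate the Conditions window against the service provider's own
    clock `now` (a tz-aware datetime). Returns (accepted, reason).

    not_before_skew_min plays the role of SAML_NotBeforeSkewInMinutes and
    not_on_or_after_skew_min that of SAML_NotOnOrAfterSkewInMinutes: each
    widens the window by that many minutes on its own side only."""
    for skew in (not_before_skew_min, not_on_or_after_skew_min):
        if not skew_setting_is_valid(skew):
            raise ValueError("skew must be between 0 and %d minutes" % MAX_SKEW_MINUTES)
    earliest = parse_saml_instant(not_before) - timedelta(minutes=not_before_skew_min)
    latest = parse_saml_instant(not_on_or_after) + timedelta(minutes=not_on_or_after_skew_min)
    if now < earliest:
        return False, "not yet valid: SP clock is %s behind NotBefore" % (earliest - now)
    if now >= latest:  # NotOnOrAfter is exclusive per the SAML spec
        return False, "expired: SP clock is %s past NotOnOrAfter" % (now - latest)
    return True, "ok"


# Constructed assertion window: five minutes, issued at 14:05:00 UTC.
NOT_BEFORE = "2015-08-20T14:05:00Z"
NOT_ON_OR_AFTER = "2015-08-20T14:10:00Z"


def clock_drift_scenarios():
    """The same assertion judged by Domino servers whose clocks differ from
    ADFS. Returns {scenario name: accepted}."""
    def judge(domino_clock, **skews):
        return assertion_is_timely(NOT_BEFORE, NOT_ON_OR_AFTER,
                                   parse_saml_instant(domino_clock), **skews)[0]
    return {
        "clocks in sync": judge("2015-08-20T14:05:01Z"),
        "domino 3 min behind, no skew allowed": judge("2015-08-20T14:02:30Z"),
        "domino 3 min behind, NotBefore skew 5": judge("2015-08-20T14:02:30Z",
                                                        not_before_skew_min=5),
        "domino 6 min ahead, no skew allowed": judge("2015-08-20T14:11:00Z"),
        "domino 6 min ahead, NotOnOrAfter skew 5": judge("2015-08-20T14:11:00Z",
                                                          not_on_or_after_skew_min=5),
    }


if __name__ == "__main__":
    for name, ok in clock_drift_scenarios().items():
        print("%-42s %s" % (name, "accepted" if ok else "REJECTED"))
```

Note that each setting only widens its own edge of the window: a Domino server that runs slow needs the NotBefore skew, one that runs fast needs the NotOnOrAfter skew, and a server drifting more than the cap gets no help at all, which is the point of fixing NTP first.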
Preparing the ADFS Server For Working with Domino
Make friends with your Active Directory administrators
– This is an important step because you are going to need to work with them
for many of the next steps. Bring this presentation with you as you walk
through the setup with them.
We are assuming that you already have ADFS implemented in your
organization, but if you don’t, here are the documents that will get you
started with a basic implementation:
– Domino Wiki Article/Cookbook – this is going to be extremely helpful:
http://www-10.lotus.com/ldd/ndsebetaforum.nsf/topicThread.xsp?action=openDocument&documentId=47C65232A4AD876B85257AD300498BA7
– You will want to supplement that with these Microsoft TechNet articles:
• http://technet.microsoft.com/library/c66c7f4b-6b8f-4e44-833163fa85f858c2
• http://technet.microsoft.com/en-us/library/dd807078.aspx
Preparing the ADFS Server For Working with Domino
Disable Extended Protection
In order to make IWA work with Chrome, Firefox and, most
importantly, Notes you need to disable a Windows feature that
does not work with any of those clients: “extended protection”
(channel binding for Windows authentication). Understand what you
are giving up: extended protection ties the Kerberos/NTLM handshake to
the TLS channel to defeat credential relay, so turning it off on the
ADFS endpoint is a deliberate trade-off, not a free setting.
– In Windows 2008 and earlier versions of ADFS you shut this off
through the UI in IIS. Get to the dialog by selecting, in the left
panel, Sites – Default Web Site – ADFS – LS
– Once that is selected, select “Windows Authentication” in the middle
panel
– Then select “Advanced Settings” in the right panel
– Set “Extended Protection” to Off
Preparing the ADFS Server For Working with Domino
If you are running Windows 2012 R2 or newer you will need to use PowerShell,
because ADFS no longer runs inside IIS and has no IIS interface.
– There are two settings that you need to configure; the PowerShell
commands are below.
• Disable the extended protection token check:
– Set-AdfsProperties -ExtendedProtectionTokenCheck None
• The second setting determines which browser user agents are allowed to use
IWA. Note that Firefox/Mozilla are not on the list by default, and since
that is what Notes uses, you are out of luck unless you update it. Add any
other user agents that you want to use IWA. Find the exact strings in your
domlog.nsf or web logs. Two cautions: the command replaces the whole list
rather than appending to it, so start from the current value of
(Get-AdfsProperties).WIASupportedUserAgents and add to it; and matching is
by substring, so a broad entry like "Mozilla/5.0" switches IWA on for nearly
every modern browser, including users on non-domain machines, who will then
get a credential pop-up instead of the forms sign-in page.
– Set-AdfsProperties -WIASupportedUserAgents ("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Mozilla/4.0", "Mozilla/5.0")
How to Set Up SAML with Domino & ADFS
What do we need to do to set up SAML/ADFS
Create and configure the IdP Catalog (idpcat.nsf)
Create a relying party trust on ADFS
Configure Directory Assistance
Configure Domino server HTTP settings
Set up Domino user security policies
Configure the ID Vault for SAML
Configure Browsers
Setting up the IdP Catalog in Domino
idpcat.nsf is the database on the Domino server that stores the SAML
configuration. Before we set up AD FS it is helpful to get this
configured.
Check and see if it is already present on your server.
If it is not, we will create it.
Creating the idpcat.nsf
Create a new database with the filename idpcat.nsf (use lower
case to make it portable across OSes)
Give it a title that makes sense
Use the IdP Catalog (idpcat.ntf) template.
– It is an “Advanced Template” on the server
Creating the idpcat.nsf
A replica of this database needs to be
on the same server that has the ID
Vault.
It should have a very secure ACL
– Only Admins & servers that
host the file should have
access to it.
Start to set up the configuration in the idpcat.nsf
Select Add IdP Config
Populate the IdP config with Enough Info to Generate idp.xml
We are going to populate the document with
enough information that we can export it to
an XML file and import that into AD FS.
– Host names should be the host name for
the server. This is important because it will
be matched to Internet Site documents
– IdP Name is an identifier for administrative
use and can be anything you want
– Protocol Version: if you are using ADFS it
needs to be SAML 2.0
– Federation Product is ADFS (if not, you are
in the wrong session)
– Service provider ID is usually the URL of
the server. This links to an entry in the
ADFS config that we will set up later, and
ADFS will echo it back as the Audience of
every assertion, so the two must match
character for character.
Populate the IdP config with Enough Info to
Generate idp.xml
The additional attributes on this
screen should be left blank because
they will be filled in automatically
when you import the federation
metadata from the ADFS server
(Federationmetadata.xml)
Retrieve the FederationMetadata.xml file
The file is available at
https://YOURADFSSERVER.YOURDOMAIN.com/FederationMetadata/2007-06/FederationMetadata.xml
– Make sure to use a browser that is configured to
download XML files as a file rather than just opening
them. Chrome does this by default, whereas IE
tends to try to open it.
Import the federationmetadata.xml file into the IdP
Catalog
From the IdP configuration document select Import XML file and
navigate to wherever you downloaded the federation
metadata.xml file to. Select the file and click Open
Note that the fields get filled in on the first tab
Note that the “Artifact resolution service URL” is blank. That is OK.
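What the import actually lifts out of FederationMetadata.xml, and a sanity check worth running on the file before you import it, as an added example that is not part of the slides and not IBM’s code. The metadata document inside it is a constructed, unsigned miniature of the real thing (real ADFS metadata is signed and several hundred lines long), the host names are placeholders, and the certificate is placeholder bytes, not an X.509 certificate.

```python
"""Added example, not from the slides: what the idpcat.nsf "Import XML file"
step pulls out of ADFS's FederationMetadata.xml, plus a pre-import check.
Standard library only. The metadata below is a constructed, unsigned
miniature; adfs.example.com and the certificate bytes are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
BIND_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BIND_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder bytes standing in for the DER of ADFS's token-signing certificate.
FAKE_SIGNING_CERT_B64 = base64.b64encode(
    b"constructed placeholder, not a real X.509 certificate").decode()

SAMPLE_FEDERATION_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{FAKE_SIGNING_CERT_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{BIND_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{BIND_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{BIND_POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def summarize_idp_metadata(xml_text):
    """Return the fields idpcat.nsf cares about: entityID, SSO/SLO endpoints
    per binding, the artifact resolution endpoint (ADFS normally advertises
    none, which is why that field stays blank), NameID formats and SHA-1
    fingerprints of the signing certificate(s)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML EntityDescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not an identity provider's metadata")

    def endpoint(tag, binding=None):
        for e in idp.findall(f"{{{MD}}}{tag}"):
            if binding is None or e.get("Binding") == binding:
                return e.get("Location")
        return None

    fingerprints = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means both uses
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha1(der).hexdigest().upper())

    return {
        "entity_id": root.get("entityID"),
        "sso_post": endpoint("SingleSignOnService", BIND_POST),
        "sso_redirect": endpoint("SingleSignOnService", BIND_REDIRECT),
        "slo": endpoint("SingleLogoutService"),
        "artifact_resolution": endpoint("ArtifactResolutionService"),
        "nameid_formats": [n.text for n in idp.findall(f"{{{MD}}}NameIDFormat")],
        "signing_cert_sha1": fingerprints,
    }


def endpoint_problems(summary, expected_adfs_host):
    """Pre-import check: every endpoint must be HTTPS on the ADFS host you
    intend to trust. A foreign host or plain http means you fetched the wrong
    file or it was altered on the way to your workstation; importing it would
    send your users' logins to that host."""
    problems = []
    for key in ("sso_post", "sso_redirect", "slo", "artifact_resolution"):
        url = summary.get(key)
        if not url:
            continue
        parts = urlparse(url)
        if parts.scheme != "https" or (parts.hostname or "").lower() != expected_adfs_host.lower():
            problems.append((key, url))
    if not summary["signing_cert_sha1"]:
        problems.append(("signing_cert_sha1", "no signing certificate: assertions could not be verified"))
    return problems


def sample_summary():
    return summarize_idp_metadata(SAMPLE_FEDERATION_METADATA)


if __name__ == "__main__":
    for k, v in sample_summary().items():
        print("%-20s %s" % (k, v))
    print("problems:", endpoint_problems(sample_summary(), "adfs.example.com"))
```

The fingerprint is the value to compare against what your AD team reads off the ADFS token-signing certificate; if it differs, stop and find out why before the document goes into idpcat.nsf.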
Set the Notes Client Settings Tab
Assuming that you will want to use SAML on
the Notes client you will configure this tab.
– Enable Windows Single Sign-On: This is what allows you to
have no password prompt when using ADFS and Kerberos.
If you are using ADFS on domain joined machines then
“Yes” is the answer here.
– Sites that are trusted: This field takes additional host
names that might be serving as Identity Providers (Maybe
different host names on different networks)
– Enforce SSL: As a rule this will enhance security. Just make
sure all your SSL certs are implemented correctly.
Certificate Management Tab
Fill in a company name. This is only
used as an identifier for when you
import this into ADFS. It can be
whatever you want. If your AD
team has rules then make sure it
conforms to them.
Click the “Create Certificate” button
If you haven’t saved the document
you will be warned that you have to
do this.
Save the document and then click the
button again.
Certificate Management Tab
Once you generate the key two new fields become
visible.
Domino URL: this is the URL of the Domino server.
It will need to match the URL in the Relying Party
Trust configuration you are going to create in
ADFS. The good news is that since you are going
to export/import this document it will match.
Input https://YourDominoServer.YourDomain.com
The single logout URL is
https://YourADFSServer.YourDomain.com/adfs/ls/?wa=wsignout1.0/slo
Export Your IDP.XML File from the idpcat.nsf Document
Now you are ready to generate the IDP.XML
file that you will import into ADFS to help
create your relying party trust.
Click “Export XML” and after a couple of
seconds you will find that on the first tab of
the form there will be an idp.xml
attachment.
You can and should save this attachment to
your hard drive just as you would any
attachment.
Save and close the idpcat.nsf document.
Creating a Relying Party Trust in ADFS
Now we are ready to create the relying party trust in ADFS
The relying party trust is the object in ADFS that tells it how to work
with a service provider like Domino.
Make sure that you have the idp.xml file you created in the last step
ready.
Note that the screen shots on the next pages are for ADFS 2.0
running on Windows 2012, if you are running on Windows 2008
R2 some of the screens might be slightly different but there
shouldn’t be anything of major consequence.
Launch the AD FS Management Console
Navigate to Relying Party Trusts
Under AD FS/Trust Relationships
Create the Trust
From the right panel in the actions menu select “Add Relying Party
Trust”
Walk through the wizard
Select “Start”
Select to import data about the relying party
from a file
You are going to use the idp.xml
file that you created in the last
step.
Ignore the warning…
According to this technote (http://www-01.ibm.com/support/docview.wss?uid=swg21634631)
you can ignore this warning message, and we haven’t seen problems as a
result of ignoring it.
Enter a Display Name
This is just a reference value that will be displayed in the
management console. Your AD admins can pick something that
makes sense to them
Don’t configure multi-factor authentication
(Unless you want to and really know what
you are doing)
Just click next here. Since you will
hopefully be working with your
AD team at this point they will
be able to guide you if your
organization uses multi factor
authentication and if you need
to configure this.
Permit all users to use this trust
Leave the default selection and click next.
Look over your settings…
Once you click next on this
screen you can’t go back
through the wizard though
you can change things
through the properties
dialog.
Once you are satisfied or if you
never make mistakes just
click next.
Get ready to edit the claim rules and close
the wizard
Leave the box checked to “Open the
Edit Claim…” since we need to do
this anyway. When you close the
dialog it will automatically take us
to the next step in getting the
relying party trust set up.
Add a Claim Rule
The claim rule is where you will define the
information that is presented in the SAML
assertion that is passed to the Domino server.
This is where we will define how the user name is
presented.
Our goal here is to have ADFS pass the email address
to Domino so that it can match it with the
person’s person document and then render the
Domino distinguished name for authorization.
You would do this differently if you had Domino
distinguished names stored in AD.
Click Add Rule on the first tab.
Choose Rule Type
Select “Send LDAP Attributes
as Claims” and click Next
Configure the Claim Rule
Claim rule name should be set
to something descriptive like:
EmailAddressToNameID
Attribute Store: Active
Directory
LDAP Attribute: E-Mail-Addresses
(the AD mail attribute you
populated as a prerequisite)
Outgoing Claim Type: Name ID
Click Finish
Then click OK
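What Domino has to do with the assertion once this rule is in place, as an added example (not from the slides and not Domino’s code): check that the Audience names this service provider, take the NameID the rule put there, and resolve it to a Notes distinguished name through the person documents. The ADFS response is a constructed, unsigned stand-in (verifying the signature with the certificate from the federation metadata is the first thing a real service provider does and is out of scope here); the service provider ID and the person documents are placeholders, and FullName / InternetAddress are the person document items the lookup keys on.

```python
"""Added example, not from the slides: mapping the NameID that the
EmailAddressToNameID rule emits onto a Notes distinguished name, with the
checks that make the mapping safe. The SAML response is a constructed,
unsigned stand-in; signature verification is out of scope. The service
provider ID, host names and person documents are placeholders."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# "Service provider ID" from idpcat.nsf; ADFS echoes it back as the Audience.
SERVICE_PROVIDER_ID = "https://domino.example.com/"

# Constructed stand-in for the person documents in the Domino Directory.
DOMINO_DIRECTORY = [
    {"FullName": "CN=Ann Example/O=Example", "InternetAddress": "ann@example.com"},
    {"FullName": "CN=Bob Example/O=Example", "InternetAddress": "bob@example.com"},
    # Deliberate duplicate: two person documents sharing one mail address.
    {"FullName": "CN=Bob Example/OU=Sales/O=Example", "InternetAddress": "bob@example.com"},
]


def make_response(name_id, audience, name_id_format=EMAIL_FORMAT):
    """Build the shape of the SAMLResponse ADFS posts back after IWA succeeds."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def map_assertion_to_notes_name(response_xml, directory=DOMINO_DIRECTORY, sp_id=SERVICE_PROVIDER_ID):
    """Return (notes_distinguished_name, reason); None as the name means reject."""
    root = ET.fromstring(response_xml)
    assertion = root.find(f"{{{SAML}}}Assertion")
    if assertion is None:
        return None, "response carries no Assertion"
    # Audience must equal the service provider ID exactly: "https://host" and
    # "https://host/" are different strings and a classic cause of silent failure.
    audiences = [a.text for a in assertion.iter(f"{{{SAML}}}Audience")]
    if sp_id not in audiences:
        return None, f"audience {audiences} does not name this service provider ({sp_id})"
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        return None, "no NameID: check that the claim rule's outgoing claim type is Name ID"
    email = name_id.text.strip().lower()
    # Mail addresses are case-insensitive; the match must still be unique,
    # otherwise one login could land in the wrong person's identity.
    matches = [p["FullName"] for p in directory if p["InternetAddress"].lower() == email]
    if not matches:
        return None, f"no person document with Internet address {email}"
    if len(matches) > 1:
        return None, f"Internet address {email} is not unique in the directory: {matches}"
    return matches[0], "ok"


if __name__ == "__main__":
    for who, aud in [("ann@example.com", SERVICE_PROVIDER_ID),
                     ("bob@example.com", SERVICE_PROVIDER_ID),
                     ("ann@example.com", "https://domino.example.com")]:
        print(who, aud, "->", map_assertion_to_notes_name(make_response(who, aud)))
```

The duplicate-address case is why the prerequisite slide insists on a unique key attribute: an ambiguous match has to be a rejection, never a guess.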
Now your relying party trust is set up
At this point your Domino server and ADFS servers trust each other.
Are you done yet? Not by a long shot. We still need to:
– Configure server HTTP settings
– Set up user security policies
– Configure the ID Vault for SAML
– Make sure our browsers and Notes clients trust all
the SSL certs that are in use
Directory Assistance
You will want to link AD and Notes names using directory assistance.
The steps:
– Create a Directory Assistance database on your
servers if you don’t have one already.
– Reference the directory assistance db on your server
docs
– Create an LDAP directory assistance document that
points to Active Directory
Create the DA database (If you don’t have
one already)
File-Application-New
Pick your server (you can create replicas when
you are done)
Use the advanced template – Directory
Assistance from the server
Reference the DA database in the server
document
On the first tab of the server document fill in the “directory
assistance database name” with the file name that you just
created.
Create a DA document in the new database to point to AD
The domain type is “LDAP”
The domain name is a reference field and just
needs to be unique.
Company name is also just for reference
Search order doesn’t really matter as long as
you don’t have other entries
You will probably not need to use this for LDAP
clients so you can disable that
Check Group Authorization so that the
additional fields become visible
Select “Yes” for Use exclusively for group
authorization or credential authentication
so that this directory will not be used for
mail addressing.
Create a DA document in the new database to point to AD
On the LDAP Tab
– Hostname can be your domain name
because a domain joined machine in AD
will resolve that name to a domain
controller.
– LDAP vendor is Active Directory
– Your account needs to be an Active
Directory account’s DN. Get this from AD
Users and Computers (it doesn’t need any
special rights, so make it a dedicated
read-only service account)
– Make sure the password on this account
doesn’t expire
– You can leave all the other defaults, with one
exception worth considering: turn on channel
encryption (SSL) so the bind credentials and
directory lookups don’t cross the network in
the clear.
Create an LTPA SSO Document if Desired
More than likely you have one already
and can use the existing one.
This allows you to authenticate once
and then move from Domino server
to server without transacting with
the ADFS server again.
Make sure to disable/uncheck
“Windows single sign-on integration”
– This was how you could use
Kerberos in release 8.5, and it
is ignored if you leave it on with
the 9.0 SAML configuration
Create Internet Site Document
Assuming you are using internet site documents (if not you will
configure these items in the server document but you should
really be using internet site documents)
Navigate to the “Web-Internet Sites” view
Click “Add Internet Site-Web” if you are making a new one
Edit your existing document if you already have one you want to use
Configure Web Site Document
Basics Tab
Make sure that the host names
are correct because that is
used to match the site
document to the IdPCat
document.
If you are using SSL (which of
course you are) reference
the IP address in the host
name field.
Configure Web Site Document
Domino Web Engine Tab
Set session authentication to “SAML”
You can use a web SSO configuration so that an LTPA token is
generated so that people can move between servers
without reauthenticating. This is what you created in the
previous step.
If you have set the host names correctly clicking the IdP
Catalog button will open the appropriate IdPCat document.
Configure Web Site Document
Security Tab
One of the prerequisites for this
process is to set up SSL. The
security tab on the web site
document should reference your
SSL certificate.
Creating SSL Cross Certs
You will need to create a cross certificate for the SSL cert on
the ADFS server. This is a fairly involved procedure. Keep in
mind that a cross certificate on the server’s own certificate is
only good until that certificate is replaced; if you cross-certify
the issuing CA’s certificate instead, the trust survives the ADFS
server’s certificate renewals.
1. Navigate to the ADFS server at this URL (use IE so the screenshots
match; if you use another browser you are on your own):
https://YourADFSServerName.YourDomain.com/adfs/ls/idpinitiatedsignon.htm
2. Click on the padlock next to the URL
3. Click on “View Certificates”
4. Select the Details tab
5. Click Copy to File…
6. Click Next to start the wizard
7. You can leave the default of DER format
8. Store the file somewhere you will remember
9. Select Finish
10. Now you will need to import that certificate into the Domino
Directory. Open the People tab of the Administrator client and
navigate to the Certificates view.
11. Select Actions-Import Internet Certificates
12. Select the file you saved from IE
13. Check the contents of the screen and click “Accept All”
Not done yet!
14. Find the imported certificate in the view. This may be harder than
you would think because of how much stuff is in the view. Just use
Ctrl-F and look for the server name.
15. Open the document – you can’t do this from the view!
16. Select Actions-Create Cross Certificate
17. Select the listed certificate and click OK
18. Select a Domino server for Server and pick your root certifier
as the Certifier. You can either use the CA process or the actual
certifier file.
19. Click Cross-Certify
20. Validate that the x-cert document got created. Keep in mind that
if you selected to use the CA process to create the x-cert it may
take a little while to be created. You can look in admin4.nsf to
check the process.
Create and Configure Security Policy Settings
Security policy settings are mandatory for making SAML work. We
assume that you already have policies implemented. If you don’t
please don’t tell us because it will make us cry. Seriously if you
don’t have any policies implemented make sure that is the first
thing you do when you get home.
Configure the Federated Login Tab
Note that if you don’t see the Federated Login
tab it is because you don’t have the ID Vault
configured in this settings document.
Remember that ID Vault is a prerequisite.
Set “Enable Federated login with SAML IdP” to
Yes.
You can use a machine specific formula to
identify which machines will use SAML. If
your domain joined machines follow a
naming convention you can structure a
formula to only use SAML on those
machines.
Configure the Federated Login Tab
You can prompt people with standard
dialogs, or if you want to do
something that is localized you can
select custom dialogs.
Configure the push of certificates to the client
You need to get the cross certificate that
you created to the client.
The easiest way to do this is to use the
security policy. Go to the “Keys and
Certificates” tab.
At the bottom of the screen click on
“Update Links”
Pick “Selected Supported”
Configure the push of certificates to the client
Select Internet Cross Certificates
and check off the cross
certificate that you created in
the previous step.
Check to make sure the certificates got
copied to the client
Open the local names.nsf and navigate to the Advanced – Certificates
view.
Configure your ID Vault for SAML
Open your ID Vault Database
Configure your ID Vault for SAML
Navigate to the “Configuration” view
Open your configuration
– Populate the appropriate fields with the hostname that is
specified in the idpcat.nsf for the service provider (Domino server)
Browser Configuration
In order to make IWA work for your Domino web apps you are going to need to do
some browser configuration. The requirements are different for IE, Firefox and
Chrome. This is a case where it is actually easiest in IE (go figure, since we
are integrating with AD/ADFS/Windows).
We are going to go through what you need to do to make this work for ONE user.
Most enterprises have tools to manage their desktops such as Group Policy,
SCCM, etc. You should use these tools to push the changes out to your browsers
universally.
– Since we are talking about IWA we are talking about domain joined
machines, which by definition are controlled by your AD administrators. If
you want to use SAML for non domain joined machines your users will
need to enter authentication information in addition to their login to the
computer.
Certificates
If you are using commercially issued certificates (Verisign, Thawte, GoDaddy,
etc.) then your browsers will already trust the root certificates. If you are using
internally issued SSL certs then you will want to make sure that all your
browsers trust them.
We highly recommend that you use commercial certs because of how much easier
they are to manage, but if you do use an internal certificate authority, there are
so many browser versions and CAs that we really can’t go through the
process for each one here. In short:
– IE & Chrome use the OS certificate store, so if you get the root cert
installed for IE then you should be OK for Chrome
– Firefox keeps its own certificate store, so you will need to handle that
separately
– Then there are Opera and Safari and whatever else is out there.
Getting the Browser to Use IWA
Internet Explorer (Chrome should use these settings)
– The goal is to make sure that your Domino servers
are in the “Intranet Zone” and to tell the browser to
use IWA for that zone.
– Select the gear and click “Internet Options”
Getting the Browser to Use IWA
Internet Explorer
– Select the Security Tab
– Select Local Intranet at the top
Getting the Browser to Use IWA
Internet Explorer
– Click “Sites”
– You can select to Automatically Detect Intranet
Network
– Additionally you can define sites in the Advanced
settings
Getting the Browser to Use IWA
Mozilla Firefox
– This is a bit of a pain.
– Launch Firefox
– Go to the url about:config
– You will get the scary warning that you might void
your warranty. Be brave and click the button saying
that you will be careful.
Getting the Browser to Use IWA
Mozilla Firefox
– In the search bar type network.a
– The setting you want to change is
network.automatic-ntlm-auth.trusted-uris
– Find it and double-click on it
– Enter either the host name of your ADFS server or
the domain for the ADFS server
– Click OK
– One more setting to take care of. You want to add your ADFS server to the
list of sites Firefox will do Negotiate (Kerberos) authentication with.
– Type network.n in the search bar.
– The setting you want to change is network.negotiate-auth.trusted-uris
– Again you should populate this with either the ADFS server’s host name or
your domain name. Multiple entries should be separated with a comma.
While we are talking about Firefox…
It is worth noting that the Notes client uses the same engine as
Firefox so if you are having trouble getting Notes to work with
IWA it might be easier to first troubleshoot with Firefox. If you can
get Firefox to login without prompting for password then the
problem is most likely something in Notes like local copies of
certificates or incorrect policies.
On the other hand if you can’t get Firefox to work with IWA then
your problem is more likely in your ADFS or Domino server
configuration.
Testing & Troubleshooting
Testing the Notes Client
Once you have set up the IdPCat, Relying Party Trust and Domino security
policies you should be able to test the Notes client.
Launch the client and log in as usual.
Assuming you left the defaults set in the security policy, shortly after
login you will get a pop up that says “Downloading ID file from
the Vault to enable Notes Federated Login”.
If everything is working right you will then get a prompt a few
seconds later that says “This ID is enabled for Notes federated
login”.
Testing the Notes Client
Once you have seen both of those prompts you should be able to
restart the Notes client and not get prompted for your password.
Troubleshooting the Notes client
If you don’t get the prompts about downloading the ID then the problem is in your policy.
If you get the first prompt but don’t get the second prompt and Notes hangs:
– The problem could be in the configuration of the ADFS server, Relying Party Trust or IdPCat
database, or you don’t have the SSL cross certificates on your workstation.
• First confirm that IWA is working using a browser, preferably IE. If it doesn’t work
there then you know the problem is either in your Domino server config or in
ADFS.
• If IWA works in IE then test it in Firefox. If it doesn’t work in Firefox then the
problem most likely has to do with the extended protection token check or the
supported user agent list on the ADFS server. Look back at the PowerShell
commands earlier in this presentation and make sure you have them right.
• If both IE and Firefox work but Notes doesn’t then it is time to look at the
following, in order:
– Policies, ID Vault, certificates/cross certificates for the SSL certs in the local
directory.
Troubleshooting the Notes client
Once you have exhausted the basic configuration it is time to turn on
some debugging. On the client, turn on:
– Notes.ini
• DEBUG_CONSOLE=1
• DEBUG_CLOCK=32
• DEBUG_OUTFILE=debugout.txt
• DEBUGGINGWCTENABLED=4294967295
• CONSOLE_LOG_ENABLED=1
• DEBUG_DYNCONFIG=1
• DEBUG_TRUST_MGMT=1
• DEBUG_IDV_TRACE=1
• DEBUG_ROAMING=4
• DEBUG_BSAFE_IDFILE_LOCKED=8
• STX9=2
Troubleshooting the Notes client
These ini parameters will put the debugout.txt file in the
IBM_TECHNICAL_SUPPORT directory under the data directory.
They will also bring up debug windows that you can read in real time.
Remove them again when you are done: the trace covers ID Vault and trust
operations, so treat the output as sensitive and don’t leave a production
workstation running with it.
Troubleshooting the Notes client
On the client you can also turn on Java-level logging in:
– Notesdata\workspace\.config\rcpinstall.properties
• com.ibm.rcp.internal.security.auth.samlsso.level=FINEST
• com.ibm.rcp.internal.security.auth.dialog.level=FINEST
• com.ibm.rcp.core.internal.launcher.level=FINEST
• com.ibm.notes.internal.federated.manager.level=FINEST
• com.ibm.notes.java.api.internal.level=FINEST
• com.ibm.notes.java.init.level=FINEST
• com.ibm.notes.java.init.win32.level=FINEST
• com.ibm.workplace.noteswc.level=FINEST
• com.ibm.workplace.internal.notes.security.auth.level=FINEST
• com.ibm.workplace.internal.notes.security.level=FINEST
Troubleshooting the Notes Client
The results of the Java logging will go into the
NotesData\workspace\logs directory.
Even if you don’t know exactly what you are looking for you might
get a good idea from here and if you open a ticket, support will
certainly ask you for the contents.
Troubleshooting Browser & Server Issues
On the server you can set the notes.ini parameter debug_saml=31
– Watch for errors and other information as the HTTP
task starts on your server.
– This gives fairly verbose logging for SAML events
on the server. You will see what is going on each time
a user logs into the server.
– The output can include the contents of the assertions
themselves, so treat the console log as sensitive and turn
the parameter off again once you have what you need.
Troubleshooting Browser and Server Issues
For the browser I suggest installing a plugin on your Firefox client
called SSOTracer
– https://addons.mozilla.org/En-us/firefox/addon/ssotracer/?src=cb-dl-created
– This will show the back and forth transactions during
the authentication process.
On Internet Explorer you can use tools like Fiddler but be careful
because when they proxy the SSL it may interfere with IWA.