Security Assertion Markup Language (SAML) Notes Federated Login Added by Michael Stewart on April 27, 2021 | Version 1
This article will cover the following topics for Security Assertion Markup Language (SAML) Notes Federated Login: Notes Federated Login Overview, Notes Federated Login Deployment Overview, and Debug Tips. This content was provided by Na Pei of the IBM Notes Development team.
Tags: 9.x, administering, authentication, Administration, Client deployment, Configure, debug, deployment, Domino Administration, Domino Server, Domino9, federated login, ID, ID file, ID file; password, ID Vault, Kerberos, Lotus Domino Passwords, new features, Notes 9.0, Notes ID Vault, parameters, policy settings document, SAML, user security
Security Assertion Markup Language (SAML) Notes Federated Login
- IBM Notes Federated Login Overview
- IBM Notes Federated Login Deployment Overview
- Debug Tips
IBM Notes Federated Login Overview
Traditional Notes Login
The user is prompted for the password of the Notes ID file.
Notes Federated Login: SAML Round Trip
When a Notes Federated Login policy is detected by the Notes Client, a dialog box will notify the user that Notes Federated Login is enabled.
Notes Federated Login
Uses SAML authentication to log in to Notes:
- The SAML IdP takes responsibility for authenticating the Notes user.
- Usually the SAML IdP is configured to use Kerberos-based authentication, so the user sees no password prompt.
Uses SAML authentication to log in to other services within Notes:
- SmartCloud Sametime
- SmartCloud Connections
- Third-Party plugins
Notes Federated Login: Kerberos authentication
The user logs in to Notes without entering a Notes password if the SAML IdP is configured to use Kerberos authentication.
Notes Federated Login: Form-based authentication
The user logs in to Notes by typing a username and password in the SAML IdP's login page if the SAML IdP is configured to use form-based authentication.
Notes Federated Login: Switch User
- There is no ID file on the Notes Client side, so the user cannot use “Switch ID” to switch between different Notes IDs.
- A new menu “Switch User” is introduced to switch between different Notes users.
Unsupported configurations for Notes Federated Login:
The following client configurations are not fully compatible with SAML:
● Smartcard protected ID
● Notes roaming user whose ID file is stored on the server in a roaming personal address book
● Notes on a USB device
● Notes user IDs with multiple passwords
● Server-based password checking for Notes users
Prerequisites:
● Requires both Notes Client 9.0 and Domino Server 9.0.
● Users' IDs must be stored in an ID Vault.
● A SAML partnership has been created between the Domino server and the IdP.
Step 1: The Notes client checks the policy to determine whether Notes Federated Login is enabled for this user:
The Notes client reads the security policy to find out whether:
● The user is a Federated Login user.
● The user should be prompted for a password.
Step 2: The user authenticates with the IdP using a Kerberos ticket or a username/password:
The Notes embedded browser handles authentication to the SAML IdP via SPNEGO/Kerberos or a web form over HTTP.
Step 3: The IdP sends the SAML token to the Notes client:
● The Notes embedded browser parses the SAML token out of the web page returned by the IdP using the DOM API.
Step 4: The Notes Client sends the SAML token to the ID vault to get an unlocked ID file:
● Sends the SAML assertion to the ID vault server via the Notes RPC channel.
● The ID vault server returns the user's unlocked ID file via the Notes RPC channel.
● The unlocked ID file contents are held in memory on the client after being downloaded from the ID vault.
Step 5: The Notes Client uses the SAML token to authenticate with other services.
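The relying-party side of steps 2 to 4, as an added example that is not part of the original article or of IBM's Notes code: it pulls the SAMLResponse out of the auto-submitting HTML page an IdP returns on the SAML HTTP-POST binding (the DOM walk the embedded browser performs), base64-decodes it, and runs the checks a service must make before handing the token on to the ID vault (status, issuer, validity window, audience, subject, and that a signature is present). The issuer URL, vault URL, user name and the sample page are all constructed; real signature verification needs an XML-DSig library and is only checked for presence here.

```python
"""Added example (not IBM's code): extract and sanity-check a SAML response
from the page an IdP returns on the HTTP-POST binding.  All sample values are
constructed.  Signature presence is checked; cryptographic verification of the
signature needs an XML-DSig library and is out of scope for this example."""
import base64
from datetime import datetime, timezone
from html.parser import HTMLParser
import xml.etree.ElementTree as ET  # production code should parse with defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed stand-ins for the IdP partnership and the ID vault server (assumptions).
IDP_ISSUER = "https://idp.example.test/adfs/services/trust"
SP_AUDIENCE = "https://vault.example.test"

SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2021-04-27T10:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-04-27T10:00:00Z">
    <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-04-27T09:55:00Z" NotOnOrAfter="2021-04-27T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def build_idp_page() -> str:
    """Constructed stand-in for the auto-submitting page an IdP returns."""
    encoded = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")
    return (
        '<html><body onload="document.forms[0].submit()">'
        '<form method="post" action="https://vault.example.test/saml/acs">'
        f'<input type="hidden" name="SAMLResponse" value="{encoded}"/>'
        '<input type="hidden" name="RelayState" value="notes"/>'
        "</form></body></html>"
    )


class _SamlFormParser(HTMLParser):
    """Collects the value of the hidden input named SAMLResponse."""

    def __init__(self):
        super().__init__()
        self.saml_response = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "SAMLResponse":
            self.saml_response = a.get("value")


def extract_saml_response(html: str) -> str:
    """Return the decoded SAMLResponse XML carried by the IdP's POST form page."""
    p = _SamlFormParser()
    p.feed(html)
    if not p.saml_response:
        raise ValueError("IdP page carries no SAMLResponse field")
    return base64.b64decode(p.saml_response, validate=True).decode("utf-8")


def _ts(value):
    """Parse a SAML UTC timestamp; returns None when the attribute is absent."""
    if value is None:
        return None
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unparseable timestamp {value!r}")


def validate_response(response_xml, expected_issuer, expected_audience, now):
    """Return (problems, facts); problems is empty when every check passed."""
    problems, root = [], ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element"], {}
    issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("assertion carries no Signature")  # presence only; verify it too
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        not_before, not_after = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            problems.append("assertion not yet valid")
        if not_after is not None and now >= not_after:
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append("audience restriction does not name this SP")
    subject = (assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()
    if not subject:
        problems.append("no NameID in Subject")
    return problems, {"issuer": issuer, "subject": subject}


if __name__ == "__main__":
    xml = extract_saml_response(build_idp_page())
    print(validate_response(xml, IDP_ISSUER, SP_AUDIENCE, _ts("2021-04-27T10:00:00Z")))
```

The audience and validity-window checks are what stop a token issued for one service from being replayed against the ID vault later; the clock passed as `now` should come from the vault server, not the client, since the client is the party presenting the token.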
IBM Notes Federated Login Deployment Overview
Step 1. Deploying the ID vault and security policy for Notes federated login
If the Domino ID vault and a security policy do not already exist, the vault administrator creates the vault to support federated login for Notes client users, as well as a security policy to apply to such users.
Step 2. Setting up the SAML identity provider and federation
- Two kinds of IdPs are supported: Microsoft ADFS 2.0 and IBM Tivoli Federated Identity Manager (TFIM).
- Follow the cookbook to set up the TFIM federation, or the relying party for ADFS.
- Export the IdP information to a metadata.xml file.
Step 3. Enabling the Domino ID vault server to support Notes federated login
The Domino administrator specifies SAML configuration settings for Notes federated login in IdP Configuration document(s) in the IdP Catalog (idpcat.nsf) application.
Step 4. Configuring the ID vault for Notes federated login
The Domino ID Vault administrator sets up the Vault to specify the name of the IdP Catalog document for the SAML identity provider (IdP).
Step 5. Using a security settings policy to apply a Notes federated login configuration to client users
After SAML-based Federated Login is configured on your Domino server and identity provider (IdP), you can assign its use to Notes Client users through the security policy.
Step 6. Using Notes Federated Login in combination with Notes Shared Login to support offline users (Microsoft Windows only)
Notes Shared Login is needed if the Notes Client operates offline. If the Notes Client ID file is ever missing from the desktop, the Notes Federated Login feature ensures that SAML authentication can be used to retrieve the user's ID file from the ID Vault.
Step 7 (optional). Using managed accounts with Federated Login for embedded services
■ To configure access to external services for Notes Client users in your organization, create managed accounts for each service, link them to a SAML account, and apply the accounts to users by means of a desktop settings policy.
Debug Tips
Notes console logging with debug flags in notes.ini:
- DEBUG_CONSOLE=1
- DEBUG_CLOCK=32
- DEBUG_OUTFILE=c:\temp\debugout.txt
- DEBUGGINGWCTENABLED=4294967295
- CONSOLE_LOG_ENABLED=1
- DEBUG_DYNCONFIG=1
- DEBUG_TRUST_MGMT=1
- DEBUG_IDV_TRACE=1
- DEBUG_ROAMING=4
- DEBUG_BSAFE_IDFILE_LOCKED=8
- STX9=2
Java logging with rcpinstall.properties:
- com.ibm.rcp.internal.security.auth.samlsso.level=FINEST
- com.ibm.rcp.internal.security.auth.dialog.level=FINEST
- com.ibm.rcp.core.internal.launcher.level=FINEST
- com.ibm.notes.internal.federated.manager.level=FINEST
- com.ibm.notes.java.api.internal.level=FINEST
- com.ibm.notes.java.init.level=FINEST
- com.ibm.notes.java.init.win32.level=FINEST
- com.ibm.workplace.noteswc.level=FINEST
- com.ibm.workplace.internal.notes.security.auth.level=FINEST
- com.ibm.workplace.internal.notes.security.level=FINEST
Sample log (NFL Response XML from native code):
IDPurl=' https://secadfsb.sec.test/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp= https://secwplccdlvm219.cn.ibm.com'
IDPUserName='CN=Na Pei/O=ibm' IsKerberosEnabled='false' IsSSLEnforced='true'
SuppressErrorDisplay='false' CurrentLocation='Online' CurrentLocationOnline='true'>
https://secadfsb.sec.test'/
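A small tool for the notes.ini part of the debug tips, added here as an example that is not from the article or from IBM: it switches on every flag listed above for a troubleshooting session and, afterwards, restores the file to exactly what it was. notes.ini is a plain KEY=VALUE file; keys are matched case-insensitively here, the sample file content is constructed, and the DEBUG_OUTFILE path is the one the page lists. The debug output records the Notes user name and the IdP URL (see the sample log), so the flags and the output file should not outlive the investigation, which is why the revert step exists.

```python
"""Added example (not IBM's code): enable the notes.ini debug flags listed in
the Debug Tips section and restore the original file afterwards.  The sample
notes.ini content is constructed; the flag values are those the page lists."""

DEBUG_FLAGS = {
    "DEBUG_CONSOLE": "1",
    "DEBUG_CLOCK": "32",
    "DEBUG_OUTFILE": r"c:\temp\debugout.txt",
    "DEBUGGINGWCTENABLED": "4294967295",
    "CONSOLE_LOG_ENABLED": "1",
    "DEBUG_DYNCONFIG": "1",
    "DEBUG_TRUST_MGMT": "1",
    "DEBUG_IDV_TRACE": "1",
    "DEBUG_ROAMING": "4",
    "DEBUG_BSAFE_IDFILE_LOCKED": "8",
    "STX9": "2",
}

# Constructed stand-in for a client's notes.ini (only a few keys, for illustration).
SAMPLE_NOTES_INI = (
    "[Notes]\n"
    r"Directory=C:\notes\data" "\n"
    "KitType=1\n"
    "Debug_Console=0\n"
)


def _split_kv(line):
    """Return (key, value) for a KEY=VALUE line; None for sections, comments, blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith((";", "#", "[")) or "=" not in stripped:
        return None
    key, value = stripped.split("=", 1)
    return key.strip(), value.strip()


def apply_flags(ini_text, flags=DEBUG_FLAGS):
    """Set every flag, keeping the file's own key spelling and line order.

    Returns (new_text, previous): previous maps each upper-cased key to the
    value it had before (first occurrence), or None if the key was absent, so
    revert_flags() can undo the change exactly."""
    wanted = {k.upper(): v for k, v in flags.items()}
    previous, out = {}, []
    for line in ini_text.splitlines():
        kv = _split_kv(line)
        if kv and kv[0].upper() in wanted:
            key = kv[0].upper()
            previous.setdefault(key, kv[1])
            out.append(f"{kv[0]}={wanted[key]}")
        else:
            out.append(line)
    for key, value in wanted.items():  # flags the file did not have yet
        if key not in previous:
            previous[key] = None
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n", previous


def revert_flags(ini_text, previous):
    """Restore the values recorded by apply_flags(); keys that were added are dropped."""
    out = []
    for line in ini_text.splitlines():
        kv = _split_kv(line)
        if kv and kv[0].upper() in previous:
            old = previous[kv[0].upper()]
            if old is None:
                continue
            out.append(f"{kv[0]}={old}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    enabled, saved = apply_flags(SAMPLE_NOTES_INI)
    print(enabled)
    assert revert_flags(enabled, saved) == SAMPLE_NOTES_INI
```

On a real client the two strings would be read from and written back to the notes.ini in the Notes program directory (an assumption; the location varies by installation), with the `previous` mapping kept alongside the debug output so the revert can be done once the trace has been collected.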