New Single Sign-on Options For IBM Lotus Notes & Domino


New Single Sign-on Options for IBM Lotus Notes & Domino
2012 IBM Corporation

IBM’s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM’s sole discretion. Information regarding potential future products is intended to outline our general product direction and it should not be relied on in making a purchasing decision. The information mentioned regarding potential future products is not a commitment, promise, or legal obligation to deliver any material, code or functionality. Information about potential future products may not be incorporated into any contract. The development, release, and timing of any future features or functionality described for our products remains at our sole discretion.

Agenda
- Standards based SSO using SAML
- SAML for IBM Lotus Domino web server and IBM Lotus iNotes
- SAML for IBM Lotus Notes client

User accesses many different IBM services with browser or Lotus Notes
(Diagram: browser connecting to IBM Sametime, IBM Connections, Lotus Domino, LotusLive Engage and Lotus Quickr)
User doesn't want multiple password prompts.

User might also access third party services.
(Diagram: browser connecting to IBM Sametime, IBM Connections, LotusLive Engage, Lotus Domino, Lotus Quickr and Facebook)
User doesn't want multiple password prompts.

SSO Mission: fewer password prompts, fewer passwords in general
We need SSO because:
- High administrative cost for managing passwords.
- Users can't remember a lot of passwords.
- Password prompts are annoying.
- Many “different” passwords lead to lower security.
If we use cryptographic mechanisms instead of passwords, we can improve security and minimize cost. For best interoperability across IBM and third party applications, we look to adopt standards based SSO.

Security Assertion Markup Language (SAML)
- Standard to address Internet SSO. OASIS publishes the standards documents.
- Many implementations available, including open source.
- SSO across cooperating domains and across cooperating corporations.
- IBM LotusLive Notes implements SAML.

SAML identity assertion
- Security is based on PKI.
- User's identity is represented in a signed XML assertion.
- Private key, public key pair:
  – Server creating the assertion signs it using its private key.
  – Servers processing assertions validate the signature using the trusted signer's public key.
- Standards based Internet certificates and keys are used.
- Service identifies the user based on the user's assertion.
- Assertion contains the authenticated user's name (e.g. email address).

SAML Identity provider (IdP) authenticates the user
- IdP implements “federated identity”.
- Knows about user names and passwords (backed by a directory).
- Might be able to authenticate the user via SPNEGO/Kerberos, or an alternate non-password method.
- Prepares credentials (SAML identity assertion) for the user to present to the target service:
  – “IdP authenticated user x at time y”
- Can be used by services from different vendors.
Common IdPs:
- IBM Tivoli Federated Identity Manager (TFIM)
- Microsoft ADFS 2.0 integrated with Active Directory
- many others

Federated Identity using SAML assertions
Why is it a good thing for security?
- Minimized use of passwords (only handled by the IdP, if required).
- Authenticate once to the IdP. The IdP may “remember” the user.
- Customers can use/control their own on-premises IdP.
- Less user data redundancy.
Goal: password info is unavailable to crackers wanting to launch an offline password guessing attack.
(Diagram: IdP backed by a directory)

Services accepting SAML assertions
- SAML service provider (SP) receives the authentication decision from the IdP.
- SP authenticates a user by successful verification of the user's SAML assertion.
(Diagram: IdP with directory, service)

Remove risk using SSL
HTTP protocols are in use. If SSL (HTTPS) is not used to encrypt the channels:
- Eavesdropper steals user login information, e.g. password.
- Eavesdropper steals the identity assertion.
  – Good for a short period of time.
- Eavesdropper steals any cookies.
  – Good for the configured period of time.
(Diagram: IdP with directory, service)

Agenda
- Standards based SSO using SAML
- SAML for IBM Lotus Domino web server and IBM Lotus iNotes
- SAML for IBM Lotus Notes client

(future release) Domino web server as a SAML service provider (SP)
- Domino SP receives the authentication decision from the IdP.
- Domino authenticates a user by successful verification of the user's SAML assertion.
(Diagram: browser, Domino, IdP with directory)

Web client: user accessing Domino via browser
User browses to a protected Domino URL (db.nsf), but hasn't logged in yet.

Web client: user accessing Domino via browser (2)
Domino redirects the browser to the IdP's URL with a SAML request.
(Diagram: SAML request and redirect from Domino to the browser; IdP with directory)

Web client: user accessing Domino via browser (3)
Browser redirects to the SAML IdP. URL might look something like: (example URL not preserved in this transcription)
(Diagram: browser, Domino, IdP with directory)
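What that redirect carries, as an added Go example that is not IBM's code and not a description of how Domino builds the request: the SAML 2.0 HTTP-Redirect binding puts a DEFLATE-compressed, base64-encoded AuthnRequest into the SAMLRequest query parameter of the IdP's URL, with RelayState holding the protected URL the user asked for. The IdP endpoint, SP entity ID and assertion consumer URL below are constructed hostnames, and the deck does not say which binding Domino uses; the encoding is the one the OASIS standard defines.

```go
package main

import (
	"bytes"
	"compress/flate"
	"encoding/base64"
	"fmt"
	"io"
	"net/url"
	"time"
)

// Constructed sample endpoints; the deck names no hosts. Assumed values for illustration.
const (
	idpSSOURL = "https://idp.example.com/saml/sso"     // IdP single sign-on endpoint
	spIssuer  = "https://domino1.example.com/"         // SP (Domino) entity ID
	spACSURL  = "https://domino1.example.com/saml/acs" // where the IdP posts the assertion back
)

// buildAuthnRequest renders a minimal SAML 2.0 AuthnRequest: the SP asks the IdP to
// authenticate the user and to POST the response to the assertion consumer service URL.
func buildAuthnRequest(id string, issued time.Time) string {
	return fmt.Sprintf(`<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`+
		` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0" IssueInstant="%s"`+
		` Destination="%s" AssertionConsumerServiceURL="%s"`+
		` ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">`+
		`<saml:Issuer>%s</saml:Issuer></samlp:AuthnRequest>`,
		id, issued.UTC().Format(time.RFC3339), idpSSOURL, spACSURL, spIssuer)
}

// encodeRedirect applies the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
// URL-encoding happens when the value is placed into the query string.
func encodeRedirect(xmlDoc string) (string, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		return "", err
	}
	if _, err := w.Write([]byte(xmlDoc)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// decodeRedirect reverses the encoding, which is what the IdP does on receipt.
func decodeRedirect(param string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(param)
	if err != nil {
		return "", err
	}
	out, err := io.ReadAll(flate.NewReader(bytes.NewReader(raw)))
	if err != nil {
		return "", err
	}
	return string(out), nil
}

// redirectURL is the Location the SP sends the browser to (steps 2 and 3 of the flow).
// RelayState carries the protected URL the user originally asked for, so the SP can
// return the user there once the IdP has posted the assertion back.
func redirectURL(xmlDoc, relayState string) (string, error) {
	enc, err := encodeRedirect(xmlDoc)
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("SAMLRequest", enc)
	q.Set("RelayState", relayState)
	return idpSSOURL + "?" + q.Encode(), nil
}

func main() {
	req := buildAuthnRequest("_req-1", time.Now())
	loc, err := redirectURL(req, "/db.nsf")
	if err != nil {
		panic(err)
	}
	fmt.Println("HTTP/1.1 302 Found")
	fmt.Println("Location:", loc)
}
```

Nothing in this request is secret: it only identifies the SP and where the answer should go. The security of the flow rests on the signed assertion that comes back and on the HTTPS channel the deck insists on a few slides earlier, not on the request itself.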

Web client: user accessing Domino via browser (4)
User may be prompted to authenticate to the IdP, or the IdP may be configured to authenticate the user with a non-password method (e.g. SPNEGO/Kerberos).
(Diagram: login info from the browser to the IdP; Domino; directory)

Web client: user accessing Domino via browser (5)
IdP has authenticated the user and sends the SAML assertion.
(Diagram: SAML response and redirect back to Domino; browser; directory)

Web client: user accessing Domino via browser (6)
SAML assertion received at Domino is verified using the IdP's public key. Domino needs to map the name in the assertion to the user's Domino name.
(Diagram: HTTP POST containing the SAML assertion from the browser to Domino; IdP with directory)

Web client: user accessing Domino via browser (7)
User is logged in at Domino. User's browser now has credentials to access protected Domino URLs.
(Diagram: redirect to the URL to display, session cookie issued to the browser; IdP with directory)

Web client: user accessing Domino via browser (8)
Now the user will see the protected Domino URL.
(Diagram: browser with session cookie, Domino)
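The SP-side check from step 6 (verify with the trusted IdP's public key, then map the asserted name to a Domino name), carried through as an added Go example that is not IBM's code and does not show how Domino or the ID vault server implement it. The IdP key pair, hostnames, email address and Domino distinguished name are constructed for the example (the company name comes from the deck's fictitious "Renovations"). Real SAML signs the assertion with an enveloped XML-DSig over the canonicalized element; here the serialized bytes are signed directly so that the trust model stays visible: trust is declared per issuer, the signature must verify under that issuer's key, the assertion must be addressed to this SP and still inside its short validity window, and only then is the email address looked up. The ID vault server on the Notes client slides performs the same trust evaluation before handing back an id file.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion is a reduced SAML assertion: who issued it, the authenticated user's name
// (an email address in the deck), which SP it is meant for, and its validity window.
// Signing the serialized bytes stands in for XML-DSig (simplification, see lead-in).
type Assertion struct {
	XMLName      xml.Name  `xml:"Assertion"`
	Issuer       string    `xml:"Issuer"`
	NameID       string    `xml:"Subject>NameID"`
	Audience     string    `xml:"Conditions>AudienceRestriction>Audience"`
	NotBefore    time.Time `xml:"Conditions>NotBefore"`
	NotOnOrAfter time.Time `xml:"Conditions>NotOnOrAfter"`
}

// IssueAssertion is the IdP side: build the assertion and sign it with the IdP private key.
func IssueAssertion(idpKey *rsa.PrivateKey, issuer, user, audience string, now time.Time, ttl time.Duration) (body, sig []byte, err error) {
	a := Assertion{Issuer: issuer, NameID: user, Audience: audience, NotBefore: now, NotOnOrAfter: now.Add(ttl)}
	if body, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(body)
	if sig, err = rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:]); err != nil {
		return nil, nil, err
	}
	return body, sig, nil
}

// ServiceProvider is the SP side: Domino for the web flow, the ID vault server for Notes.
type ServiceProvider struct {
	EntityID string                    // this SP's identifier (the expected Audience)
	Trusted  map[string]*rsa.PublicKey // issuer -> public key the administrator declared trusted
	NameMap  map[string]string         // email address -> Domino distinguished name
}

// Authenticate verifies an incoming assertion and returns the mapped Domino name.
func (sp *ServiceProvider) Authenticate(body, sig []byte, now time.Time) (string, error) {
	var a Assertion
	if err := xml.Unmarshal(body, &a); err != nil {
		return "", err
	}
	pub, ok := sp.Trusted[a.Issuer] // the issuer only selects the key; the signature decides
	if !ok {
		return "", errors.New("assertion from an IdP that is not trusted: " + a.Issuer)
	}
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("signature does not verify with the trusted IdP public key")
	}
	if a.Audience != sp.EntityID {
		return "", errors.New("assertion was issued for a different service")
	}
	if now.Before(a.NotBefore) || !now.Before(a.NotOnOrAfter) {
		return "", errors.New("assertion is outside its validity window")
	}
	dn, ok := sp.NameMap[a.NameID]
	if !ok {
		return "", errors.New("no Domino name mapped for " + a.NameID)
	}
	return dn, nil
}

func main() {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048) // constructed IdP key pair
	if err != nil {
		panic(err)
	}
	sp := &ServiceProvider{
		EntityID: "https://domino1.example.com/",
		Trusted:  map[string]*rsa.PublicKey{"https://idp.example.com/": &idpKey.PublicKey},
		NameMap:  map[string]string{"alice@renovations.example": "CN=Alice Adams/O=Renovations"},
	}
	now := time.Now()
	body, sig, err := IssueAssertion(idpKey, "https://idp.example.com/", "alice@renovations.example", sp.EntityID, now, 5*time.Minute)
	if err != nil {
		panic(err)
	}
	fmt.Println(sp.Authenticate(body, sig, now.Add(time.Minute)))    // accepted, mapped to the Domino DN
	fmt.Println(sp.Authenticate(body, sig, now.Add(10*time.Minute))) // rejected: validity window has passed
}
```

The five-minute window is why the deck says a stolen assertion is only "good for a short period of time", and the audience check is why an assertion meant for one Domino server cannot be replayed against another SP that trusts the same IdP. The session cookie that Domino issues afterwards is a separate credential with its own, configured lifetime.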

User accesses other Domino SAML servers
IdP remembers the user, and issues SAML assertions transparently to the user. Each Domino server can use the SAML assertion and issue the user a single-server session cookie. SSO is achieved by use of a common IdP.
(Diagram: browser holding a session cookie only for Domino 2; Domino 1; Domino 2; IdP with directory)

Administrator sets up Domino SAML in an environment with non-SAML IBM servers
Instead of a single-server session cookie, Domino SAML is configured to use an LTPA session cookie that can be shared with other IBM servers.

Web client: third party browser application
IdP remembers the user. Assertions from the IdP may be accepted by a variety of services. Administrator has registered the on-premises IdP with Facebook, so that Facebook can verify SAML assertions from the IdP.

iNotes may authenticate the user via SAML assertion
(Diagram: browser, iNotes, ID vault holding ID files, IdP with directory; the HTTP flows shown in the previous slides authenticate the user)

iNotes secure mail: using SAML to avoid prompting for the password to the Notes id file
The ID vault server uses a new Notes RPC channel to receive the user's assertion, and to return the user's unlocked id file to iNotes.
(Diagram: browser, iNotes, ID vault holding the user's ID file, IdP with directory)

Deployment steps for Domino web server SAML
- Deploy a SAML IdP on-premises.
- (Optimal) To avoid password prompting by the IdP, configure the IdP for SPNEGO/Kerberos user authentication.
- Tell the IdP about each participating Domino server.
- Configure Domino:
  – Domino web server settings for SAML.
  – Declare trust in the IdP to login Domino users.
  – Set up name mapping (map the user's email address to a Domino distinguished name).
  – (for iNotes secure mail users) Deploy security policy for the id file in the ID vault.
  – (for iNotes secure mail users) Declare trust in the IdP to authenticate to the ID vault.

Agenda
- Standards based SSO using SAML
- SAML for IBM Lotus Domino web server and IBM Lotus iNotes
- SAML for IBM Lotus Notes client

Notes Shared Login providing SSO at Notes startup
- Notes Shared Login is a great feature.
- User does not have a Notes password.
- User's id file can be managed in the ID vault.
- Administrator's policy determines which users have Notes Shared Login.
- Notes Shared Login can't be used in virtual environments (e.g. Citrix).
- SAML may provide a useful alternative.

Notes on Citrix: virtual environment
(Diagram: Windows domain controller with Active Directory, Kerberos security and ADFS IdP; ID vault holding ID files; Domino)

(future release) Notes on Citrix: the user's home server checks policy to determine whether this is a SAML user.
Administrator has picked one of these policy choices to enforce for the user:
- User is a SAML user.
- User should be prompted for a password.
(Diagram: Windows domain controller with Active Directory, Kerberos security and ADFS IdP; ID vault holding ID files; Domino)

Notes on Citrix can leverage the Windows environment for a SAML user.
For a Citrix Windows environment, it may be convenient to deploy Microsoft ADFS 2.0 as the SAML IdP.
(Diagram: Windows domain controller with Active Directory, Kerberos security and ADFS IdP; ID vault holding ID files; Domino)

Notes on Citrix: use SAML to avoid the password prompt to start Notes
Notes embedded browser handles authentication to the SAML IdP via SPNEGO/Kerberos over HTTP. User has already logged into Windows. User doesn't need to prove who he is to the Microsoft ADFS IdP.
(Diagram: Windows domain controller with Active Directory, Kerberos security and ADFS IdP; ID vault holding ID files; Domino)

Notes on Citrix: use SAML to avoid the password prompt to start Notes (by retrieving the unlocked id file)
- Send the SAML assertion to the ID vault server via the Notes RPC channel.
- ID vault server evaluates whether the assertion comes from a trusted IdP.
- ID vault server returns the user's unlocked id file via the Notes RPC channel.
(Diagram: Windows domain controller with Active Directory, Kerberos security and ADFS IdP; ID vault holding ID files; Domino)

Deployment steps for Notes client use of SAML at startup
- Deploy a SAML IdP on-premises.
- (Optimal) To avoid password prompting by the IdP, configure the IdP for SPNEGO/Kerberos user authentication.
- Tell the IdP about the Domino SAML service provider for the ID vault.
- Configure server settings:
  – Deploy security policy to assign SAML users, and manage id files in the ID vault.
  – Declare trust in the IdP to login Notes users by SAML authentication to the ID vault.
  – Set up name mapping (map the user's email address to a Domino distinguished name).

User accesses many different IBM services with Notes
(Diagram: Notes connecting to IBM Sametime, IBM Connections, Lotus Domino, LotusLive Engage and Lotus Quickr)
User doesn't want multiple password prompts.

Notes plug-ins
- After login to Notes, Notes may attempt authentication to Internet servers.
- Notes sidebars:
  – Sametime
  – Activities (Connections)
  – Feeds
- Browser applications running in Notes
- Authentication mechanism is specified in the Notes account in the user's personal Name and Address book.
- Notes already has an option for SAML to LotusLive Notes.

Optimally Notes plug-ins can use SAML in the future
- Notes embedded browser can make requests to an IdP.
- No login prompts if the IdP is using SPNEGO/Kerberos.
- Issue: not all target servers will be able to accept a SAML assertion.
- Notes could send a SAML assertion to Domino to authenticate and receive a session token (LTPA) for use by the Notes plug-in.

8.5.2 Notes managed accounts
- Administrator manages Account documents in the Domino Directory.
- Domino policy mechanism pushes accounts to the Notes client.
- We may need some tweaks to Account documents for SAML.

Legal disclaimer
IBM Corporation 2012. All Rights Reserved.
The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM’s current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results.
IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, Sametime, Lotuslive, WebSphere, UC2, PartnerWorld and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Unyte is a trademark of WebDialogs, Inc., in the United States, other countries, or both. Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Facebook is a registered trademark of Facebook, Inc in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others. All references to Renovations refer to a fictitious company and are used for illustration purposes only.

Questions?
