IBM Single Sign-On


Introduction to Single Sign-On
Worldwide Business Partner Technical Enablement 2016
Van Staub – North America Embedded Solution Agreement Technical Sales


Agenda
• General Idea
• SSO techniques
  • LTPA
  • SAML
  • OAuth
  • SPNEGO
  • External Authentication Managers

Definitions
• Single Sign-On (SSO): not having to log in again (or for a while)
• Authentication: the user’s identity, who they are
• Authorization: what the user has access to

General Idea
• a set of servers will share something secret – the key
• after successful user login, a cookie is placed on the user’s browser – the token
• the cookie is encrypted with the key
• the cookie identifies the user
• participating servers will look for the cookie/token/something to authenticate the user

Browser Cookies
• cookies are valid for a domain or host
  • http://machine-name/resource
  • http://192.168.1.2/resource
  • http://portal.ibmcollabcloud.com/…
• expires “At end of session”
• where are my cookies?

LTPA
• Lightweight Third Party Authentication
• IBM’s default SSO mechanism
• a Base64 encoded token that includes the following information:
  • a realm value
  • user identity – the distinguished name from the directory
  • expiration time

Sample token from the slide:

ZoXfr6CuP1wYHSzjcxSGylirmzQrshpWMFInqcvNPHGPyCa4frfg63tdlR96gPGkL2B1vf1gi9WaJoCL9/UrYR+nxUuhUGFUDZ4QgPLQjCMMdIRfCIg6y6dW6Nu4I/oSLLMU5VUsXkBbAc1t//5u1XXsNY54Ttp/4xSjW32RnhWovmRLPdL8BXZVHl11wDJ8u9v7K2XxU7wPDIIxe14AbhXaeK88ZD+q2d0QVGiUIerT5EriBozIUF2cM3/v5v4Aatj80OruDUdgBwK/XJ5BKMiKscKq+/oxb6ij4hA58udIvmFim0xkRGnlbUTmCPcjQhoVnqHctMFdLF/e0uPyiklQpkm/5uY1TFL5Lihv5SY=

WebSphere SSO Settings
• Open WAS Console and go to Security -> Global Security -> Single Sign-on (SSO)
• specify the most inclusive domain name needed
• the defaults seen are most often sufficient

Configuring WebSphere SSO
• Open WAS Console and go to Security -> Global Security -> LTPA
1. Export the LTPA key from the source WebSphere server
2. For each additional server, import the key
• the password is only used when you export/import

Configuring Domino SSO
1. create a web SSO configuration document
2. import the LTPA key file that was exported from WebSphere
3. configure/verify the realm
• token format: LtpaToken or LtpaToken2 (newer servers are more likely to use LtpaToken2)
• realm example: defaultWIMFileBasedRealm

Pitfalls
• expiration time is relative to the server that created the LTPAToken2
• session timeouts are not the same as LTPAToken2 expiration
• different directories …
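The token model from the General Idea, Browser Cookies and Pitfalls slides, as an added example that is not part of the original deck and not IBM's LTPA implementation: an issuing server packs realm, user DN and an absolute expiry into a Base64 cookie value that only holders of the shared key can produce, and every participating server checks it against its own clock. The shared key, cookie attributes and field layout are constructed for the illustration; the token is authenticated with an HMAC (Python's standard library has no AES) where the slides describe encryption with the key, so that substitution is an assumption of the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed shared key (assumption): in a real deployment this is the key exported
# from the first WebSphere server and imported into every participating server.
SHARED_KEY = b"constructed-demo-key-not-a-real-ltpa-key"

COOKIE_NAME = "LtpaToken2"   # cookie name used by newer servers, per the Domino slide
FIELD_SEP = b"\x00"          # constructed layout: realm / user DN / expiry, NUL-separated
TAG_LEN = 32                 # HMAC-SHA256 output length in bytes


def issue_token(realm: str, user_dn: str, lifetime_s: int,
                key: bytes = SHARED_KEY, now: Optional[int] = None) -> str:
    """Issuing server, after a successful login: pack realm, user DN and an absolute
    expiry (epoch seconds by the issuer's clock), tag the packet under the shared
    key, and Base64 encode it for the cookie."""
    now = int(time.time()) if now is None else now
    expires = now + lifetime_s
    body = FIELD_SEP.join([realm.encode("utf-8"),
                           user_dn.encode("utf-8"),
                           str(expires).encode("ascii")])
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode("ascii")


def validate_token(token: str, expected_realm: str, key: bytes = SHARED_KEY,
                   now: Optional[int] = None) -> Optional[str]:
    """Participating server: return the user DN if the token was made with our key,
    belongs to our realm and has not expired by *this* server's clock; else None.
    No session state is consulted, which is why session timeout and token expiry
    are separate things (the Pitfalls slide)."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:            # binascii.Error is a subclass of ValueError
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected_tag = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, tag):   # wrong key or altered body
        return None
    fields = body.split(FIELD_SEP)
    if len(fields) != 3:
        return None
    realm, user_dn, expires = fields
    if realm.decode("utf-8") != expected_realm:
        return None
    now = int(time.time()) if now is None else now
    if now >= int(expires):       # expiry was fixed by the issuer's clock, compared to ours
        return None
    return user_dn.decode("utf-8")


def sso_cookie(token: str, domain: str) -> str:
    """Set-Cookie value scoped to the most inclusive domain the SSO servers share,
    so every host under it (portal.<domain>, mail.<domain>, ...) presents it."""
    return f"{COOKIE_NAME}={token}; Domain={domain}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    tok = issue_token("defaultWIMFileBasedRealm",
                      "uid=duser1,cn=users,dc=ibm,dc=com", lifetime_s=7200)
    print(sso_cookie(tok, ".ibmcollabcloud.com"))
    print("validated as:", validate_token(tok, "defaultWIMFileBasedRealm"))
```

Passing an explicit `now` to `validate_token` shows the clock pitfall directly: a server whose clock runs two minutes slow accepts a token that the issuer already considers expired, and one running fast rejects it early.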

Dual Directory
• dual directory describes when the same user has different distinguished names
• solution is to map the names

Before mapping:

WebSphere Portal
  DN: uid=duser1,cn=users,dc=ibm,dc=com
  cn: Domino User1
  uid: duser1
  mail: duser1@acme.com

Domino
  DN: CN=Dom User1,O=ibm
  cn: Dom User1
  uid: duser1
  mail: duser1@acme.com

After mapping:

WebSphere Portal
  DN: uid=duser1,cn=users,dc=ibm,dc=com
  cn: Domino User1
  uid: duser1
  mail: duser1@acme.com
  notesdn: CN=Dom User1,O=ibm

Domino
  UserName: Dom User1/ibm
  UserName: uid=duser1/cn=users/dc=ibm/dc=com
  cn: Dom User1
  uid: duser1
  mail: duser1@acme.com

Dual Directory (Option 1)
1. add the LDAP distinguished name to the person document
2. swap the comma delimiter for a slash

Dual Directory (Option 1, continued)
1. ensure the web SSO document has “Map names in LTPA tokens”
2. add the other distinguished name to the LTPA user name field

Dual Directory (Option 2)
1. create a directory assistance document
2. add the external directory’s attribute that contains the Domino distinguished name

Dual Directory (Option 2, continued)
1. ensure the $DN value is used to add the LDAP distinguished name into the LTPAToken
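The two name-mapping options above, as an added example that is not part of the original deck and not code from Domino or WebSphere: Option 1 rewrites the LDAP DN into the slash-delimited form that goes into the Domino LTPA user name field, and Option 2 looks the LDAP DN carried in the token up in the external directory and reads the Domino DN from the mapping attribute (`notesdn` on the slide). The directory entries are constructed; the RDN splitter honours backslash-escaped commas so a value such as `Doe\, Jane` is not cut in half, which goes slightly beyond the slide's plain example.

```python
from typing import Dict, List, Optional


def split_rdns(dn: str) -> List[str]:
    """Split an LDAP distinguished name on commas that are not escaped with a
    backslash, so a cn like 'Doe\\, Jane' stays in one RDN."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def ldap_dn_to_ltpa_user_name(dn: str) -> str:
    """Option 1: the LDAP DN as written into the Domino LTPA user name field,
    with the comma delimiter swapped for a slash."""
    return "/".join(split_rdns(dn))


def domino_dn_to_user_name(dn: str) -> str:
    """Domino's abbreviated user name: drop the attribute types, join with '/'
    (CN=Dom User1,O=ibm -> Dom User1/ibm)."""
    return "/".join(rdn.split("=", 1)[1] for rdn in split_rdns(dn))


def normalise_dn(dn: str) -> str:
    """Canonical form for comparison: whitespace around commas removed and the
    whole DN lower-cased, so differently written copies of one DN compare equal."""
    return ",".join(
        "=".join(p.strip().lower() for p in rdn.split("=", 1)) for rdn in split_rdns(dn)
    )


# Constructed external (LDAP) directory, the WebSphere Portal side, with the
# notesdn attribute holding the Domino distinguished name as in Option 2.
LDAP_DIRECTORY: List[Dict[str, str]] = [
    {"dn": "uid=duser1,cn=users,dc=ibm,dc=com", "cn": "Domino User1",
     "uid": "duser1", "mail": "duser1@acme.com", "notesdn": "CN=Dom User1,O=ibm"},
    {"dn": "uid=duser2,cn=users,dc=ibm,dc=com", "cn": "Domino User2",
     "uid": "duser2", "mail": "duser2@acme.com"},      # no notesdn: cannot be mapped
]


def resolve_domino_identity(token_dn: str,
                            directory: List[Dict[str, str]] = LDAP_DIRECTORY,
                            mapping_attr: str = "notesdn") -> Optional[str]:
    """Option 2 lookup: the LTPA token carries the LDAP DN; find that entry and
    return the Domino DN stored in the mapping attribute, or None when the user
    has no mapping (Domino would then not recognise the token's user)."""
    wanted = normalise_dn(token_dn)
    for entry in directory:
        if normalise_dn(entry["dn"]) == wanted:
            return entry.get(mapping_attr)
    return None


if __name__ == "__main__":
    ldap_dn = "uid=duser1,cn=users,dc=ibm,dc=com"
    print("Option 1 LTPA user name:", ldap_dn_to_ltpa_user_name(ldap_dn))
    print("Option 2 Domino DN:     ", resolve_domino_identity(ldap_dn))
    print("Domino user name:       ", domino_dn_to_user_name("CN=Dom User1,O=ibm"))
```

Comparing DNs through `normalise_dn` matters in practice: the same DN often arrives with different capitalisation of attribute types or with spaces after the commas, and a byte-for-byte comparison would silently fail the mapping for those users.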

LTPA Resources
• Understanding single sign-on (SSO) between IBM WebSphere Portal and IBM Lotus Domino
  http://www.ibm.com/developerworks/websphere/zones/portal/proddoc/dw-w-sso-portal-domino/
• vanstaub.me: http://vanstaub.me/category/cognos

SAML
• SAML stands for Security Assertion Markup Language
• gets around the domain boundary of cookies
• requires additional software: Tivoli Federated Identity Manager, Active Directory Federation Service, etc.
• uses XML based assertion tokens exchanged between an Identity Provider (IdP) and a Service Provider (SP)
• SAML 2.0 is the latest version – not compatible with 1.1 and 1.0

SAML
• See yesterday’s NWTL topic Active Directory Single Sign-On
• Install and configure Active Directory Federation Service 2.0 with WebSphere Portal

Connections Cloud SAML
(screenshot callouts: Connections Cloud SAML 1.1 – encrypted XML; Connections Cloud SAML 1.1 IdP; my SAML SP entityID; my identity)
http://vanstaub.me/1277

Connections Cloud SAML
• SAML registration form
• requires a PMR to provide either manual information (SAML 1.1) or the SAML 2.0 metadata

WebSphere SAML
• WebSphere is SAML SP ready – not IdP
• supports SAML 2.0 IdP initiated SSO
(screenshot callout: our old friend, the LTPAToken)

Connections On-Prem SAML
• “IBM supports SAML 2.0 implementations within IBM Connections on a case-by-case basis depending on your unique environment and deployment.”

SAML Resources
• Understanding the WebSphere Application Server SAML Trust Association Interceptor
  http://www.ibm.com/developerworks/websphere/techjournal/1307_lansche/1307_lansche.html
• Step by step guide to implement SAML 2.0 for Portal 8.5
  https://developer.ibm.com/digexp/docs/docs/customization-administration/step-step-guide-implement-saml-2-0-portal-8-5/
• Front Side SAML SSO with Microsoft product (ADFS -> WAS SAML TAI)
  https://www.ibm.com/developerworks/community/blogs/8f2bc166-3bdc-4a9d-bad4-3620dbb3e46c/entry/Front_Side_SAML_SSO_with_microsoft_product_ADFS_WAS_SAML_TAI?lang=en
• Enabling Federated Identity or Integration Server for use with IBM Connections Cloud
  http://www-01.ibm.com/support/docview.wss?uid=swg21626501
• AD + SAML + Kerberos + IBM Notes and Domino = SSO!
  http://www.andypedisich.com/blogs/andysblog.nsf/dx/robs-saml-presentation-from-mwlug-has-been-posted.htm
• vanstaub.me: http://vanstaub.me/?s=saml

OAuth
• Is OAuth SSO? Maybe – authorization.
1. external app asks for Connections data
2. you log in to Connections
3. Connections sends the external app a token
4. external app uses the token to access your data

OAuth
(diagram: User’s Browser, 3rd Party Application, Connections Cloud)

OAuth Resources
• Connections: Allowing third-party applications access to data via the OAuth2 protocol
  https://www.ibm.com/support/knowledgecenter/SSYGQH_5.5.0/admin/admin/c_admin_common_oauth.dita
• Connections Cloud: Using OAuth for API Authorization
  https://www-10.lotus.com/ldd/appdevwiki.nsf/xpAPIViewer.xsp?lookupName=API+Reference#action=openDocument&res_title=Open_Authorization_sbt&content=apicontent
• Developing an IBM SmartCloud for Social Business application
  https://www.ibm.com/developerworks/lotus/documentation/developingsmartcloudapp/
• Building an IBM OAuth Consumer in PHP
  http://vanstaub.me/679

SPNEGO
• Simple and Protected GSS-API Negotiation Mechanism
• log in to Windows, SSO to IBM Software – pretty simple

SPNEGO Resources
• Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication
  https://www-10.lotus.com/ldd/portalwiki.nsf/dx/Step-by-Step_guide_to_Configure_Single_sign-on_for_HTTP_requests_using_SPNEGO_web_authentication
• BP104 Simplifying The S’s: Single Sign-On, SPNEGO and SAML (2014)
  http://www.idonotes.com/IdoNotes/IdoConnect2013.nsf/dx/bp104-simplifying-the-ss-single-sign-on-spnego-and-saml-2014.htm

External Security Managers
• a server that manages access to “protected” resources
• IBM Security Access Manager, CA Siteminder for example
(diagram: Directory and Policy Server, ESM, Application)

Things to Consider
• the LTPA token is still very relevant
  • after SAML is done, LTPA is still used
  • after SPNEGO is done, LTPA is still used
• OAuth applies more to developers than users
• External Security Managers do more than just authenticate

Thank You
