MWLUG 2017
Moving Collaboration Forward
Notes, Domino and the Single
Sign-on Soup
Chef Darren Duke
Our Amazing Sponsors
About me
• Relapsed podcaster http://wtftech.fm/
– Back on the horse with Stuart and Jesse
– If you’re not listening, you’re really missing out
– No, really, you are
– NO, really you are
– NO, REALLY YOU ARE!!!!
• Hire me by talking to Lisa
– She’ll be around here somewhere
SSO you say?
• Many different things to many different people
• Could be (listed in order of complexity):
– Offload
– Synchronization
– Integration
• Could be more than one of the above
Domino is different
• It has two passwords
– The Notes ID password, which unlocks the ID file the Notes client uses
– The Internet (HTTP) password stored in the Person document, which the web protocols use
– Because….well…..Domino
– Makes it twice as difficult
• One size doesn’t fit all
– You may combine the following concepts
Why do it?
• Single password
• No password
• Get away from ID and password management
– You never *really* get away from the ID
• It’s what all the cool kids are doing
Why do it?
• What are you trying to solve?
– Answer this and you know which of the following solutions are for you
Notes Shared Login (NSL)
• Removes the Notes password from the ID
• Well, mostly
– Except for the first logon to a new computer account
– Windows clients only; the ID is tied to the Windows login on that machine
– Policy based (Security Settings policy document)
– Requires the older Notes Single Logon service to be removed from clients
– Can be used with Notes Federated Login (NFL)
You will need a (working) ID Vault
• If you don’t have one
– WHY NOT???
• If you do, is it working?
– Test it: can a user actually get their ID back and have the password reset from the vault?
• Several of the following solutions require it
– NFL and Notes ID password sync rely on the vault to set the ID password without the user typing it; NSL relies on it to recover an ID whose password nobody knows
Types of SSO….
• Offload
– Pass it off
• Synchronization
– Move the data around
• Integration
– Link it altogether
Offload
• Authenticate the password somewhere else
– Usually Active Directory
– Uses a Directory Assistance LDAP document pointing at AD, marked trusted for credentials, with the AD attribute that holds the Domino DN configured as the Notes distinguished name
– Only usable (like this) for the HTTP password
• So iNotes, web apps, Traveler, etc
• Will also be needed if you do SAML and SPNEGO
Offload
• Pros
– Actually uses the AD password; no HTTP password needs to exist in Domino anymore*
• Cons
– Only web protocols
– You need to get the Domino LDAP DN into an AD field
– Traveler can lock the AD account out on a regular basis
• Think AD password change policy: after a change every device still holds the old password and keeps retrying it until the AD lockout threshold trips
Synchronization
• Copy password from “A” to “B”
– “A” is usually AD, “B” is usually Domino
• Capture the AD password change on the domain controllers, send it to Domino
– Can update the ID Vault (Notes ID password) and/or the HTTP password
• TDI (Tivoli Directory Integrator) is a free entitlement for most of you
– And it can do this
Synchronization
• Pros
– Fixes the AD lockout issue with “offload”
– Notes ID and/or HTTP password, thanks to the ID Vault
• Cons
– Usually requires AD schema modification
– HTTP password changes need to replicate around the Domino Directory before every server accepts them
– Doesn’t really get rid of the Notes ID password
• Just makes it the same as the AD password, so the user knows it
– The capture component sees the cleartext password on every domain controller, so protect it, and its channel to Domino, as you would AD itself
Integration
• Use a different system (usually AD) to verify user ID and password
• Two options
– SPNEGO
• Reasonably simple
• Limited use
• HTTP only
– SAML/NFL
• As far from reasonably simple as you can get
• Notes client and/or HTTP
SPNEGO
• Allows domain-connected users in browser apps to log in transparently using Integrated Windows Authentication (IWA)
• Web/Internet Site based
– All or nothing per site
– Although with good firewall people……
• Two Internet Site documents, one with SPNEGO, one without
– Route users to one or the other by source IP, user-agent sniffing, etc
SPNEGO
• Pros
– Simple(ish)
• Cons
– HTTP only
– Windows desktops only (no Mac)*
– The Domino server doing the authentication must run on Windows, joined to the AD domain
– Kind of half-assed implementation
• Will not fall back to user name and password when the browser can’t negotiate
– Domino user DN is still needed in AD
SAML/WFL/NFL
• Uses SAML to connect to ADFS or TAM
– Could use others but completely unsupported
• Most are (and all of mine have been) ADFS
• Can be used to get rid of the Notes ID password
• Very flexible
– WFL (Web Federated Login) for iNotes, web apps
– NFL (Notes Federated Login) for Notes clients
– Use either or both
SAML/WFL/NFL
• Pros
– Standard, cross platform
• Client OS – All of them
• Domino server OS – All of them
– Use AD user name and password
– Flexible WFL options
• Inside the corporate network, transparent logon
• Outside, use forms based logon
– Go completely Notes ID password-less
SAML/WFL/NFL
• Cons
– Is pretty complex
– Documentation is woeful
– Notes requires files to be present in the user profile to work
• Stub notes.ini with the full CN user name
• Deploy.nsf for certificates
– Requires a custom ADFS SSL cert
• Means you need to use a non-commercial certificate
• Create an ADFS server specifically for NFL, as users may get SSL certificate trust issues unless the issuing root is in the computer’s trusted roots
• Again, a bit half arsed
SAML/WFL/NFL
• Cons (cont)
– Slow logging into the Notes client
• All these security shenanigans take time
• But this can be fixed by also using NSL
– First login uses NFL
– Subsequent logins switch to NSL
– Domino user DN is still needed in AD
– No ADFS 4.0 support (as of this talk)
• So no Windows Server 2016 support
• ADFS 3.0 support took 4 years
What about Traveler?
• Verse client now supports certificate authentication
– Note, *NOT* SSO, but at least password-less
• No native iOS support that I know of
– So native iOS mail still uses the HTTP password
• Some MDMs have their own mail clients to address this
Common Thread….
• “Domino DN still needed in AD”
– (or email address, just some unique ID equal in both systems)
– Domino DN = “CN=Darren Duke,OU=blah,O=bob”
• It’s the LDAP version of your Domino name (Darren Duke/blah/bob): commas instead of slashes, with the CN=, OU= and O= prefixes spelled out
– Use TDI to populate the AD field with the Domino DN
• Prereq: needs an *existing* common ID between AD and Domino
– Email address?
– Domino short name = sAMAccountName?
• Some orgs use altSecurityIdentities, some the email address
• Others use a custom field
– If custom, make sure to index that field in AD!!! Domino looks the user up by it on every login, and a search on an unindexed attribute is a full directory scan
– Whatever the key, it must resolve to exactly one object on each side; a duplicate lets one AD login land on the wrong Domino identity
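The Domino DN the slides keep coming back to has to be generated and written into AD without ambiguity. What follows is an added example (mine, not code from the presentation, IBM or HCL): it converts Domino names into RFC 4514 DNs with proper escaping, matches Domino persons to AD users on the shared key the slide suggests (email address, or short name = sAMAccountName), refuses to write anything that does not match exactly one object on each side, and renders the result as LDIF for ldapmodify. The attribute name dominoDN, the AD DNs and every directory record are constructed sample data.

```python
"""Map Domino persons to AD users and produce the Domino LDAP DN to store in AD."""
from dataclasses import dataclass

_SPECIAL = set(',+"\\<>;')  # characters RFC 4514 requires escaping inside an RDN value

def escape_rdn_value(value: str) -> str:
    """Escape an RDN value so the resulting DN parses back to the same components."""
    last = len(value) - 1
    return "".join(
        "\\" + ch if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " ") else ch
        for i, ch in enumerate(value)
    )

def domino_to_ldap_dn(name: str) -> str:
    """Domino name -> LDAP DN. Accepts canonical ("CN=Darren Duke/OU=blah/O=bob") and
    abbreviated ("Darren Duke/blah/bob") forms. Assumption: an abbreviated name is
    CN, then OUs, then O; a country code (C=) is only recognised when written out."""
    parts = [p.strip() for p in name.split("/") if p.strip()]
    if len(parts) < 2:
        raise ValueError(f"{name!r} is flat or empty; nothing to map")
    typed = ["=" in p for p in parts]
    if all(typed):
        rdns = []
        for p in parts:
            attr, _, val = p.partition("=")
            attr = attr.strip().upper()
            if attr not in ("CN", "OU", "O", "C"):
                raise ValueError(f"unknown component type {attr!r} in {name!r}")
            rdns.append((attr, val.strip()))
    elif any(typed):
        raise ValueError(f"{name!r} mixes canonical and abbreviated forms")
    else:
        rdns = [("CN", parts[0])] + [("OU", p) for p in parts[1:-1]] + [("O", parts[-1])]
    return ",".join(f"{attr}={escape_rdn_value(val)}" for attr, val in rdns)

@dataclass(frozen=True)
class DominoPerson:
    full_name: str   # FullName item, canonical or abbreviated
    short_name: str  # ShortName item
    mail: str        # InternetAddress item

@dataclass(frozen=True)
class ADUser:
    dn: str
    sam_account_name: str
    mail: str

# (Domino field, AD field) carrying the shared identifier for each matching strategy.
_KEYS = {"mail": ("mail", "mail"), "shortname": ("short_name", "sam_account_name")}

def build_dn_mapping(domino, ad, key="mail"):
    """Match each Domino person to exactly one AD user on key ("mail" or "shortname").
    Returns (updates, problems): updates = {AD user DN: Domino LDAP DN to write}.
    Zero or several matches on either side are reported and not written, because an
    ambiguous mapping lets an AD login resolve to the wrong Domino identity."""
    dom_field, ad_field = _KEYS[key]
    index = {}
    for u in ad:
        index.setdefault(getattr(u, ad_field).lower(), []).append(u)
    problems, claims = [], {}
    for p in domino:
        try:
            dn = domino_to_ldap_dn(p.full_name)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        k = getattr(p, dom_field).lower()
        hits = index.get(k, [])
        if len(hits) != 1:
            problems.append(f"{dn}: {len(hits)} AD users match {key}={k!r}, need exactly 1")
            continue
        claims.setdefault(hits[0].dn, []).append(dn)
    updates = {}
    for ad_dn, dns in claims.items():
        if len(dns) == 1:
            updates[ad_dn] = dns[0]
        else:
            problems.append(f"{ad_dn}: claimed by {len(dns)} Domino persons, not written")
    return updates, problems

def to_ldif(updates, attr="dominoDN"):
    """Render updates as LDIF modify records for ldapmodify (attribute name is assumed)."""
    return "\n".join(f"dn: {ad_dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {domino_dn}\n-\n"
                     for ad_dn, domino_dn in sorted(updates.items()))

# Constructed sample data standing in for the Domino Directory and AD.
SAMPLE_DOMINO = [
    DominoPerson("CN=Darren Duke/OU=blah/O=bob", "dduke", "darren@bob.example"),
    DominoPerson("Jane O'Neil, Jr/Sales/bob", "joneil", "Jane@bob.example"),  # comma in CN
    DominoPerson("Ghost User/Ops/bob", "ghost", "ghost@bob.example"),  # no AD account
    DominoPerson("Sam Shared/Ops/bob", "sshared", "shared@bob.example"),  # two persons on
    DominoPerson("Pat Shared/Ops/bob", "pshared", "shared@bob.example"),  # one address
]
SAMPLE_AD = [
    ADUser("CN=Darren Duke,OU=Users,DC=bob,DC=example", "dduke", "darren@bob.example"),
    ADUser("CN=Jane ONeil,OU=Users,DC=bob,DC=example", "joneil", "jane@bob.example"),
    ADUser("CN=Shared Mailbox,OU=Users,DC=bob,DC=example", "sshared", "shared@bob.example"),
]
```

Run `build_dn_mapping(SAMPLE_DOMINO, SAMPLE_AD, key="mail")` and feed `to_ldif(updates)` to ldapmodify against the domain; with the sample data two users get a DN, the ghost user and the shared address are reported instead. The same data matched on short name maps three users, because sAMAccountName is unique where the mailbox address was not, which is exactly the choice of key the slide asks you to make. The renderer does not base64-encode LDIF values that start with a space, colon or `<`, so check real directory data for those before trusting the output.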
Notes client setup suggestions
• Prepopulate Notes client setup values automatically
– https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/use-a-custom-notes.ini-file-and-prepopulate-user-settings-on-notes-first-startup.htm
– Use the above either standalone, with NSL or with NFL
– Andy’s and Rob’s SAML LS/Connect Show and Tell
• www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW100.ppt/%24file/SHOW100.ppt
Q and A
• So if time permitted ask away…..
• Also:
– https://blog.darrenduke.net
– @darrenduke on Twitter

More Related Content

What's hot

Inform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for AdminsInform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for AdminsJared Roberts
 
SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016David Hablewitz
 
Rock Solid Sametime for High Availability
Rock Solid Sametime for High AvailabilityRock Solid Sametime for High Availability
Rock Solid Sametime for High AvailabilityGabriella Davis
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoGabriella Davis
 
HTTP/2 Changes Everything
HTTP/2 Changes EverythingHTTP/2 Changes Everything
HTTP/2 Changes EverythingLori MacVittie
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesGabriella Davis
 
IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceGabriella Davis
 
Working With Sametime For Mobile Devices
Working With Sametime For Mobile DevicesWorking With Sametime For Mobile Devices
Working With Sametime For Mobile DevicesGabriella Davis
 
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerEngage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerBill Malchisky Jr.
 
The Sametime Mobile Experience
The Sametime Mobile ExperienceThe Sametime Mobile Experience
The Sametime Mobile ExperienceGabriella Davis
 
Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013Siva Arunachalam
 
Http2: why the web is upgrading? - bdx.io 2015
Http2: why the web is upgrading?   - bdx.io 2015Http2: why the web is upgrading?   - bdx.io 2015
Http2: why the web is upgrading? - bdx.io 2015Quentin Adam
 
Becoming A Connections Administrator
Becoming A Connections AdministratorBecoming A Connections Administrator
Becoming A Connections AdministratorGabriella Davis
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesGabriella Davis
 
Face Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesFace Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesGabriella Davis
 
Domino in the Back, Party In The Front
Domino in the Back, Party In The FrontDomino in the Back, Party In The Front
Domino in the Back, Party In The FrontGabriella Davis
 
Planning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections UpgradePlanning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections UpgradeGabriella Davis
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and morepanagenda
 

What's hot (20)

Inform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for AdminsInform2015 - What's New in Domino 9 & 9.0.1 for Admins
Inform2015 - What's New in Domino 9 & 9.0.1 for Admins
 
SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016SmartCloud Administration Best Practices MWLUG 2016
SmartCloud Administration Best Practices MWLUG 2016
 
Rock Solid Sametime for High Availability
Rock Solid Sametime for High AvailabilityRock Solid Sametime for High Availability
Rock Solid Sametime for High Availability
 
HTTP - The Other Face Of Domino
HTTP - The Other Face Of DominoHTTP - The Other Face Of Domino
HTTP - The Other Face Of Domino
 
HTTP/2 Changes Everything
HTTP/2 Changes EverythingHTTP/2 Changes Everything
HTTP/2 Changes Everything
 
What's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-PremisesWhat's New in Notes, Sametime and Verse On-Premises
What's New in Notes, Sametime and Verse On-Premises
 
IBM Traveler Management, Security and Performance
IBM Traveler Management, Security and PerformanceIBM Traveler Management, Security and Performance
IBM Traveler Management, Security and Performance
 
Web Sockets in Java EE 7
Web Sockets in Java EE 7Web Sockets in Java EE 7
Web Sockets in Java EE 7
 
Working With Sametime For Mobile Devices
Working With Sametime For Mobile DevicesWorking With Sametime For Mobile Devices
Working With Sametime For Mobile Devices
 
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good ServerEngage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
Engage 2016 - Adm01 - Back from the Dead: When Bad Code Kills a Good Server
 
The Sametime Mobile Experience
The Sametime Mobile ExperienceThe Sametime Mobile Experience
The Sametime Mobile Experience
 
Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013Web sockets in java EE 7 - JavaOne 2013
Web sockets in java EE 7 - JavaOne 2013
 
Http2: why the web is upgrading? - bdx.io 2015
Http2: why the web is upgrading?   - bdx.io 2015Http2: why the web is upgrading?   - bdx.io 2015
Http2: why the web is upgrading? - bdx.io 2015
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino Adminblast
 
Becoming A Connections Administrator
Becoming A Connections AdministratorBecoming A Connections Administrator
Becoming A Connections Administrator
 
The SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 CertificatesThe SSL Problem and How to Deploy SHA2 Certificates
The SSL Problem and How to Deploy SHA2 Certificates
 
Face Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On PremisesFace Off Domino vs Exchange On Premises
Face Off Domino vs Exchange On Premises
 
Domino in the Back, Party In The Front
Domino in the Back, Party In The FrontDomino in the Back, Party In The Front
Domino in the Back, Party In The Front
 
Planning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections UpgradePlanning and Completing an IBM Connections Upgrade
Planning and Completing an IBM Connections Upgrade
 
Automate IBM Connections Installations and more
Automate IBM Connections Installations and moreAutomate IBM Connections Installations and more
Automate IBM Connections Installations and more
 

Similar to Notes, domino and the single sign on soup

You don't want to do it like that
You don't want to do it like thatYou don't want to do it like that
You don't want to do it like thatSharon James
 
SharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyondSharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyondMikael Svenson
 
SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013Sam Larko
 
Keeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative TechnologiesKeeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative TechnologiesIABC Houston
 
Use Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.comUse Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.comOlivier Karfis
 
AdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections AdminblastAdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections AdminblastNico Meisenzahl
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365Dylan Redfield
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxDarren Duke
 
Tales from the Platform Trade
Tales from the Platform TradeTales from the Platform Trade
Tales from the Platform TradeWilliam Grosso
 
WordPress Hosting Basics
WordPress Hosting BasicsWordPress Hosting Basics
WordPress Hosting BasicsChris Burgess
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365Kelly Jones
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxDarren Duke
 
Pearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperPearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperOfer Zelig
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections Adminblastpanagenda
 
Connections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy WayConnections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy WayLetsConnect
 
Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10Sharon James
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastNico Meisenzahl
 
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...David Hablewitz
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365Kelly Jones
 

Similar to Notes, domino and the single sign on soup (20)

MWLUG 2017 SA110
MWLUG 2017 SA110MWLUG 2017 SA110
MWLUG 2017 SA110
 
You don't want to do it like that
You don't want to do it like thatYou don't want to do it like that
You don't want to do it like that
 
SharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyondSharePoint - The hybrid story and beyond
SharePoint - The hybrid story and beyond
 
SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013SharePoint Saturday San Antonio: Workflow 2013
SharePoint Saturday San Antonio: Workflow 2013
 
Keeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative TechnologiesKeeping in Touch -- Collaborative Technologies
Keeping in Touch -- Collaborative Technologies
 
Use Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.comUse Case: integrating a complex e-commerce site - Frenchtoday.com
Use Case: integrating a complex e-commerce site - Frenchtoday.com
 
AdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections AdminblastAdminCamp 2017 - IBM Connections Adminblast
AdminCamp 2017 - IBM Connections Adminblast
 
INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365INF107 - Integrating HCL Domino and Microsoft 365
INF107 - Integrating HCL Domino and Microsoft 365
 
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptxGreat new Domino features since 9.0.1FP8 - 2023 Ed.pptx
Great new Domino features since 9.0.1FP8 - 2023 Ed.pptx
 
Tales from the Platform Trade
Tales from the Platform TradeTales from the Platform Trade
Tales from the Platform Trade
 
WordPress Hosting Basics
WordPress Hosting BasicsWordPress Hosting Basics
WordPress Hosting Basics
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365
 
Great new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptxGreat new Domino features since 9.0.1FP8.pptx
Great new Domino features since 9.0.1FP8.pptx
 
Pearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET DeveloperPearls and Must-Have Tools for the Modern Web / .NET Developer
Pearls and Must-Have Tools for the Modern Web / .NET Developer
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections Adminblast
 
Connections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy WayConnections Upgrades and Migrations the Easy Way
Connections Upgrades and Migrations the Easy Way
 
Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10Connections Migrations the easy way Soccnx10
Connections Migrations the easy way Soccnx10
 
Webinar: IBM Connections Adminblast
Webinar: IBM Connections AdminblastWebinar: IBM Connections Adminblast
Webinar: IBM Connections Adminblast
 
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
MWLUG 2017: Best Practices before, during, and after moving to IBM SmartCloud...
 
How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365How Atrium Health Implemented and Governs Office 365
How Atrium Health Implemented and Governs Office 365
 

Recently uploaded

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Testing tools and AI - ideas what to try with some tool examples
Notes, Domino and the Single Sign-on Soup (slide transcript)
Offload
• Authenticate the password from elsewhere
  – Usually Active Directory
  – Uses Directory Assistance and LDAP referrals
  – Only usable (like this) for the HTTP password
    • So iNotes, web apps, Traveler, etc.
• Will also be needed if you do SAML and SPNEGO
Offload
• Pros
  – Actually uses the AD password; no HTTP password exists anymore*
• Cons
  – Only web protocols
  – You need to get the Domino LDAP DN into an AD field
  – Traveler can lock the account out on a regular basis
    • Think AD password change policy
Synchronization
• Copy password from “A” to “B”
  – “A” is usually AD, “B” is usually Domino
• Capture AD password change, send to Domino
  – Can update ID Vault and/or HTTP password
• TDI is a free entitlement for most of you
  – And it can do this
Synchronization
• Pros
  – Fixes AD lockout issue with “offload”
  – Notes ID and/or HTTP password, thanks to ID Vault
• Cons
  – Usually requires AD schema modification
  – HTTP password changes need to replicate
  – Doesn’t really get rid of Notes ID password
    • Just makes it known to the user
Integration
• Use a different system (usually AD) to verify user ID and password
• Two options
  – SPNEGO
    • Reasonably simple
    • Limited use
    • HTTP only
  – SAML/NFL
    • As far from reasonably simple as you can get
    • Notes client and/or HTTP
SPNEGO
• Allows domain-connected users using browser apps to log in transparently using IWA
• Web/Internet Site based
  – All or nothing
  – Although with good firewall people…
    • Two Internet Site documents, one SPNEGO, one not
    – Source IP, agent sniffing, etc.
SPNEGO
• Pros
  – Simple(ish)
• Cons
  – HTTP only
  – Windows desktops only (no Mac)*
  – Domino authentication server must be Windows
  – Kind of half-assed implementation
    • Will not fail back to user name and password
  – Domino user DN is still needed in AD
SAML/WFL/NFL
• Uses SAML to connect to ADFS or TAM
  – Could use others, but completely unsupported
• Most are (and all of mine have been) ADFS
• Can be used to get rid of Notes ID password
• Very flexible
  – WFL for iNotes, web apps
  – NFL for Notes clients
  – Use either or both
SAML/WFL/NFL
• Pros
  – Standard, cross-platform
    • Client OS: all of them
    • Domino server OS: all of them
  – Use AD user name and password
  – Flexible WFL options
    • Inside the corporate network, transparent logon
    • Outside, use forms-based logon
  – Go completely Notes ID password-less
SAML/WFL/NFL
• Cons
  – Is pretty complex
  – Documentation is woeful
  – Notes requires files to be present in the user profile to work
    • Stub notes.ini with full CN user name
    • Deploy.nsf for certificates
  – Requires a custom ADFS SSL cert
    • Means you need to use a non-commercial certificate
    • Create an ADFS server specifically for NFL, as users may get SSL certificate trust issues unless it is in the computer’s trusted roots
    • Again, a bit half-arsed
SAML/WFL/NFL
• Cons (cont.)
  – Slow logging into Notes client
    • All these security shenanigans take time
    • But this can be fixed by also using NSL
      – First login uses NFL
      – Subsequent logins switch to NSL
  – Domino user DN is still needed in AD
  – No ADFS 4.0 support
    • So no Windows Server 2016 support
    • ADFS 3.0 support took 4 years
What about Traveler?
• Verse client now supports certificate authentication
  – Note, *NOT* SSO, but at least password-less
• No native iOS support that I know of
  – So iOS native still uses HTTP password
• Some MDMs have their own mail clients to address this
Common Thread…
• “Domino DN still needed in AD”
  – (or email address, just some unique ID equal in both systems)
  – Domino DN = “CN=Darren Duke,OU=blah,O=bob”
    • It’s the LDAP version of your Domino name
  – Use TDI to populate an AD field with the Domino DN
    • Prereq: needs an *existing* common ID between AD and Domino
      – Email address?
      – Domino short name = sAMAccountName?
    • Some orgs use AltSecurityIdentities, some the email address
    • Others use a custom field
      – If custom, make sure to AD-index that field!!!
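The DN mapping the slide describes, as an added example that is not part of the deck or any TDI assembly line: it converts Domino canonical names to the LDAP DN form, matches Domino Person records to AD accounts on email address and then on ShortName = sAMAccountName, and writes an LDIF an admin can review before loading. It goes a little beyond the slide by refusing ambiguous matches and escaping DN special characters; `dominoDN` is a placeholder for whichever AD field you chose, and the sample records are constructed.

```python
# Added example, not from the slides: Domino canonical name -> LDAP DN, match
# Domino people to AD accounts, emit LDIF storing the DN in a placeholder AD field.
import re
from collections import defaultdict

def escape_rdn_value(value):
    """RFC 4514 escaping, so a comma inside a CN cannot start a new RDN."""
    out = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    return '\\' + out if out.startswith(('#', ' ')) else out

def domino_to_ldap_dn(canonical):
    """'CN=Darren Duke/OU=blah/O=bob' -> 'CN=Darren Duke,OU=blah,O=bob'."""
    rdns = [part.partition('=') for part in canonical.split('/')]
    if not all(value for _, _, value in rdns):
        raise ValueError('expected a canonical Domino name: %r' % canonical)
    return ','.join('%s=%s' % (a.strip().upper(), escape_rdn_value(v.strip())) for a, _, v in rdns)

def match_to_ad(domino_people, ad_accounts):
    """Match on mail, else ShortName == sAMAccountName. Zero or several AD
    candidates are reported, never guessed: a wrong DN maps the wrong AD user."""
    by_mail, by_sam = defaultdict(list), defaultdict(list)
    for a in ad_accounts:
        if a.get('mail'):                      # never index an empty mail value
            by_mail[a['mail'].lower()].append(a)
        by_sam[a['sAMAccountName'].lower()].append(a)
    matches, problems = [], []
    for p in domino_people:
        mail = (p.get('InternetAddress') or '').lower()
        hits = (by_mail.get(mail, []) if mail else []) or by_sam.get(p['ShortName'].lower(), [])
        if len(hits) == 1:
            matches.append((hits[0]['dn'], domino_to_ldap_dn(p['FullName'])))
        else:
            problems.append((p['FullName'], len(hits)))
    return matches, problems

def to_ldif(matches, attr='dominoDN'):  # attr is a placeholder: use your own field
    """LDIF modify records an admin can review before running ldapmodify."""
    return ''.join('dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n-\n\n'
                   % (dn, attr, attr, ddn) for dn, ddn in matches)

DOMINO_PEOPLE = [  # constructed sample Person records, not a real directory
    {'FullName': 'CN=Darren Duke/OU=blah/O=bob', 'ShortName': 'dduke', 'InternetAddress': 'dduke@example.com'},
    {'FullName': 'CN=Jane Doe/OU=blah/O=bob', 'ShortName': 'jdoe', 'InternetAddress': ''},
    {'FullName': 'CN=Smith, Sam/O=bob', 'ShortName': 'ssmith', 'InternetAddress': 'sam@example.com'},
]
AD_ACCOUNTS = [  # constructed; two accounts deliberately share sam@example.com
    {'dn': 'CN=Darren Duke,OU=Users,DC=example,DC=com', 'sAMAccountName': 'dduke', 'mail': 'DDuke@example.com'},
    {'dn': 'CN=Jane Doe,OU=Users,DC=example,DC=com', 'sAMAccountName': 'jdoe'},
    {'dn': 'CN=Sam Smith,OU=Users,DC=example,DC=com', 'sAMAccountName': 'ssmith', 'mail': 'sam@example.com'},
    {'dn': 'CN=svc-sam,OU=Svc,DC=example,DC=com', 'sAMAccountName': 'svcsam', 'mail': 'sam@example.com'},
]
```

Running `match_to_ad(DOMINO_PEOPLE, AD_ACCOUNTS)` maps Darren (by mail, case-insensitively) and Jane (by short name) and reports Sam as unmatched because two AD accounts carry his address.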
Notes client setup suggestions
• Prepopulate Notes client setup values automatically
  – https://blog.darrenduke.net/Darren/DDBZ.nsf/dx/use-a-custom-notes.ini-file-and-prepopulate-user-settings-on-notes-first-startup.htm
  – Use the above either standalone, with NSL or with NFL
  – Andy’s and Rob’s SAML LS/Connect Show and Tell
    • www.andypedisich.com/blogs/andysblog.nsf/dx/SHOW100.ppt/%24file/SHOW100.ppt
Q and A
• So if time permitted, ask away…
• Also:
  – https://blog.darrenduke.net
  – @darrenduke on Twitter