SSO and LDAP Open Mic Webcast
Josh Edwards, October 7, 2015
Summary
● Overview of SSO
● What kind of SSO mechanisms are supported with Sametime?
● How does the rich client handle SSO settings?
● How to configure WebSphere and Sametime to support LTPA tokens
● Overview of LDAP
● How to configure inbox awareness for 3rd party LDAPs
● Closing Remarks
Overview of SSO
● SSO stands for Single Sign-On.
● SSO allows a single ID to access all participating systems without the need to log in separately to each one.
● In order to make use of SSO across the board in Sametime 9 we make use of a WebSphere-based LTPA token and LDAP.
What kind of SSO mechanisms are supported with Sametime?
● SPNEGO - http://www.ibm.com/developerworks/lotus/documentation/spnegosametime/
● SiteMinder - http://www-01.ibm.com/support/knowledgecenter/SSKTXQ_9.0.0/admin/config/config_sec_siteminder_st_components.dita
● SAML (primarily utilized for SmartCloud, with limited functionality) - http://www-01.ibm.com/support/knowledgecenter/SSKTXQ_9.0.0/admin/config/st_adm_security_sso_for_saml_and_comm_serv.dita?lang=en
Example SSO Client Settings
● *Note: Do not check "remember password" when utilizing token-based single sign-on.
How does the rich client handle Domino SSO settings for community logins?
● The client requests an LTPA token from the Domino server on port 1352 configured as the authentication server in the embedded client SSO setting (config > under the "Log In" tab of the Server Community Settings).
● If the authentication server isn't set, the client uses the same host as configured for the community server.
● *Note: In case of a stand-alone Mux configuration, the authentication server must be defined and populated to point the LTPA request to the Domino server running the community server for the request to process properly.
● *Note: See step 6 of this link if connecting to a cluster for special configuration steps. http://www-01.ibm.com/support/docview.wss?uid=swg21196034
How to configure WebSphere and Sametime to support LTPA tokens - Overview
● Configure the Single sign-on (SSO) settings in WebSphere.
● Export the key from WebSphere.
● Import the key exported from WebSphere into the Domino server where Sametime is installed.
● Configure the Single sign-on (SSO) settings in Domino.
How to configure WebSphere and Sametime to support LTPA tokens
● In WebSphere enable Interoperability mode.
● Name the cookies appropriately: LtpaToken for the V1 cookie name and LtpaToken2 for the V2 cookie name. Ensure the case and spelling match.
● Web inbound security should be unchecked on the Sametime side when mixing with Portal and/or Connections so that Sametime performs the lookup.
Exporting the key from WebSphere
● Export the key and copy the file to your local client so that it can be accessed for the import.
● Do NOT click "generate keys" for general exporting.
Importing the WebSphere key into Domino
● If an SSO configuration already exists for this server then simply skip this step and import the keys.
● *Note: Perform this import step whether a new SSO configuration was created or a preexisting one is used in Domino.
● Enter the absolute path to where the exported WebSphere key exists on the local client.
LTPA cont. - Domino Configuration
● After importing the WebSphere key on the Domino server where Sametime is installed, ensure the Token Format is set to LtpaToken and LtpaToken2.
● Also ensure the DNS domain matches between the WebSphere configuration and the Domino configuration.
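As an added check (not from the webcast), the Python below parses the Set-Cookie headers captured from a login response and reports the two misconfigurations the slides warn about: a cookie name that does not match LtpaToken / LtpaToken2 in case and spelling, and a DNS domain that differs from the one configured on the other side. The sample headers and the example.com domain are constructed.

```python
"""Check the LTPA cookies a server sets after login (added example).
Verifies exact cookie names and a common DNS domain; headers are constructed."""

# Cookie names WebSphere interoperability mode expects; case matters.
EXPECTED_NAMES = ("LtpaToken", "LtpaToken2")


def parse_set_cookie(header):
    """Return (cookie_name, attrs) for one Set-Cookie value; attribute keys
    are lower-cased and flags such as HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def _norm_domain(domain):
    # DNS names are case-insensitive and a leading dot is legacy syntax.
    return domain.lower().lstrip(".")


def check_ltpa_cookies(headers, expected_domain):
    """Return a list of problems found in one server's Set-Cookie headers."""
    seen = dict(parse_set_cookie(h) for h in headers)
    problems = []
    for expected in EXPECTED_NAMES:
        if expected in seen:
            domain = seen[expected].get("domain", "")
            if _norm_domain(domain) != _norm_domain(expected_domain):
                problems.append(f"{expected}: domain {domain!r} != {expected_domain!r}")
            continue
        # A name that differs only in case is the classic misconfiguration.
        wrong_case = [n for n in seen if n.lower() == expected.lower()]
        if wrong_case:
            problems.append(f"{expected}: found {wrong_case[0]!r} (case mismatch)")
        else:
            problems.append(f"{expected}: cookie not set")
    return problems


# Constructed sample: V1 cookie name has the wrong case and the V2 cookie is
# scoped to a narrower DNS domain than the WebSphere side (example.com).
DOMINO_HEADERS = [
    "ltpatoken=AAECAw==; Path=/; Domain=.example.com; HttpOnly",
    "LtpaToken2=BAUGBw==; Path=/; Domain=.sametime.example.com; HttpOnly",
]
print(check_ltpa_cookies(DOMINO_HEADERS, "example.com"))
```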
LTPA cont. - Example Settings
LTPA cont.
● If utilizing a custom token name or internet site there are additional ini parameters that must be utilized for the Sametime community server to use them. http://www-01.ibm.com/support/docview.wss?uid=swg21157740
LDAP
What is LDAP
● LDAP stands for Lightweight Directory Access Protocol.
● LDAP stores attributes about users. It can contain details such as email address, first name, last name, phone number and many other attributes that define a user.
● LDAP can be utilized by a multitude of different servers in order to all share the same directory information. When deploying the new Sametime features we require the use of an LDAP server.
What is an LDIF?
● LDIF stands for LDAP Data Interchange Format.
● LDIFs represent data stored in LDAP in a plain text format.
● In troubleshooting various LDAP issues like authentication problems, awareness, or business card problems it is common to get an LDIF for a particular user and compare the attributes available to the actual LDAP configuration. Additionally, comparing the actual values of the attributes to the values that are returned in the logs can help in determining configuration issues.
LDIF Example
LDAP Configuration for Sametime
LDAP Configuration For Active Directory
Active Directory Example
● Here we have specified the base DN.
● Notice that for the directory type, Active Directory is selected.
● A key point is to ensure that the Federated repository properties of mail;cn;uid are not modified and the order is not changed. Additional attributes may be added to the end.
How to configure inbox awareness for 3rd party LDAPs
There are two possible ways to accomplish this setup:
1) Synchronize the user name in the Person document in the Domino Directory with the non-Domino LDAP name that Sametime uses to authenticate a user. For example, if the non-Domino LDAP Sametime directory is IBM Directory Server, and a user's DN from IBM Directory Server is as follows:
   uid=wpsadmin,cn=users,dc=ibm,dc=com
   then you need to add the following to the LTPA user name field (located on the Administration tab of the Person document) for wpsadmin in Domino:
   LTPA user name: uid=wpsadmin/cn=users/dc=ibm/dc=com
2) Or, synchronize the user name in the non-Domino LDAP with the name that Domino Web Access uses to authenticate the user by using Directory Assistance. For more information on creating and configuring Directory Assistance, refer to the Domino Administrator help database.
Full Length Article - http://www-01.ibm.com/support/docview.wss?uid=swg21230590
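As an added example (not from the webcast), the Python below parses the LDIF you would pull for a user while troubleshooting (see the LDIF slides above), checks for the mail;cn;uid attributes the federated repository is configured with, and converts the LDAP DN into the slash-separated LTPA user name shown in step 1. The LDIF is constructed; splitting on unescaped commas generalises the slide's single example and is an assumption.

```python
"""Parse a user's LDIF and derive the Domino LTPA user name (added example).
Checks that the attributes the federated repository is configured with
(mail;cn;uid) are present and converts the DN to the slash-separated form
used in the Person document's 'LTPA user name' field. LDIF is constructed."""
import base64
import re

# Attribute list the Active Directory slide says must keep its order.
REQUIRED_ATTRS = ("mail", "cn", "uid")


def parse_ldif_entry(text):
    """Return {attr: [values]} for one LDIF entry, handling folded lines
    (continuation lines start with a space) and base64 values ('::')."""
    unfolded = re.sub(r"\n ", "", text.strip())
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def missing_attributes(entry):
    """Attributes from mail;cn;uid that the user's entry does not carry."""
    return [a for a in REQUIRED_ATTRS if a not in entry]


def dn_to_ltpa_user_name(dn):
    """uid=wpsadmin,cn=users,dc=ibm,dc=com -> uid=wpsadmin/cn=users/dc=ibm/dc=com
    Splits on unescaped commas only so an RDN such as cn=Doe\\, John survives
    (assumption: generalising the slide's single example)."""
    return "/".join(r.strip() for r in re.split(r"(?<!\\),", dn))


# Constructed LDIF for the slide's wpsadmin user; cn is folded and mail is
# base64-encoded to exercise both LDIF features.
SAMPLE_LDIF = """dn: uid=wpsadmin,cn=users,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: wpsadmin
cn: WebSphere Portal
  Administrator
sn: Administrator
mail:: d3BzYWRtaW5AaWJtLmNvbQ==
"""

if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    print("missing attributes:", missing_attributes(user))
    print("LTPA user name:", dn_to_ltpa_user_name(user["dn"][0]))
```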
Summary Points for Success
There are 4 main key points to consider when utilizing SSO and LDAP to have a successful deployment:
● common keys
● common realm
● common domains
● common LDAP – (it is preferred and recommended to utilize a common LDAP between components; although if this is not the case it still might be possible to offer functionality with special configuration)
Questions?