SSO and LDAP Open Mic Webcast, Josh Edwards, October 7, 2015



SLIDE 1

SSO and LDAP

Open Mic Webcast Josh Edwards October 7, 2015

SLIDE 2

Summary

  • Overview of SSO
  • What kind of SSO mechanisms are supported with Sametime?
  • How does the rich client handle SSO settings?
  • How to configure WebSphere and Sametime to support LTPA tokens
  • Overview of LDAP
  • How to configure inbox awareness for 3rd-party LDAPs
  • Closing Remarks
SLIDE 3

Overview of SSO

  • SSO stands for Single Sign-On.
  • SSO lets a single identity access every participating system without logging in separately to each one.
  • To use SSO across the board in Sametime 9, a WebSphere-based LTPA token and a shared LDAP directory are used.

SLIDE 4

What kind of SSO mechanisms are supported with Sametime?

  • SPNEGO - http://www.ibm.com/developerworks/lotus/documentation/spnegosametime/
  • SiteMinder - http://www-01.ibm.com/support/knowledgecenter/SSKTXQ_9.0.0/admin/config/config_sec_siteminder_st_components.dita
  • SAML (primarily used for SmartCloud, with limited functionality) - http://www-01.ibm.com/support/knowledgecenter/SSKTXQ_9.0.0/admin/config/st_adm_security_sso_for_saml_and_comm_serv.dita?lang=en

SLIDE 5

Example SSO Client Settings

  • *Note: Do not check "Remember password" when using token-based single sign-on.

SLIDE 6

Example SSO Client Settings

SLIDE 7

How does the rich client handle Domino SSO settings for community logins?

  • The client requests an LTPA token over port 1352 from the Domino server configured as the authentication server in the embedded client's SSO settings (Server Community Settings > "Log In" tab).
  • If no authentication server is set, the client uses the same host configured for the community server.
  • *Note: In a stand-alone Mux (multiplexer) configuration, the authentication server must be defined and must point the LTPA request at the Domino server that runs the community server; otherwise the request cannot be processed.
  • *Note: If connecting to a cluster, see step 6 of http://www-01.ibm.com/support/docview.wss?uid=swg21196034 for the additional configuration steps.

SLIDE 8

How to configure WebSphere and Sametime to support LTPA tokens - Overview

  • Configure the single sign-on (SSO) settings in WebSphere.
  • Export the LTPA key from WebSphere.
  • Import the key exported from WebSphere into the Domino server where Sametime is installed.
  • Configure the single sign-on (SSO) settings in Domino.

SLIDE 9

How to configure WebSphere and Sametime to support LTPA tokens.

SLIDE 10

How to configure WebSphere and Sametime to support LTPA tokens.

  • In WebSphere, enable Interoperability mode so that both the V1 (LtpaToken) and V2 (LtpaToken2) cookies are issued.
  • Name the cookies exactly LtpaToken for the V1 cookie name and LtpaToken2 for the V2 cookie name. Cookie names are case-sensitive; ensure the case and spelling match on both sides.
  • Web inbound security (attribute propagation) should be unchecked on the Sametime side when mixing with Portal and/or Connections, so that Sametime performs the user lookup itself.

SLIDE 11

Exporting the key from WebSphere

SLIDE 12

Exporting the key from WebSphere

  • Export the key and copy the file to your local client so that it can be reached during the import. The export contains the shared LTPA keys, so protect the export password and delete the local copy once the import is done.
  • Do NOT click "Generate keys" when you only want to export. Generating new keys invalidates the keys every other participating server already holds and breaks existing SSO until the new keys are imported everywhere.
SLIDE 13

Importing the WebSphere key into Domino

  • If a Web SSO configuration already exists for this server, skip creating a new one and go straight to importing the keys.

SLIDE 14

Importing the WebSphere key into Domino

  • *Note: Perform this import step whether a new SSO configuration was created or a pre-existing one is reused in Domino.

SLIDE 15

Importing the WebSphere key into Domino

  • Enter the absolute path to the exported WebSphere key file on the local client.

SLIDE 16

LTPA Cont. Domino Configuration

  • After importing the WebSphere key on the Domino server where Sametime is installed, ensure the Token Format is set to LtpaToken and LtpaToken2.
  • Also ensure the DNS domain matches between the WebSphere configuration and the Domino configuration.

SLIDE 17

LTPA Cont. Example Settings

SLIDE 18

LTPA Cont.

  • If using a custom token name or an Internet Site document, additional notes.ini parameters are required for the Sametime Community Server to use them: http://www-01.ibm.com/support/docview.wss?uid=swg21157740

SLIDE 19

LDAP

SLIDE 20

What is LDAP?

  • LDAP stands for Lightweight Directory Access Protocol.
  • LDAP stores attributes about users. An entry can hold details such as email address, first name, last name, phone number and many other attributes that define a user.
  • LDAP can be used by many different servers so that they all share the same directory information. Deploying the new Sametime features requires an LDAP server.

SLIDE 21

What is an LDIF?

  • LDIF stands for LDAP Data Interchange Format.
  • An LDIF represents data stored in LDAP in a plain-text format.
  • When troubleshooting LDAP issues such as authentication problems, awareness, or business card problems, it is common to export an LDIF for a particular user and compare the attributes present with the actual LDAP configuration. Comparing the attribute values with the values returned in the logs also helps pin down configuration issues.

SLIDE 22

LDIF Example

SLIDE 23

LDAP Configuration for Sametime

SLIDE 24

LDAP Configuration For Active Directory

SLIDE 25

Active Directory Example

SLIDE 26

Active Directory Example

  • Here we have specified the base DN.
SLIDE 27

Active Directory Example

  • Notice that for the directory type, Active Directory is selected.
  • A key point: ensure that the Federated repository properties value of mail;cn;uid is not modified and its order is not changed. Additional attributes may be added to the end.

SLIDE 28

How to configure inbox awareness for 3rd-party LDAPs

There are two possible ways to accomplish this setup:

1) Synchronize the user name in the Person document in the Domino Directory with the non-Domino LDAP name that Sametime uses to authenticate a user. For example, if the non-Domino LDAP Sametime directory is IBM Directory Server, and a user's DN from IBM Directory Server is:

   uid=wpsadmin,cn=users,dc=ibm,dc=com

   then add the following to the LTPA user name field (located on the Administration tab of the Person document) for wpsadmin in Domino:

   LTPA user name: uid=wpsadmin/cn=users/dc=ibm/dc=com

2) Or, synchronize the user name in the non-Domino LDAP with the name that Domino Web Access uses to authenticate the user by using Directory Assistance. For more information on creating and configuring Directory Assistance, refer to the Domino Administrator help database.

Full-length article: http://www-01.ibm.com/support/docview.wss?uid=swg21230590
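The DN-to-LTPA-user-name mapping shown above, and the "get an LDIF for the user and compare its attributes" troubleshooting step from slide 21, can both be scripted. The following is an added example written for this page, not code from the deck or from IBM: it parses a constructed LDIF entry (modelled on the wpsadmin DN above; every other attribute value is made up), derives the Domino LTPA user name from the DN, and reports which of the mail;cn;uid attributes from slide 27 the entry lacks. Splitting the DN on unescaped commas only, so that a name such as cn=Smith\, John survives, is this example's choice; the slide shows only the plain case.

```python
"""Parse an LDIF entry and derive the Domino 'LTPA user name' from its DN.

Added example for this deck, not IBM/HCL code. SAMPLE_LDIF is a constructed
entry modelled on the IBM Directory Server DN used on slide 28
(uid=wpsadmin,cn=users,dc=ibm,dc=com); the other attribute values are made up.
"""
import base64
import re
from typing import Dict, List

SAMPLE_LDIF = """\
dn: uid=wpsadmin,cn=users,dc=ibm,dc=com
objectClass: inetOrgPerson
uid: wpsadmin
cn: wpsadmin
sn: Administrator
mail: wpsadmin@ibm.com
displayName:: V2ViU3BoZXJlIFBvcnRhbCBBZG1pbg==
description: WebSphere Portal
  administrator account
"""

# attribute name, ':' or '::' (base64), optional space, value
_ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry (RFC 2849 subset) into {attribute: [values]}.

    Handles folded continuation lines (leading space), base64 values
    ('attr:: <b64>'), comments and multi-valued attributes. Attribute names
    are lower-cased so lookups do not depend on the directory's casing.
    """
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        m = _ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        entry.setdefault(name, []).append(value)
    return entry


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs on commas that are not backslash-escaped (RFC 4514).

    A plain str.split(",") would break names such as 'cn=Smith\\, John'.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def ltpa_user_name(dn: str) -> str:
    """Domino 'LTPA user name' form of an LDAP DN: the RDNs joined with '/'.

    Slide 28 shows only the simple case; keeping escaped commas inside their
    RDN instead of splitting on them is this example's assumption.
    """
    return "/".join(split_dn(dn))


def missing_sametime_attrs(entry: Dict[str, List[str]],
                           required=("mail", "cn", "uid")) -> List[str]:
    """Attributes named in the federated repository property 'mail;cn;uid'
    (slide 27) that this entry does not carry. Anything listed here is a
    likely cause of login, awareness or business-card lookups failing."""
    return [a for a in required if a not in entry]


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    print("dn:            ", e["dn"][0])
    print("LTPA user name:", ltpa_user_name(e["dn"][0]))
    print("missing attrs: ", missing_sametime_attrs(e))
```

Feed it the LDIF exported for a user who cannot log in or does not show awareness, and compare the returned LTPA user name with the Person document field and the missing-attribute list with the federated repository property.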

SLIDE 29

Summary Points for Success

There are four main points to consider when using SSO and LDAP for a successful deployment:

  • common keys
  • common realm
  • common domains
  • common LDAP (it is preferred and recommended to use a common LDAP between components; if that is not the case, it may still be possible to offer the functionality with special configuration)
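As an added example (not part of the deck or of IBM's tooling), the checklist above, together with the case-sensitive cookie-name rule from slide 10 and the Token Format and DNS domain rules from slide 16, can be turned into a pre-flight script run before the first SSO test. It reads a constructed LTPA key export in the Java-properties layout WebSphere uses (property names such as com.ibm.websphere.ltpa.Realm are taken from that format; the key values are placeholders, not real key material) and compares it with two dicts standing in for the WebSphere SSO panel and the Domino Web SSO Configuration document. The rule that Domino wants the realm's colon escaped as host\:port is recalled from the Domino Web SSO help and is marked as an assumption in the code; verify it against your release.

```python
"""Pre-flight check that the WebSphere and Domino sides of LTPA SSO agree.

Added example for this deck, not IBM/HCL code. SAMPLE_LTPA_KEY_FILE is a
constructed sample in the Java-properties layout of a WebSphere LTPA key
export (property names from that format, placeholder key material). The two
dicts stand in for the WebSphere SSO panel and the Domino Web SSO
Configuration document.
"""
from typing import Any, Dict, List

SAMPLE_LTPA_KEY_FILE = r"""
#IBM WebSphere Application Server key file
#Tue Oct 06 09:12:44 EDT 2015
com.ibm.websphere.CreationDate=Tue Oct 06 09\:12\:44 EDT 2015
com.ibm.websphere.ltpa.version=1.0
com.ibm.websphere.ltpa.3DESKey=PLACEHOLDER3DESKEY==
com.ibm.websphere.CreationHost=wasdmgr.example.com
com.ibm.websphere.ltpa.PrivateKey=PLACEHOLDERPRIVATEKEY==
com.ibm.websphere.ltpa.Realm=ldap.example.com\:389
com.ibm.websphere.ltpa.PublicKey=PLACEHOLDERPUBLICKEY==
"""

# WebSphere: Global security > Web and SIP security > Single sign-on (slide 10)
WEBSPHERE_SSO: Dict[str, Any] = {
    "interoperability_mode": True,
    "v1_cookie_name": "LtpaToken",
    "v2_cookie_name": "LtpaToken2",
    "domain_name": "example.com",
}

# Domino: Web SSO Configuration document (slide 16). Entering the LDAP Realm
# with the colon escaped (host\:port) is recalled from the Domino help and is
# an assumption of this example; check it on your release.
DOMINO_WEB_SSO: Dict[str, Any] = {
    "token_format": ["LtpaToken", "LtpaToken2"],
    "dns_domain": ".example.com",
    "ldap_realm": r"ldap.example.com\:389",
}

KEY_FIELDS = ("com.ibm.websphere.ltpa.3DESKey",
              "com.ibm.websphere.ltpa.PrivateKey",
              "com.ibm.websphere.ltpa.PublicKey")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments
    and backslash escapes such as \\: in values. The LTPA export needs no
    more (no line continuations, no \\uXXXX)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key: List[str] = []
        value: List[str] = []
        escaped, in_key = False, True
        for ch in line:
            target = key if in_key else value
            if escaped:
                target.append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif in_key and ch in "=:":
                in_key = False
            else:
                target.append(ch)
        props["".join(key).strip()] = "".join(value).strip()
    return props


def _norm_domain(d: str) -> str:
    # Domino writes ".example.com", WebSphere "example.com"; compare the bare form
    return d.strip().lower().lstrip(".")


def check_sso(key_file: str, was: Dict[str, Any], domino: Dict[str, Any]) -> List[str]:
    """Mismatches against the slide 29 checklist (common keys, realm, domains)
    plus the slide 10/16 cookie-name and token-format rules. Empty list = OK."""
    findings: List[str] = []
    props = parse_properties(key_file)

    # common keys: the file imported into Domino must carry all three key fields
    for field in KEY_FIELDS:
        if not props.get(field):
            findings.append(f"key file lacks {field}; re-export (do not click Generate keys)")

    # common realm: compare after undoing Domino's backslash-escaped colon
    domino_realm = str(domino["ldap_realm"])
    if ":" in domino_realm and "\\:" not in domino_realm:
        findings.append("Domino LDAP Realm has an unescaped colon; enter it as host\\:port")
    was_realm = props.get("com.ibm.websphere.ltpa.Realm")
    if was_realm != domino_realm.replace("\\:", ":"):
        findings.append(f"realm mismatch: WebSphere {was_realm!r} vs Domino {domino_realm!r}")

    # common domains: the LTPA cookie domain must be the same on both sides
    if _norm_domain(str(was["domain_name"])) != _norm_domain(str(domino["dns_domain"])):
        findings.append(f"DNS domain mismatch: WebSphere {was['domain_name']!r} "
                        f"vs Domino {domino['dns_domain']!r}")

    # cookie names are case-sensitive and must be exactly LtpaToken / LtpaToken2
    if not was["interoperability_mode"]:
        findings.append("WebSphere Interoperability mode is off; only LtpaToken2 would be issued")
    for key, expected in (("v1_cookie_name", "LtpaToken"), ("v2_cookie_name", "LtpaToken2")):
        if was[key] != expected:
            findings.append(f"WebSphere {key} is {was[key]!r}, expected {expected!r}")
    if set(domino["token_format"]) != {"LtpaToken", "LtpaToken2"}:
        findings.append(f"Domino Token Format is {domino['token_format']!r}, "
                        "expected LtpaToken and LtpaToken2")
    return findings


if __name__ == "__main__":
    for line in check_sso(SAMPLE_LTPA_KEY_FILE, WEBSPHERE_SSO, DOMINO_WEB_SSO) or ["OK: settings consistent"]:
        print(line)
```

Point it at the real export and the values copied from the two admin panels; every finding it prints maps to one of the four summary points, which is usually faster than reading LTPA failures out of the Sametime and Domino logs.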

SLIDE 30

Questions?