IBM® Domino® 9.0 Social Edition provides support for federated-identity authentication using the SAML protocol.
Note: Part of a complete SAML-based solution for Domino requires working in other environments. This wiki article supplements the information on SAML in the IBM Domino 9.0 Social Edition Administrator Help. For basic information, see the following two Help topics:
Using Security Assertion Markup Language (SAML) to configure federated-identity authentication
Choosing a federation to configure as your identity provider (IdP)
This article documents configuring IBM Tivoli® Federated Identity Manager (TFIM) as the identity provider for IBM Domino.
1. Launch the TFIM console.
2. View of main console.
3. Create a new Federation.
- Expand the left-hand menu item Tivoli Federated Identity Manager - Configure Federated Single Sign-On and click Federations to get to the following screen.
- Click the Create button to create a new Federation.
4. Choose a Federation Name.
- Fill in a Federation Name. This name will become a component of the URL, so keep it a reasonable length.
- Select Identity Provider.
- Click Next.
5. Choose a Company Name
- Fill in the company name at a minimum. This name will appear in the certificate.
- Click Next.
6. Choose a Federation Protocol.
- Select SAML 1.1.
- Click Next.
7. Point of Contact URL.
- Fill in the Point of Contact, which should be https://<your_TFIM_server_name.your_organization>:9443
- Click Next.
Note: /sps/ will be appended to this URL automatically. SPS = SSO Protocol Service.
8. Signatures.
- Select "SAML messages for HTTP POST profile are signed as required by the protocol".
- Choose a Keystore and enter the Keystore Password.
- Click on the List Keys button and select the Public/Private key pair to use.
- Click Next.
9. Click Next.
Note: The "Allow IBM Protocol Extension" option is another optional setting that is recommended here; enabling it does no harm.
10. Security Token Timeouts.
Note: Pay special attention to the text "In addition, synchronize the system clocks of your server and your partner's server". This is imperative: every SAML assertion carries a NotBefore/NotOnOrAfter validity window, and if the clocks of the TFIM server and the Domino server drift apart by more than the timeouts configured here allow, otherwise valid assertions are rejected as expired or not yet valid.
11. Identity Mapping Options.
- Select "Use XSL or JavaScript transformation for identity mapping", which uses the default rules.
- Click Next.
12. Identity Mapping Rule.
- Select the default TFIM mapping rule. This rule is uploaded from a text file. This file lives in a default location on the TFIM server: Program Files\IBM\FIM\examples\mapping_rules.
Note: Make sure you have mapped a local drive to this location on the TFIM server before browsing.
- Click Next.
13. Save changes.
- Click Finish to apply the changes.
14. Load Configuration.
- You will see a message saying that changes need to be reloaded, like the one below; click the button to do that and you are done!
15. Configure WebSEAL
- When you have successfully created the new Federation, you will see the screen below; click the "Download Tivoli Access Manager Configuration Tool" button to download the configuration jar file used to configure a WebSEAL server for this new federation.
- Save the "tfimcfg.jar" file on disk (e.g. C:\tfimcfg.jar).
- Open a cmd window and enter the following commands to launch the configuration tool:
cd C:\Program Files\IBM\FIM\ewas\java\jre\bin
java.exe -jar C:\tfimcfg.jar -cfgfile "C:\Program Files\Tivoli\PDWeb\etc\webseald-default.conf"
- Enter the configuration information in the command tool as shown below:
- At the “TAM Domain Name[Default]:” line, keep the default value and then press ENTER.
- At the "TAM administrator user-id [sec_master]:" line, type the administrator ID that was created during TAM installation (default sec_master), and then press ENTER.
- At the “TAM administrator password: ” line, type the administrator password that was created during TAM installation, press ENTER, type 1, and then press ENTER to proceed to the next step.
- At the "WebSEAL hostname:" line, type your server's hostname (eg: ***.ibm.com), then press ENTER, type 1, and then press ENTER to proceed to the next step.
- At the "ITFIM hostname:" line, type your server's hostname (eg: ***.ibm.com), and then press ENTER.
- At the “ITFIM HTTP port: ” line, type 9080, and then press ENTER.
- At the "Optional TFIM administrator user-id: " line, leave empty and press ENTER.
- At the "Optional TFIM administrator password:" line, leave empty and press ENTER.
- At the "Use SSL connection to ITFIM server:" line, type n, press ENTER, type 1, and then press ENTER to proceed to the next step. (Answering n makes WebSEAL talk to TFIM over plain HTTP on the port entered above; that is acceptable for a test system, but in production answer y so that the WebSEAL-to-TFIM connection is encrypted.)
- At the "Federation to configure" prompt, type the number corresponding to your newly created Federation name (eg: IDPSAML20), and then press ENTER.
- type 1, and then press ENTER to proceed to the next step.
- After the federation endpoints are displayed, press 3 to select "3.Unauthenticated access", and then press ENTER.
- At "Do you wish to replace the junction, or reuse it? ... " line, choose "1. Reuse" and press ENTER;
- Press 1 to continue until the configuration is complete.
- When the configuration is complete, make sure that the WebSEAL server has restarted successfully.
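The clock-synchronization warning in step 10 is easiest to appreciate by seeing what a relying party does with the validity window an assertion carries. The following Python script is an added example and is not code from this article, from TFIM or from Domino: it parses a SAML 1.1 assertion constructed for the example (the tfim.example.org and domino.example.org hostnames, the identifiers and the timestamps are placeholders) and evaluates its NotBefore/NotOnOrAfter window and audience against the relying party's own clock. The skew tolerance is an assumed local policy value, not the name of any TFIM or Domino setting.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample assertion (not a real TFIM token): a 5-minute validity window.
# Hostnames, identifiers and timestamps are placeholders for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example-id"
    Issuer="https://tfim.example.org:9443/sps" IssueInstant="2014-05-20T10:00:00Z">
  <saml:Conditions NotBefore="2014-05-20T10:00:00Z" NotOnOrAfter="2014-05-20T10:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://domino.example.org</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement AuthenticationInstant="2014-05-20T10:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier>alice@example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC, normally written with a trailing 'Z'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def assertion_conditions(assertion_xml):
    """Return (not_before, not_on_or_after, audiences) taken from <saml:Conditions>."""
    root = ET.fromstring(assertion_xml)
    cond = root.find(f"{{{SAML1_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion carries no Conditions element")
    audiences = [a.text for a in cond.iter(f"{{{SAML1_NS}}}Audience")]
    return (parse_saml_time(cond.get("NotBefore")),
            parse_saml_time(cond.get("NotOnOrAfter")),
            audiences)


def check_validity(assertion_xml, now_utc, expected_audience, skew_seconds=0):
    """Evaluate the assertion's validity window the way a relying party does.

    now_utc is the relying party's own clock as an ISO-8601 string; skew_seconds is
    the tolerance the relying party grants for clock drift (an assumed policy value,
    not a Domino or TFIM setting). Returns a short verdict string.
    """
    not_before, not_on_or_after, audiences = assertion_conditions(assertion_xml)
    now = parse_saml_time(now_utc)
    skew = timedelta(seconds=skew_seconds)
    if expected_audience not in audiences:
        return "rejected: audience mismatch"
    if now + skew < not_before:
        return "rejected: not yet valid"
    if now - skew >= not_on_or_after:  # NotOnOrAfter is exclusive per the SAML spec
        return "rejected: expired"
    return "accepted"


if __name__ == "__main__":
    sp = "https://domino.example.org"
    # Relying-party clock in sync with the IdP: the assertion is honoured.
    print("synced clock:   ", check_validity(SAMPLE_ASSERTION, "2014-05-20T10:02:00Z", sp))
    # Relying-party clock three minutes slow: the assertion appears to come from the future.
    print("3 min slow:     ", check_validity(SAMPLE_ASSERTION, "2014-05-20T09:58:00Z", sp))
    # Same slow clock, but the relying party tolerates 180 s of skew.
    print("3 min slow+skew:", check_validity(SAMPLE_ASSERTION, "2014-05-20T09:58:00Z", sp, 180))
    # Relying-party clock six minutes fast: the 5-minute window has already closed.
    print("6 min fast:     ", check_validity(SAMPLE_ASSERTION, "2014-05-20T10:06:00Z", sp))
```

The script checks only the time window and the audience; a real relying party must also verify the XML signature against the key pair selected in step 8 before trusting anything in the assertion, and should parse untrusted XML with a hardened parser rather than the standard library's ElementTree. The point of the four cases is that a drift of a few minutes on either side of the IdP's clock turns a good assertion into a rejected one, which is why the clocks must be synchronized.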