Use Notes client accounts with federated login for access to externally-based services within the Notes client
You can use IBM® Notes® 9.0 Social Edition federated login for services accessed from within the Notes client after the user has authenticated and started the client, whether or not federated login is also used for the Notes startup sequence.
Note: Part of a complete SAML-based solution for Domino requires working in other environments. This wiki article supplements the information on SAML in the IBM Domino 9.0 Social Edition Administrator Help. For basic information, see the following two Help topics:
About this task
Integrated Windows authentication (IWA) using the SPNEGO and Kerberos protocols, a feature added in Domino® release 8.5.3, is by itself a good choice if the services your Notes client users need access to, such as IBM Sametime® and IBM Connections, are provided only on on-premises servers within your organization. However, when the services are hosted on external servers, for example in IBM SmartCloud®, you can create SAML managed accounts for Notes federated login to the services.
SAML is capable of authenticating users across organizational boundaries, allowing Notes client users to access third-party services, as well as IBM servers in the cloud. Depending on the configuration of the SAML Identity Provider (IdP), the user may gain access with no additional password prompts.
If you combine IWA and SAML for your Notes federated login strategy, a Windows Notes client user can enter a single password to log in to all of the following:
- the operating system
- the Notes client
- properly configured sidebar components within the Notes client, including those hosted on servers external to the Notes client user's organization, assuming those servers use a SAML IdP that also is configured for IWA
- SAML-based third-party Web applications configured for authentication by trusted identity provider(s), assuming those servers use a SAML IdP that also is configured for IWA
To configure access to external services for Notes client users in your organization, you create managed accounts for each service, link them to a SAML account, and apply the accounts to users by means of a desktop settings policy. Services that you may configure for SAML include:
- IBM SmartCloud Sametime chat
- IBM SmartCloud Connections
- Embedded and external browser access to Web applications, such as SmartCloud services or Domino web resources.
- Feeds
Task 1: Create a SAML Account
- In the Domino Directory, navigate to the Policies > Accounts view, and click Add Account.
- Enter an account name and description to identify its purpose, for example, Renovations (SAML).
Tip: You might want to use the account description to track which other accounts link to the SAML account.
- In the Account type field, select SAML-IdP.
- In the Account server name field, enter the DNS name of the IdP server.
- In the Protocol field, select Other.
- Switch to the Advanced Tab. In the Authentication URL field, enter the IdP-Initiated Login URL of your IdP server. For example:
- Make sure the Authentication Type field is set to SAML-IdP (the default value).
- (Optional) To enable Enforce SSL, select Yes.
- (Optional) If the IdP server is form-based and you customized the IdP login page, you must specify the ids of the login form's credential-related elements in the properties list so that the account works correctly. On the Advanced tab, in the Add these name/value pairs to the Properties list section of the form, specify the following name/value pairs:
- custom_user_key=the id of the username input in the login form
- custom_password_key=the id of the password input in the login form
- custom_submitBtn_key=the id of the submit button in the login form
- Save and close the SAML account.
- (Optional) To enable Enforce trusted sites, select Yes. To support this option, you must also add the SAML IdP's URL into trusted sites. In the Domino Directory, open the desktop settings policy, select the Accounts tab, and specify trusted sites in the Trusted Sites section of the tab.
Task 2: Create service accounts
Create accounts for all services you need to support. The following examples cover:
- SmartCloud Sametime
- SmartCloud Connections
- Embedded and external browsers
- Feeds
Example: Create a service account for SmartCloud Sametime
If there is a federation set up between the SAML IdP and SmartCloud, you can use a service account to log in Notes client users to Sametime through the Notes sidebar.
- In the Domino Directory, navigate to the Policies > Accounts view, and click Add Cloud Account.
- In the Account type field, select Sametime.
- In the Account server name field, enter the DNS name of the SmartCloud Sametime Server URL.
- In the Is Primary Account field, select Yes.
- In the Name of linked SAML account field, click the Link SAML account button and select the SAML account created in Task 1 of this article.
- Switch to the Advanced tab, and in the Authentication server field, enter the authentication URL for the Sametime server (usually the same value found in the Account server name field).
- In the Authentication Type field, select ST-DOMINO-SSO.
- (Optional) In the Custom message text field, enter a message to help users determine the credential they need to enter. For example, enter "You are logging in to a SmartCloud server. Please enter your username and password."
- Save and close the account.
Example: Create a service account for SmartCloud Connections
If there is a federation set up between the SAML IdP and SmartCloud, you can use a service account to log in Notes client users to Connections through the Notes sidebar.
- In the Domino Directory, navigate to the Policies > Accounts view, and click Add Cloud Account.
- In the Account type field, select Connections.
- In the Account server name field, enter the SmartCloud Connections server URL.
- In the Is Primary Account field, select No.
- In the Name of linked SAML account field, click the Link SAML account button and select the SAML account created in Task 1 of this article.
- Switch to the Advanced tab, and in the Authentication server field, enter the authentication URL for the Connections server (usually the same value found in the Account server name field).
- In the Authentication Type field, select HTTP.
- (Optional) In the Custom message text field, enter a message to help users determine the credential they need to enter. For example, enter "You are logging in to a SmartCloud server. Please enter your username and password."
- Save and close the account.
Example: Create a service account for embedded and external browsers
If there is a federation set up between the SAML IdP and an external Web application (for example, SmartCloud), you can use a service account to log in Notes client users to Web application resources using the Notes embedded browser or an external browser.
- In the Domino Directory, navigate to the Policies > Accounts view, and click Add Account.
- Enter an account name and description, for example, Browser (SAML).
- In the Account type field, select Other.
- In the Account server name field, enter the Service Provider URL.
- In the Name of linked SAML account field, click the Link SAML account button and select the SAML account created in Task 1 of this article.
- Switch to the Advanced tab, and in the Authentication server field, enter the authentication URL for the Service Provider server (usually the same value found in the Account server name field).
- In the Authentication Type field, select HTTP.
- (Optional) In the Custom message text field, enter a message to help users determine the credential they need to enter. For example, enter "You are logging in to a SmartCloud server. Please enter your username and password."
- On the Advanced tab, in the Add these name/value pairs to the Properties list section of the form, specify the following name/value pair to set the Embedded Browser SSO Timeout value (in seconds):
custom_ssotimeout_key=seconds
- Save and close the account.
Example: Create a service account for Feeds
If there is a federation set up between the SAML IdP and Domino, you can use a service account to log in Notes client users to Feeds through the Notes sidebar.
- In the Domino Directory, navigate to the Policies > Accounts view, and click Add Account.
- Enter an account name and description, for example, Feeds (SAML).
- In the Account type field, select HTTP.
- In the Account server name field, enter the Feeds RSS URL, for example:
https://us.renovations.com/rssfeed.nsf/feed.rss
- In the Name of linked SAML account field, click the Link SAML account button and select the SAML account created in Task 1 of this article.
- Switch to the Advanced tab, and in the Authentication server field, enter the authentication URL for the Service Provider server (usually the same value found in the Account server name field).
- In the Authentication Type field, select HTTP.
- (Optional) In the Custom message text field, enter a message to help users determine the credential they need to enter. For example, enter "You are logging in to a SmartCloud server. Please enter your username and password."
- Save and close the account.
Task 3: Configure a desktop settings policy to apply the SAML account to specified Notes client users
- In the Domino Directory, navigate to the Policies > Settings view, and click Add Settings.
- Select Desktop.
- Switch to the Accounts tab, click the Update Links button in the Administrative Account Defaults section, and select the supported option that applies.
- Select the service accounts created in Task 2 of this article. The linked SAML account will also be automatically added.
- Save and close the account selection dialog box.
- Save and close the desktop settings document.
- Apply the desktop settings policy to whatever Notes client users you want to specify.
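As an added example (not from this article and not an IBM tool), the following Python script models the account documents from Tasks 1 to 3 as dictionaries and checks the points that are easy to get wrong: an IdP Authentication URL that is not HTTPS, Enforce SSL left off, Enforce trusted sites set to Yes without the IdP URL in the policy's Trusted Sites, a service account not linked to the SAML account, and a non-numeric custom_ssotimeout_key. The field names, account values and URLs are constructed assumptions, not Domino's internal item names.

```python
from urllib.parse import urlparse

# Constructed sample: a simplified model of the SAML-IdP account from Task 1.
# Keys mirror the form labels in the article, not Domino item names (assumption).
SAML_ACCOUNT = {
    "name": "Renovations (SAML)",
    "type": "SAML-IdP",
    "auth_url": "https://idp.example.test/idp/startSSO",  # placeholder IdP URL
    "enforce_ssl": "Yes",
    "enforce_trusted_sites": "Yes",
}

# Constructed sample: service accounts from Task 2; the Feeds account is
# deliberately left unlinked so the check has something to report.
SERVICE_ACCOUNTS = [
    {"name": "SmartCloud Sametime", "type": "Sametime", "auth_type": "ST-DOMINO-SSO",
     "linked_saml": "Renovations (SAML)", "properties": {}},
    {"name": "Browser (SAML)", "type": "Other", "auth_type": "HTTP",
     "linked_saml": "Renovations (SAML)", "properties": {"custom_ssotimeout_key": "300"}},
    {"name": "Feeds (SAML)", "type": "HTTP", "auth_type": "HTTP",
     "linked_saml": "", "properties": {}},
]

# Constructed sample: Trusted Sites section of the desktop settings policy (Task 3).
DESKTOP_POLICY = {"trusted_sites": ["https://sametime.example.test"]}


def check_saml_account(acct, policy):
    """Return findings for the SAML-IdP account against the Task 1 settings."""
    findings = []
    url = urlparse(acct.get("auth_url", ""))
    if url.scheme != "https":
        findings.append("Authentication URL is not HTTPS")
    if acct.get("enforce_ssl") != "Yes":
        findings.append("Enforce SSL is not enabled")
    if acct.get("enforce_trusted_sites") == "Yes":
        # The article requires the IdP URL to be a trusted site when this is Yes.
        idp_origin = f"{url.scheme}://{url.netloc}"
        if not any(s.rstrip("/") == idp_origin for s in policy.get("trusted_sites", [])):
            findings.append("Enforce trusted sites is Yes but IdP URL is not a trusted site")
    return findings


def check_service_accounts(accounts, saml_name):
    """Return findings for service accounts that must link to the SAML account."""
    findings = []
    for acct in accounts:
        if acct.get("linked_saml") != saml_name:
            findings.append(f"{acct['name']}: not linked to SAML account {saml_name}")
        timeout = acct.get("properties", {}).get("custom_ssotimeout_key")
        if timeout is not None and not timeout.isdigit():
            findings.append(f"{acct['name']}: custom_ssotimeout_key must be whole seconds")
    return findings
```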