This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


~Vanessa Lopfoozenoni
Oct 21, 2014, 6:52 PM
1 Posts

Using other Identity Providers with SAML

  • Category: Administration
  • Platform: Linux
  • Release: 9.0.1
  • Role: Administrator
  • Tags: saml
  • Replies: 4

Hello!

The central identity store in our organization is NetIQ eDirectory (formerly Novell eDirectory) and we are looking for a way to enable users to log in to Notes client and Domino web applications using their eDirectory accounts. One general solution for achieving this seems to be SAML, which I have no experience with. I looked at Domino Administrator help and it says that currently supported Identity Providers are TFIM or ADFS. Being an eDirectory shop, we could set up an Identity Provider using NetIQ Access Manager, which supports SAML 2.0 but is not supported by Domino.

Is it at all feasible to use an IdP other than TFIM or ADFS as SAML IdP for Domino? I am more eDirectory admin than Domino admin in our organization, so I would appreciate an advice from Domino experts and thank you in advance.

 

~Delores Lopjumiburoden
Oct 22, 2014, 12:34 AM
3 Posts
Other IdP's with SAML

We have tested and support (to a limited extent) SAML with ADFS (2.0 and above I think?) and TFIM.  Currently we DO NOT support any other IdP's. If this is a Connections on Cloud opportunity then there MIGHT be a possability to support different IdPs, but this will need to be raised with your IBM sales rep first and the Connections on Cloud team will need to be involved early to make a call on wether or not they'll support whatever configuration you're looking at.

For on-premesis stuff, the process for Domino may be different, but to get SAML support for Connections you MUST open a PMR first, fill out a questionaire showing your IdP configuration, network architecture and application configuration then wait for L3 support to approve your request.

That said, I've seen customers setup SAML for Domino and Connections with at least two other IdP's (PortalGuard w/ Domino and SimpleSAMLphp w/ Connections, Domino and Docs). Both of those IdP's needed some tweaking to work properly - in both cases the redirection/return-URL parameter name (named "loginToRP" for ADFS and "partnerid" for TFIM) needed to be either re-written to something supported by the IdP or the IdP needed to be configured to process it properly. In a different case the assertion itself (being generated by the IdP) was not exactly to the SAML spec - although it worked with at least two other companies' SAML-consuming services. I'd like to stress IBM does not officially support these configurations, but the customers involved are chosing to take the risks involved with running an unsupported configuration.

You should know in advance that Domino/Connections/Portal etc. are very strict on validating the signatures and XML payloads of SAML assertions - everything in the SAML specification must be implemented properly by the IdP and all attributes must be properly declared. Something as simple as a default attribute not being provided or a single character being uppercase when it should be lowercase can prevent the whole thing working and is very painful to debug taking many hours of support's time.

Finally, below is an excerpt from an internal e-mail sent to the IBM pre-sales team recently.  Although many customers have SAML configured and working without issues, I think it sheds some light on IBM's concerns around partners and customers attempting to configure SAML, especially when they aren't already experienced in doing so:

I'd like to very much second what <NAME REMOVED> has said here.

I've been drafted in to work on no fewer than five SAML engagements (one of which being a critsit) in the past few months. All of them have demonstrated a fundamental lack of honesty/modesty and/or care and attention to detail when it came to the understanding and implementation of some, much or all of parts of a SAML architecture those technologists needing help were involved with.

SAML sounds like a panacea for single-sign-on to customers (and for partners pressured to implement a solution). They seldom realise the real cost and sheer attention to detail required to set it up properly. In a number of cases I've seen the security model destroyed by it being set-up it up in an incompetent fashion and - literally - weeks of man effort wasted due to a lack of skills, experience, theoretical knowledge and hubris.

The ICS team (both in the labs and wider IBM) are in many cases out of our element when it comes to anything to do with SAML beyond our products implementation [and supported configurations] of it.  This means we must involve IBM Security Solutions people to assist on non-revenue generating work - [nearly always] with customers not using IBM products to provide the SAML back-ends for our technology.

Below is a very much [non-exhaustive] list of common issues which tend to crop-up, all of which can take significant time to identify and solve; most of which are things the labs cannot effectively help on through a PMR process and must be pre-empted with customers setting up SAML [competently and correctly] beforehand:

  • A single attribute or element missing from the XML payload of a SAML assertion.
  • A certificate which uses SHA-1 HMACs or other insecure or deprecated algorithms (I've even seen *sigh* MD5!)
  • Certificates which use DSA or ECDSA keys where only RSA are supported by some parts of the architecture.
  • Servers where times are out of sync due to not running ntpd or equivalent.
  • Time-based validity windows that are too large and are refused by some parts of the architecture (in one case I've seen assertions set to be valid for *sigh again* MONTHS, not hours.)
  • Invalid trust assertions in the payload (for services that don't exist, for accounts that cannot be identified, for non-user principals ... )
  • Untrusted signatures being used to sign the payload (forgotten to import certs, importing the wrong certs, typo's in hostnames, issuers which don't exist...)

SAML is a great technology, but it is also a system designed to be secure whilst tying together many different systems. Doing this right matters (else why bother at all with authentication and authorisation), doing it right also requires detailed knowledge of the systems involved, the theory of SAML and a healthy respect for knowing no matter how skilled an administrator you are, you won't get this done in a day and will need to "dot every i and cross every t" before it works.

We do have some [great] SAML skills in ICS - <NAME REMOVED> in the US being the primary lead from the Domino side of things [and <NAMES REMOVED> in the Dublin labs]. The Connections on Cloud team now also have a been through a good many trials by fire setting it up with customers using federated identity in our SaaS offerings.

[Remember there are other options for SSO (SPNEGO, Kerberos, SSO via LTPA, WebSEAL, SiteMinder etc.) which may be easier to setup and maintain for customers. SAML is just another option, and one which requires more than a modicum of care.]

 

 

Edit: typos.

~Tanita Desweverobu
Oct 22, 2014, 3:55 AM
94 Posts
Yes but...
Other IdPs can work -- SAML is a public standard that anybody can implement --  and I've even added enhancements to Domino's SAML SP implementation to fix issues that people have pointed out on this and other forums. That said, only those two IdPs are officially supported (and thoroughly documented), so any PMRs that you open to ask support for help with any configuration issues that you might run into with unsupported IdPs won't go very far.
~Ned Umlutherettu
Oct 23, 2014, 10:24 PM
113 Posts
SAML for web access
for http access- SAML is just the starting point to IBM LTPA based websso cookie
if you have something else enforcing authentication via SAML that can set ltpatoken cookies in your browser
we can then import that SSO config into the domino webserver(s)

I've seen a handful of customers excited about SAML and ADFS but at the time unwilling to upgrade their whole infastructre to 9x
as long as 1 server is 9+ we can set it up for SAML, set the LTPA token and then communicate (pre authenticated) with any other ibm sso participating product

but if you got some other solution doing the SAML for you, you dont even need 1 server 9x
many sso solution simply leverage LTPAtokens and even Domino 8.0 could understand ltpa2 style WAS tokens


browser -> Webseal (SAML)  -> ltpa ->Domino SSO
                                  \ IDP /            -> ltpa -> WAS
                                                         -> ltpa -> etc
~Julia Quetnivitchikle
Jan 27, 2016, 8:48 AM
1 Posts
iNotes with SimpleSAMLphp

I did open a PMR at IBM for iNotes with SimpleSAMLphp support however the only thing they said that's not supported.

I get the following error:

SimpleSAML_Error_Error: UNHANDLEDEXCEPTION

Backtrace:
1 /opt/simplesamlphp/www/_include.php:37 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to find the current binding.

Could someone help me with iNotes to SimpleSAMLphp.

 


This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal