Domino Federated Web Login / SAML with F5 and ADFS 3.0
Daniel Nashed    


In the last couple of weeks I spent a lot of time in customer Web Federated Login workshops and implementations.
Not sure what happened, but suddenly everyone is interested in SAML. It looks like more and more customers are looking into it because they have already implemented SSO for other applications like O365.

In one case a customer had an existing F5 configuration. In another case we had a customer with Windows 2012 R2 and ADFS 3.0.

Neither configuration is officially supported yet, but we got both to work! Especially the F5 configuration was tricky. But in general both are just another SAML 2.0 implementation.
We officially asked whether those two configurations can be supported. It looks like this needs more testing and documentation effort than any code change.
But it is not yet an officially supported configuration. Implementing ADFS 3.0 is quite similar to ADFS 2.0.

Win2012 R2 ADFS 3.0

ADFS 3.0 is in fact a nicer implementation and does not need any IIS components. Also the SSO portal application is now implemented in a way that the UI can be completely customized. You can add your logo, change the CSS or even build your own complete page.

Also the installation is easier. ADFS 3.0 comes with Win2012 R2 and just needs to be enabled as a separate role. In contrast, earlier versions shipped with SAML 1.1 support and you had to separately download and install SAML 2.0.

The configuration is very similar, but you cannot use the cookbooks 1:1. Some configuration details are now set via PowerShell commands,
for example if you need to disable extended protection when working with Chrome.

Domino SAML Implementation

In two customer situations we ran into an odd issue. When initiating the SAML login from the SSO portal like ADFS (with ADFS 3.0 the portal looks prettier and more customers might use the portal directly), redirecting to the Domino HTTP server caused strange behavior.
The URL invoked should have been the default server URL, but there were some random characters at the end of the URL. Tracing showed that this was a day-one issue with Domino Web Federated Login (WFL): nobody had considered that the very first request to Domino could be the login request, arriving as a redirect from the Identity Provider (IdP), in our case ADFS 3.0 or the F5 appliance.

Even though Domino uses an IdP-initiated model, the first request was always expected to be initiated by Domino.

Here is the flow that Domino uses.

- Browser hits the Domino server for a resource that needs authentication.

- User is redirected to the IdP for authentication. The URL contains ?loginToRp to tell the ADFS server where to return after authentication. This is an ADFS-specific parameter which is, for example, not understood by F5.
  Example: https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.nashcom.loc/names.nsf
  At the same time the server sets an undocumented cookie "DOMRELAYSTATE" which contains base64-encoded binary data holding the location to redirect to after login.

- User is authenticated at the IdP, either via AD name and password or with a Kerberos ticket (Integrated Windows Authentication, IWA) if configured and the user and workstation are in the current AD.

- Browser redirects back to Domino with the SAML POST request.
  Example: https://domino.nashcom.loc/names.nsf?SAMLLogin

- After verifying the SAML data, the user is authenticated and an LTPA cookie is generated.

- At the same time the server reads the "DOMRELAYSTATE" cookie, removes it and redirects the user to the original location.


Redirection Issue

In our problem case the user had no "DOMRELAYSTATE" cookie, which caused the server to append some garbage to the URL.
We got a hotfix for the issue, which will hopefully make it into one of the next IFs. The SPR for this defect is MKINA8XN74.
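To make the flow above and the missing-cookie failure concrete, here is an added simulation of the relay-state handling on the service-provider side. It is not Domino code and not from the post's author: the real DOMRELAYSTATE format is undocumented binary data, so the JSON-in-base64 encoding below is a constructed stand-in, and the hostnames are the post's own examples. It models both cases the post describes: the SP-initiated login where the cookie exists, and the IdP-initiated login where the first request hits ?SAMLLogin with no cookie at all. In the missing or malformed case it falls back to a default landing page instead of building a redirect from undefined data, and it additionally checks that the stored target stays on the Domino host so the login endpoint cannot be turned into an open redirect.

```python
"""Simulation of Domino Web Federated Login relay-state handling (added example).
Not Domino code: DOMRELAYSTATE's real format is undocumented, the base64 JSON
below is a constructed stand-in. Hostnames are the post's examples."""
import base64
import json
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit, urlencode

SP_HOST = "domino.nashcom.loc"                       # Domino server from the post
IDP_SIGNON = "https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx"
DEFAULT_LANDING = "https://" + SP_HOST + "/"         # fallback when no relay state exists


def encode_relay_state(target: str) -> str:
    """Constructed stand-in for the DOMRELAYSTATE cookie value."""
    return base64.b64encode(json.dumps({"target": target}).encode()).decode()


def decode_relay_state(cookie: Optional[str]) -> Optional[str]:
    """Return the stored target, or None if the cookie is absent or malformed.
    This is the case the post's bug mishandled: no cookie on the first request."""
    if not cookie:
        return None
    try:
        data = json.loads(base64.b64decode(cookie, validate=True))
        target = data.get("target")
        return target if isinstance(target, str) else None
    except (ValueError, TypeError, AttributeError):
        return None


def safe_landing(target: Optional[str]) -> str:
    """Only follow relay-state targets on the Domino host itself; anything else
    (missing, garbage, or a foreign host) lands on the default page."""
    if not target:
        return DEFAULT_LANDING
    parts = urlsplit(target)
    if parts.scheme == "https" and parts.netloc == SP_HOST:
        return target
    return DEFAULT_LANDING


def sp_initiated_redirect(requested_url: str) -> Tuple[str, Dict[str, str]]:
    """Steps 1-2: unauthenticated request -> 302 to the IdP with loginToRp,
    plus the relay-state cookie that remembers where to return.
    urlencode percent-encodes the loginToRp value, unlike the post's raw example."""
    location = IDP_SIGNON + "?" + urlencode({"loginToRp": requested_url})
    cookies = {"DOMRELAYSTATE": encode_relay_state(requested_url)}
    return location, cookies


def saml_login_endpoint(saml_assertion_ok: bool, cookies: Dict[str, str]) -> dict:
    """Steps 4-5: handle the POST to names.nsf?SAMLLogin. Returns the response
    the server would send: status, Location, and cookies to set or clear.
    Assertion verification itself is abstracted to a boolean here."""
    if not saml_assertion_ok:
        return {"status": 401, "location": None, "set_cookies": {}}
    target = decode_relay_state(cookies.get("DOMRELAYSTATE"))
    return {
        "status": 302,
        "location": safe_landing(target),
        # LTPA token value is a placeholder; DOMRELAYSTATE is cleared after use
        "set_cookies": {"LtpaToken": "<constructed-token>", "DOMRELAYSTATE": ""},
    }


if __name__ == "__main__":
    # SP-initiated: Domino set the cookie before sending the browser to ADFS
    loc, jar = sp_initiated_redirect("https://domino.nashcom.loc/names.nsf")
    print("redirect to IdP:", loc)
    print("after login:", saml_login_endpoint(True, jar)["location"])
    # IdP-initiated: first request to Domino is the SAML POST, no cookie present
    print("IdP-initiated:", saml_login_endpoint(True, {})["location"])
```

Running the block prints the IdP redirect URL, the original names.nsf location for the SP-initiated case, and the default landing page for the IdP-initiated case. The fallback in `safe_landing` is the behaviour the hotfix for the missing cookie should restore; the host check is an extra defensive measure not mentioned in the post.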

Summary

So in general, if you want to implement SAML right now, I would use ADFS 3.0 and Windows 2012 R2 if you have the choice, even though it is not yet supported by Domino.
ADFS 3.0 is the much better product, is better supported by Microsoft, and is a much cleaner implementation. No dependency on IIS as well!





---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/domino-federarted-web-login-saml-with-f5-and-adfs-3.0.htm
Apr 25, 2016