Domino Federarted Web Login / SAML with F5 and ADFS 3.0
Daniel Nashed


In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations.
Not sure what happened, but suddenly everyone is interested in SAML. It looks like more and more customers are looking into it because they have already implemented SSO for other applications like O365.

In one case a customer had an existing F5 configuration. In another case we had a customer with Windows 2012 R2 and ADFS 3.0.

Neither configuration is officially supported yet, but we got both to work! Especially the F5 configuration was tricky. But in general both are just another SAML 2.0 implementation.
We officially asked whether those two configurations can be supported. It looks like this is more a testing and documentation effort than a code change.
But for now it is not an officially supported configuration. Implementing ADFS 3.0 is quite similar to ADFS 2.0.

Win2012 R2 ADFS 3.0

ADFS 3.0 is in fact a nicer implementation and does not need any IIS components. Also the SSO portal application is now implemented in a way that the UI can be completely customized. You can add your logo, change the CSS, or even build your own complete page.

The installation is also easier. ADFS 3.0 comes with Win2012 R2 and just needs to be enabled as a server role. In contrast, earlier versions shipped with SAML 1.1 support only, and you had to separately download and install the version with SAML 2.0 support.

The configuration is very similar, but you cannot use the cookbooks 1:1. Some configuration details are now set via PowerShell commands instead of the management console.
For example, disabling Extended Protection for Authentication, which you need to do if Integrated Windows Authentication should work with Chrome, is done with Set-AdfsProperties on ADFS 3.0.

Domino SAML Implementation

In two customer situations we ran into an odd issue. When the SAML login is initiated from the SSO portal of the IdP, for example ADFS (with ADFS 3.0 the portal looks prettier, so more customers might use the portal directly), the redirect to the Domino HTTP server caused strange behavior.
The URL invoked should have been the default server URL, but there were some random characters at the end of the URL. Tracing showed that this was a day-one issue with Domino Web Federated Login (WFL): it was never considered that the very first request Domino sees might be the login POST arriving via redirect from the Identity Provider (IdP), in our case ADFS 3.0 or the F5 appliance.

Even though Domino uses the IdP-initiated sign-on endpoint, the implementation assumed that the flow always starts at Domino, so that Domino has already set its own relay-state cookie before the IdP ever posts back. Domino keeps the return location in that cookie rather than in the standard SAML RelayState parameter, which is why a flow that starts at the portal has nothing to redirect to.

Here is the flow that Domino uses:

- The browser hits the Domino server for a resource that needs authentication.

- The user is redirected to the IdP for authentication. The URL contains ?loginToRp to tell ADFS which relying party trust to issue the token for, and therefore where to post the response after authentication. This is an ADFS-specific parameter which is for example not understood by F5.
  Example: https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.nashcom.loc/names.nsf
  At the same time the server sets an undocumented cookie "DOMRELAYSTATE" containing some data in binary format (base64 encoded) which holds the location to redirect to after login.

- The user is authenticated at the IdP, either with AD name and password or with a Kerberos ticket (Integrated Windows Authentication, IWA) if configured and the user and workstation are in the current AD.

- The IdP returns the SAML response to the browser, which POSTs it back to Domino.
  Example: https://domino.nashcom.loc/names.nsf?SAMLLogin

- After verifying the SAML response, the user is authenticated and an LTPA cookie is generated.

- At the same time the server reads the "DOMRELAYSTATE" cookie, removes it and redirects the user to the original location.


Redirection Issue

In our problem case the user had no "DOMRELAYSTATE" cookie, which caused the server to append some garbage to the URL.
We got a hotfix for the issue which will hopefully make it into one of the next IFs. The SPR for this defect is SPR # MKINA8XN74.
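The flow above and the missing-cookie case from this section, modelled as an added Python example. This is not Domino's or IBM's code: the payload format of the DOMRELAYSTATE cookie is undocumented, so the base64-wrapped JSON used here is an assumption, as is the shape of the handler; only the hostnames, the loginToRp parameter and the cookie names come from the post. The point it shows is how a relay-state handler should behave when the SAML POST is the first request it sees (no cookie), and how the stored target should be checked before redirecting to it.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

# Hostnames taken from the blog post's examples.
DOMINO_HOST = "domino.nashcom.loc"
DEFAULT_URL = f"https://{DOMINO_HOST}/"
ADFS_SIGNON = "https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx"
RELAY_COOKIE = "DOMRELAYSTATE"


def build_idp_redirect(requested_url, relying_party):
    """Steps 1/2: an unauthenticated request arrives at Domino.

    Returns the Location header that sends the browser to the IdP and the
    value of the relay-state cookie. Domino's real cookie payload is
    undocumented binary; base64-wrapped JSON is an ASSUMED stand-in.
    """
    location = ADFS_SIGNON + "?" + urlencode({"loginToRp": relying_party})
    payload = json.dumps({"target": requested_url}).encode("utf-8")
    cookie_value = base64.b64encode(payload).decode("ascii")
    return location, cookie_value


def relay_target(cookie_value, default=DEFAULT_URL):
    """Step 5: choose the post-login redirect target.

    Covers the failure mode from the post: in the IdP-initiated case the
    SAML POST is the first request Domino sees and no cookie exists.
    A missing, undecodable or off-host value falls back to the default
    server URL, so the relay state can neither produce a garbage URL nor
    be abused as an open redirect (the off-host check is this example's
    own defensive choice, not a statement about what Domino does).
    """
    if not cookie_value:
        return default
    try:
        data = json.loads(base64.b64decode(cookie_value, validate=True))
        target = data["target"]
    except (ValueError, KeyError, TypeError):
        return default
    if not isinstance(target, str):
        return default
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.netloc.lower() != DOMINO_HOST:
        return default
    return target


def handle_saml_login(cookies, saml_response_valid):
    """Steps 4/5: the browser POSTs the SAML response to ...?SAMLLogin.

    `saml_response_valid` stands in for the signature and assertion checks,
    which are out of scope here. Returns (status, headers) like a tiny
    web handler would.
    """
    if not saml_response_valid:
        return 401, {}
    headers = {
        "Set-Cookie": [
            # Domino's session cookie is LtpaToken; the value is a placeholder.
            "LtpaToken=<generated>; Path=/; Secure; HttpOnly",
            # The relay cookie is single-use: expire it once consumed.
            f"{RELAY_COOKIE}=; Max-Age=0; Path=/",
        ],
        "Location": relay_target(cookies.get(RELAY_COOKIE)),
    }
    return 302, headers
```

Run with an empty cookie jar to see the IdP-initiated case: the handler lands on the default server URL instead of appending anything to it, which is the behaviour the hotfix restores.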

Summary

So in general, if you want to implement SAML right now, I would use ADFS 3.0 and Windows 2012 R2 if you have the choice, even though it is not yet officially supported by Domino.
ADFS 3.0 is the much better product, it is better supported by Microsoft, and it is a much cleaner implementation. No dependency on IIS as well!





---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/domino-federarted-web-login-saml-with-f5-and-adfs-3.0.htm
Apr 25, 2016


