Domino Federated Web Login / SAML with F5 and ADFS 3.0
Daniel Nashed    


In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations.
Not sure what happened, but suddenly everyone is interested in SAML. More and more customers are looking into it because they have already implemented SSO for other applications such as O365.

In one case a customer had an existing F5 configuration. In another case we had a customer with Windows 2012 R2 and ADFS 3.0.

Neither configuration is officially supported yet, but we got both to work. The F5 configuration in particular was tricky, but in general both are just another SAML 2.0 implementation.
We have officially asked whether those two configurations can be supported. It looks like this is more a testing and documentation effort than a code change.
But for now it is not an officially supported configuration. Implementing ADFS 3.0 is quite similar to ADFS 2.0.

Win2012 R2 ADFS 3.0

ADFS 3.0 is in fact a nicer implementation and does not need any IIS components. The SSO portal application is now built so that the UI can be completely customized: you can add your logo, change the CSS, or even build your own page from scratch.

Installation is easier, too. ADFS 3.0 ships with Windows 2012 R2 and just needs to be enabled as a separate server role. Earlier Windows versions shipped with an ADFS that only supported SAML 1.1, and you had to download and install the SAML 2.0 capable ADFS 2.0 separately.

The configuration is very similar, but you cannot use the existing cookbooks 1:1. Some settings are now only available through PowerShell.
For example, if you need to disable Extended Protection for Authentication so that Chrome can use integrated Windows authentication, that is done with Set-AdfsProperties -ExtendedProtectionTokenCheck None rather than in the management console.

Domino SAML Implementation

In two customer situations we ran into an odd issue. When the SAML login was initiated from the SSO portal of the IdP (with ADFS 3.0 the portal looks prettier, so more customers might use it directly), the redirect to the Domino HTTP server showed strange behavior.
The URL invoked should have been the default server URL, but there were some random characters at the end of it. Tracing showed this to be a day-one issue with Domino Web Federated Login (WFL): it was never anticipated that the very first request Domino sees could be the login request itself, i.e. a redirect coming from the identity provider (IdP), in our case ADFS 3.0 or the F5 appliance.

Even though Domino uses the IdP-initiated sign-on endpoint, the first request was always expected to originate from Domino.

Here is the flow that Domino uses.

- Browser hits the Domino server for a resource that needs authentication

- User is redirected to the IdP for authentication. The URL contains ?loginToRp to tell the ADFS server where to return to after authentication. This is an ADFS-specific parameter which, for example, F5 does not understand.
  Example: https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.nashcom.loc/names.nsf
  At the same time the server sets an undocumented cookie "DOMRELAYSTATE" containing base64-encoded binary data, which holds the location to redirect to after login.

- User is authenticated at the IdP, either with AD name and password or with a Kerberos ticket (Integrated Windows Authentication, IWA) if that is configured and both user and workstation are members of the AD domain.

- Browser POSTs the SAML response back to Domino
  Example: https://domino.nashcom.loc/names.nsf?SAMLLogin

- After verifying the SAML data, the user is authenticated and an LTPA cookie is generated

- At the same time the server reads the "DOMRELAYSTATE" cookie, removes it and redirects the user to their original location


Redirection Issue

In our problem case the browser sent no "DOMRELAYSTATE" cookie at all, because the login had not started at Domino, and that caused the server to append garbage to the redirect URL.
We got a hotfix for the issue, which will hopefully make it into one of the next IFs. The SPR for this defect is SPR # MKINA8XN74.
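The flow listed above and the missing-cookie case of the redirection issue, as an added Python example that is neither Domino code nor part of the original post: it simulates the server side of the WFL round trip (redirect to the IdP with loginToRp while stashing the original location in a DOMRELAYSTATE cookie, then the return leg at ?SAMLLogin where the cookie is read, expired and followed). The real DOMRELAYSTATE payload is undocumented, so the base64-encoded JSON used here is an assumption; the function names, the same-host check and the fallback to the default server URL when no cookie is present are mine, SAML response verification is left out, and only the hostnames are taken from the examples above.

```python
"""Simulated server side of the Domino Web Federated Login round trip.

Added example, not Domino code. The DOMRELAYSTATE cookie format is
undocumented; base64-encoded JSON is an assumption. Verification of the
posted SAML response is out of scope here.
"""
import base64
import json
from http.cookies import CookieError, SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Hostnames from the post; everything else about the deployment is constructed.
SP_HOST = "domino.nashcom.loc"
SP_DEFAULT_URL = "https://domino.nashcom.loc/names.nsf"
IDP_SIGNON_URL = "https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx"
RELAY_COOKIE = "DOMRELAYSTATE"


def encode_relay_state(location: str) -> str:
    """Assumed payload: base64(JSON) carrying the location to return to."""
    raw = json.dumps({"loc": location}).encode("utf-8")
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_relay_state(value: str) -> Optional[str]:
    """Inverse of encode_relay_state; None for anything that does not parse."""
    try:
        data = json.loads(base64.urlsafe_b64decode(value.encode("ascii")))
        loc = data.get("loc")
    except (ValueError, AttributeError):
        return None
    return loc if isinstance(loc, str) else None


def is_local_redirect(url: str) -> bool:
    """Only follow redirect targets on this Domino host (open-redirect guard)."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.netloc == SP_HOST


def start_login(requested_url: str) -> Tuple[int, Dict[str, str]]:
    """Unauthenticated request: 302 to the IdP plus the relay-state cookie.

    loginToRp is the ADFS-specific parameter from the post (F5 ignores it).
    """
    if not is_local_redirect(requested_url):
        requested_url = SP_DEFAULT_URL
    location = IDP_SIGNON_URL + "?" + urlencode({"loginToRp": SP_DEFAULT_URL})
    cookie = "%s=%s; Secure; HttpOnly; Path=/" % (
        RELAY_COOKIE, encode_relay_state(requested_url))
    return 302, {"Location": location, "Set-Cookie": cookie}


def finish_login(cookie_header: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return leg: the SAML POST to ?SAMLLogin has been verified (not shown).

    Reads DOMRELAYSTATE, expires it and redirects to the stored location.
    No cookie (an IdP-initiated login never passed through start_login) or
    an unusable one falls back to the default server URL instead of
    producing a mangled redirect.
    """
    target = None
    if cookie_header:
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            jar = SimpleCookie()
        if RELAY_COOKIE in jar:
            target = decode_relay_state(jar[RELAY_COOKIE].value)
    if target is None or not is_local_redirect(target):
        target = SP_DEFAULT_URL
    expire = "%s=; Max-Age=0; Path=/" % RELAY_COOKIE
    return 302, {"Location": target, "Set-Cookie": expire}


def relay_cookie_value(set_cookie_header: str) -> str:
    """Pull the bare cookie value out of a Set-Cookie header (client/test helper)."""
    return set_cookie_header.split(";", 1)[0].split("=", 1)[1]


if __name__ == "__main__":
    status, hdrs = start_login("https://domino.nashcom.loc/mail/dnashed.nsf")
    print(status, hdrs["Location"])
    value = relay_cookie_value(hdrs["Set-Cookie"])
    print(finish_login(RELAY_COOKIE + "=" + value)[1]["Location"])
    print(finish_login(None)[1]["Location"])  # IdP-initiated: no cookie
```

The point of finish_login is that an absent cookie is a normal case, not an error: a login started from the ADFS portal arrives at ?SAMLLogin without ever having passed start_login, which is exactly the situation the post describes as unhandled. The same-host check on the decoded location is a practitioner caveat the post does not mention: whatever the relay-state encoding is, a redirect target that comes back from the browser must be validated before it is followed, or the cookie becomes an open-redirect vector.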

Summary

So in general, if you want to implement SAML right now and have the choice, I would use ADFS 3.0 on Windows 2012 R2, even though it is not yet officially supported by Domino.
ADFS 3.0 is the much better product and is better supported by Microsoft. It is also a much cleaner implementation, with no dependency on IIS.





---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/domino-federarted-web-login-saml-with-f5-and-adfs-3.0.htm
Apr 25, 2016