Domino Federated Web Login / SAML with F5 and ADFS 3.0
Daniel Nashed    


In the last couple of weeks I spent a lot of time with customer Web Federated Login workshops and implementations.
Not sure what happened but suddenly everyone is interested in SAML. It looks like more and more customers are looking into that because they have already implemented SSO for other applications like O365.

In one case a customer had an existing F5 configuration. In another case we had a customer with Windows 2012 R2 and ADFS 3.0.

Both configurations are not officially supported yet, but we got them to work! Especially the F5 configuration was tricky. But in general both are just another SAML 2.0 implementation.
We officially asked if those two configurations can be officially supported. It looks like what is needed is more testing and documentation effort than any code change.
But it is not yet an officially supported configuration. Implementing ADFS 3.0 is quite similar to ADFS 2.0.

Win2012 R2 ADFS 3.0

ADFS 3.0 is in fact a nicer implementation and does not need any IIS components. Also, the SSO portal application is now implemented in a way that the UI can be completely customized. You can add your logo, change the CSS or even build your own complete page.

Also, the installation is easier. ADFS 3.0 comes with Win2012 R2 and just needs to be enabled as a separate role. In contrast, earlier versions shipped with SAML 1.1 support and you had to separately download and install SAML 2.0.

The configuration is very similar, but you cannot use the cookbooks 1:1. Some configuration details are now set via PowerShell commands, for example when you need to disable the extended protection when working with Chrome.

Domino SAML Implementation

In two customer situations we ran into an odd issue. When initiating the SAML login from the SSO portal like ADFS (with ADFS 3.0 the portal looks prettier and more customers might directly use the portal), redirecting to the Domino HTTP server caused a strange behavior.
The URL invoked should have been the default server URL, but there were some random characters at the end of the URL. Tracing showed that this was a day-one issue with Domino Web Federated Login (WFL): it had never been considered that the first request could be the login request arriving via a redirect from the Identity Provider (IdP), in our case ADFS 3.0 or the F5 appliance.

Even though Domino uses an IdP-initiated model, the first request was always initiated by Domino.

Here is the flow that Domino uses.

- The browser hits the Domino server for a resource that needs authentication.

- The user is redirected to the IdP for authentication. The URL contains ?loginToRp to tell the ADFS server where to return to after authentication. This is an ADFS-specific parameter which is, for example, not understood by F5.
  Example: https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=https://domino.nashcom.loc/names.nsf
  At the same time the server sets an undocumented cookie "DOMRELAYSTATE", which contains some data in binary format (base64 encoded) including the location to redirect to after login.

- The user is authenticated at the IdP, either via AD name and password or with a Kerberos ticket (Integrated Windows Authentication, IWA) if configured and the user and workstation are in the current AD.

- The browser redirects back to Domino with the SAML POST request.
  Example: https://domino.nashcom.loc/names.nsf?SAMLLogin

- After verifying the SAML data, the user is authenticated and an LTPA cookie is generated.

- At the same time the server reads the "DOMRELAYSTATE" cookie, removes it and redirects the user to his original location.


Redirection Issue

In our problem case the user had no "DOMRELAYSTATE" cookie, which caused the server to add some garbage to the URL.
We got a hotfix for the issue, which will hopefully make it into one of the next IFs. The SPR for this defect is MKINA8XN74.
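The relay-state part of the login flow above, together with the missing-cookie case from the redirection issue, modelled as an added Python example (not Domino's code and not the author's). The cookie name, query arguments and host names are taken from the post; the cookie payload layout (base64 of the UTF-8 location) and the same-host check are assumptions of this example.

```python
import base64
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit

# Added example, not Domino's code: models the relay-state handling of the Web
# Federated Login flow above. Cookie name DOMRELAYSTATE and the ?SAMLLogin /
# loginToRp arguments come from the post; storing the location as base64 of
# UTF-8 is an assumption, as Domino's real binary cookie format is undocumented.
RELAY_COOKIE = "DOMRELAYSTATE"
SP_HOST = "domino.nashcom.loc"
IDP_SIGNON = "https://nsh-win-ad.ad.nashcom.loc/adfs/ls/IdpInitiatedSignOn.aspx"
DEFAULT_LOCATION = "https://%s/" % SP_HOST


def start_sp_initiated_login(requested_url: str) -> Tuple[str, str]:
    """Unauthenticated request: remember the target, redirect to the IdP.
    Returns (redirect_to_idp, set_cookie_header)."""
    relay = base64.b64encode(requested_url.encode("utf-8")).decode("ascii")
    set_cookie = "%s=%s; Path=/; Secure; HttpOnly" % (RELAY_COOKIE, relay)
    # loginToRp tells ADFS which relying party to return to after sign-on.
    query = urlencode({"loginToRp": "https://%s/names.nsf" % SP_HOST})
    return IDP_SIGNON + "?" + query, set_cookie

def parse_cookie_header(header: Optional[str]) -> dict:
    """Parse a request Cookie header ("a=1; b=2") into a dict."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def finish_saml_login(cookie_header: Optional[str]) -> Tuple[str, Optional[str]]:
    """After the SAML POST to ?SAMLLogin verified: choose the redirect target.
    Returns (redirect_location, clearing_set_cookie_or_None). An IdP-initiated
    login arrives with no DOMRELAYSTATE cookie, so that case must fall back to
    the default server URL instead of using a value that was never set."""
    cookies = parse_cookie_header(cookie_header)
    if RELAY_COOKIE not in cookies:
        return DEFAULT_LOCATION, None  # IdP-initiated: nothing to relay
    try:
        location = base64.b64decode(cookies[RELAY_COOKIE], validate=True).decode("utf-8")
    except ValueError:
        location = DEFAULT_LOCATION  # malformed cookie: same fallback
    # Defensive check added here: never relay off this Domino host.
    parts = urlsplit(location)
    if parts.scheme != "https" or parts.netloc != SP_HOST:
        location = DEFAULT_LOCATION
    clear = "%s=; Path=/; Max-Age=0; Secure; HttpOnly" % RELAY_COOKIE
    return location, clear
```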

Summary

So in general, if you want to implement SAML right now, I would use ADFS 3.0 and Windows 2012 R2 if you have the choice, even though it is not yet supported by Domino.
ADFS 3.0 is the much better product and is better supported by Microsoft. It is also a much cleaner implementation, with no dependency on IIS!





---------------------
http://blog.nashcom.de/nashcomblog.nsf/dx/domino-federarted-web-login-saml-with-f5-and-adfs-3.0.htm
Apr 25, 2016