HTTP Outbound authentication via SAML
Julius Schwarzweller

HTTP Outbound authentication via SAML (ADFS Server)

Hi all,

this time I had to deal with a real administrative challenge:

Enable WebSphere Portal to display IBM Connections content using IC portlets and authenticate HTTP Outbound calls using SAML.

WebSphere Portal can load content from external sources using a secure HTTP Outbound proxy (aka. Ajax Proxy). This is the case for IBM Connections portlets that load content from an IBM Connections server.

Normally, when you deploy those IBM Connections portlets, requests sent via the HTTP Outbound Proxy are authenticated using IBM's LTPAToken-based SSO between WebSphere Portal and IBM Connections. But when it comes to more advanced cloud environments (hybrid cloud integrations, integration of other software tools that do not support LTPA…), this technology is outdated. So I'm back to my “hot topic” SAML ;-)… It solves most of our SSO problems but brings some new hurdles with it.

How does it work?

[Image: HTTPOutbound SAML1]

When using WebSphere Portal, content that you want to consume from another system is not loaded directly from that server into the browser. Instead, WebSphere Portal calls the backend system's API (e.g. IBM Connections, if you use the IBM Connections portlets) and renders the content itself. This communication is routed via an application called HTTPOutbound Proxy (aka. AjaxProxy).

Since WebSphere Portal 8.5 CF03 you can authenticate those HTTP Outbound Proxy calls using the SAML protocol. In the above example, the Outbound Proxy authenticates the user who is logged in to the WebSphere Portal server against the connected IBM Connections system. The mandatory configuration steps are documented for TFIM and ADFS Server (from CF05 on) as IdP. But I think the information provided in the Knowledge Center is a bit confusing and not really complete. That's why I tried to summarize everything in this blog post.

Steps I used to activate HTTP Outbound Connection authentication via SAML (ADFS Server as IdP)

ADFS: Changing the cookie domain –> described here
This is a rather easy step where you need to make sure that the cookies the ADFS server generates are set for the domain you use with your WebSphere Portal / IBM Connections system.

  • Open the file web.config in the IIS ADFS web module (inetpub base folder – in my case this is c:/inetpub/adfs/ls/) and add the cookie handler between <system.web> and <compilation defaultLanguage="c#">

Cookie handler:

<httpCookies domain="your_domain" httpOnlyCookies="false" requireSSL="false"/>

[Image: HTTPOutbound1]

  • Create an Outbound rule using the IIS Management Console

This is a tricky one, as you need an additional ARR (Application Request Routing) snap-in in order to configure this outbound rule. You can install this snap-in using the Microsoft Web Platform Installer 5.0 –> here

Start the exe and search for “Application Request”

[Image: HTTPOutbound2]

Click to install.

Then open the IIS management console and click “Application Request Routing Cache”

[Image: HTTPOutbound3]

Click on “Server Proxy Settings”

[Image: HTTPOutbound4]

Click on “Advanced Routing – URL Rewrite”

[Image: HTTPOutbound5]

Add a new Outbound rule

[Image: HTTPOutbound6]

More details

[Image: HTTPOutbound7]

Puhh… done :-) The documentation in the Knowledge Center leaves you rather alone when configuring those steps… Anyway, it works like this :-)

WebSphere Portal: Create HTTP Outbound configuration –> described here

Identity provider settings

Create an XML file with the following content (adjust hostnames to match your environment):

<?xml version="1.0" encoding="UTF-8"?>
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.ibm.com/xmlns/prod/sw/http/outbound/proxy-config/2.0">
<variables>
  <!--  replace values with the IdP login URL and the partner URL -->
  <endpoint name="adfs01.idp_prot">https</endpoint>
  <endpoint name="adfs01.idp_host">YOURADFSSERVER.SERVER.COM</endpoint>
  <endpoint name="adfs01.idp_port">443</endpoint>
  <endpoint name="adfs01.idp_uri">/adfs/ls/IdpInitiatedSignOn.aspx</endpoint>
  <endpoint name="adfs01.partner_url">https://YOURIBMCONNECTIONSSERVER.SERVER.COM/samlsps/acs</endpoint>
</variables>
<meta-data>
  <name>adfs01.IDP_PROTOCOL</name>
  <value>https</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_HOST</name>
  <value>YOURADFSSERVER.SERVER.COM</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_PORT</name>
  <value>443</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_URI</name>
  <value>/adfs/ls/IdpInitiatedSignOn.aspx</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_NAME.1</name>
  <value>LoginToRp</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_VALUE.1</name>
  <value>https://YOURIBMCONNECTIONSSERVER.SERVER.COM/samlsps/acs</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_SOURCE</name>
  <value>cookies</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name>
  <value>MSISAuth</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.2</name>
  <value>MSISAuth1</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.3</name>
  <value>MSISAuthenticated</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_COOKIE.1</name>
  <value>SamlSession</value>
</meta-data>
</proxy-rules>

Register this XML file using a ConfigEngine task

 ./ConfigEngine.sh update-outbound-http-connection-config -DConfigFileName=XML_file -DOutboundProfileType=global

Define a policy rule for the remote connections to the IBM Connections server

Create an XML file with the following content (adjust hostnames to match your environment):

<?xml version="1.0" encoding="UTF-8"?>
<!-- Copyright IBM Corp. 2011, 2014  All Rights Reserved.              -->
<proxy-rules xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.1">
<mapping contextpath="/proxy" url="*"/>
<mapping contextpath="/myproxy" url="*"/>
<mapping contextpath="/common_proxy" url="*"/>

<policy active="true" basic-auth-support="false" name="SocialADFS" url="https://YOURIBMCONNECTIONSSERVER.SERVER.COM/*">
<actions>
  <method>POST</method>
  <method>GET</method>
  <method>DELETE</method>
  <method>PUT</method>
  <method>HEAD</method>
</actions>
<headers>
  <header>Accept-Language</header>
  <header>User-Agent</header>
  <header>Accept.*</header>
  <header>Content.*</header>
  <header>Authorization*</header>
  <header>Content*</header>
  <header>If-.*</header>
  <header>Pragma</header>
  <header>Cache-Control</header>
  <header>X-Update-Nonce</header>
  <header>X-Shindig-ST</header>
  <header>X-IC-CRE-Request-Origin</header>
  <header>X-IC-CRE-User</header>
  <header>X-Method-Override</header>
  <header>X-Requested-With</header>
</headers>
<cookie-rule name="SocialAdfs_WEF_Cookie_Rule">
  <cookie>*</cookie>
  <scope>user</scope>
  <handling>store-in-request</handling>
</cookie-rule>
<meta-data>
  <name>SSO_SAML20_IDP</name>
  <value>adfs01</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_HOST</name>
  <value>YOURADFSSERVER.SERVER.COM</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_PORT</name>
  <value>443</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_URI</name>
  <value>/adfs/ls/IdpInitiatedSignOn.aspx</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_NAME.1</name>
  <value>LoginToRp</value>
</meta-data>
<meta-data>
  <name>adfs01.PARAM_VALUE.1</name>
  <value>https://YOURIBMCONNECTIONSSERVER.SERVER.COM/samlsps/acs</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_SOURCE</name>
  <value>cookies</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name>
  <value>MSISAuth</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.2</name>
  <value>MSISAuth1</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_TOKEN_COOKIE.3</name>
  <value>MSISAuthenticated</value>
</meta-data>
<meta-data>
  <name>adfs01.IDP_AUTH_COOKIE.1</name>
  <value>SamlSession</value>
</meta-data>
<meta-data>
  <name>forward-http-errors</name>
  <value>true</value>
</meta-data>
</policy>
<meta-data>
  <name>forward-http-errors</name>
  <value>true</value>
</meta-data>
<meta-data>
  <name>xhr-authentication-support</name>
  <value>true</value>
</meta-data>
<meta-data>
  <name>socket-timeout</name>
  <value>50000</value>
</meta-data>
<meta-data>
  <name>retries</name>
  <value>2</value>
</meta-data>
<meta-data>
  <name>max-connections-per-host</name>
  <value>50</value>
</meta-data>
<meta-data>
  <name>max-total-connections</name>
  <value>1000</value>
</meta-data>
</proxy-rules>

Register this XML file using a ConfigEngine task

 ./ConfigEngine.sh update-outbound-http-connection-config -DConfigFileName=/ibm/proxy_smartcloud.xml -DApplicationScopeRef=PA_icWEFPtlts

–> This time I limit the configuration to the IBM Connections portlets … “-DOutboundProfileType=global” should also work.
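Before registering a policy file like the one above, it is worth checking it for the slips that are easy to make when copying meta-data blocks (a missing adfs01.* key, an http:// URL, an ACS on a different host than the policy covers, a shared cookie scope). This is an added example in Python, not part of the original post or of IBM's tooling; the key list mirrors the adfs01.* entries used in this post rather than any official schema, and the hostnames in the embedded sample are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.1}"
# Keys the post's adfs01.* configuration uses (assumption, not IBM's official schema).
REQUIRED = ("IDP_HOST", "IDP_PORT", "IDP_URI", "PARAM_NAME.1", "PARAM_VALUE.1",
            "IDP_AUTH_TOKEN_SOURCE", "IDP_AUTH_TOKEN_COOKIE.1", "IDP_AUTH_COOKIE.1")

# Constructed, shortened policy in the same format as the file above (hostnames are made up).
SAMPLE = """<proxy-rules xmlns="http://www.ibm.com/xmlns/prod/sw/ajax/proxy-config/1.1">
<policy active="true" basic-auth-support="false" name="SocialADFS" url="https://connections.example.test/*">
<cookie-rule name="r"><cookie>*</cookie><scope>user</scope><handling>store-in-request</handling></cookie-rule>
<meta-data><name>SSO_SAML20_IDP</name><value>adfs01</value></meta-data>
<meta-data><name>adfs01.IDP_HOST</name><value>adfs.example.test</value></meta-data>
<meta-data><name>adfs01.IDP_PORT</name><value>443</value></meta-data>
<meta-data><name>adfs01.IDP_URI</name><value>/adfs/ls/IdpInitiatedSignOn.aspx</value></meta-data>
<meta-data><name>adfs01.PARAM_NAME.1</name><value>LoginToRp</value></meta-data>
<meta-data><name>adfs01.PARAM_VALUE.1</name><value>https://connections.example.test/samlsps/acs</value></meta-data>
<meta-data><name>adfs01.IDP_AUTH_TOKEN_SOURCE</name><value>cookies</value></meta-data>
<meta-data><name>adfs01.IDP_AUTH_TOKEN_COOKIE.1</name><value>MSISAuth</value></meta-data>
<meta-data><name>adfs01.IDP_AUTH_COOKIE.1</name><value>SamlSession</value></meta-data>
</policy></proxy-rules>"""

def lint_policy(xml_text):
    """Return a list of findings; an empty list means the policy looks consistent."""
    findings = []
    for pol in ET.fromstring(xml_text).iter(NS + "policy"):
        name, url = pol.get("name"), pol.get("url", "")
        meta = {m.findtext(NS + "name"): m.findtext(NS + "value")
                for m in pol.findall(NS + "meta-data")}
        if not url.startswith("https://"):
            findings.append(f"{name}: policy url is not https")
        idp = meta.get("SSO_SAML20_IDP")
        if not idp:
            findings.append(f"{name}: SSO_SAML20_IDP missing, SAML will not be used")
            continue
        for key in REQUIRED:
            if f"{idp}.{key}" not in meta:
                findings.append(f"{name}: {idp}.{key} missing")
        acs = meta.get(f"{idp}.PARAM_VALUE.1", "")
        if urlparse(acs).scheme != "https":
            findings.append(f"{name}: ACS URL {acs!r} is not https")
        # The session cookie the ACS issues is only useful on that same host.
        if urlparse(acs).hostname != urlparse(url.rstrip("*")).hostname:
            findings.append(f"{name}: ACS host differs from policy url host")
        for rule in pol.findall(NS + "cookie-rule"):
            if rule.findtext(NS + "scope") != "user":
                findings.append(f"{name}: cookie-rule scope should be 'user', not shared")
    return findings
```

Run it against the real file with `lint_policy(open("/ibm/proxy_smartcloud.xml").read())` before the ConfigEngine task; the namespace must match the one declared on the proxy-rules element.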

The result is:

[Image: HTTPOutbound8]

Summary

To be honest … This was a real piece of work… Tough and really complex stuff!

Anyway… Thanks IBM for this great integration. Do more SAML stuff… I really like this 😉



---------------------
http://techblog.gis-ag.info/2015/10/06/http-outbound-authentication-via-saml/
Oct 06, 2015